Malicious Component Found On Server Motherboards Supplied To Numerous Companies

This morning Bloomberg is reporting a bombshell for hardware security. Companies like Amazon and Apple have found a malicious chip on their server motherboards. These are not counterfeit chips. They are not part of the motherboard design. These were added by the factory at the time of manufacture. The chip was placed among other signal conditioning components and is incredibly hard to spot as the nature of these motherboards includes hundreds of minuscule components.

Though Amazon and Apple have denied it, according to Bloomberg, a private security contractor in Canada found the hidden chip on server motherboards. Elemental Technologies, acquired by Amazon in 2015 for its video and graphics processing hardware, subcontracted Supermicro (Super Micro Computer, Inc.) to manufacture their server motherboards in China. It is unknown how many of the company’s products have this type of malicious hardware in them. Equipment from Elemental Technologies has been supplied to the likes of government contractors as well as major banks and even reportedly used in the CIA’s drone operations.

How the Hack Works

The attack works by implanting a small chip onto the motherboard, disguised as a signal coupler. It is unclear how the chip gains access to peripherals such as memory (as reported by Bloomberg), but it is possible it has something to do with accessing the bus. The chip controls some data lines on the motherboard that likely provide an attack vector for the baseboard management controller (BMC).

Hackaday spoke with Joe FitzPatrick (a well-known hardware security guru who was quoted in the Bloomberg article). He finds this reported attack a very believable approach to compromising servers. His take on the BMC is that it’s usually an ARM processor running an ancient version of Linux that has control over the major parts of the server. Any known vulnerability in the BMC would be an attack surface for the custom chip.

Data centers house thousands of individual servers that see no physical interaction from humans once installed. The BMC lets administrators control the servers remotely to reboot malfunctioning equipment, among other administrative tasks. If this malicious chip can take control of the BMC, then it can provide remote access to whoever installed the chip. Reported investigations have revealed the hack in action with brief check-in communications from these chips, though it’s difficult to say if they had already served their purpose or were being saved for a future date.
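A defender's view of the "brief check-in communications" mentioned above, as an added example that is not from the article or from Bloomberg's reporting: a BMC should only ever talk to the management network, so any flow it originates to another destination is worth a finding, and regular timing makes it look like a check-in. The subnets, the flow-record layout, the thresholds and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumed site policy (hypothetical values): BMCs live on a dedicated
# management subnet and may only talk to it and to the admin jump hosts.
BMC_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DST = [ipaddress.ip_network("10.20.0.0/24"),
               ipaddress.ip_network("10.30.0.0/28")]

# Constructed flow records: (epoch seconds, src ip, dst ip, dst port, bytes)
SAMPLE_FLOWS = [
    (1000, "10.20.0.11", "10.30.0.5", 443, 5200),    # admin console session
    (1060, "10.20.0.12", "203.0.113.7", 443, 310),   # unexpected egress
    (4660, "10.20.0.12", "203.0.113.7", 443, 298),
    (8260, "10.20.0.12", "203.0.113.7", 443, 305),
    (11860, "10.20.0.12", "203.0.113.7", 443, 301),
    (2000, "10.20.0.13", "198.51.100.9", 123, 90),   # single stray packet
    (3000, "10.40.1.8", "203.0.113.7", 443, 900),    # not a BMC, ignored
]

def bmc_egress_findings(flows, max_jitter=0.1, min_events=3):
    """Group BMC-originated flows that leave the allowed networks and mark
    pairs whose timing is regular enough to look like a periodic check-in."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in BMC_NET or any(d in net for net in ALLOWED_DST):
            continue
        by_pair[(src, dst, port)].append((ts, nbytes))
    findings = []
    for (src, dst, port), events in sorted(by_pair.items()):
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        # Coefficient of variation of the gaps: near 0 means clockwork timing.
        periodic = (len(events) >= min_events and mean(gaps) > 0
                    and pstdev(gaps) / mean(gaps) <= max_jitter)
        findings.append({"src": src, "dst": dst, "port": port,
                         "count": len(events),
                         "bytes": sum(n for _, n in events),
                         "periodic": periodic})
    return findings

if __name__ == "__main__":
    for finding in bmc_egress_findings(SAMPLE_FLOWS):
        print(finding)
```

Every finding is a policy violation on its own; the `periodic` flag only helps rank which ones to look at first.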

What Now?

Adding hardware to a design is fundamentally different than software-based hacking: it leaves physical evidence behind. Bloomberg reports on US government efforts to investigate the supply chain attached to these parts. It is worth noting though that the article doesn’t include any named sources while pointing the finger at China’s People’s Liberation Army.

The solution is not a simple one if servers with this malicious chip were already out in the field. Even if you know a motherboard has the additional component, finding it is not easy. Bloomberg also has unconfirmed reports that the next generation of this attack places the malicious component between layers of the circuit board. If true, an x-ray would be required to spot the additional part.

A true solution for high-security applications will require specialized means of making sure that the resulting product is not altered in any way. This hack takes things to a whole new level and calls into question how we validate hardware that runs our networks.

Update: We changed the penultimate paragraph to include the word if: “…simple one if servers with…” as it has not been independently verified that servers were actually out in the field and companies have denied Bloomberg’s reporting that they were.

[Note: Image is a generic photo and not the actual hardware]

Linux Fu: Keep An Eye On That File

One of the things that’s nice about Linux or Unix compared to many other operating systems is there’s a good chance a Linux program will spew out informational messages to a log somewhere. Many commands even have a way to turn on more logs. I know that Windows has the event viewer, but many programs don’t have much to say which makes it difficult to know what’s happening when things go wrong.

The problem is, sometimes programs tell you too much information. How do you find what you want to know? It looks cool on a movie where the hacker is in front of a terminal scrolling 500 lines a second of some log file, but in real life, it is hard to read a moving screen, although with some practice you can sometimes — unreliably — pick out a keyword as it whizzes by.

Like most Unix things, there’s a tool for that. In fact, unsurprisingly, there are many tools for that. If you are using the tail command, that’s certainly one of them. But there are others you should consider.


Doom Battle Royale Mod With 64 Players Hurts Plenty

Sixty-four players are dropped into a map, but there can be only one that emerges victorious…heard that before, right? Thanks to PC Game modder [Bambamalicious] there is yet another entrant into the rapidly growing videogame genre. The difference this time, however, is that their 64 player DooM Royale (with cheese) mod is ready to show all those other also-ran games how the granddaddy of FPS games does it.


According to the announcement post the mod is “…a 64 player Battle Royale using Doom 2 as the IWAD, and the Zandronum engine as its base. The speed of gameplay will be unchanged from normal Doom, and when you die, that’s not the end for you!”. There is a respawn system, but each player is given a limited number of lives. To ensure no server feels like a ghost town [Bambamalicious] included bots that will spawn in matches with low participation. Each game inevitably results in a “last man standing” face off that has the victor coming away with the coveted “Royale with cheese”. Other than the aforementioned changes, this is still the seminal classic Doom (1993).

Do note that the Zandronum engine is required in order to play the mod and take part in the fun. The engine is the backbone that allows for leaderboards as well as hopping between custom servers. Zandronum additionally supports many other multiplayer match types, for instance: Team Deathmatch, Capture the Flag, Possession, and Skulltag. Up to 64 players are supported in those match types as well.

From the looks of the DooM Royale (with cheese) map, there should be frequent enemy player encounters and no respite for those seeking to just “hide in a bathtub”. The multiple levels should supply plenty of opportunity to take advantage by attacking from above. Test footage of the mod in action can be seen in the video below.

For more on the DOS game that just won’t die, check out Doom running on an ATM.


Easy Access Point Configuration On ESP8266

One of the biggest advantages of using the ESP8266 in your projects is how easy it is to get WiFi up and running. Just plug in the WiFi library, put the SSID and encryption key in your source code, and away you go. It authenticates with your network in seconds and you can get on with building your project. But things get a little trickier if you want to take your project someplace else, or distribute your source code to others. Quickly we learn the downside of using static variables for authentication.

While there are already a few solutions to this problem out there, [Martin Raynsford] wasn’t too thrilled with them. Usually they put the ESP8266 in Access Point mode, allow the user to connect, and then ask which network they should authenticate with. But he didn’t want his projects to require an existing network, and figured he could do just as well making a field-configurable AP.

Using it is simple. Once the ESP8266 starts up it will create a new network in the form of “APConfig XXXXXX”, which should be easy enough to find from your client side device. Once connected, you can go to a simple administration page which allows you to configure a new AP name and encryption key. You even have the option to create an open AP by leaving the “Password” field blank. Once rebooted, the ESP8266 will create a new network with the defined parameters.

[Martin] has also included a “backdoor” to let anyone with physical access to the ESP8266 board create a new open AP that can be used to reconfigure the network settings. During boot up there is a brief period, indicated with specific blinks of the LED, wherein you can hit the reset button and trigger the open AP. This keeps you from getting locked out of your own project if you forget what key you gave it.

If you’re not one to go the austere route, take a look at some of the more robust solutions we’ve seen for easier end-user setup of the ESP8266.

WebSockets Embedded With The ESP8266

It used to be that Web browsing was simple. You asked a server for some text, which was duly sent, and then formatted by your browser. Now a web page is as likely to be a full-blown application that is reading mail, editing text, or lots of other things and may use WebSockets to create a back channel to the server. Thanks to affordable hardware like the ESP8266 one of those things a modern web browser can do is sense and control the real world. [Acrobotic] has an interesting video about using WebSockets to allow a browser to talk to an ESP8266 web server in real time. You can see his simple demo in the video below.

Of course, you’ll use the usual language you use on the ESP8266 — [Acrobotic] uses C++ in the Arduino IDE. On the browser side you’ll use JavaScript, although that will be embedded in your C++ program which acts as a web server.


Robot Solves Rubik’s Cube With One Hand Tied Behind Its Back

For all those who have complained about Rubik’s Cube solving robots in the past by dismissing purpose-built rigs that hold the cube in a non-anthropomorphic manner: checkmate.

The video below shows not only that a robot can solve the classic puzzle with mechanical hands, but it can also do it with just one of them – and that with only three fingers. The [Yamakawa] lab at the University of Tokyo built the high-speed manipulator to explore the kinds of fine motions that humans perform without even thinking about them. Their hand, guided by a 500-fps machine vision system, uses two opposing fingers to grip the lower part of the cube while using the other finger to flick the top face of the cube counterclockwise. The entire cube can also be rotated on the vertical axis, or flipped 90° at a time. Piecing these moves together lets the hand solve the cube with impressive speed; extra points for the little, “How’s that, human?” flick at the end.

It might not be the fastest cube solver, or one that’s built right into the cube itself, but there’s something about the dexterity of this hand that we really appreciate.


Ants, Dirt, Rain, And The Commodore 64 That Wouldn’t Quit

Some electronics gear is built for the roughest conditions. With rugged steel cases, weatherproof gaskets, and cables passing through sealed glands, these machines are built to take the worst that Mother Nature can throw at them, shrugging off dust, mud, rain, and ice. Consumer-grade computers from the start of the home PC era, however, are decidedly not such machines.

Built to a price point and liable to succumb to a spilled Mountain Dew, few machines from that era that received any kind of abuse lived to tell the tale. Not so this plucky Commodore 64C, which survived decades exposed to the elements. As [Adrian Black] relates in the video below, this machine was on a scrap heap in an Oregon field, piled there along with other goodies by one of those “pickers” that reality TV loves so much. The machine was a disaster. It hadn’t been soaked in oil, but it was loaded with pine needles and an ant colony. The worst part, though, was the rust. The RF shielding had corroded into powder in some places, leaving reddish rust stains all over the place. Undeterred, [Adrian] gave the machine a good bath, first in water, then in isopropanol. Liberal applications of Deoxit helped with header connections, enough to see that the machine miraculously booted. It took some finagling, especially with the 6526 I/O controller, but [Adrian] was eventually able to get everything on the motherboard working, even the sound chip.

Whether this machine survived due to good engineering or good luck is debatable, but it’s a treat to see it come back to life. We hope a full restoration is in the works, not least as a way to make up for the decades of neglect.
