Malicious Component Found on Server Motherboards Supplied to Numerous Companies

This morning Bloomberg is reporting a bombshell for hardware security. Companies like Amazon and Apple have found a malicious chip on their server motherboards. These are not counterfeit chips. They are not part of the motherboard design. These were added by the factory at the time of manufacture. The chip was placed among other signal conditioning components and is incredibly hard to spot as the nature of these motherboards includes hundreds of minuscule components.

Though Amazon and Apple have denied it, according to Bloomberg, a private security contractor in Canada found the hidden chip on server motherboards. Elemental Technologies, acquired by Amazon in 2015 for its video and graphics processing hardware, subcontracted Supermicro (Super Micro Computer, Inc.) to manufacture their server motherboards in China. It is unknown how many of the company’s products have this type of malicious hardware in them, equipment from Elemental Technologies has been supplied to the likes of government contractors as well as major banks and even reportedly used in the CIA’s drone operations.

How the Hack Works

The attacks work with the small chip being implanted onto the motherboard disguised as signal couplers. It is unclear how the chip gains access to the peripherals such as memory (as reported by Bloomberg) but it is possible it has something to do with accessing the bus. The chip controls some data lines on the motherboard that likely provide an attack vector for the baseboard management controller (BMC).

Hackaday spoke with Joe FitzPatrick (a well known hardware security guru who was quoted in the Bloomberg article). He finds this reported attack as a very believable approach to compromising servers. His take on the BMC is that it’s usually an ARM processor running an ancient version of Linux that has control over the major parts of the server. Any known vulnerability in the BMC would be an attack surface for the custom chip.

Data centers house thousands of individual servers that see no physical interaction from humans once installed. The BMC lets administrators control the servers remotely to reboot malfunctioning equipment among other administrative tasks. If this malicious chip can take control of the BMC, then it can provide remote access to whomever installed the chip. Reported investigations have revealed the hack in action with brief check-in communications from these chips though it’s difficult to say if they had already served their purpose or were being saved for a future date.

What Now?

Adding hardware to a design is fundamentally different than software-based hacking: it leaves physical evidence behind. Bloomberg reports on US government efforts to investigate the supply chain attached to these parts. It is worth noting though that the article doesn’t include any named sources while pointing the finger at China’s People’s Liberation Army.

The solution is not a simple one if servers with this malicious chip were already out in the field. Even if you know a motherboard has the additional component, finding it is not easy. Bloomberg also has unconfirmed reports that the next-generation of this attack places the malicious component between layers of the circuit board. If true, an x-ray would be required to spot the additional part.

A true solution for high-security applications will require specialized means of making sure that the resulting product is not altered in any way. This hack takes things to a whole new level and calls into question how we validate hardware that runs our networks.

Update: We changed the penultimate paragraph to include the word if: “…simple one if servers with…” as it has not been independently verified that servers were actually out in the field and companies have denied Bloomberg’s reporting that they were.

[Note: Image is a generic photo and not the actual hardware]

Show that Sega Saturn Save Battery Who’s Boss

Breaking out the Sega Saturn out of the closet for a hit of 90’s nostalgia comes with its own set of compromises: the wired controllers, the composite video, and worst of all that dead CR2032 battery behind the backdoor. Along with the death of that battery went your clock and all those precious hours put into your game save files. While the bulk of us kept feeding the insatiable SRAM, a friendly Canadian engineer named [René] decided to fix the problem for good with FRAM.

The issue with the battery-backed memory in the Saturn stems from the particularly power-hungry factory installed SRAM chip. Normally when the console is plugged-in to a main power source the CR2032 battery is not in use, though after several weeks in storage the battery slowly discharges. [René’s] proposed solution was to use a non-volatile form of RAM chip that would match the pinout of the factory SRAM as close as possible. This would allow for easier install with the minimum number of jumper wires.

Enter the FM1808 FRAM chip complete with a whopping 256 kb of addressable memory. The ferroelectric chip operates at the same voltage as the Saturn’s factory SRAM, and has the added benefit of being able to use a read/write mode similar to that of the Saturn’s original memory chip. Both chips conform to a DIP-28 footprint, and only a single jumper wire on pin 22 was required to hold the FM1808 chip’s output-enable signal active-low as opposed to the active-high enable signal on the Saturn’s factory memory chip. The before and after motherboard photos are below:

After a quick test run of multiple successful read and writes to memory, [René] unplugged his Saturn for a couple days and found that his save files had been maintained. According to the FM1808 datasheet, they should be there for the next 45 years or so. The only downside to the upgrade is that the clock & calendar settings were not maintained upon boot-up and reset to the year 1996. But that’s nothing a bit of button-mashing through couldn’t solve, because after all wasn’t the point of all this to relive a piece of the 90s?

For more Sega Saturn goodness, check out how the Sega Saturn was finally cracked after 20 years.

Badgelife, The Hardware Demoscene Documentary

Last week, tens of thousands of people headed home from Vegas, fresh out of this year’s DEF CON. This was a great year for DEF CON, especially when it comes to hardware. This was the year independent badges took over, thanks to a small community of people dedicated to creating small-run hardware, puzzles, and PCB art for thousands of conference-goers. This is badgelife, a demoscene of hardware, and this is just the beginning. It’s only going to get bigger from here on out.

We were lucky enough to sit down with a few of the creators behind the badges of this year’s DEF CON and the interviews were fantastic. Right here is a lesson on electronic design, manufacturing, and logistics. If you’ve ever wanted to be an engineer that ships a product instead of a lowly maker that ships a product, this is the greatest classroom in the world.

Continue reading “Badgelife, The Hardware Demoscene Documentary”

H2gO Keeps Us from Drying Out

The scientific community cannot always agree on how much water a person needs in a day, and since we are not Fremen, we should give it more thought than we do. For many people, remembering to take a sip now and then is all we need and the H2gO is built to remind [Angeliki Beyko] when to reach for the water bottle. A kitchen timer would probably get the job done, but we can assure you, that is not how we do things around here.

A cast silicone droplet lights up to show how much water you have drunk and pressing the center of the device means you have taken a drink. Under the hood, you find a twelve-node NeoPixel ring, a twelve millimeter momentary switch, and an Arduino Pro Mini holding it all together. A GitHub repo is linked in the article where you can find Arduino code, the droplet model, and links to all the parts. I do not think we will need a device to remind us when to use the bathroom after all this water.

Another intrepid hacker seeks to measure a person’s intake while another measures output.

Continue reading “H2gO Keeps Us from Drying Out”

SPIDriver Shows You What’s Going On

When you’re debugging two bits of electronics talking SPI to each other, there’s a lot that can go sideways. Starting from the ground up, the signals can be wrong: data not synced with clocks right, or phase inverted. On top of that, the actual data sent needs to make sense to the receiving device. Are you sending the right commands?

When nothing’s working, you’re fighting simultaneously on these two fronts and you might need different tools to debug each. An oscilloscope works great at the physical layer, while something like a Bus Pirate or fancier logic analyzer works better at the data layer because it can do parsing for you. [James Bowman]’s SPIDriver looks to us like a Bus Pirate with a screen — giving you a fighting chance on both fronts.

SPIDriver also has a couple more tricks up its sleeve: a voltage and current monitor for the device under test, so you don’t even have to break out your multimeter when you’re experiencing random resets. We asked [James] if these additions had a sad history behind them. He included this XKCD.

Everything about SPIDriver is open, so you can check out the hardware design, browse the code, and modify any and all of it to your taste. And speaking of open, [James] is also the man behind the Gameduino and an amazing FPGA Forth soft-CPU.

It’s fully crowd-funded, but it closes in a couple of days so if you want one, get on it soon.

And if you want to learn more about SPI debugging, we’ve written up a crash-course. With the gear and the know-how, you at least stand a fighting chance.

This Is The Year Conference Badges Get Their Own Badges

Over the last few years, the art and artistry of printed circuit boards has moved from business cards to the most desirable of all disposable electronics. I speak, of course, of badgelife. This is the community built on creating and distributing independent electronic conference badges at the various tech and security conferences around the globe.

Until now, badgelife has been a loose confederation of badgemakers and distributors outdoing themselves each year with ever more impressive boards, techniques, and always more blinky bling. The field is advancing so fast there is no comparison to what was being done in years past; where a simple PCB and blinking LED would have sufficed a decade ago, now we have customized microcontrollers direct from the factory, fancy new chips, and the greatest art you’ve ever seen.

Now we have reached a threshold. The badgelife community has gotten so big, the badges are getting their own badges. This is the year of the badge add-on. We’re all building tiny trinkets for our badges, and this time, they’ll all work together. We’re exactly one year away from a sweet Voltron robot made of badges.

Continue reading “This Is The Year Conference Badges Get Their Own Badges”

Scotty Allen Visits Strange Parts, Builds an iPhone

Scotty Allen has a YouTube blog called Strange Parts; maybe you’ve seen his super-popular video about building his own iPhone “from scratch”. It’s a great story, and it’s also a pretext for a slightly deeper dive into the electronics hardware manufacturing, assembly, and repair capital of the world: Shenzhen, China. After his talk at the 2017 Superconference, we got a chance to sit down with Scotty and ask about cellphones and his other travels. Check it out:

The Story of the Phone

Scotty was sitting around with friends, drinking in one of Shenzhen’s night markets, and talking about how bizarre some things seem to outsiders. There are people sitting on street corners, shucking cellphones like you’d shuck oysters, and harvesting the good parts inside. Electronics parts, new and used, don’t come from somewhere far away and there’s no mail-ordering. A ten-minute walk over to the markets will get you everything you need. The desire to explain some small part of this alternate reality to outsiders was what drove Scotty to dig into China’s cellphone ecosystem.

Continue reading “Scotty Allen Visits Strange Parts, Builds an iPhone”