undefined | Better HN

0 pointstimschmidt4y ago0 comments

It was also quite a plausible hack. The faker, if indeed anything was faked, knew more than most. Enough to have done the thing for real.

0 comments

6 comments · 1 top-level

djrogers4y ago· 5 in thread

It was completely implausible - the chip that was identified could not possibly carry enough processing ability to do anything useful as far as espionage goes, had no connectivity to networking, and there was never any evidence of communication from these devices to anything suspicious or unknown.

derefr4y ago

> processing power; networking

Could the device not simply get the host to do these things for it, by e.g. rootkit-ing the server’s BMC? A “hardware virus”, per se.

tablespoon4y ago

>> It was completely implausible - the chip that was identified could not possibly carry enough processing ability to do anything useful as far as espionage goes, had no connectivity to networking, and there was never any evidence of communication from these devices to anything suspicious or unknown.

> Could the device not simply get the host to do these things for it, by e.g. rootkit-ing the server’s BMC? A “hardware virus”, per se.

IIRC, that's exactly what was alleged in the article. It was an implant that sat on the BMC ROM bus, fiddling with bits as the ROM was read during bootup. No need for any networking or processing ability beyond what was needed to that. This guy actually did a POC of that: https://trmm.net/Modchips/.

So totally plausable.

exikyut4y ago

My understanding was that it sat between the BMC and its boot flash and (assuming it was real) was designed to bit-twiddle regions of the firmware as it flew past over SPI. So basically streaming strpos() (or maybe even counting bytes) and then sending some alternate sequence of data.

That would require some processing chops to handle whatever speed the SPI bus ran at, and a bit of space to store the replacement bytes. Firmly within the margin for plausibility with even basic off-the-shelf kit. Honestly depressing really.

luma4y ago

Not at all implausible, it was reported to be connected to the BMC which are often notoriously insecure and which could conceivably grant it network access.

rob_c4y ago

No adding components activates different hardware features on the chipset its connected to. I.e. remote debug access via a reserved data line when pinX is high/low... all that would need is a single surface mount resistor or frankly tin-foil.

j / k navigate · click thread line to collapse