[dboreham]

As a matter of routine, nobody with a clue would ever allow public Internet connectivity to the BMC NIC. They would also never allow the "bridge" mode where the BMC NIC gets logically connected to one of the primary NICs (useful if you want to spin up a box with only one drop cable in the lab). I wondered if perhaps the attack involved subverting the air gap between the BMC NIC and a primary NIC. Perhaps a reason to use https://en.wikipedia.org/wiki/IEEE_802.1X

[heartbreak]

In the other threads it has been mentioned that this hypothetical attack could run similarly to the US/Xerox op in the Cold War. The Xerox machines recorded data which was collected by a Xerox technician during regular maintenance. A board with a trojan chip on it could potentially record data to be collected during an RMA. No need for network transmission.

[cpr]

Heck, you can find millions of pages of highly confidential documentation in any Xerox copier junkyard--it's all standardly copied to their internal disks, which are never cleaned on junking.

This caused a small stink a while back but I doubt if anything's changed.

[teknologist]

If the rogue firmware was indeed loaded from this chip, the "bridge mode" could have been forcefully activated.

[tessi3r]

But monitoring software really wouldn't detect this...?

[teknologist]

"Monitoring software" could really mean anything, or nothing.

[dboreham]

Parent probably means network exfiltration detection.

[tessi3r]

The article did mention something around the lines of "the compromised machines could talk to other compromised machines on a network" so I guess the idea is to find a compromised machine close enough to an edge network to reach a C&C server?