Hacker News
by mhjas 2808 days ago
I just don't think the relationship between those two things you are describing exists. If the Chinese government approaches a Chinese manufacturer with the goal of compromising US software companies, adding some sort of chip that reconfigured the hardware would be the most straightforward thing for them to do.

If anything, I think the idea that a Chinese manufacturer with complete access to the hardware would have to execute some exploit against the web interface to get access is far-fetched. So is the idea that you could pretend to update the firmware (surely no one is going to notice that the new version doesn't have the features you wanted?) and that dumping the firmware would be inconvenient (it would be the first thing you did if you suspected something).

1 comment

The "chip that reconfigured the hardware" is already built in; it's the BMC.

All the Chinese government has to do is go to the factory and tell them "flash the BMC firmware with this image", where the image is subverted (but operationally indistinguishable) BMC firmware. It doesn't get much more straightforward than that.

There are attacks where flashing a malicious firmware onto the device prevents real firmware flashing (it just updates version numbers, re-infects the flashing payload on write, etc.). However, those attacks can be mitigated by physically connecting to the flash module and writing to the device directly through SPI. If you've got a chip between the BMC and the flash memory, as the report suggests, it can re-infect the memory even when you're done. You could even read the contents of the flash memory directly and find no evidence of the attacker, as the attack code might never actually write to the memory and may only load when the BMC boots and attempts to read from the flash memory.

It is straightforward to compromise the BMC; it isn't straightforward to hide a backdoor in the BMC in front of some of the best security researchers in the world, especially with such an attack being well known and seemingly trivial to check for.
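The "chip between the BMC and the flash" scenario in the reply above, modelled in code. This is an added illustration, not code from the thread, from any commenter, or from any vendor or report: it simulates a SPI-flash interposer that passes writes through untouched and only patches reads in flight when they look like the BMC boot ROM fetching its first stage right after reset. The flash size, the boot-stage address and length, the "first three transactions after reset" window, the dump chunk size and the firmware image itself are all constructed assumptions for the model; a real part would fingerprint the bus electrically, which this does not attempt.

```python
"""Model of a SPI-flash interposer sitting between a BMC and its boot flash.

Added illustration only; addresses, sizes and the boot-time access pattern
are assumptions chosen for the model, not measured from any real board.
"""
import hashlib

FLASH_SIZE = 64 * 1024     # assumed: 64 KiB model flash
PAGE = 4096                # assumed: chunk size an investigator's dumper reads in
BOOT_ADDR = 0x1000         # assumed: where the BMC boot ROM fetches its first stage
BOOT_LEN = 0x200           # assumed: size of that first-stage fetch
BOOT_WINDOW = 3            # assumed: reads within the first 3 transactions after reset
BACKDOOR = b"\xde\xad" * (BOOT_LEN // 2)   # stand-in for patched first-stage code


def build_genuine_image() -> bytes:
    """Deterministic stand-in for a vendor BMC firmware image (constructed)."""
    return bytes((i * 7 + 3) & 0xFF for i in range(FLASH_SIZE))


class SpiFlash:
    """The real flash die: it stores exactly what is written to it."""

    def __init__(self, image: bytes):
        self.contents = bytearray(image)

    def read(self, addr: int, length: int) -> bytes:
        return bytes(self.contents[addr:addr + length])

    def write(self, addr: int, data: bytes) -> None:
        self.contents[addr:addr + len(data)] = data


class Interposer:
    """Sits on the SPI lines. Writes pass through, so the die is never modified
    and never carries the attacker's code; reads are substituted in flight only
    when they match the boot ROM's fetch (address, length, position after reset)."""

    def __init__(self, flash: SpiFlash):
        self.flash = flash
        self.since_reset = None    # None: no reset observed yet

    def reset(self) -> None:
        self.since_reset = 0

    def write(self, addr: int, data: bytes) -> None:
        self.flash.write(addr, data)    # pass-through: a reflash really lands on the die

    def read(self, addr: int, length: int) -> bytes:
        data = self.flash.read(addr, length)
        boot_like = (self.since_reset is not None
                     and self.since_reset < BOOT_WINDOW
                     and addr == BOOT_ADDR and length == BOOT_LEN)
        if self.since_reset is not None:
            self.since_reset += 1
        # A full sequential dump never matches: it starts at 0 and reads PAGE-sized
        # chunks, so even the chunk at BOOT_ADDR has the wrong length.
        return BACKDOOR if boot_like else data


def dump_via_spi(bus) -> bytes:
    """What an investigator with a clip on the flash sees: a full sequential dump."""
    return b"".join(bus.read(a, PAGE) for a in range(0, FLASH_SIZE, PAGE))


def bmc_boot(bus) -> bytes:
    """What the BMC's boot ROM actually fetches and executes after a reset."""
    bus.reset()
    return bus.read(BOOT_ADDR, BOOT_LEN)


def sha256(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


def demo() -> dict:
    genuine = build_genuine_image()
    bus = Interposer(SpiFlash(genuine))
    bus.write(0, genuine)              # investigator reflashes the known-good image
    dump = dump_via_spi(bus)           # ... and dumps it back to verify
    bus.reset()
    dump_after_reset = dump_via_spi(bus)   # even a dump taken right after reset
    executed = bmc_boot(bus)           # but the BMC's boot-time fetch differs
    return {
        "dump_matches_vendor": sha256(dump) == sha256(genuine),
        "dump_after_reset_matches_vendor": dump_after_reset == genuine,
        "die_matches_vendor": bytes(bus.flash.contents) == genuine,
        "boot_matches_vendor": executed == genuine[BOOT_ADDR:BOOT_ADDR + BOOT_LEN],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes: reflashing over SPI succeeds, reading the die back over SPI returns the vendor image byte for byte, and the hash check passes, yet the bytes the BMC boots from are not those bytes. The check that would catch it is observing the bus while the BMC itself boots (or comparing what the running BMC executes against the dump), not any number of dumps taken by the investigator's own reader.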