[bdamm]

Eh... it's not quite that simple. Checking the firmware before it goes into the device is not the issue. It's after the firmware is in the (integrated) device that it's an issue. How do you check that? You have to boot the device to calculate the CRC. Now assume that the device's bootloader is compromised and that the device actually has more internal storage than you thought. Now what? Ensuring correctness of firmware to verify the device won't do something you've never seen it do is quite difficult.

[kickopotomus]

I just brought up the CRCs as an example of due diligence. This attack, as I understand it, hinges on a design and BOM change to the board. So my question is how did that change manage to make it past both Supermicro and Elemental?

[stevehawk]

Simply put, they never checked?