[djrogers]

It was completely implausible - the chip that was identified could not possibly carry enough processing ability to do anything useful as far as espionage goes, had no connectivity to networking, and there was never any evidence of communication from these devices to anything suspicious or unknown.

[derefr]

> processing power; networking

Could the device not simply get the host to do these things for it, by e.g. rootkit-ing the server’s BMC? A “hardware virus”, per se.

[tablespoon]

>> It was completely implausible - the chip that was identified could not possibly carry enough processing ability to do anything useful as far as espionage goes, had no connectivity to networking, and there was never any evidence of communication from these devices to anything suspicious or unknown.

> Could the device not simply get the host to do these things for it, by e.g. rootkit-ing the server’s BMC? A “hardware virus”, per se.

IIRC, that's exactly what was alleged in the article. It was an implant that sat on the BMC ROM bus, fiddling with bits as the ROM was read during bootup. No need for any networking or processing ability beyond what was needed to that. This guy actually did a POC of that: https://trmm.net/Modchips/.

So totally plausable.

[exikyut]

My understanding was that it sat between the BMC and its boot flash and (assuming it was real) was designed to bit-twiddle regions of the firmware as it flew past over SPI. So basically streaming strpos() (or maybe even counting bytes) and then sending some alternate sequence of data.

That would require some processing chops to handle whatever speed the SPI bus ran at, and a bit of space to store the replacement bytes. Firmly within the margin for plausibility with even basic off-the-shelf kit. Honestly depressing really.

[luma]

Not at all implausible, it was reported to be connected to the BMC which are often notoriously insecure and which could conceivably grant it network access.

[rob_c]

No adding components activates different hardware features on the chipset its connected to. I.e. remote debug access via a reserved data line when pinX is high/low... all that would need is a single surface mount resistor or frankly tin-foil.