Today we are going to more thoroughly address the Bloomberg Businessweek article alleging that China targeted 30 companies by inserting chips in the manufacturing process of Supermicro servers. Despite denials from named companies and the technology press casting some reasonable doubt on the story, Bloomberg doubled down and posted a follow-up article claiming a different hack took place. In this piece, we are going to present a critical view of Bloomberg’s claims, as supported by anonymous sources, in order to allow our readers to decide for themselves the credibility of Bloomberg’s reporting in this case.
Technical Lightness or Inaccuracy
This is a long article. In the first section, we are going to discuss why there are some fairly astounding plausibility and feasibility gaps in Bloomberg’s description of how the hacks worked. The weakness in this section of the Bloomberg article makes it extremely difficult to navigate and it is light on details. We are going to evaluate some of the parts in isolation, and also discuss some of the logical outcomes. In our first investigative piece, Bloomberg Reports China Infiltrated the Supermicro Supply Chain We Investigate, we went into some detail about why a motherboard and hardware for a motherboard is a very difficult way to hack a BMC. If you have not read our Explaining the Baseboard Management Controller or BMC in Servers that should be a precursor to reading the next section. STH has a relatively technically minded audience, so we are going to assume our audience has at least the knowledge imparted in that article.
Read more.
si ... Insecure Firmware Updates in Server Management Systems