Ask HN: Is the “big hack” technically possible?

7 points by kuon ↗ HN
I guess we've all read the big hack story by now.

Like all sensational tech stories, I have my doubts on it.

I cannot verify any claim made by either party, but what I can do is evaluate the technical feasibility of the hack.

As I understand, it was a tiny chip used to control the BMC of supermicro servers.

By the look of it, it has 6 pins, which 2 must be used for power, that let us with four for whatever it was doing.

I do a bit of electronics, I went as far as designing my own low power arduino like board. But that's not enough to have a clear idea on how this chip could attack the board. The chip must be using SPI or something similar but where would it be hooked?

I know that this is mostly speculations, but I'm interested in all possible theories about how this chip works.

5 comments

[ 2.4 ms ] story [ 33.5 ms ] thread
i2c/smbus is a standard 2-wire multi node bus that is used all over the place in motherboards.
Feasible yes. Unlikely yes.

It would require multi master bus arbitration which isn’t built into the SPI protocol so it would have to intercept the protocol’s MOSI/MISO lines. Thus requiring more pins.

That means larger package.

And a larger piece of steaming evidence sitting there.

I can’t see any logic however in doing this because there are tens of not hundreds of easier vectors involving the software side of it. Edit: which are all plausibly deniable.

Also rewriting SPI would be difficult to do fast without dedicated silicon (expensive dev cycle) or FPGA (physically large).

Edit: to note, eSPI was only formalised in 2016 by Intel to replace LPC so this either predates that or talks to the LPC bus which has a much higher pin count.

Edit 2: also these would be very easy to find. You pull the known components attached to the SPI bus off the board at a rework station, dump a few hundred volts down the SPI bus and look for where the smoke comes out. Then you buy another identical board and analyse that part of it. The change in impedance and current drain of the device would be evident as well.

Spinning custom silicon is not beyond the capability of a nation-state.
You're right. It isn't beyond it. But to do this you need access to the binaries and build process to do a differential analysis for injection. If you had access to that why would you not modify at firmware load time?

I can't see any logic in leaving a physical device on the board as evidence. It's like leaving a machete with your fingerprints all over it when you murder someone.

The Register has an interesting article about it, and how it could be possible. On the other hand, they point out that it would be more likely that the actual firmware to be changed. It reminds me of the fiction book "Ghost Fleet", where China starts a war with the US and a bunch of the US war machine is compromised.

https://www.theregister.co.uk/2018/10/04/supermicro_bloomber...