6 comments

[ 5.7 ms ] story [ 27.4 ms ] thread
This is worrying yet not surprising. Until security is a core tenet this will continue.
> Supermicro Servers Can Be Easily Backdoored After All

The implication that the Bloomberg article is correct is false. The Bloomberg article specifically spoke of the a small chip inserted. This is about the firmware.

And even worse, of course you can backdoor a system when you modify firmware. Why is that news at all?
Title is highly misleading. Outright dishonest.

Their argument is essentially: If you can remove and repogram a network connected micro-controller (specifically the BMC) you can introduce a backdoor.

Which is both obvious, and has absolutely nothing to do with Bloomberg's claims.

I'd strongly recommend the mods change both the link and title to the original eclypsium source:

"The Missing Security Primer for Bare Metal Cloud Services"

https://eclypsium.com/2019/01/26/the-missing-security-primer...

You don't need to remove the microcontroller. You can reflash it using a utility, and the researchers showed that IBM was not resetting the BMC firmware between clients on that bare-metal server.
Correct. The recent news is that companies who lease bare-metal often don’t do a good job cleaning up after previous tenants’ BMC modifications. Currently this is happening at least with an IBM platform where they’re leasing Supermicro hosts. It could just as easily be happening with another hosting provider leasing another company’s hardware.