13 comments

[ 4.7 ms ] story [ 43.2 ms ] thread
> “This is nation-state stuff, absolutely crazy in its sophistication. Kaspersky discovered it, so there’s no speculation as to the attacker.”

Okay, I’m obviously ignorant so help me out here... Who is apparently guaranteed to be the attacker in Schneier’s mind? USA? China? Israel? Russia?

Obviously USA - it's always USA vs Russia/China/Middle East. Ukrainian/Russian war certainly isn't helping.
There's definitely not enough information to reach this conclusion. The hardware exploit for example uses registers that shouldn't even exist on the chip. That smells a lot like a supply chain attack, which would make China a prime suspect as well.
Why do you believe the registers shouldn't exist rather than them being undocumented/test registers?

Having worked in the semiconductor industry, this is pretty common.

I cannot even begin to imagine how anyone could insert registers into a chip. First of all, the chip is made by TSMC and it's not like Apple give them their HDL files. TSMC will just get a GDS file which is basically just a file with a bunch of polygons defined. I would go as far as to say that it's impossible to do it at that level given the complexity of chips nowadays.

> Having worked in the semiconductor industry, this is pretty common.

If this is true, why are they implying that it would require inside knowledge? If you understand these might exist, would it not be possible to find these registers via brute force?

Can you explain why you think this is a Chinese supply chain attack?

The chip isn't fabricated in China. The fab doesn't have access to the HDL source code so no one can just code in malicious registers. They'd need modify something like the chip mask precursor I think. I'm not a chip fabricator so I don't know enough to say this is impossible.

I explicitly said there is no evidence to make any such conclusion and merely provided an equally likely alternative lead.

>The chip isn't fabricated in China.

Not if you ask china. Though at this point I wouldn't be surprised if all major players have people on the inside.

> equally likely alternative lead

You provided complete speculation. Definitely not an equally likely alternative.

In what sense was the other lead anything but complete speculation?
The nation state in question seems to have blown its cover and revealed their secret backdoor by deploying it across so many devices. When you consider the value of something like that and the inevitability of eventual discovery if you use it so widely this seems a bit of an odd choice for such a sophisticated actor. It makes you wonder if they had other backdoors they use for higher value targets.
For those that usually skip reading the actual article, or only stop at the article and don't read the comments - I can recommend the comments as worthy of your time, especially those of "Clive Robinson". Technically savvy and very well versed in the ways and means of the security services.