The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

This site may earn a commission from merchant affiliate links, including eBay, Amazon, and others.

NightShade

Sharpshooter
Special Hen
Joined
Apr 24, 2013
Messages
4,116
Reaction score
1,812
Location
Guthrie
News is coming out from some of the cited sources in the article that it's all BS.

https://www.zdnet.com/article/secur...chip-hack-investigation-casts-doubt-on-story/

A ton of the information is brought into question and my guess is someone figures that the BMC chip is at blame. That chip allows remote access however you would have to have internal network access to even make it a viable hack I would imagine that most large corporations physically separate access to the IPMI function from the general network. Not to mention that the supposed hack is more related to out of date software on the IMPI interface rather than a hardware hack.
 

NightShade

Sharpshooter
Special Hen
Joined
Apr 24, 2013
Messages
4,116
Reaction score
1,812
Location
Guthrie
Nope, they took the researchers information that applies to all boards that have BMC or IPMI controllers for datacenter bare metal access remotely and applied it to only SuperMicro. For anything that is out of date or setup in an insecure method someone can easily cause problems and hack the boards. However physical separation of the the IPMI port from the general data port mitigates the majority of that issue. I can't comment on how a large datacenter would do things but I would not want to have the IPMI ports connected to ANY of the ports that transfer data to the internet. Physical separation of both networks will cost a little more in the short run but is a huge security gain in the long run. Plus all it ends up being is an extra switch and a little extra cat5 cabling and honestly if you were connecting the ports up to begin with it's not even an extra switch since you would need another switch for the ports to be in use anyway. The other option is setting up vLan which is still pretty secure in it's own way.

https://www.servethehome.com/yossi-...-positioning-his-research-against-supermicro/


For those who do not understand what IPMI is https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface will explain it. But basically it allows a user to manage a server as if they were sitting in front of it with a tool and an ethernet connection. This allows you to literally do ANYTHING that you could do physically sitting at the computer and in some ways more since you can remotely mount ISO's and load the operating system. I have it and use it from time to time when I check on my FreeNAS. To turn off access I can simply unplug the Cat5 Cable. Some systems will however default that if a cable is not plugged in to the dedicated IPMI interface that the first LAN port will allow access. In my case since I am not using the built in LAN ports for data transfer but instead have a 10Gbit fiber card this is not an issue.

However, like for any other management interface, best security practices dictate the placement of the IPMI management port on a dedicated management LAN or VLAN restricted to trusted Administrators.

My router uses a similar IPMI port and while I am using the LAN ports it doesn't matter since when I acquired the board the IPMI function was damaged. The only way to even hook up a monitor is to insert a video card of some sort and even using the tool while it will connect there is nothing else available, could not even power cycle the board. Hence the reason why the purchase price of the board was refunded. I didn't figure out until afterwards that the board was still semi functional however as a router I only need access to it if there is an issue or I am initially setting things up. Otherwise management is done through a web page.

All I can say is I have two Supermicro boards and set a system up for my father and step-daughter using Supermicro boards. The BS that Bloomberg is crapping out is custom built from a bull's rear end.
 
Joined
Dec 9, 2008
Messages
87,599
Reaction score
69,798
Location
Ponca City Ok
News is coming out from some of the cited sources in the article that it's all BS.

https://www.zdnet.com/article/secur...chip-hack-investigation-casts-doubt-on-story/

I would imagine that most large corporations physically separate access to the IPMI function from the general network. Not to mention that the supposed hack is more related to out of date software on the IMPI interface rather than a hardware hack.

When I was at the power plant, we upgraded our control system to a new ABB software, serial number 1 and 2. Double firewalls and absolutely no access to the internet. It was and is a stand alone system that can't be hacked.
 

Latest posts

Top Bottom