 So, Dramel Hudson, who is standing here, he's taking things apart. Don't worry, not live on stage, but he will give us a proof of concept and some details and functionalities about hardware implants. So the same things that we heard from Bloomberg article talking about Apple and super microcomputers with implants were implanted into those computers. And I'm really excited to see this in action. Please give a warm round of applause to Dramel Hudson. Before we begin talking about hardware implants, just two quick disclaimers. The first from my employer, Two Sigma Investments, as it says on our chocolate bars, this is not investment advice. And secondly, I don't actually know what the story is behind the super micro story. No one outside of Bloomberg and their sources do. But I have spent a lot of time thinking about hardware implants. Starting with the Thunderstrike firmware attack against MacBooks, as well as the Thunderstrike 2, where we were able to get software to write into the firmware on the MacBooks. I've also been thinking a lot about how to defend against hardware implants with things like the Head's firmware for slightly more secure laptops. And also as part of my co-lead on the Linux Boot project, we're thinking about how to protect servers from physical and software attacks. So with all of this concentrated thinking about firmware and hardware attacks, I was really excited when I saw the Bloomberg story back in October. But what really intrigued me was the animated image that they had at the header that highlighted one small part of the board as where the implant was. But what I found really interesting is that is exactly where I would install a hardware implant as they described on the spy bus. A lot of other people in the hardware and firmware security community thought it sounded plausible. Other people pointed out that supply chain attacks come up periodically and they are definitely a concern. Some people thought the attack as described was entirely implausible. And in general, we sort of had a whiskey tango foxtrot moment as everybody scrambled to figure out what's going on inside their machines. So let's step back very quickly and review what the key claims that Bloomberg alleged happened. First, they said that Amazon's testers found a tiny microchip that wasn't part of the board's original design that had been disguised to look like a signal conditioning coupler and that these illicit chips were connected to the base board management controller or the BMC, which gave them access to machines that were turned off. That might sound kind of extreme, but that's actually what the role of the BMC is. That in most servers, the BMC is running any time the machine is hooked up to power and it's connected to the power supplies so that it can turn the machine on and turn it off. Frequently you want to be able to do this over a network, so it has its own dedicated LAN port, but it can also share the LAN port with the main system. Serial over LAN is a really useful way to debug the systems, so it provides that functionality. It can also provide fake USB volumes to allow you to do unattended OS installation. A lot of sites also want remote KVM, so it has VGA, but that VGA support means that it's on the PCIe bus and because it's on PCIe, it can do DMA into main memory. It also is typically MUXed into the spy flash for the host firmware, which allows it to modify it. And on some systems, it's even connected to the TPM, which allows it to circumvent the core root of trust. So with all of this capability inside this chip, it's really unfortunate that they are really not well put together. The head of Azure security says they have no protection against attacks, there's no ability to detect if an attack has happened, and there's no ability to recover from an attack. So having a hardware implant on the BMC is a really big concern. The other claim in the article is that it affected 30 different companies, including Apple, and Bloomberg alleges that Apple found malicious chips independently on their Super Micro boards and went to the FBI about it, and that they then severed ties with Super Micro. This particular claim was interesting because it corroborated a story that had shown up back in early 2017 that Apple had removed Super Micro from their data centers. Apple denied that there was a firmware issue, but it's interesting that perhaps these two were related. The third set of claims is that on some of these implants, they were actually put between the layers on the PCB. And then the most explosive claim is that this was done by operatives from the Chinese People's Liberation Army. With the story, with this many claims and this significant of allegations, we'd hope that it'd be really well-sourced. And for a normal story, 17 independent sources that Bloomberg editors agreed to grant anonymity to, including six national security, two people inside of AWS, and three senior insiders at Apple. It seems like pretty solid sourcing, except as soon as this article was published, everyone denied it. The Director of National Intelligence said they'd seen no evidence of this. Amazon said that they've never found any issues of modified hardware, nor have they been engaged with the government over it. Apple was even more blunt. CEO Tim Cook said, this did not happen. There is no truth to this. And Supermicro wrote a fairly lengthy letter about what they do to protect their supply chain and why they think this attack did not happen. And it's worth going through to look at some of the things that they say that they do to protect their supply chain. They point out that if there's any unauthorized physical alterations during the manufacturing process, other design elements would not match, and those things would be detected. To sort of understand how circuit boards are made, I recently visited a PCB factory in Aguanjo. This is not a Supermicro factory. This is just a holiday photos. So in order to add new vias, they would have to modify the drill files, which would then get electroplated. If they had to add new traces, they would have to be able to subvert the masking and etching process. And any changes to either the drills or the etching on individual layers would be caught by the optical inspection that's done on those bare circuit boards. Additionally, the allegation that things were inserted between circuit boards would require that the lamination process be subverted and the implant somehow aligned into the system. If that implant changes any of the connectivity, the flying probe testers would pick it up, or the bed of nails testers, which checks all of the connectivity of all the traces to make sure that there are no shorts and to make sure that everything that is supposed to be connected is electrically conductive. So it would be very difficult to circumvent the production process at this stage, and it also would be very difficult to contain because the PCB factory doesn't know which customers are going to receive those circuit boards. Supermicro also points out that during the assembly process, when the parts are installed, they have their employees on site the whole time. On my same holiday trip, I also visited some PCB assembly companies and spoke with companies that are using doing contract manufacturing. And they said that they also send their employees to the production line to observe the pick-and-place machines and the reflow and the rest of the surface mount assembly. Their big concern is that if they don't have someone there, the parts that are fed into the pick-and-place will be replaced with either counterfeits or with salvaged parts. I visited the electronics market in Wachan Bay where there are people desoldering e-waste and then sorting the parts into bins and selling these salvaged components by the kilo. And for a few extra from NIMBY, they'll put them on reels for you so that you can save a few pennies on your production process. The other concern that these companies have is not just salvaged parts, but straight-up counterfeits, especially for things that cost more than a few dollars each. The Arduino community was hit a few years ago with a bunch of counterfeit FTDI chips where the internal construction was entirely different. In this case, it caused reliability issues, but you can imagine from a security perspective, this is really worrisome that parts that look identical might have completely different functionality inside of them. Supermicro also mentions that they x-ray their mainboards to look for anomalies. And I wasn't able to take any photos inside a factory that was doing x-rays, but in this Wikipedia photo, we can clearly see active components like this SOIC chip are different from things like the SMD resistors and capacitors. So if an attacker were trying to subvert the supply chain, by putting a disguised component, it could be detected at this step. Another interesting thing in this photo are these inductors that are encased in DIP packages. This is really common in a lot of Ethernet boards, and occasionally people have thought they had some sort of hardware implant when they found inductors in their Ethernet jacks. But it's fairly common, and it shows it pretty clearly on the x-ray. Some other security researchers like Sophia Antoine did an extensive teardown of supermicroboards, including x-ray analysis, and her group found a few oddities, but they didn't find anything malicious. There were no smoking guns. They just appeared to be supply chain type things. You can read her blog post for more details about where they found things that shouldn't have been there but turned out to be just actual signal conditioning components. So supermicro, in supermicro's letter, they keep reinforcing the manufacturing process, that is the assembly process. It's during the manufacturing process. And I agree with them. It would be very difficult to circumvent their security in a reasonable way in that part of the process. But that's not the only place this could happen. We know that national security agencies intercept shipments of computer hardware and then have their tailored access operations open the computers, install hardware implants, reseal them, and then have them continue on their way in shipment. The NSA even has a catalog of hardware implants like this JTAG implant, Ethernet jacks with embedded computers in them, as well as firmware specific ones that target servers, SMM, and then some that can do data exfiltration via RF. So that sort of tailored access operation is really ideal for this supply chain attack because it allows them to contain the exploit to a single customer. It allows them fairly good concealment, as well as good cover, that if it's discovered, it's really hard to attribute where things went wrong. Unlike if you find something inside your motherboard between the layers, you know that had to have happened at the factory. So Supermicro also claimed that this was technically implausible, that it was highly unlikely that unauthorized hardware would function properly because a third party would lack complete knowledge of the design. I think that's inaccurate, both because we know the NSA does it and also because I've done it. Really, all that you need to know is that these are common components. These flash chips show up on all the boards. You can search the internet for the datasheet and find exactly how it's wired into the rest of the system. And the only thing that we need to know to communicate to the BMC is the serial output pin from this component. So the BMC flash is connected over to the BMC CPU via the serial output, and it goes through a small series resistor. And that is where my implant goes in. Mine's a little bit larger than that resistor. It clips onto the board and it has a small FPGA that hangs off side. But it's completely plausible to fit it into something that small. In fact, a modern ARM M0 fits in the space of two transistors from a 6502 from a few years ago. The Moore's law means we can pack an amazing amount of CPU into a very, very small amount of space. So on that 0603 resistor could fit around 100 Cortex M0s, which would be plenty powerful for this system. The problem is we only have those two pins. So ordinarily on the spy flash, you need at least six pins. But we don't have power on ground. So we have to passively power this through the data signal that's passing through it. We don't have the chip select pin. So we have to guess when this chip is being talked to. We don't have the data input pin. So we don't know what addresses are being read or what commands are being sent. We have to reconstruct it from the data output pin. And we also don't have a clock pin. So we have to figure out how to synchronize to that clock. Lastly, we don't have the ability to make arbitrary data changes. All we can do is disconnect the pin from the BMC so we can only turn one bits into zero bits. We can't go the other way around. So with these limitations, we can still do some pretty interesting things. Recovering the clock is actually pretty easy. We can look at the data stream and find the shortest bit transitions from zero one zero or one zero one to estimate what the clock is, which allows us to then reconstruct that data stream being sent to the BMC. If we look at the flash contents, we can see that a lot of it is fairly random noise, but a lot of it is all white, which in this case would mean that it's all one bits. So if we look at the way the flash is organized, we can see there's the Uboot bootloader, and that's executable that's kind of difficult to make useful changes in. The kernel and the root file system are both compressed so that they look effectively like random noise. But the NVRAM region is a JFFS2 file system. And this file system is three megs. It's mostly empty, and all that empty space is FF, which is all ones. So this is plenty of ones for us to work on. Additionally, it has fairly nice headers that we can match on. So when we see these magic bit masks, we know when we've entered different parts of the file system. So given that we can now reconstruct the clock, we can figure out where we are in the file system, this hardware implant can start to inject new data into what was the empty space. So this short file that we put in here is a small shell script, and it is one of the network configuration scripts. So this is where I'm going to try a live demo, and I hope this works. We're running in QMU since I didn't bring a super micro board, and what we have on the left is the flash console, excuse me, the hardware implant console, and then on the right we have the serial console from the BMC. So we can see I just loaded the kernel, and then in a second it's going to, we should see a bunch of traffic. Okay, so the implant is active, it has replaced the data, when that NVRAM file system was mounted, the BMC is now continuing on doing its setup. It's going to load a bunch of device drivers for the video. It pauses here for some reason that I haven't diagnosed because that's not my job, and eventually it's going to configure the networks, and it does that by running that shell script off of the NVRAM partition. Okay, it starts the KVM stuff, brings up some things. All right, okay, so luckily we got to that point without having to fake the demo. In the hardware it's really flaky. My version works about one in eight times, but it doesn't typically cause a crash, so that's actually good for concealment because it becomes now much harder to determine which machines are affected. In QMU because it's emulating it's a little more reliable, but it still looks only two out of three. If we let the BMC boot a little bit further, it actually prints out this message, and if you hit enter, it drops you to a shell with no password, and you can then just run commands as root on the BMC, and that's a lot easier than all this stuff with the spy bus if you wanted to build a hardware and plant against it. I don't know where the serial port is on the Super Micro, but on a different tier one server main board, I was able to probe around with the oscilloscope and locate the serial console for the BMC, figure out it's 115 kilobod, and it has the same code that you hit enter, and you can run commands there. So that's a much easier way to do it. A big question a lot of people have is how would we actually detect this sort of flash implant? A lot of high assurance sites replace all of their ROMs with ones that they flash themselves, but that doesn't get rid of the implant because it's outside of the ROM chip. Likewise, reading the ROM chip doesn't show anything because it's not in the ROM itself, it's outside of it. Even hooking up a logic analyzer to the bus and watching as the machine boots and seeing the data stream coming out of the flash doesn't actually reveal the implant because you would have to put the logic probes on the BGA pads on the BMC itself, and that's a much harder task. Some people think, oh, well we can see the weird network traffic when the BMC tries to exfiltrate the data, but that's only one way for the BMC to affect things. There was a great talk a few years ago at Defcon from Intel ATR where they showed how something that can control the system firmware can backdoor hypervisors and then they gave a use case where a unprivileged guest on a cloud system could read all of the rest of physical memory so it could see all of the other guest memory. So what do we do? The big problem is the BMC has way too many privileges. It's connected to pretty much everything in the system. But the BMC is not our only concern. As White Pork said, our PCs are just a bunch of embedded devices in a trench coat and they all have firmware. In fact, pretty much everything on your system, more complex than a resistor, probably has firmware. And if you have one of those super micro implants, maybe even your resistors have firmware as well. I've found that the firmware and things like the power supplies can be used to gain code execution on the BMC. It's really interesting how tightly connected all of our systems are. And as Joe Fitz pointed out in his Black Heady You talk, these are not multi-million dollar attacks. These are five euro bits of hardware that we now have to really be worried about. I really like the guidelines that NIST has published that suggest that we think about our systems more in this holistic manner. Although they end up rooting pretty much everything into the TPM as the trusted platform module for doing this attestation. And I think we as a community need to do more to use the TPMs. They're actually a really good tool for securing our systems. But they are also potentially subject to their own hardware implants. The NCC group TPM Genie is able to subvert the core root of trust by interposing on the TPM. So a lot of folks are proposing we should move to other trusted execution environments like SGX or TrustZone. And I think these have a lot of promise, especially for trusted cloud computing. There's a lot of innovation in hardware roots of trust going on right now between the Google Titan, which initially was for their servers and is now showing up in all of their Chromebooks. The Microsoft Cerberus chip, which again is the Azure system, they're actually publishing their firmware and the ASIC design so that people can have a little more faith in it and they hope it will become an open standard. And companies like Apple have also gone their own way with the T2. And the T2 is a really amazing chip for securing systems, but it does so at the expense of user freedom. And that gets in the way of what I think the real way that we need to solve this problem is we need to get rid of a lot of these secrets. Counter to what the Supermicro CEO said, having a secret motherboard design does not make you more secure. Things like the open compute hardware I think is a good vision for how we can move forward, that when you buy an open compute server, it comes with full schematics and Gerber files so that motivated customers can verify that the systems that they're buying are the ones that they think they're buying, that all of the components are what they think they should be. I think the firmware also needs more openness. Ron Minnick at Google is my co-lead on the Linux Boot project and we think that Linux in the firmware is a way forward to get a more secure, more flexible, more resilient system. We're working with a spin-off project called Micro-BMC that is using the Linux Boot tools to build BMC firmware. And this is open source. It's reproducibly built. It can work with roots of trust for attestation. It's written in a memory safe language since it's a Google collaboration it's in Go. And more importantly, we've thrown away all of the legacy features that have been a source of a lot of security vulnerabilities in these systems. So did it happen? I don't know. Is it technically possible? I think so. I hope I've convinced all of you that this is definitely a technical possibility that we need to be concerned about. And I hope that the way forward through hardware roots of trust with attestation and more importantly with open hardware so that we know that the machines we're running are running code that we know... the code that we built that we understand and that we can actually have a good chance of being able to take control back of them. If you're interested in more discussion on this and also in open firmware, there's an assembly here in this hall that has a bunch of folks working on Core Boot Linux Boot and a lot of these projects where you can help contribute and you can help also pressure vendors to make this a standard and a way forward for a more secure computing. So thank you all for coming and I really enjoyed the chance to show off my monship of the state. Great talk. Thank you very much, Tramol. We have ten minutes for questions so please line up at the microphones if you have questions and we also have a signalation probably with questions from the internet. So any questions? Microphone number three? Yes. What's your opinion on the TILUS systems? The open PPC-based ones? So the question is about the TALUS Power 9-based systems. Power 9 is a really interesting architecture. It is using an open firmware very similar to Linux Boot called a Petty Boot that moves Linux into the bootloader. I'm a big fan. There's a lot of folks in the open source community who are very excited about it. I'm hoping that there would be more Power 9 systems coming out. I'm also very excited about the RISC-5 systems. I think having open source CPUs is a real way that we can have more assurance that our systems are what we think they are. Thank you. Microphone number two, please. Yes, thanks for the great talk. I was wondering if you just have a scope probe over this serial, because it's just a series of systems which you were replacing. If you just put two scope probes on there and measure the voltage over it, in your situation you would see a voltage change there once in a while. While in a normal case, you would see actually quite constant current. So if you lower the input impedance of the BMC chip, you might already have fixed part of the attack because the output sourcing current of your exploit is probably limited due to the limited supply. You only can store a limit. Do you see a way to actually get more power into your setup, maybe using other power sources other than the two pins, or maybe there's some way of... So the question is about would there be a way to do more arbitrary changes through redesigning the implant? One of the goals was to fit with only those two pins so that a single piece on the motherboard could be replaced. With the dual probe soldering iron, you can pop it out and stick a new one down in a matter of seconds. So yes, if you have more pins where you can get more power from, you can do much more interesting things. But that would require a different set of changes to the motherboard. Thank you. Microphone 1, please. So a lot of the arguments that these implants were not feasible by a supermicroword where you also show the pictures from the FAP that you have to change the etching and the optical inspection and so on and so on. But how probably would you rate the fact that some actor just intercepted the manufacturing files and edited the component already in the file because then all the optical inspection and that would all say, well, that matches what was sent to us, but that is not necessarily what went micro-send to the FAP. So the question is, could someone have modified all of the manufacturing files that went to the factory? And that's absolutely a possibility. But that's also very likely that that would be detected by the supermicrow itself. That in a lot of cases you don't necessarily want to trust the company that is making the product to also test it. You probably want to have a separate company that does random spot checks to verify that the boards are actually being produced to the specification that you desire. So it's certainly possible. And I really don't want to speculate as to the accuracy of that part of the story. But yeah, it would require quite a bit more changes and also would be much more likely to be detected in the spot check. Great. Microphone number two, please. Yes, for a lot of model boards, there are also quite a few components not populated, some of which are on what you could consider sensitive nets. Wouldn't that make it... Yeah, exactly this. Wouldn't that make it very easy to just pop something on there in parallel with one of the components and not have it be detected because the board isn't modified? There is a component there. You have no way of telling whether it had to be populated or not. Supermicrow puts a lot of extra pads on the board. In this one, a particular one, they have both 8-pin and 16-pin flash chip. Pads that are just in parallel together. So depending on which chip is cheaper that day of the week or who knows what, they will populate one or the other. So that's why in this particular photo, having the position of that circle on the data output pin is very, very interesting. Question answered. Okay, so one more question. Microphone number two, please. How far can signing of FIME be a solution to this problem? Signing firmware solves a lot of the issues. However, typically not all of the firmware is signed. Specifically, UBOO is probably going to be signed in a modern VMC. The kernel and maybe the root file system might be signed. But the NVRAM file system in this VMC is designed to be user-modifiable. So it can't be signed by the manufacturer. So this sort of attack would work against a signed VMC just as well. Also, the hit enter to get a serial console attack circumvents any signing. There are things on the host firmware on the XA6, like boot card, that do a really good job of making it harder to get code execution during the boot process. But there have been several CBEs where it has been implemented poorly. So even though signatures, the firmware is signed, people have still managed to get code execution during that process. Great. Thank you, Tremel Hudson. Again, a warm heart of blood. Thank you very much.