From the course: Cybersecurity Foundations

Hardware implants and other cyber FUD

From the course: Cybersecurity Foundations

Hardware implants and other cyber FUD

- [Speaker] In October, 2018, Bloomberg created a sensation by announcing that the Chinese had implanted tiny chips in the servers of an American company, Super Micro Computer. The article reported that the servers were supplied to the Departments of Defense and other sensitive government agencies, as well as Amazon and Apple. In a letter sent to its customers, Super Micro reported that their investigations found no evidence of Bloomberg's claim. Apple and Amazon also very quickly denied the findings and called on Bloomberg to retract the story. Eventually, one of Bloomberg's named sources said that his comments were taken out of context and he actually told Bloomberg that what it had reported didn't make sense. While he had discussed the theoretical feasibility with Bloomberg, he'd never suggested that they'd been used in the Super Micro board. His overall take on the piece is that the technical details were taken from an earlier black hat presentation he'd made and were jumbled. Another hardware FUD was unleashed when the reports started to emerge about two new computer chip exploits called Meltdown and Spectre. The initial reports indicated the vulnerabilities in these chips would leak passwords and sensitive data and could be used to steal data from other cloud users. Another report from a computer consultancy company suggested that the current standards of security in the tech industry means that it was crucial that businesses contacted their highly qualified cybersecurity team to protect against Meltdown, Specter and future security threats. Adding to the drama, CNN reported that a US government backed body warned that the chips themselves needed to be replaced to completely fix the problems. One cybersecurity expert announced Meltdown and Specter were disasters and another stated that Meltdown can be exploited by any script kiddie. It was suggested that the exploits are nearly impossible to fix short of shipping out new processes. As it turned out, firmware patches were shipped quickly and there have been no reports of any successful exploit using the two techniques. Meltdown and Spectre were high on drama and low on real risk, and FUD once more trumped common sense. Not all reports relating to hardware insecurity are FUD. The research has shown here identified flaws in the Trusted Protection module chips from Intel and STMicro, which enabled the extraction of signature keys, breaking the chain of trust for which they form the roots. The researchers have been involved in identifying previous hardware vulnerabilities and are respected in their field. The vulnerability in this case can be readily exploited. For an end user, this particular vulnerability can be exploited via the Target's browser by having it visit a malicious website and it was effective on all versions of Internet Explorer running at the time of the announcement. This announcement was one that was worth taking seriously. Nevertheless, when it comes to sensational exposes regarding cybersecurity, check the evidence before you believe it.

Contents