Counterfeit components invade the Chinese market, will they also end up in your devices?

Counterfeit components invade the Chinese market, will they also end up in your devices?

Counterfeit components invade the Chinese market

The Epoch Times reported that a lot of fake chips have recently flooded the Chinese market, the largest manufacturing center in the world. As a result, these components could arrive in other markets as China exports finished products, so potentially you could find items containing non-genuine chips in your hands. The global shortage of chips has already raised the prices of components and electronics, but there is another negative effect that the reduced supply could bring: a wave of counterfeit chips. These products can not only ruin the user experience, but also pose security risks. Fake components can actually work and even achieve the right levels of performance, but depending on how a particular part is built, they could fail after a certain period of use or under certain conditions.

Getting a batch of recycled or defective chips is a big deal for smaller companies that don't have the ability to test all of their finished products, but at least can recall a potentially malfunctioning batch, especially if targeting industries like automotive or healthcare. “The real problem arises if distributors mix good and recycled / faulty components and sell them in one batch,” reports The Epoch Times. Additionally, potentially flawed chips are sold for the same price as fully functional ones, which makes them even more difficult to detect. In many cases, no one will know that some parts are potentially faulty before they fail.

Fake chips have been around for decades. On CPUs, attackers put new markings on chips purchased at retail, selling slower models at higher prices. This kind of fakes were eradicated in the early 2000s when AMD and Intel started flashing CPU models into the ROM of their processors, making it easier to identify reported drives. With chips and components destined for commercial, industrial, healthcare, or military equipment, the situation is slightly different as scammers can sell chips that are untested, unqualified, non-compliant, flagged, recycled, and simply malfunctioning. They can also build parts like SSDs or memory modules from scratch and put fake labels and markings on them.

Big PC manufacturers tend to buy chips directly from manufacturers, then get, say, a notebook containing a fake component is an unlikely scenario. Smaller commercial and industrial device manufacturers buy the chips directly from their manufacturers (or developers in the case of fabless suppliers like AMD or Qualcomm) or from large distributors like Arrow, Avnet, Ingram Micro, or Mouser. These companies sell tens of billions of dollars worth of chips every year and are vital to the industry. But in a world where manufacturers can't get enough chips from their usual partners, they may sometimes have to buy components from small retailers and occasionally they inadvertently (and sometimes knowingly) sell counterfeit chips. Most manufacturers understand the risks and tend to buy from known and trusted sources and test components before using them, but some may take a risk in the current situation.

We use dozens of devices nowadays. that potentially may be equipped with a counterfeit component. Some devices don't play a crucial role, but we use various smart products scattered around the home that could impact security.

Looking for a new PSU to power your next GPU? Corsair RM750X, 750W modular power supply, is available on Amazon.

Malicious Component Found On Server Motherboards Supplied To Numerous Companies

This morning Bloomberg is reporting a bombshell for hardware security. Companies like Amazon and Apple have found a malicious chip on their server motherboards. These are not counterfeit chips. They are not part of the motherboard design. These were added by the factory at the time of manufacture. The chip was placed among other signal conditioning components and is incredibly hard to spot as the nature of these motherboards includes hundreds of minuscule components.

Though Amazon and Apple have denied it, according to Bloomberg, a private security contractor in Canada found the hidden chip on server motherboards. Elemental Technologies, acquired by Amazon in 2015 for its video and graphics processing hardware, subcontracted Supermicro (Super Micro Computer, Inc.) to manufacture their server motherboards in China. It is unknown how many of the company’s products have this type of malicious hardware in them, equipment from Elemental Technologies has been supplied to the likes of government contractors as well as major banks and even reportedly used in the CIA’s drone operations.

How the Hack Works

The attacks work with the small chip being implanted onto the motherboard disguised as signal couplers. It is unclear how the chip gains access to the peripherals such as memory (as reported by Bloomberg) but it is possible it has something to do with accessing the bus. The chip controls some data lines on the motherboard that likely provide an attack vector for the baseboard management controller (BMC).

Hackaday spoke with Joe FitzPatrick (a well known hardware security guru who was quoted in the Bloomberg article). He finds this reported attack as a very believable approach to compromising servers. His take on the BMC is that it’s usually an ARM processor running an ancient version of Linux that has control over the major parts of the server. Any known vulnerability in the BMC would be an attack surface for the custom chip.

Data centers house thousands of individual servers that see no physical interaction from humans once installed. The BMC lets administrators control the servers remotely to reboot malfunctioning equipment among other administrative tasks. If this malicious chip can take control of the BMC, then it can provide remote access to whomever installed the chip. Reported investigations have revealed the hack in action with brief check-in communications from these chips though it’s difficult to say if they had already served their purpose or were being saved for a future date.

What Now?

Adding hardware to a design is fundamentally different than software-based hacking: it leaves physical evidence behind. Bloomberg reports on US government efforts to investigate the supply chain attached to these parts. It is worth noting though that the article doesn’t include any named sources while pointing the finger at China’s People’s Liberation Army.

The solution is not a simple one if servers with this malicious chip were already out in the field. Even if you know a motherboard has the additional component, finding it is not easy. Bloomberg also has unconfirmed reports that the next-generation of this attack places the malicious component between layers of the circuit board. If true, an x-ray would be required to spot the additional part.

A true solution for high-security applications will require specialized means of making sure that the resulting product is not altered in any way. This hack takes things to a whole new level and calls into question how we validate hardware that runs our networks.

Update: We changed the penultimate paragraph to include the word if: “…simple one if servers with…” as it has not been independently verified that servers were actually out in the field and companies have denied Bloomberg’s reporting that they were.

[Note: Image is a generic photo and not the actual hardware]

Powered by Blogger.