[Beowulf] Hacked MBs It was only a matter of time

Ellis H. Wilson III ellis at ellisv3.com
Thu Oct 4 07:43:12 PDT 2018

On 10/04/2018 09:47 AM, Douglas Eadline wrote:
> https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Key snippet:
"The illicit chips could do all this because they were connected to the 
baseboard management controller, a kind of superchip that administrators 
use to remotely log in to problematic servers, giving them access to the 
most sensitive code even on machines that have crashed or are turned off."

My take-away:
This will only impact systems where there is a route between the wider 
world and the IPMI ports on your servers.  That's an extremely terrible 
practice anyhow since IPMI isn't the most secure protocol, so the 
solution should be to cordon off your IPMI network to a separate, 
non-network-attached switch or leave it disconnected entirely if you 
don't administer your machines in that way.  If you've properly secured 
that network you should be sufficiently guarded at least from an outside 
intruder having levers into your system.  Rogue chips on your boards 
could of course always impact the system at some future date in a 
pre-programmed way, but I know of no way to guard against that kind of 
an attack short of vetting each and every board under suspicion on a 
chip-by-chip basis.



Ellis H. Wilson III, Ph.D.

More information about the Beowulf mailing list