Hardware Hacking

LunarMist

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
17,497
Location
USA
If Spock were still alive he'd say "fascinating."
 
Handruin

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,924
Location
USA
I wouldn't even know what I was looking for on both of my Supermicro systems to find such a tiny SoC on it assuming it was surface-mounted and not in the layers of the PCB.
 
Chewy509

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,357
Location
Gold Coast Hinterland, Australia
And the thing is, this could be happening with any ODM/OEM supplier... Supply chain infiltration is a major concern for those in the infosec field (esp at gov/mil levels).

Additionally, wouldn't it be easier/less detectable to hack the firmware of the BMC to provide those remote functions (since that's what a lot of BMC's are used for), than to include a new SoC on the motherboard?

And in this reporting I haven't seen a lot from Supermicro either?
 
ddrueding

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,728
Location
Horsens, Denmark
Yup. There was a time when I'd say that I'm glad I work for a company too small to be the target of such things. But we were recently the target of a legit hack. I can't go into details beyond that we contacted the FBI and that there was someone from the outside who managed to escalate to admin privileges on multiple machines. It was bad. If you do IT for small-medium sized businesses, don't think you can't the target of such things.
 
Chewy509

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,357
Location
Gold Coast Hinterland, Australia
ddrueding said:
If you do IT for small-medium sized businesses, don't think you can't the target of such things.
Click to expand...
I don't know what it's like in the US, but here in Aus, there has been a significant increase in going after "soft" targets, especially small companies that deal with large sums of money but won't have internal IT or even dedicated IT budgets, eg small legal firms, small real-estate agents, etc.

Pretty easy to hit one of these, steal some banking details and/or credentials for email accounts and perform man-in-the-middle style attacks... If using Office365 or GSuite, can't recommend enough to force the use of 2FA for all access...
 
Handruin

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,924
Location
USA
Chewy509 said:
I don't know what it's like in the US, but here in Aus, there has been a significant increase in going after "soft" targets, especially small companies that deal with large sums of money but won't have internal IT or even dedicated IT budgets, eg small legal firms, small real-estate agents, etc.

Pretty easy to hit one of these, steal some banking details and/or credentials for email accounts and perform man-in-the-middle style attacks... If using Office365 or GSuite, can't recommend enough to force the use of 2FA for all access...
Click to expand...

You may be surprised even with 2FA that people get taken for phishing. I really enjoy the podcast Reply All from Gimlet media especially their episode on "#97 What Kind Of Idiot Gets Phished?". They did a segment on this if you're interested to see how medium and small businesses can get hit hard even with 2FA. I still agree it's important to add a 2FA but it's still breakable. Their podcast is worth a listen.
 
sechs

sechs

Storage? I am Storage!
Joined
Feb 1, 2003
Messages
4,709
Location
Left Coast
No security is unbreakable.

We can only try to make it so difficult as to not be worthwhile. And the weakest link in any security scheme are the people.
 
You must log in or register to reply here.
Top