
[Joe F.:] We've got this Bloomberg article that just dropped. So if you haven't read it, there is this article about "the big hack". And both Joe and I are quoted in that article and our quotes are used to talk about the possibility that there's this itty-bitty tiny chip that the Chinese government has implanted on a bunch of Supermicro motherboards and it has infiltrated 30 companies in the United States. Which is all a very interesting and entertaining story, but many of us are hardware people or technical people who get really excited about the capability and what's possible. And I myself am very excited when I hear descriptions of these things like, wow, we could do
this, we could do this, we could do this, we could do this, and now we have a proof of concept. And I very frequently encounter people who take the words that I say about a proof of concept and think that this is the next attack and it's actually happening. Sometimes there are more conspiracy theorists than others, but this is just a really interesting thing because it ended up in a mainstream media news article that had some pretty significant impacts on the industry. So Joe and I decided that the best way we could respond to this is to turn this keynote slot into a panel. We have a couple people from Portland and beyond that are knowledgeable about the stuff that
happens. So we kind of lured them all together. And then we thought, well, we need someone to moderate the panel, and we both thought that there really is no one better than Kim Zetter to come and moderate the panel if we could just convince her to get up here to do it. So thank you very, very much, Kim Zetter. [ Applause ]
I've had the privilege of getting to know her, meeting several times at conferences all over the place. We've talked several times. She has been working on technical journalism for 15 years? Quite a while. And election security for over ten years. She had an excellent- was it the New York Times Magazine cover story? Or was it- Yeah, so on election security earlier this month. And she's kind of a person we thought would be best to do this and she said yes, so she's here. [Joe G.:] I think it's safe to say too that Kim is one of the few journalists that we actually trust [ Audience Laughter ] and that's saying a lot given, as you'll see,
when we talk about this article. She's been around and you know, yeah, thank you for coming. [Kim:] Joe just has to say that because he spent last week bashing all journalists. [ Audience Laughter ] And I got pissed off at him about it, so. [Joe F.:] So without further ado- I was gonna say one more thing I can't remember what it was, but maybe I'll just interrupt- Oh, lightning bolts are still here. So, Kim here you go. [Kim:] Did you want to introduce the panel? [Joe:] Okay, shall we start with Jason and come back this way and just tell us about yourself and what your experience with Hardware implants and hardware might be. [Kim:] Yeah, so the format here is we're
just going to go down the panel. I have them introduce themselves, describe a little bit about the hardware hacking they do, and then we'll jump into the article. And we don't want to spend a lot of time bashing the article, just examining sort of what are the fallacies and what are the possibilities and then broaden that to all of the hardware hacking. [Jason:] Hi, my name is Jason Meltzer. I guess this is always the biggest existential question when you get shoved in front of a group of people: "How am I going to describe myself today?" So, for the last two years I've been working with NCC Group's hardware and embedded security practice. We look at a lot
of, whether it's from mobile devices to server hardware, for a lot of companies, a lot of embedded security stuff that goes into even servers. One project that I can talk about that we just recently actually published a public report on was the encrypted backup feature that's in Android P. There's a feature that allows Google to have the backup encryption keys tied to your lock screen knowledge factor so that Google never has access to any of this data. They brought us in and we looked at all of the hardware that underpins this. This includes what Google publicly calls the Titan chip. So this is the kind of stuff that I've been in for the last few years. Previous to that I was a security
researcher at Intel doing CPU core or internal security stuff, microcode stuff and then before that lots of other system security stuff. But that's sort of where I come from.
[Mike L.:] Hi, I'm r00tkillah, or Mike, and I started in embedded hardware and software and built little embedded things and then I drifted around in development and into software security et cetera. I kept running into people who would say that hardware adversaries are out of scope, like when they hook up hardware it's game over, and that kind of pissed me off. For lulz I just make hardware implants to show that we're thinking about the hardware security threat model wrong. I work on the Intel Red Team and we do adversary modeling and it's fun. [Mickey:] My name is Mickey. I work for a small company that does hardware and firmware security called Eclypsium. I had a lot of experience looking at motherboards and working with Mike.
Recently I've looked at a lot of Supermicro boards and it's a very, very fun topic. [Kim:] Found anything interesting on any of those? [Mickey:] Maybe I'll tell you about it later. [Mike G.:] I'm Mike Grover, _mg_ on Twitter. Recently I've been playing around with USB-based implants, like implants that go inside these cables. Kind of a focus on doing it with really common and really cheap implant hardware, just a fun constraint. [Joe F.:] I'm Joe FitzPatrick- [Kim:] Hold on a second, can you expand on that a little bit more? [Mike G.:] Yeah, totally. Yeah, so I made the implant in this cable, for instance. The demo has been HID attacks where it pretends to be a keyboard and types
really fast on your computer. So, yeah, you'll plug this into your laptop, it'll charge your phone and it'll also type on your computer for you. I've got a few other ones that are USB based. Whether, you know, kind of emulating networked things like that, so- [Joe G.:] What about your exploding one? [Mike G.:] And an exploding one too, just for fun. Yeah, if you could find a thumb drive that explodes, I may have created that. [Joe F.:] So I'm Joe FitzPatrick. I did hardware security previously at Intel, but in the past several years I've worked a lot reproducing things from the ANT catalog, which I found to be really fascinating. All these hardware implants, and what was the big learning key
element from the ANT catalog was that these hardware implants are used to give software access and then it becomes a software problem. My experience at hardware is like, oh, I'm a hardware person, I have a hardware background, I can do everything in hardware, but no, we do stuff in software. I've built JTAG implants, I've built PCI Express implants, I have applied these implants to industrial control systems, to embedded devices, to PCs, all as demos and proofs of concept. I've never seen a real implant aside from, like, counterfeit bypass devices. No one's ever shown me one. So, Joe, have you ever seen one? [Joe G.:] I have also never seen one, but I've seen a lot of your examples, and the ANT
catalog is actually interesting because what you guys have done with the NSA Playset is sort of like using off-the-shelf consumer stuff; you haven't had to create, you know, ridiculously tiny complex systems. My name is Joe Grand, I have, I make- I feel really old. I've been hacking on things since 1982. I'm a professional electrical engineer, so I have production manufacturing experience, but I've been in the hacker world for that whole time since I was a little kid. I just love designing things, I love breaking things, and just sort of, I don't know, always kind of a curmudgeon and kind of a skeptic when it comes to a lot of things. For this particular article Joe and I
are both quoted, but I should mention, since I'm wearing a hat, which most people never see me in a hat. I had quoted about this implant as being so- actually, it wasn't even about this implant. The quote was this general quote about how hard it is to actually find, if there even is one that exists, a real good state-sponsored hardware implant that's a secret, you know, a secret thing that's actually physically done on the board. If it's that good, then it would be like seeing a unicorn jump over a rainbow, hence my hat, if you can see it in the back. I had this made at the county fair a few years ago before I gave the quote. It's not exactly the unicorn jumping over the
rainbow but it's as good as the guy could do. So I figured I'd wear it today. But yeah, so hardware hacker and engineer.
[Kim:] So, the Bloomberg article. So the Bloomberg article is actually very lengthy, if all of you have read it, but there's only one line in it that actually describes in any kind of technical terms what's happening here. There are actually two articles. There was a first article that talks about the hardware implant on the board, and then the second article that came out like the day after, a week after. Here's the one technical line in the article, sorry, okay: so officials familiar with the investigation say the primary role of implants such as these is to open doors that other attackers can go through. "Hardware attacks are about access," one former official puts it. "In simplified terms, the implants on Supermicro hardware manipulated
the core operating instructions that tell the server what to do as data moves across the motherboard," two people familiar with the chips say. This happened at a crucial moment, as small bits of the operating system were being stored in the board's temporary memory en route to the server's central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects. So, I just want to throw it out to the panel, you know, the article has received a lot of ridicule. But you've all sort of said
in one way or another that the capabilities are not implausible. I want you to reconcile those two issues, that the article itself is implausible but the capabilities are plausible. [Joe F.:] That is an interesting technical description, because any of us who are familiar with, like, the inner workings of things, those aren't words that we use to describe how it works. Those are words that a journalist would use to describe something to a mainstream audience. So we can't interpret that sentence literally. We have to interpret it through a filter designed for a mainstream audience. That said, what it's describing is modifying instructions, changing the sequence of instructions. It reminds me a little bit of the wording in the Wassenaar Arrangement
about the expected path of execution. Basically what I hear is this is how exploitation happens, right? We do something external to modify how things execute. It's hard to extract any technical detail about what's going on. When we get over to the more low-level hardware side, where we talk about hooking things into the system and wiring them up and the overall capabilities. Like, can we have something that goes and modifies memory in a system? Yes, we have technical ways to do that. We can use PCI Express DMA attacks. We can use debuggers to do that. When we talk about interrupting the CPU, do we have it? Yes, built into every CPU are debug features that let you halt
execution and change what it does. And these are things that are documented or not documented, and if you're a state-sponsored actor you have access to that documentation. None of the technical details are implausible, but what really gets me is the combination of all of them in a strange way. Anyone else want to add to that?
[Joe G.:] I guess a little bit of backstory too, so this article came out less than a month ago, a few weeks ago. Joe and I had both been contacted by the journalists nearly two years ago. So this article is not something that just came out, like, you know, this new investigation; they've been working on it for a long time. What we came to realize is the journalists were independently contacting us, basically asking sort of these somewhat technical sentences that didn't exactly make sense, like, "What could you do with something the size of a grain of rice on a motherboard?" or this, or that. Very vague sort of things, and neither of us ever actually knew the whole story of what was going
on, but we didn't realize this until after the fact. That they were bouncing our responses off of each other to find something that seemed to make sense. So I think the article, and I haven't talked to the reporter since and I won't, because I spent enough time trying to educate them in the first place, but it just, it seems like he had maybe been fed something and then started down this path. This sort of domino effect of like well Joe said this, Joe said this, some other guy said this. Trying to piece together something. So it doesn't technically make sense as like a technical person would read it. But somebody from the outside and this is sort of where the danger is
is that somebody who isn't technical is gonna read that and go "oh my dog, we're gonna blame China, we're gonna blame all these bad things." And the whole thing with hardware implants, and what this article is really focusing on, is the danger of offshore manufacturing and untrusted facilities in hostile territories, but hardware implants can be done anywhere along the lifecycle, at any manufacturing facility. It doesn't have to be offshore, it can be in the United States, it could be down the street, because there's a million ways to do it along the way. So it's just, I think the article was very unfair and, especially to the public, sort of very misleading in a way
that now we have to deal with the ramifications of that. [Kim:] But why is it misleading if you're saying that the capabilities are there, that everything it's describing doing is possible and it's raising awareness for looking for hardware implants, it's raising the issue of hardware implants. What's the problem, exactly? [Joe G.:] I think raising awareness is great so being able to say here's a potential problem. Here's an attack vector people haven't looked at before and raising that to the mainstream is good. If there are no hard facts it's misleading. So speculation is different if the article was like "we think this happened. This could happen. We think maybe this happened." but they're basically presenting it as here's you know even
the picture. Who's wearing the shirt? So this shirt. Oh it's on the screen. Yeah, so, that picture with the pencil and that little thing on top was in the article without a description of saying this is what we think an implant would look like. There's no mention. People thought that picture which was in the article was the actual implant discovered. But it wasn't. The pictures they show of where the implant could be on the motherboard, where it zooms in, that wasn't real either. It's a lot of- from a high level it's good. [Kim:] But they do have sources saying, um not on the record, I mean they're anonymous sources, we, they do have sources saying that
they've seen the implant. They've seen reports of people who found the implants. I'm still not convinced by you guys. What's wrong with this article? [Joe G.:] Oh, I will also say Joe and I were contacted to speculate on where in the image that they could show in there was the actual thing, because their 17 anonymous sources didn't show them an actual picture. [Mike G.:] It would be interesting to dive into the implausibility of this, because while there's potential in doing it the way it was presented, but the practicality. There's so many other approaches, and it might be worth distinguishing the different ways in which it's plausible, whether it's hardware attacks versus software, firmware, et cetera, and I think
those become more practical. [Kim:] Anyone else on the panel? [Joe F.:] Mickey, Mikey, Jason, do you have any ideas of how you would do it that wouldn't involve nearly as much hardware? [Mickey:] How much money you got? [Audience Member:] Nation states. [Mickey:] Nation-states. So if we think nation-states. Okay, so it's really hard to talk about this topic without going super technical, but if we consider a nation-state that has, like, a budget, look at the ANT catalog. What was the cost for- [Kim:] Just to make sure, does everyone in the room know what the ANT catalog is? Is there anyone who doesn't? The ANT catalog was leaked to Der Spiegel back in 2013 or 2014. It was basically a catalog of the NSA's
implants spyware toolkit. It was, as I recall, technology from 2008, but it wasn't leaked until around 2014. So the state of the art we presumably were a decade on from that, but it was quite sophisticated, the catalog. [Mickey:] Yeah, keeping that in mind, a decade-old technology in a catalog that has implants on it, where the cost of each goes, I think, at least fifty thousand dollars per unit, and you can buy them in packs. So if you have, like, 1.2 million dollars you get a set of 50 or something like that. [Kim:] This was an actual catalog; it was a sales ordering catalog for spies. [Mickey:] There are cheaper options, right? But if we're thinking about that and then moving our minds 10 years in the
future with the technology we have today and thinking about, for example the nanometers then when manufacturing versus nanometers now you can do a lot of things in a really small package if you have a lot of money. Now, let's say you have the capability and the money. You have an implant. You still have to find the place on the board to put that implant that gives you capabilities. Now it's really hard to find a place on the board to give you multiple capabilities and that's why everything is possible, but you'd have to adjust a few things in the way. If you're a nation state and you have spies and you've infiltrated the supply chain there's so many ways you can do this I don't even know where to
start. But let's say you just have an implant. [Joe F.:] So there's lots of ways to do it, [Mickey:] Yeah. [Joe F.:] But do any of the ways you would do it involve making a custom chip, putting it on a board in a place that doesn't make sense in a package that you would never find on a motherboard? [Mickey:] When you say it like that. [ Audience Laughter ] No, it's just a red flag. Yeah, I would totally do a fake package. [Kim:] And why would you do it at the manufacturing plant? Why not do interdiction? [Mickey:] I wouldn't do it in a manufacturing plant, but that's a different discussion. You don't want to know how I would do it.
[Kim:] We do actually, we do. [Joe G.:] A lot of the discussion online and, like, this question is, well, maybe the article is not right because they're doing it as a hardware implant and not a software or firmware one, but I'm not sure that's the right way to go, because it could possibly be a hardware one. I don't know why they would do it, right? But maybe there's a reason if they're doing it; maybe they already have checks in place during manufacturing to check the state of firmware, so they have to do it after the firmware is manufactured, before, you know, as it's loaded to the BMC in powerup but not during manufacturing, or something like that. There might be a reason.
It seems completely ridiculous to any of us, but we also don't know the whole story if it was hardware and if so there are plenty of ways to hide it, right? It's just like if it was done right, it wouldn't have been discovered and since we haven't seen pictures we don't know if it's been discovered, so, there might be a reason to do it but we just don't. We haven't seen anything. There's no proof at all. No proof, no packet captures, no nothing. [Mickey:] Also, there's so many usual suspects in this chain. In a motherboard you can name a lot of companies that are involved in manufacturing components to any motherboard from any manufacturer. So
it's all based on trust. So if you trust the OEM that gives you the component, that's good. But if someone infiltrated that one, you can't tell. [Kim:] So, have any of you ever found a suspicious, malicious, let's say, implant on a motherboard? [Mickey:] No, I've never seen anything- I've seen dumb designs, but I've not seen maliciously, a malicious implant. Except what Mike did. [Joe F.:] I've seen counterfeit bypass devices. So you have, let's say, a router that's an 8 port router but it's the same board as the 16 port router. And you go and you solder on eight extra ports and you put this bypass circuitry on there that bypasses the DRM the manufacturer puts on them. So you sell this. You buy a
$1,000 8 port switch, you solder some components on and you sell it as a $3,000 16 port switch, right? So it's malicious. It's someone doing this to swindle, to make money, but it's not a spy implant. It's the same, it would be the same hardware, right? It would look exactly the same, and if you didn't know what you were doing and you saw this? That's what people- there was a post on Reddit a few years ago, someone who found an eBay purchase that had one of these things on it, and it was pretty certain that it was a bypass, a counterfeit bypass switch, not an implant, a spy implant. [Joe G.:] Yeah, that was on Reddit, was that the Cisco router?
Someone bought one and it looked a little bit physically different than the other one that they bought, and they opened it up and there was this hardware implant on there. It was like an inch by an inch square with no silkscreen markings on it, just this horrible soldering job down onto the board, but a huge discussion. You should search for Cisco implant Reddit. Tons of people trying to figure out what it was, and what we think it is, because there's only two connections plus power and ground, and I had actually talked to a few people that had slightly more insight than we do about what it might be, and they were thinking it was bypassing, but basically a feature
upgrade, so during powerup, and I don't know if this is true for real, but during powerup the system's gonna check a serial number, the state of something, so this implant is gonna modify that to basically give it a different serial number or a different key or whatever needs to be to unlock the features that are already existing on the board. I think another good thing to think about, sort of hardware implants in the real world, would be like mod chips on game consoles, right? Those are like intentional hardware implants where we're putting them there, or somebody's putting them there, to, again, maybe be malicious because they're bypassing some security mechanism; they probably aren't spying. But that's like a real-world
hardware implant that I think everybody has seen. As far as, like, malicious intentional ones on boards, I've never seen it in my entire life of tearing stuff apart and talking to people, and I would love to; I'm just dying to see something. You know, credit card skimmers are another implant, and I've seen those, right, those exist, we know those exist, but other stuff, I'm just dying for somebody to send us pictures or something because we really want to see one. Otherwise we can only speculate or kind of share what we would do, but not know what the adversary is really doing. [Kim:] At the end of the table there, we haven't heard from you guys. [Mike L.:] So I think it's kind
of interesting to think about mod chips. Where in the console market the adversary that's implanting hardware is definitely in scope in their threat model. This is exactly what they're afraid of. It's a cat-and-mouse game. Whereas in the server motherboard business, this seems to be something that we don't talk about and is generally thought of as outside of the threat model. [Mickey:] I just want to add something. I don't think we'll ever see an implant like the one suggested. Alright, with the gaming and modding communities, the user consents to knowing that there is something on it. He accepts the fact there's something there: I wanted it there because I want to play all my games. When a malicious actor tries to add a component, a malicious
component, to a board, the user should not know. So you shouldn't, you should be able to detect it unless the malicious user knows how to. [Kim:] Well, the interesting thing, and the way that they described that it was detected, was the traffic going out to the server. [Mickey:] That's another discussion.
Are we going to talk about that point? [Kim:] Yes, I'm asking you about it. [Mickey:] I'll let Joe start. [ Audience Laughter ] [Kim:] So, I guess we're getting into the issue of, like, how do you detect, unless anyone else wants to continue on- [Mike G.:] I'd like to add one more point to the practicality, with, for instance, this little thing, right? In terms of practicality here, this is mobile. It's not the system itself. It comes with the human aspect. Therefore it kind of makes sense. Doing a hardware implant on the physical system itself, there's a lot more complications and, look, we don't know the whole complexity, the intent and the constraints they had here; we're just
talking generally, as a general approach. But it's a lot easier to go at the firmware or the software level. Even this, it immediately hands off to the software; it's like, okay, it's infected now, it's in the system, then it's done. That is where it's much easier, it's much more flexible, you're in the user space. When you're at the hardware level there's so many more constraints, and anytime something changes on that hardware, a flash update, your hardware implant may therefore break, and potentially catastrophically, to the point where somebody notices that it is implanted. And you don't want that, especially when it's at a large scale, when it's coming from the source. And you have a lot less control of where it ends up.
[Kim:] Before we get into the detection, there was a second story that came out from Bloomberg afterwards, and it seemed to be a follow-up to the first story, but then it was talking about something different. This one was by a guy from Sepio Systems, Yossi Appelbaum, who said that he found this on a telecom; didn't identify the telecom. And the way that they discovered it was unusual communications from a Supermicro server, and a subsequent physical inspection revealed an implant built into the server's Ethernet connector. So in the first story they were talking about this implant on the motherboard that then communicates. It calls home to this malicious server, and apparently all of the implants were calling out to the same server because supposedly some
Intel source then got access to this server and they were seeing what systems were communicating with it, and that's how they were able to determine that about 30 companies were affected by this. So, let's throw that to the panel and talk about that method of discovery and other methods, let's say the plausibility of that first and then in general how you might discover an implant. [Mickey:] Okay, I'll start. If I take your description literally and I think about it for a second, that sounds like a BMC. So that's, if you don't know, BMC stands for baseboard management controller. It's a separate subsystem that is located on most servers. It allows companies to manage their fleet of servers,
reset them, install operating systems; it's a completely separate stack of operating system on a motherboard. Some of them share a network port with the motherboard. It's described like the BMC was contacting somewhere, and that sounds more like a firmware or software kind of exploit than a hardware one to me. [Joe G.:] I just want to add a little backstory to that particular article and then someone can talk more technically about it. So yes, a modified Ethernet connector sounds like a totally different description of the implant than the first one. This particular company, this second article, we don't know if that article was meant to be, you know, was in the works at the same time as the first one, and this sort of brings up the whole questionable ethics, I think, around this article. When the first article dropped that weekend I got an email from somebody at a company named Sepio, and they said, hey Joe, I saw you in the Bloomberg article, I'd like to show you how we're securing hardware. And I got a million emails that day, or that weekend, so I just blew it off, and then when the second article came out, Sepio Systems was featured in the article. I was like, huh? Did they reach out to Bloomberg after the first article to say they have a solution to this problem, and this is a great way that they can now also convince the journalists, you know, to write about it? So the second article
to me seemed like not an intentional follow-up, but a follow-up to maybe try to bolster their first article and come out with something saying, look, implants are real, so you should trust our first article. Here's a company that specializes in securing or detecting implants, so it must be real. So the whole thing was just sort of shady, and the fact they were providing a service and the fact that they just cold-call reached out to me, it didn't sit right. But again, you know, from a functional perspective, hacking an Ethernet connector and implanting, that's a great place to hide because it's huge, right, and you could do something in there and add stuff within the
connector itself, but there were some technical inefficiencies, I guess, would be a word for that article too, where they're saying that, you know, this particular physical Ethernet connector that was detected was plastic instead of metal, or no, metal instead of plastic, so the metal, you know, acts as a better heat sink for any of the processing power implanted inside of it additionally. Which must be why it's implanted. And, oh, and the way it was detected was not just Ethernet traffic, it was the current power consumption measured based on, I don't even know, I'm not even going to try to make sense- [Kim:] It said unusual communications and that's all it said.
[Joe F.:] Sepio Systems sells a service where they can detect your maliciously implanted Ethernet ports. They claim to have found these ports, but they can't tell you any details about how. They claim they do this by doing analog signatures and stuff like that; sounds like side channel analysis. Side channel analysis is complicated. These journalists are translating, and so that description is a translation of some detection mechanism they use to detect anomalies using side channel analysis. [Kim:] This is how the journalist translated it. They talk about the Sepio software detected the implant: "One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions
but also analog signals, such as power consumption, that can indicate the presence of a covert piece of hardware." So they're not saying that the power consumption was one of the ways that this particular telecom implant was found, but they're talking about Sepio's capabilities and how they might find an implant. [Joe F.:] Yeah, so great great marketing piece. [ Audience Laughter ] [Kim:] Can I just add one other technical detail about this particular ethernet connector? "The tampered Supermicro server actually appeared on the network as two devices in one. The legitimate server was communicating one way, and the implant another, but all the traffic appeared to be coming from the same trusted server which allowed it to
bypass security filters." [Jason:] What Joe said earlier about these things being presented in a language that is fairly generic, super high level, that you have to look at these things through that lens of interpreting. Okay, well, this is sort of what they meant. This is sort of in the realm of very high, extremely abstracted possibility. I think that that's partly where we start to get into, like, "for whose benefit is this article?" and then the follow-up article, which definitely kind of reeks of opportunism, if that wasn't already in the works. There's no actual evidence that's been presented. There's sort of like a somewhat pseudo-plausible technical mechanism, which we all here have experience with and that I don't think is in any dispute whatsoever. We can all
sit down and think of hundreds and thousands of different ways of back dooring stuff either whether it's intentional implants or we haven't even talked about bug doors, which make actually adding something kind of irrelevant, but that we have to ask like well who's benefiting from this article and what does this article actually- what information and what are people supposed to do with it? I mean almost nobody deals with server hardware anyway. They have no idea how to interpret this and what to do with the information. So they've presented no real hard evidence that anybody who's willing to stand up and actually put their credibility on the line that they're not that isn't selling something. So, you guys want to
talk about for who's benefit? [Joe F.:] One question. Mickey, Jason, you guys know BMCs better than than I do. How difficult is it to make servers show up as to network devices that were a single port. Is that like a core feature of some of these BMCs maybe? [ Audience Laughter ] [Mickey:] That's exactly how it works. [Joe F.:] So there's a question "is there anybody who's done research on BMCs and knows details about how things like this can work?" And yes there are, and yes they have. [Mickey:] We have one in the audience. [Joe F.:] Do you want us to say your name or do you want us to not say your name? Say hi to Jesse. Come talk to him later.
[Mickey:] That's Jesse. [Joe F.:] Sign up for a volunteer position while you're talking to him. [ Audience Laughter ] [Mike L.:] I think we need to think about, when we talk about this detected network traffic, it's sort of hinted that this is implanted hardware that is making network traffic and some kind of side channel, which is not necessary at all. You can, through the BMC, make network traffic through the implanted hardware talking on the same buses as the BMC. You can also make network traffic, and there would be no network-detectable side channel signature of that; it would be indistinguishable, because it's sent by the same ethernet controller. So those two details
don't really go together. They don't really make a whole lot of sense to me. [Joe G.:] Well, here's a question related to detection, not being a network or software person. A lot of the discussion is, you know, there's detection of the hardware implant because there has to be some command and control or something. Yes, you can generate traffic, but from the people I've heard in the network world that are looking for these things now and spending a lot of time doing it, they seem pretty confident that any irregular or malicious sort of network traffic they would be able to detect, because intrusion detection in all of that world of detecting network stuff is
so good. I don't know if you agree with that. I only know that I've read, you know, stories of hacks. I remember the exfiltration of, like, Sony or some company, where there was some huge amount of gigabytes of data being exfiltrated straight over the network and no one detected it. It seems unlikely, you know; sometimes companies might not even detect a few bytes being sent. But what I mean is, do you think even if it's a hardware implant, could it be detected properly in a software approach in the network, or are there just too many ways to hide? [Mickey:] I want to answer that with a question to you. Would you do a hardware implant that talks over the network?
[Joe G.:] Probably not. [Mickey:] Exactly. [Joe G.:] I would do one that would exfiltrate data in a different way, not over the network, so it wouldn't be detected, and then we get into covert channels through, you know, EM or RF or optical or whatever. [Joe F.:] You bring up the example of Sony getting gigabytes of data exfiltrated, but we're not talking about Sony; we're talking about Amazon and Apple. Their jobs are maintaining farms of servers. They are really good at this; they're probably the best in the world, and the other 30 companies on that list are probably up there. When you have a cloud service, you have a bunch of systems that are running other people's code and you're very careful about what
you do. When you're building your network, when you're building a server, you have a box around everything, right? And if you're not trusting the software on the system or the operating system... [Audience:] Are you asserting that they are really careful about their...
[Joe F.:] Thank you for catching me on that; maybe my wording was optimistic. So when you are threat modeling a data center, you have a box around each server. You are already suspicious of strange traffic coming out of it. You're suspicious of strange traffic coming out of the BMC. Whether or not they do a good job of detecting that is in question, but this is the job they're supposed to be doing. So I assume, without information, that companies who are doing this on huge scales are doing a better job than smaller companies. Even Sony is a much smaller company, who just has their own little, like, 30-some gigabyte exfiltration problem. [Mike G.:] I just want to add, so in the scenario where there is an
additional network interface popping up, that's the equivalent of having a whole new machine just suddenly pop up in your network. That is the loudest way, from a network analysis standpoint, to approach this, so even just basic IDS stuff is going to catch a whole machine suddenly showing up in your network. [Audience:] No, it won't. [Joe G.:] Everyone's saying no. [Audience:] So the counterpoint to that: if your infrastructure is all VMs, you're creating and destroying VMs constantly. [Joe G.:] So the comment was, if you have virtual infrastructure with a bunch of VMs, you're creating and destroying VMs all the time, so if one pops up in there you may not see it. But what about even from a lower level? Like, again, I don't delve into any
network stuff, but it seems like with exfiltrating data from a hardware perspective there are so many ways. Aren't there ways within network traffic to just change some bits of a flag or something that would go undetected, and someone could still use it for command and control? It's not infeasible that network traffic could get through whatever detection mechanisms. It's just, is that maybe just unlikely?
Yeah, once you know where to look. That's what the article is saying: they've detected it. We should have a PCAP, yes. [Joe F.:] My mistake is...
my error is speaking beyond my expertise, which is the hardware side of things, and my thought is, once we get to the network level there's no difference between a hardware implant and software, and they already have these mechanisms in the software world. They may not be perfect, but they're going to find things in cases. When we detect something, and we detect it and isolate it, there's no reason we can't come up with a PCAP, an Indicator of Compromise, of what this thing does. If we detect it, if we find it, if it exists. We don't have that. We have nothing to look for right now, so when you get down to the question of, like, what do we do
about it, which is kind of where you tried to direct the conversation, like, we don't know what to do in response to this article, because we don't know what the attack was that we can detect. [Kim:] So maybe you don't know specifically this one, but what would be the advice, then, to people in data centers and CISOs and CTOs in general about this issue of implants? I mean, okay, not this one specifically, maybe, but... [Joe G.:] I feel like we have to be careful. I mean, I feel like this is not a new attack vector for us, but potentially a new attack vector for other people, and I think we have to sort
of... we don't want to go out there and scare everybody with this. We need to be kind of a voice of reason, like we try to do with every other attack that comes out. But I think Joe and I, and probably some of the other guys too, and probably a lot of people in here, have gotten questions about what do we do in relation to this, and you don't want to totally discount it, because it is a real threat, but it's also, like we talked about, there are lots of other ways to do it. What I've been spending time doing with CISOs and things is not scaring them, but saying it's a possibility. You're relying on commercial, you know, off-the-shelf hardware; you're
dealing with manufacturers all over the world; you're trusting all these different things along the way. Yes, things could happen. Is it likely? Not as likely as somebody compromising firmware or phishing your employees or something. So I think it's mostly, what I've just been doing is bringing it to light and saying yes, it exists. Is it likely? No. And then they have to deal with, you know, they understand their business, to understand, like, what do they actually... do they need to go deeper in that way, or can they just, you know, now be aware of it but maybe not spend a lot of time on it? [Joe F.:] I think Matt King, I quoted him, he said to me, like, if you're not, sorry, if you don't have hardware attacks
in your threat model, but watch the wording, if you don't have hardware attacks already in your threat model, this is the wake-up call to do it, and that's what you need to do. You need to worry about the next generation. You need to worry about talking to your suppliers about supply chain security. Tearing apart a few motherboards looking for little white chips is not going to help you. It's a waste of time. It's a waste of money. But having that conversation with your suppliers, if you've never had it before? This is why you need to have that conversation. [Mike L.:] And I think that it's also the same sort of detective control things that we've been talking about for a long time. You need to
think about the possibility of a compromised BMC and what that BMC can reach. If you have a flat BMC network, where one BMC can reach all BMCs, that might be something to look at again. [ Audience Laughter ] [Kim:] Does anyone want to add to that? Because I want to open up to questions from the audience if there's nothing else to add. Okay, does anyone have any questions? Let's take from here first, and I guess I'll have to repeat the question so everyone can hear. [Audience:] Going back to what Jason said about "who's benefiting from this?" It's all well and good for us to talk about it and make fun of the Bloomberg article and so forth, but we're not the audience for this article.
The audience for this article is the general public, who has already been trolled and swayed on a lot of stupid things, on Facebook and so forth. They've upped their game now to Bloomberg, but it may just be... to what extent do you think we're just doing this to sow more FUD in the system? [Joe G.:] There was an article that came out. So the question in a nutshell is basically, whose benefit is this article for? And there's been so much FUD, fear, uncertainty and doubt, in the media. What's the point? We're not the main audience; the rest of the world is the main audience, and what are the real reasons? We don't fully know, but there was an
article that came out about Bloomberg reporting a few years ago, and I don't know if this is still true, that apparently Bloomberg journalists get bonuses based on how they move the markets, so how the markets are influenced based on their articles. The stock of Supermicro dropped 40-something percent when the article came out, and it's been coming back up, so a great time to buy, maybe. Yeah, so there's sort of that theory. Maybe, you know, maybe it's just unethical reporting. People have said, well, you know, with the whole Trump China tariff thing, the article came out at just the right time, another China-bashing thing, and that's why I mentioned it doesn't have to be China, you know; implants could happen anywhere,
but yeah, maybe it's used for political ammunition. The fact that the article has been in the works for so long is sort of like, well, maybe, maybe not, but yeah, you just don't really know the motivations. But when I read an article that Dan Geer had sent me, from Michael Crichton from 2002, I think he was giving a talk, and I don't exactly remember where it was, but he was basically saying, you know, from a technical perspective, if you're a technical person and you read a technical article you go, oh, there's all these problems with it, this journalist doesn't know what they're talking about, but then you go read the rest of the paper and just assume all the other
journalists writing about things you don't know about are correct. But it just puts this weird lens on things: once you realize that something you read from your world is wrong, it makes you question everything else too. So I don't know the motivations. On one hand, though, I do, you know, maybe not to Bloomberg's credit, but the emails... It seemed like the journalists were actually, like, genuinely interested and excited about this, like they found something, and I think maybe there was some piece of technical incompetence and being fed information in a way that they thought they were doing this amazing service when in reality it just confused the hell out of
everybody. [Kim:] I do want to just add, from a journalist's perspective, that this story is sort of at the nexus of two of the most difficult things for a journalist to cover, and that is national security, classified information, because you've got sources that aren't necessarily going to be able to give you the whole picture, but they'll give you pieces of it, and you may have different sources in different areas who will give a piece here, a piece here, a piece here, and your job then is to try and pull this all together in a viable way and a plausible way. Attach that to the technical issue, where you've got two reporters who don't necessarily have a background in technology, don't have a good track
record in covering technology, and so you have two possible problems here where you're going to run into issues. Anyway, open it back up to the audience and take one from over here? Yeah. [Audience:] Aside from the BMC, are there other areas on the motherboard that would make a tiny bit more sense to take advantage of to perform malicious activities? [Joe F.:] So, are there other places you would build something in? Other places that would be easier and more effective to do this? When I read the article and I see the details and put them together with full information, what this tells me is I²C. I²C is a two-wire interface. It connects a lot of low-level sensors and things on a
motherboard, and it's very easy to build a little four-chip thing that speaks I²C and talks to all these devices. It's simple, it's low-power, it's very well understood, and it connects very important things in the chip. I've seen systems that have I²C routed in ways that let you have debug capability of chips on the board over I²C. I've seen systems where, you know, you can write software that will be able to communicate over I²C and tell devices to turn on and off features on the board. Power ranges on the board. Clocks on the board. So we do have a lot of potential for things like this, but again, that's not what the article was telling us about. Maybe you guys want to add to that? [Jason:] Little things, I mean, TPMs are a great
one. I actually don't work for NCC Group anymore; I resigned on Wednesday, so I'm not shilling for my former employer, but one of my colleagues and I, we did a gig on some server hardware that a company was deploying in remote data centers, and one of the things that we started poking at was, like, the TPMs on a lot of servers are on some sort of expander card or daughter card that's entirely removable. It's this little extra card; you have no idea what's on this little daughter card. Like, all things like that. We found a whole bunch of bugs in all of the software that speaks with the TPM, both
in UEFI and in things like tboot, for doing measured and trusted boot, and I'll look at the CHIPSEC people and stuff like that when I say this, because those guys helped me fix those bugs. But that's where, like, as Joe says, there are all sorts of different kinds of peripherals that speak on different kinds of busses, especially the I²C stuff. I²C... [Joe G.:] Wait, hold on, so you're saying, so Jason, you're saying TPM, trusted platform module, I'm being sarcastic, a part that's supposed to be providing hardware security for a motherboard, can be man-in-the-middled and tampered with? So basically the attempt of the motherboard world to try to have something secure can be tampered with because it's over I²C or over
something else, right? [Jason:] Maybe I'll take this opportunity to make a bold claim and say that basically a physical attacker wasn't really in the threat model for TPMs at all. [Joe G.:] But they should be. [Jason:] Well, yeah, it very much should have been. So this is changing, and this is things that the TCG, or the Trusted Computing Group, that manages all the standards that go into things like TPMs and stuff like that, define what they are. I mean, they are aware of this and they are today trying to fix it. [Joe F.:] It used to be that physical access, like the actual ability to touch the system and manipulate it and attack it, that's only in the threat model for game consoles,
and then we've added phones to that, for the most part. We don't have that threat model built into the past 60 years of building computers, right? We have cases where suddenly we realize it is in the threat model, where we have the flipped laptop over and reprogram the BIOS because you stole someone's laptop and you want to bypass their login password, stuff like that, evil maid attacks. Evil maid attacks are this, like, hey, we need to consider physical attacks on laptops, and now this is, hey, we need to consider physical attacks on servers. So we need to look at our threat models, we look at our planning process and our design process, and realize, hey, is physical access
something we need to be concerned about, or is it more realistic for us to build more secure software and have this constraint and say, hey, this server must not get physical access by anyone, including anyone in the supply chain? [Joe G.:] That's actually an interesting point, because even most chips that are out there, if you've worked with designing low-level hardware, including the TPM, any interface on the board, there are very few cases where there's actually protection of data in transit or any encryption or any authentication. The chips themselves don't support it because, going back to physical access, it was never a threat. The problem is, even though physical access is now a threat, there still aren't solutions for that,
and there won't be for a while, until the chips themselves have enough security built in where doing hardware interdiction or a hardware implant is going to be way harder. You know, engineers aren't going to implement security on their own; it's just not going to happen. So everything's in the clear, including TPM, including I²C, including SPI, the LPC bus, the POST bus, like all this stuff is totally open, and any of those could be implantable. Whether it's going to have the same result as the Supermicro one, which presumably was about the BMC, we don't know, but there are lots of places to implant, because everyone's just talking in the clear on the boards. [Mike L.:] Well, I think it's kind of
interesting to look at dTPM, because, like, the hardware threat model of the dTPM is, like, well, we have the secure element, which is, you know, all FIPS-y, and it keeps your secret, but it's not within the threat model to say, like, oh, I could make an evil TPM that has different properties or does something else. It's all about, does this thing have the security, does this little element have the security properties that you assume it has? [Joe F.:] Mike, can you tell me a little more about people's assumptions of hardware security items and whether they should trust them or not implicitly? Like YubiKeys? Are they good? I think they're an improvement. [Mike L.:] You know, we don't trust software because we can
inspect it; we know it's made of crap. So what we need is something immutable, something perfect and wonderful like hardware, and we don't want it to be crap, so we want to make it so we can't inspect it. So it must not be crap, because we can't inspect it, and therefore everything is good. Unfortunately, the world we live in now is that we have people who wanted to make hardware, who didn't learn how to write software, that now write software that makes hardware. [Joe G.:] Don't you have some of those pieces in your little pouch? [Mike L.:] I do have some DoobieKeys. It's just like a YubiKey, except it has the opposite security properties of a YubiKey. Instead
of keeping your secret deep inside and being unwilling to have it extracted even by an advanced adversary, every time you plug it in it just sprays it to everybody. [Joe F.:] Luckily, it doesn't look that much like a YubiKey. [Kim:] Let's take a question over here. [Audience:] So, Jason or Mike said something I think that is pretty... The future is we're all not using hardware. Businesses, right? Nike's shifting over to the cloud, like their entire infrastructure, right? So no one's having a conversation with their hardware manufacturers. It's Apple and Amazon that are having discussions with their hardware manufacturers. We're downstream from that. [Kim:] Did everyone hear the question? [Joe G.:] Yeah, the cloud is just other people's
computers, right? The big companies aren't manufacturing their own; they're just using somebody else's service, and you're just now trusting that the provider of that service is talking to the manufacturers and doing things properly, and yeah, there's risk along the way. There's turtles all the way down, or something. I don't know if that's the right saying, but it sounds good. [Joe F.:] The question was about, when everybody's going cloud, what power do we have? We just have software; we don't trust the hardware. If we look at phones, right, the iPhone, you've got one model that is like every single iPhone. It's the same; they build the security qualities in, and it's identical for every one. When we have a situation where every single company is having their own
hardware server, and they're buying from a different manufacturer and all this stuff, there's a huge realm of what's possible and what's breakable, and the effort for security goes into one model of one server, and it is less efficient. When we go to the model where we have these cloud providers, right, Apple, Amazon, Google, they're going to put the effort into unifying their architecture. Instead of putting all this effort into securing one model that, you know, they sell a million servers of, they put, you know, 10 times the effort in because they're selling 10 million servers. So there is benefit there to having this homogenization and having this, you know, offload. Like, you know, people don't know how to handle hardware issues; they're having
trouble with software, which is why we're going to cloud. So I think there's a potential that these companies are going to have a better grasp of this, and after some news maybe they will put more effort into supply chain security. I think we're headed in the right direction, but we're not there yet, that's for sure. [Kim:] Yeah, go ahead. [Audience:] I'm really interested in the journalism aspect of this story. I'm interested in your opinion about: was this article appropriate to have ever been published to begin with, given they rely solely on anonymous sources? What would you advise to people communicating with journalists about technical stories? Would it make sense to have published the second story that had far more technical details
so that we wouldn't spend a whole bunch of time just talking about... reading the tea leaves in the article? That kind of stuff. [Kim:] Did everyone hear the question? Okay, so just quickly, he's wondering, like, should the article have been published at all, or how should it have been done differently? Should it have been followed up with a more technical article? I don't think that they could do a more technical article, because I don't think that they had the capabilities in staff for someone to do it. I think that the... so, it's tough. They're citing 17 anonymous sources. That's a lot of anonymous sources, but we don't know the quality of those sources, and they're
saying top-level intelligence officials. We have to trust what that means. When you're a journalist and you're trying to give someone anonymity, you're trying to give them distance from their knowledge of something, because you don't want to say "top official in the White House," because that's too narrow, right? So you want to broaden it and make it as broad a description of this expert as you can, so someone can't really identify them. So "top intel official" can be multitudes of many things, right? They're saying that the investigation is done by counterintel of the FBI, so that maybe could narrow it. These were maybe top FBI counterintel officials; we don't know. That, you know, it's a problem for other
journalists. There was a really great quote in The Washington Post by their media writer, who said good journalism should be able to be reverse engineered; other journalists should be able to follow up the story. I mean, we often see that, right? You get a story, let's say The New York Times breaks a story about warrantless wiretapping from the Bush administration, in 2006, and it's immediately followed up with other stories from The Washington Post and from other outlets, who then go to their sources and they're able to confirm this. No one else is able to confirm this, in part because there aren't a lot of details that you can pick up on, but even the detail of a manufacturing
plant in China, a chip found in Supermicro, there are enough really specific details in here that every journalist should be able to go back to their own intel sources and say, what's up? And we all got blank stares. We don't know. So I don't want to dismiss the article entirely. The plausibility is there, of implants. I agree with Joe that maybe there were wires crossed and they got information from here that they combined with information here, combined with information over here, and it's sort of a conglomeration of mud in the end, with some concern still. [Audience:] How do you protect yourself in journalism from sources who are pushing... [Kim:] Who have an agenda. Every source has an agenda. Joe has an agenda. Everyone on
this panel, when they speak to a journalist, has an agenda. You can decide whether or not their agenda is benign, helpful to the reader, or malicious or political or whatever, but every source has an agenda. That doesn't make them a bad source. You just, as a journalist, your job is to know what the agenda is and work around it. Is the agenda that they're trying to pull one over on you? Well, you don't rely on one source, right? You want to get multiple sources and weigh information against each other. But yeah, everyone has an agenda, and so you have to figure out... and even a whistleblower, right? Everyone always says whistleblowers are disgruntled workers. That
doesn't disqualify what they have to blow the whistle about. So it doesn't matter if someone's agenda is a negative, if it's revenge, payback, whatever. What you want to focus on as the journalist is the information: is it viable information? Can you confirm it? That's what it comes down to. [Joe G.:] I think, to go along with that, to answer Jared's question in relation to that, every source might have an agenda, but every journalist has an agenda too. All right, so that's the thing to be careful of. These journalists might have already had an agenda of what they want to do, using us and using anonymous sources as a way to get there. But to answer Jared's question about how can we talk to
journalists, which is a totally, you know, we could have an entire session on how to talk to the media, but I remember something as a kid being told: no matter what a journalist asks, you can always answer with what you want to say. So they could ask a completely separate question, and it's like, if you're pushing, you know, futel or whatever it is, you can always answer regardless, "I believe in this," and say it. It doesn't mean they're going to take it. If it's on film, it's more likely maybe they'll use it if you keep repeating that, or they just won't use you at all. But if it's in written form, you just try to do your best to push again
your agenda, the way that you're trying to educate them, but just remember that they can always use that in different ways, and we've had that experience through the L0pht with... MTV really screwed us one time, where we thought we were feeding them the right information and then they took it and pushed their agenda. And so sometimes you don't know, but you just have to be careful of what you say. [Kim:] Does this panel go to 10:30? Because we're now at 10:30. Okay, we have some more time. Let me take a question over here and then come back to the middle of the room. Is there anyone over here? Okay, back to the middle. [Audience:] Why didn't Supermicro come up with a circuit diagram and say, this is the chip, there's nothing offensive or bad on it?
It wouldn't have had their stock price crash so bad. [Kim:] But you're assuming the chip exists. [Joe G.:] Or the location of where where it was or something I don't know I mean let's assume in do you release your schematics to prove a point? Depends on how you know, I don't think they're open-source hardware so they might be a little tentative and in doing that or maybe it's gonna try to show if they're defending it that much maybe they appear guilty or something. [Mickey:] Yeah you release your IP it's just you lose money. It's thousands of hours goes into developing these schematics per product line and you don't just go here you go look at all my secret stuff. [Joe F.:] And if you-
[Audience:] And a follow up would be, would it be possible to buy a Supermicro board off of ebay and see what the heck chip is? [Kim:] I think everyone in the country has been looking at their Supermicro boards so, you don't have to go to ebay to get one. [Jason:] You keep assuming that that chip exists. It's a fictional example. [Joe F.:] It's like the golden ticket on the chocolate bar. [ Audience Laughter ] Except there are no golden tickets. [Joe G.:] But supposedly there's golden tickets in every single one. [Joe F.:] Yeah, so let's buy them all. [Kim:] Let's get another question, yeah. [Dean:] So back to the journalistic integrity kind of stuff. [Kim:] I didn't realize that I was going to be on the show. [ Audience Laughter ]
[Dean:] I do kind of feel like there at least is some, like a little bit, of value in the lower-technical, poorly sourced articles, because we have had situations where there's anonymous sources saying this stuff and then you have NSA officials dismissing it, which then inspires people like Mark Klein to then dump documents, who then inspires Manning, who then inspires Snowden. [Kim:] Sure, yeah, so you're talking about something entirely different here. You're talking about... it's often good to have an unofficial anonymous source hang themselves, to actually take a quote from someone, get it out there in the public so that the real people who know the real information can come back and counter them. We had that with Clapper, right? So Clapper goes in to testify before Congress, and the question to him is, does the NSA collect information on any Americans? And he goes on record and says absolutely not, and what do we get in response? We get Snowden dumping documents saying, oops, so we actually are. So there is value in journalists reporting anonymous sources that maybe are getting information wrong or are misrepresenting it, and that does open the way for sources who ordinarily wouldn't go to a journalist, who absolutely would never talk to a journalist. They see something like that, like Snowden never would have gone to a journalist, they see something like that and that's the motivation to set the record straight. Question in the back? Yep.
[Audience:] I realize a lot of this is speculation, so maybe answer as you're able, and you may not even be able to speak to it, as I think it's maybe more of a supply chain question. In speculation, if this chip existed, where in the supply chain would you be able to put that onto the board? Would it be at any point in the supply chain? I have a little more, though. Specifically asking, would you be able to ensure its delivery to the source that you're targeting? Because working with the military, I've never worked with hardware, but I've worked with software. I know that there are several things we have to do to verify before we put something onto the wire. It's to control where it's going to go. Because the last thing you want is a chip like this getting into places you don't want, and with consumers and sources you don't want to happen. And so, where in the line would they have to be able to identify and guarantee where this is going, to do something like that?
[Joe G.:] From a hardware perspective, talking about the story, they say that this implant was seated onto the board, meaning that it was implanted not as an extra add-on module but as an extra chip, or within an existing chip, on the board. So that would have had to be done by the manufacturer, which is actually, they say, a subcontractor for Supermicro, so one of many contract manufacturers building stuff. That would have been in the parts acquisition stage, and we know even within the military there's, like, I think... I'm not gonna quote the number because I can't remember it, but some huge percentage of parts are counterfeit or bad in some way, because of the government requirements: anyway, you have to buy components that aren't manufactured anymore, so you have to go through these parts distributors that are harvesting parts from old things. So you have a questionable supply chain even before parts get to the factory. The article itself had said that some Chinese official had pressured somebody within the factory to implant the part, but yeah, you could get the parts beforehand. But when they're implanted on the board, I mean, the way that I would do this is, you know, the engineers who are designing the system, even if there's a hundred of them working on the motherboard, when it's going through the actual initial pre-production stage, sort of the prototyping and pre-production stage, people have their eyes on everything, right? They're looking at everything, they're testing everything, so an implant at that stage would be detected fairly easily by the engineers or by the test engineers or manufacturers. But once the system goes into production, I know personally, and anybody who's designed hardware can probably attest to this, once something's in production you don't really look at it again, right? You maybe do a spot check once in a while to make sure your quality is still good, but the engineers who designed it aren't looking at it anymore. Then it's just manufacturing. So I would say after pre-production, once the system goes into production, is when a rev could be made. Maybe they just call it an engineering change order or a vendor change and then slap that in, and then maybe the test procedures are not written to look for it because they're written for the version before that. So I think there is a way to get it in, but again it's all, you know, why?
[Joe F.:] The article specifically says, I think the wording is, Supermicro excelled in the industry because they provide unmatched customization, or something like that. So basically if you're buying ten million servers and ten million boards and you tell them exactly what you want, then they go and they make those 10 million boards all at the same time, and like Joe said there'll be some qualification testing and everything, but then when it's time to make 10 million boards they just make them all at once, right? And that's its assembly: you're already getting a machine to put all these components on the board. You know what's really easy? Swapping a reel out, right? You swap a reel out of 2,000 resistors with 2,000 implants, and that's where you do it, right? It's swapping a reel, and if it looks the same you're not gonna pick it up visually; if it functions the same you're not gonna pick it up. So speculating, this is all speculation, right, that's where you do it, that's how you do it, and that's how it happens and that's how it doesn't get detected. So it's not like magic that they know, like, oh well, I'm gonna do this board and roll the dice and there's odds that it'll go to the United States and maybe it'll get sold to Apple. It's like, okay, there's an order for 10 million boards or ten thousand boards, I don't know the numbers, and it all goes down, and all the way at the factory they know exactly where this lot is going on the way out.
[Mike L.:] But this also points to the difficulty in making something like that. You need to be able to provide an implant that does not measurably impact the reliability or the performance of the item, and you need to be really sure of that, because that is the way your operation is going to get burned: when things start going into RMA at unusual rates, that's when people start investigating. When people start returning them, they start investigating why this is happening. The people who designed the board are the people who start investigating.
[Mickey:] Even if you... let's assume you have a perfect implant, undetectable, no RMAs, it's amazing. You still have a target, and the farther back you go in the production to implant your chip, it's a shotgun, right? The closer you are to the barrel the more precise you are, the barrel being the source of the implant. If you put it in the reel, like Joe suggests, you're gonna hit everyone who gets the board. If you want to be more precise you need to involve more humans in the process, and exposing more people in an op gets more risky for getting discovered. [Joe G.:] Could this be why the ANT catalog is showing physical things that you can add on after the device has been manufactured, because you're targeting one person, instead of selling chip-level things that could be implanted during the supply chain? [Mike L.:] Or maybe interdicting packages? [Joe G.:] Yeah, that's right. [Kim:] Yeah, question, yeah. You. [Audience:] So I'm listening to this, and I know that there's an application issue and security issues with the Internet of Things, and I have looked into that a lot, but all of a sudden people are going to be carrying things around that maybe have wireless access and they may be able to scan things. How does that impact, and how do you speak to a public where this is also the situation?
[Mickey:] I'm gonna say something before Joe says something. So quickly, all those IoT devices they talk to... we're looking into the future, the near future of 5G, everyone's gonna have something that talks to something, but all of those fan out to a server somewhere. So if you want to look at the threat model for specific devices, it's more individual, personal targets, more individual specifically, but when we talk about implants you don't go into this effort and investing millions of dollars for something like this. You go into: I want everything. I want everyone's data. [Joe G.:] But what about the stuff that MG is working on, right? So consumer-level 199 things you can buy on DealExtreme that are a cable, or what you think is a plug, that has a GSM, you know, audio receiver spy thing. That's not a hardware implant like a network-style thing, but the practicality is there, and anytime you buy something from an untrusted, even on Amazon now, an untrusted source, because if it's not sold and delivered by Amazon, even if it is, you don't know, right? Everything's coming and could be modified. And what do you have? Do you have pictures? You want to talk about that? [Mike G.:] I just wanted to add that on that exact topic there are things for like ten bucks on Amazon, GPS tracking cables and stuff like that, hot mics that you can just light up remotely. So yes, there are malicious individuals that can leverage the type of power that we're talking about here, and that's certainly worth talking about, certainly a very different topic that we could go into. [Mickey:] That's on your attack model. [Mike G.:] Yeah. [Kim:] So we only have time for one more question, and you've already asked a question so I can't take you. [Audience:] So as we add hardware attacks to our threat model, what are the mitigating security controls? Is it software, hardware or some combination of the two? [Kim:] Repeat the question before you answer it. [Joe G.:] No one wants to answer 'cause that's a really hard one. So the question was, assuming we build hardware attacks into our threat model, what are mitigating factors we can take?
[Mickey:] It's all about detection, I think. My opinion is, if you have a hardware implant, mitigating it would be a pain, but detecting a hardware implant from software will... it's a tough question, like Joe said, it demands a lot of creativity. Let's call it like that. It depends on each case, each hardware, each scenario, and what controls does the software have and how much trust can the software put in those controls. [Joe F.:] There's a lot of talk in the software world of people wanting to build perfect security, and we realize it's not possible. So what we look at is the cost of attacking versus the assets you're defending, and when we talk about things in the hardware world it's the same thing. We have, you know, things that you can do: make sure your keys are on a chip, but then it's not resistant to chip-level invasive attacks and side-channel attacks. These things get more expensive very quickly. They go from things where you can attack one device and break all of them, to attack just one device and you only break that device, and it's destructive in the process. So looking at what mitigations you can put into place, whether they're chip level, whether silicon level, whether the board level, and what the cost to an attacker is gonna be over time, that's really the way to balance it, that I know is possible. [Mike L.:] And I think it goes back to, like, our trust model and our threat model. You have to have a trust anchor somewhere, and if you know really where that trust anchor is then you can build mitigations. The problem is that we have where we think the trust anchor is and then all these other things that we're implicitly trusting that we don't really think that we're trusting. [Kim:] And with that I think we'll have to wrap up. Thank you all for coming, and join me in thanking the panelists for this great discussion. [Joe F.:] Thanks very much, Kim, for coming all the way up here to join us for this panel.