I just thought the interesting sort sure about what you think about it and whether it's something that is easy to do or always

possible the original article alleged that

Certain servers being supplied to companies were being

doctored for developers with extra Hardware being added so that they could then be used to

Exfiltrate information from the companies. The report seems to have been discredited quite heavily by

Other parties whether it actually happened or not. I don't know. I'm not seen any of the servers

I'm not a hardware or cyber security expert but it's certainly an interesting question to talk about

Well, what would you be wanting to do? And why would you want to say perhaps do it in?

hardware

So, I've got a server motherboard here so it's a standard machine but often servers come with extra support to make them configurable

So this is an Intel Xeon

Processor and this is a for management control when installing lots of servers

You will put them in racks of places in your data center

you've got

Necessary storage cooling and things and one of the things you don't have to do is when something goes wrong

You need to reboot your machine to have to sort of find out where the machine is

Turn it off and on again plug a keyboard and monitor in it to do any sort of maintenance on it

So what modern servers do is they have these chips on there which generally computers in their own?

Right and they enable you to connect to the machine?

Even when it's switched off and do certain things with it, like turn it on turn it off and even interact with it

So I've got a machine at home with all of these things in and if I just bring it up

I'm now connected to it and it's got those things so I can look at the sensors see what the fan speed is

I've got options to turn it off. Turn it up. Turn it back on again reset it

On some of them I can either

reflash the

BIOS or the UEFI in this case and generally managed to the server and to the full extent that I can actually

Bring up effectively a virtual console a virtual keyboard and display

as it's done here where I can interact with the machine so I could

Login put a ISO image of a CD or a DVD in there and install the operating system

Why would you be wanting to do this?

And why would you decide to do it via hardware rather than just getting someone to run some malware?

And so we need to sort of clot back and think about this. So the alleged what's happened, is that the third party?

Needed this decided they wanted to infiltrate

Hackney computers Hackney computers made up an identification with actually be the company's live-in go to see should be

Animals were harmed in making this completely absurd Hackney computers that ordered I say

Several thousand servers and so because when you're building that menu it's going to be a special order

so, you know probably who they're going to and the

The story goes that an extra chip was inserted onto the motherboard of those machines that were destined for

Hackney computers, I fully believe that it's possible to do this

I think there's enough ways. You could connect things and actually what we want you to do

We want you to get our code running inside their

environment now if you think about a traditional

companies where they traditionally lay out

Their data centers and their networks is that you'll have a perimeter firewall around things to stop things getting in

It's a bit like the old fashioned medieval castle right once you're inside the castle wall

you've got a moat around it and the drawbridge of the trough was just pulled up then you can't get in but if you've got

someone inside already

Perhaps is away by a shining light shooting an arrow over the walls that they could communicate

One possibility is that they've added a little bit of extra code

Into the board management control and that ship contains that extra code and then they've got a machine

Ok

Very low powered one on the inside of the network

While that forward management control of the BMC is likely to be on a network which is limited in what it can connect to

It's probably likely to be able to connect to other board management controllers on the same network

And of course as we've seen you can connect to the board management controller

You can then log into the machine. So one potential

thing is that they

Use the board management control in the same way that we might put a Raspberry Pi or the cheap computer on the network

And then we can use it as a staging pose to connect to other things these board management controls that can also

Do things like flash the BIOS? And so it's potential that actually this is used as a sort of a

Staging post to actually attack the machine itself

And again, I think you would we have to assume that they didn't actually know what was going to be running here

They could probably hazard a guess at the operating system and unlike the board management controller

That machine probably is likely to be able to connect directly out to the internet perhaps to download software

updates and things so normally when a machine is running you have

different modes a CPU can be executing in you have a

Sort of mode where the machine has access to everything and that's where your operating system works and depending whether you're on

x86 and armor six eight thousand machine it might make me known as

ring zero kernel mode supervisor mode

But at that level you've got full control of the hardware the machine if you can do that you can then stop it being seen

By people using the machines you can hide it sort of rootkit as it tends to be known

but you think I'll probably get it running as

Supervisor mode and there's two ways. You can do it one. You can find some sort of exploit

Some part of the operating system that isn't well written so that you can get it tricky to start running your code

And so that's where you see the sort of exploits

things you find some way of tricking the software to do something that didn't intend to do make use of that to

Take control of the system

The other option is that you just get the code loaded in the place. It's the operating system

So you modify the operating system itself when this machine shipped to hack me computers

Then pack free computers will install that operating system of choice and see what you can't modify that then

But how does that operating system get loaded off? Well that gets loaded off disk by another program called the bootloader and

The bootloader is a program on the disk

which gets loaded by the bios or the UEFI and the bios of the UEFI depending on the machine is on an EEPROM on

The motherboard which can be flashed by the board management controller

And so you can see another potential way that you could hack the machine is that you say, okay

I'll put some hardware on the machine which modifies the board management controller

to

modify the bios of the ufi to modify the bootloader

after it's been loaded because the voice has the permission to do that at that point to modify the operating system after that's loaded to

Embed the malware

I want to get executed and so it'd be a nightmare to be over because he running software

Which modifies software which modifies software?

Which modifies and I think I've got the right number of levels of indirection there

Actually, there is another way you could potentially trick things there in that

We talk about ring zero being the lowest level but actually when we've added support for virtual machines and hypervisors is now a ring

Minus one as it tends to be referred to and so it's potentially possible that you could actually get a hypervisor

running before

Anything else on the machine and so the machine was running in a virtualized environment that they didn't know about

So that's another potential way of doing it and again you then have access to be able to scrape memory and find

things that were the software you can put it on let it run delete it and

It's as if it was never there type sort of thing with the hardware

You can't really get into the dead center necessarily and take all the chips out that you've put in there

So you probably will make the chips look like they're meant to be there like they're something else or hide them

So the way a modern printed circuit board is constructed is a printed circuit board that Scott several layers of fiberglass sandwiched together

With traces of the tracks of the circuit running through them

So you got the top layer and the bottom layer but often several three or four layers inside as well

These only got six layer PCBs and things

the story goes that actually now the chips are so small that they're embedded between the layers of the printed circuit board so that actually

You wouldn't necessarily notice it. I think you'd want to design your

Hardware exploit still make it look like it was meant to be there

it's only if you had sort of one with it and one without it that you perhaps

Noticed that there was something odd about that machine

Detecting it would be difficult. I mean the stories

They've been sort of suggested are that they're detecting it mainly through odd network access

And so again that suggests what the software is doing it is connecting just other machines that I was not expected to

either inside the company or outside the company and

accessing things in a way that you wouldn't expect you to do and that is probably your sort of best bet for

Detecting these sort of things is all these machines doing what you want them to do

And the best way to do that is to sort of monitor your network and run software

Which is sort of learning what's expected traffic and non expected traffic and liking things because obviously if you've got a huge data center

Thousands of machines in it spotting the needle in the haystack

Is a tricky problem so they may not connect directly to a server and upload it all

But it may well be that they just do a domain name lookup on

Certain domains depending on certain bits of data being there. And so and that's enough to tell people that actually ok

This machine here is just that requested a specific domain that

Doesn't exist

that means that it's found what we asked it to look for and we've just returned a specific IP address perhaps that says go and

Destroy all the machines at Hackney computers or whatever is you wanted to do

Which means that we don't tend to use it very often horse is much further up the list

So a correct and batteries further up the list as well. I mean, we all have phones we talk about batteries all the time. So

If you hypothetically picked for words that were in the top 500 then suddenly the search base is 500 to the power 4