Earlier this week, Bloomberg reported that a major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company. Commenting on this, Chris Day, Chief Cybersecurity Officer, Cyxtera:
Recent news about the potential discovery of a hardware implant involving Super Micro Computer and a major U.S. telecommunications company has raised a lot of security questions about supply chains and downstream risks. The supply chain is always at risk but in this case, vulnerabilities within baseboard management controllers (BMCs) have existed for a long time.
As evidenced by research we conducted earlier this year and presented at Black Hat USA 2018, BMCs can be exploited for malicious purposes, with or without a backdoor implant. Once compromised, we found that it was 100% possible to launch an attack using remote code execution. BMCs, or any system with network access, are vulnerable to attack.
It doesn’t require an implant from a nation state adversary. Organisations must protect themselves by practicing defense-in-depth, especially across their supply chain. Additionally, it’s important to isolate systems at the network level. In our research, we were able to mitigate the risk of inbound calls to the BMC and lateral movement using a software-defined perimeter solution.