The component substitution thing is something I had to deal with in my last job. The STB hardware partner quietly substituted an off-brand voltage regulator that was being used to deliver power to a QAM tuner module, but would overheat under normal load. As a result the production boxes (and not the dev boxes!) would mysteriously lose tuner lock after being plugged in for about 30 minutes. We chased down all kinds of possible firmware and SOC overheating issues, but eventually I noticed that this one tiny component looked slightly different and was able to prove that it lost voltage when hot. The result was the hardware partner having to send an engineer with a heat gun to stand there and hand-swap 5000 surface mount components in a dimly lit shack on the customer's home island. What a fiasco.
Agreed as to the comments on the Supermicro hack. The implant as described in the BW article made no sense, and given that something appears to have happened, it was obviously one of the other attacks and the friendly government alphabet soup doesn't want to give away methods as if they were that secret. One of the best ways to reduce (or at least shape) the attack surface is to stick to sourcing and manufacturing in the US. Digitally signed reel labeling and tracking should be a common best practice for active components. And caveat emptor to anyone who uses closed source hard/soft/firm/etc. -ware developed in China.
Amazingly clear and detailed insights into the supply chain security threat.
Cory Doctorow sent me here, 45 mins well spent. Cheers!
So you were using a China brand "Lenovo" laptop to present security!!!???
Pity this doesn't have more viewers. :(
Wow! I really enjoy this video :)
If we could merge this into a rave format people might watch. He is kinda hot
In short, everything is terrible and we're all screwed.
Microsoft Israel? Urgh
Great Talk!
Really Blew my mind!📟🤯