Acreto Security

The universally accepted rule is that the Information Technology (IT) team has the final say on all things technology — right? Not so fast! 

HTTPS is not Security. It's Privacy – and one of six fundamental security imperatives. Listen to the audio article by Acreto to find out more.

5G is coming! 5G is coming! But in the 4G LTE era where access is lightning fast, what is driving the push for 5G?

4G networks is a technology from the 2000's with
one primary intent -- to enable mobile devices to take advantage of
apps. In order for the apps, app stores, streaming and other services
to be successful, mobile devices need to just plain work. This means
they must work transparently, reliably and consistently for users to
interface and interact with their apps and content. 4G solved the
problem with 2G, which was data unusable, and 3G, that at best was
used for email and some browsing in a pinch. To that extent, it has
been a resounding success.

However, connected devices have seeped into
everyday life in a low-key and transparent way. So much so that the
prevailing industry mantra is that "IoTs are coming". In
reality, IoTs arrived long ago. Today, mobile phones are ubiquitous.
So ubiquitous that the mobile phone market has all but saturated.
However, IoTs that are perceived to be "coming" number
twice that of mobile phones today (16 billion vs. 8 billion).

Just think about how many smart devices are in
your personal life already. All the smart TVs, smart thermostats,
smart door locks and video doorbells, and more. Today, some version
of anything and everything comes with an IP address. Tomorrow,
everythingwill just be assumed to have an
IP address. IoTs are used for measurement, reporting, monitoring,
content dissemination, cost management or performing a variety of
functions. And in many instances, technologies are IoT enabled due to
plain old peer pressure. Everybody else is connected and we have to
keep up with the Kardashians.

Today, things that matter are connected - and
there are a lot of things that matter. And we are well on our way on
the trajectory for “connected everything” to be the
standard.

The exponential growth of connected devices has
strained our communications infrastructure beyond its breaking point.
This has driven the complete exhaustion of IPv4 addresses, which has
forced unwilling network operators to fast-track transition to IPv6.
Moreover, network operators have realized that much like IPv4, the 4G
LTE network is cracking under the burden of connected devices.

In reality, 4G just can't keep up with the scale
trajectory and performance demands of IoT technologies. One of the
key factors for 4G is that it is not decentralized enough. As
decentralized as 4G networks are, they are still too centralized for
the continuing increase in the volume of IoTs.

There are three missing infrastructure elements
that have to mature in order to fully support the scale, form and
function of 21st century Internetwork of Everything.

• First, Scale - Comparatively,
  enterprise technologies are like a gorilla, emphasizing static
  tools, however, IoTs are like a swarm of bees. Completely manageable
  in small quantities, overwhelming in medium quantities and
  suffocating at full scale.
• Second, Form - In
  comparison to autonomous and network-centric technologies, IoTs are
  distributed and operate on many different public and private
  networks with dependencies on remote third-party operated
  applications and management.
• Third, Function - Today's
  standards-based technologies can be used in a variety of roles.
  Inversely, connected technologies are often small and resource
  limited, single-function devices that perform micro-functions.

Connected devices, IoTs, cloud-enabled
technologies or, whichever other name they may be referred to as,
operate at a radically different scale, with radically different form
and function characteristics. Ultimately, they demand a radically
different technology infrastructure altogether.

The Internetwork of Everything requires
each and every device, server, cloud, desktop and anything else that
makes up the Internet – no matter how small – to have a unique
identity. Today we primarily use the IPv4 addressing scheme. IPv4 has
a maximum capacity of 4.2 billion addresses (4,294,967,296 to
be exact). However, consider that we have over 8 billion mobile
phones alone, and another 16 billion IoTs in use today, not to
mention all the computers. The world has turned to tricks like
Network Address Translation (NAT) in order to compensate, but these
are just band-aids that are currently straining at the seams.

IPv6 has been around since 1994 and in contrast to
IPv4's 4 billion addresses, it sports 3.4 x 10 to the 38th
power addresses – or 340 undecillion, 282 decillion, 366
nonillion, 920 octillion, 938 septillion, 463 sextillion, 463
quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million,
211 thousand and 456, to be exact. Its support for the next
generation of IP addresses is adequate for the massive scale of IoTs
– but, this also makes it more complex to configure. Many
technologists have not had the "muscle memory" experience
they have developed with IPv4. However, there are no IPv4 addresses
left.

Because of this, technologists are pushing to
implement IPv6 on all their networks. All the major players have
already fully implemented IPv6.

Anecdotally, IPv6 is said to have as many IP
addresses as we have grains of sand on the earth, which should serve
us well in supporting the massive expansion of IoTs to near 50
billion in the next few years.

5G, as its name implies, is the 5th Generation of
mobile networks. It has several advantages over previous generations
of mobile network tech including scale, performance, and availability
as well as demands on its constituent devices.

Believe it or not, the highly decentralized 4G/LTE
networks are not decentralized enough to support IoT and connected
device platforms. It all comes down to density. The sheer number of
IoTs are driving a level of density that can best be described by an
"IoTs per square foot" model compared to today's devices
per base station cell area.

Making some broad, yet reasonable, assumptions,
the average 4G/LTE cell tower today supports an area from a few miles
up to 10 square miles. Each cell tower is supporting several thousand
connections at up to one gigabit per second of data throughput. The
number of mobile phones and IoTs in any cell area is starting to
outpace the maximum connection or bandwidth capacity of the towers.
At this rate it won't be long until portions of the infrastructure
are fully saturated.

Another factor that needs to be addressed is
frequency spectrums. Currently, most mobile networks operate within
the 700Mhz (Megahertz) to sub 3.0Ghz (Gigahertz) frequency spectrum.
This sub 3.0Ghz spectrum is also becoming saturated, and will soon
not be able to support the spectrum needed to support the volume of
connected devices.

This though, is where 5G networks really shine. 5G
operates using a greater number of cell towers with smaller coverage
areas each with the capability to support a greater number of
devices. 5G also operates at much higher frequency ranges – from
3Ghz to 30Ghz. The additional range buys much more capacity for
existing carriers as well as providing more operating room for
additional more nuanced carrier networks. More carriers means more
competition driving lower prices and more specialized service
providers supporting specialty technologies.

There is also more capacity and intelligence built
into 5G. It uses cognitive techniques to distinguish between mobile
and static devices to determine the best methods for content delivery
to each network subscriber. 5G offers robust performance that meets
or beats network bandwidth only available via fiber optic networks
today. 5G has been tested in a lab up to an astonishing 1Tbps
(Terabit per second) while still maintaining a real-world practical
performance of 10 to 50Gbps.

5G's scale, capacity and performance is a
game-changer.

Aside from adequately scalable addressing and
communications infrastructure, securing all of these distributed and
diverse platforms that use them is another challenge that has to be
overcome. Realistically, the combination of 1) unique identity for
every individual technology that IPv6 provides, 2) the enhanced
communications capacities and capabilities of 5G along with 3) the
support for many to many communications that the combination of IPv6
and 5G offer, makes security not just important, but an imperative
necessity.

Today's security models are not adequate for the
new generation of infrastructure. The challenge is that a whole new
security model is necessary to support the IPv6 / 5G new generation
of communications. 

On-device security is not viable because the sheer
volume and large variety of unique and purpose-built technologies
that need to be secured create an uncontrollable hyper-fragmented
jumble of security tools. This creates a patchwork quilt of security
tools that organizations have to acquire, implement, integrate,
operationalize, manage, troubleshoot and refresh. A complete
non-starter!

Network security tools just don't support mobile
and distributed technologies -- the very thing that 5G enables. This
is like trying to fit a square peg in the security round hole.

Then there are the cloud-based IoT security
companies. Securing distributed platforms from the cloud is very
viable, except that almost all IoT security cloud plays are what is
referred to as "You're Screwed" technologies. They
are notification oriented technologies that collect logs from devices
and analyze them to determine malicious behavior. Once malicious
behavior is detected, they notify administrators who have to manually
respond to each incident. This approach is reactive and not
sustainable at scale.

IPv6, 5G Networks and IoT Security are the
critical trio that have to work cohesively and effectively at scale
to serve as the enablement platforms for a more prolific use of
Internet-of-Things.  A shortcoming in any one of these areas
translates to shortcomings in the overall solution. Today, IPv6 is
well established and though not ubiquitous, it's close, and there is
clarity on how to get it there. 5G is very much well on its way and
the telcos have already started their 5G rollouts. Security still
remains an unanswered challenge.

Acreto recognizes the weakness in today's available security options and has developed a platform from the ground up to work hand-in-hand with IPv6 and 5G networks to empower and enable the Internet-of-Everything. Learn more about Acreto's platform on our website here.

Also on our website, you can find links to the American Registry of Internet Numbers' (ARIN) notification to network providers of IPv4 address exhaustion, as well as another letter on how to deal with IP address depletion from the Number Resource Organization (NRO).

Learn more or read online by visiting our web site: Acreto.io — On Twitter: @acretoio and if you haven’t done so, sign up for the Acreto IoT Security podcast. You can get it from Apple – Google or your favorite podcast app.

About Acreto IoT Security

Acreto IoT Security delivers advanced security for IoT Ecosystems, from the cloud. IoTs are slated to grow to 50 Billion by 2021. Acreto’s Ecosystem security protects all Clouds, users, applications, and purpose-built IoTs that are unable to defend themselves in-the-wild. The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto IoT Security on the web at acreto.io or on Twitter @acretoio.

Why We Did This – Facebook’s New Product: You.

In a number of confidential strategy sessions with
the Acreto Advisory team, led by Bob Flores, former CTO of the CIA,
we set out to identify a number of potential mid to long-term threats
that we should monitor. In studying the challenges that come with
securing and adopting IoT technologies, and based on the complexities
of how they operate and the dependency model that is established
sociologically, we realized that Facebook, Google, and other similar
tech giants are starved for data points.

“It used to be that analysis of large amounts of data was limited to the biological capacity of the person. Computers didn’t used to have the processing power nor the algorithm and data sciences that they do today. Now, that’s not the case. The fact of the matter is that all these social media companies are data-starved. The more data points they have, the more they can absorb. There is no overload capacity for these social giants.”

Babak Pasdar, CEO and CTO of Acreto

Given recent events, and since we had one of the
foremost experts in data collection in the world with us, when
conversation turned to Facebook, we honed in on their data collection
platform, where they are now and where they are heading in the
future. We uncovered enough in that meeting to warrant a deeper dive
into the Facebook machine. We studied the company, their practices,
their history, their technology and even the psychology of its
management team. We uncovered a lot of information and the more we
uncovered, it made us want dig more. Through extensive research
exploring investments, patents, acquisitions, market positioning and
even management’s comments, we uncovered data that we thought was
concerning.

Pasdar explains, “We first became professionally interested in Facebook when we realized they have pinned their strategic future on IoTs. Where once Facebook’s information sources were limited to a handful of devices like computers and phones, with IoT integration they can collect much more granular data from hundreds if not thousands of sources.”

Part of what makes addressing this challenge
difficult is that the social media companies have features and
functions that people want, and that they have built social
environments that have become 21st century meeting grounds. These
platforms are where the global community meets. All of the data
points that IoT devices represent are a factor that can be difficult
to overcome because there are these functionalities that may be
highly desired or necessary for the social media perspective as it
relates to people and our attitude towards ‘connecting’ with
others. It’s really an all or nothing thing to have these features.

What we’re doing, first and foremost, is
identifying the problem. We are also offering organizations and
consumers a balanced choice so that they can share the information
they want to share, they can utilize the services of the platform in
the granular way they desire to share or engage, and they are
empowered and able to not give away the data that they want to
protect or keep private.

Facebook has proven it can be a kingmaker. Despite
the company’s public relations lines, it’s clear that every party
and every politician, for any seat, will engage in Facebook hacking.
We define Facebook hacking as utilizing publicly available resources,
along with coercion and manipulation of people, technologies and
process to gain advantages. Advantages that can be for a cause, God,
pocket book, or country. Facebook hacking is not just limited to
politicians, but also extends to adversaries including those who wish
physical and economic harm upon others. The stage has been set for
compromising and manipulating entire communities.

When thinking about securing IoT devices, we think
like hackers do. How do we break it or steal it? How do we manipulate
it or prevent it from functioning? How do we destroy it? These are
the questions we can ask.

Hacking is not direct or simple. Many times,
hacking involves a complex orchestration of multiple components that
typically has many permutations. When thinking through this, we
realized first, how integral IoT devices are to social media, and
second, the impact they have on privacy and on how we live our lives.

If Facebook and Google can know as much about you
as they do today with just a handful of devices such as your
computer, your phone, or your watch, picture how much they would know
about you and how they could manipulate you – and how they could
manipulate societies, economies, or even democracies – when they
have thousands of highly granular data points for each
individual they track.

Facebook’s reach is astounding. The organization
collects a constant stream of data from one-third of the world’s
population, and have their roots nestled in half of the world’s web
sites.

In Acreto’s Facebook Dossier, the team makes the
case for Facebook as spyware and a personal information trafficker.
Along with the dossier, Acreto is announcing new technology
specifically designed to protect and prevent direct and indirect data
leaks to Facebook and other data collection platforms such as Google,
among others.

Facebook’s New Product: You.

Overall, the dossier
explains how Facebook is intrusive for users and non-users alike.
Most notably of recent events, the Cambridge Analytica scandal
revealed a vast, deeply intrusive analytics manipulation with
Facebook at its core. The extraordinary amount of private data
collected from Facebook was used to target conservatives during the
2016 US presidential election. The information gathered from multiple
testimonies to US and European legislators and regulators shed light
on Facebook’s IoT strategy and sets the stage for intrusion of
privacy of historic proportions. Nothing is more illuminating about
Facebook’s strategy of data collection than their recent
acquisition of Onavo, dubbed a “mobile data analytics company”,
but in actuality, a ‘man-in-the-middle’ masquerade to collect,
store and analyze all user communications for Facebook’s use,
benefit, and profit.

Facebook came, Facebook saw… and Facebook
continues to conquer: this time, your IoT devices.

“Cambridge Analytica is the canary in the coal mine to a new Cold War emerging online. Soon the so-called ‘Internet of Things’ will become the norm in American households. Algorithms will soon be driving our cars and organising our lives. This is not just about technology today, we have to seriously consider the implications for tomorrow. To put it bluntly, we risk walking into the future blind and unprepared.”

Christopher Wiley, Cambridge Analytica whistleblower

Cambridge Analytica and its parent company, SCL
Elections, used a suite of political psyops tools in more than 200
elections around the planet. The vast majority of the targets were
third world and underdeveloped countries, many without the resources
or knowledge to defend themselves. These efforts were in preparation
for their biggest effort to date: The US 2016 Presidential Elections.
As we have rounded the corner for the 2018 mid-term elections,
Facebook and their capabilities loom large, especially when there is
no buy-in from the topmost echelon of political leadership.

Your data is no longer your own. Facebook wants it all and they want it now to weaponize their most valuable product — The User.

To read more about Russian nation state hacking of the US Elections and how cyberattacks come together, check out a two-part collaboration between Acreto CEO, Babak Pasdar, and former CTO of the CIA, Bob Flores, here.

Learn more or read online by visiting our web site: Acreto.io — On Twitter: @acretoio and if you haven’t done so, sign up for the Acreto IoT Security podcast. You can get it from Apple – Google or your favorite podcast app.

About Acreto IoT Security

Acreto IoT Security delivers advanced security for IoT Ecosystems, from the cloud. IoTs are slated to grow to 50 Billion by 2021. Acreto’s Ecosystem security protects all Clouds, users, applications, and purpose-built IoTs that are unable to defend themselves in-the-wild. The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto IoT Security on the web at acreto.io or on Twitter @acretoio.

This is Part 1 of a two-part investigative deep-dive into the accusations of Bloomberg’s recent article, ‘The Big Hack’.
Written by Bob Flores, former CTO of the CIA, and Babak Pasdar, CEO of Acreto IoT Security.

In a recent blog, Babak Pasdar highlighted a Bloomberg report that claimed China had embedded hardware spy chips on servers from Supermicro. Supermicro provides data-center servers used by many companies from small startups to the likes of Amazon and Apple. Bloomberg claims that the spy chips were discovered by a security auditor hired by Amazon AWS. This audit was part of an acquisition due diligence of Elemental Technologies, a platform specializing in multi-screen video processing.

Bloomberg claims that Amazon and Apple are among the organizations impacted by the alleged Chinese spy chip. And one-by-one they have all denied that the story has merit. However, Bloomberg, a model agency in news reporting, has refused to offer any additional information or alternatively to pull the story.

There is a lot about this story that doesn’t pass the smell test. If Supermicro servers have been compromised, it is a huge story. Though not a household name like Dell or HP, Supermicro is one of the top data center server platforms on the market. It is considered to be a good product with global availability at a fair price.

In the article, Bloomberg makes a pointed accusation yet offers evidence that at best is vague. In the previous blog, we asked several questions:

1. Who was the Security audit company that discovered the spy chip?
2. How did they get access to schematics to do chip by chip validation of the hardware? Schematics that in any scenario would be considered trade secrets.
3. If the spy chips were secretly installed by a Supermicro contractor as the article claims, who QA'ed the hardware and why was the chip not discovered during the QA process?
4. Given the emphatic and detailed denials by both companies and the U.S. government, why has Bloomberg not released more detailed data to back up their claims?

The implications are that China has backdoor access to countless systems, hosting applications and data, impacting thousands of companies and millions of individuals. The integrity of corporate, government and critical infrastructure is at stake – as well as personal data for large swaths of the population.

Bloomberg provided very little detail, and what they did provide was at best vague and not evidence-worthy. Based on the information they did provide, the industry take-away is that this vulnerability is via the server’s IPMI interface. IPMI is an always-on IoT embedded in a server to manage the hardware, even if the server is powered off.
As presented, the IPMI platform can theoretically be manipulated to function as a back door, providing access to the server’s network, system memory and the system bus. You can learn more about this in Pasdar's previous blog on this issue on our website.

Having said that, for Bloomberg’s vague spy chip explanation to work, you need a Supermicro motherboard with an on-board IPMI, and then many, many, many things have to line up for the compromise to work.

First, an Internet accessible IPMI connection with stateful outbound access is needed -- something no self-respecting organization with even a moderately experienced infrastructure team would have. The chip Bloomberg presented in their article is just physically too small to store and execute the necessary code to fulfill its purpose, so it would also need to connect and download software from an external server. Hackers will never use an external server they own that references back to them. It would lead authorities right to them and there would be no plausible deniability. The server is most likely another compromised system on the Internet. Moreover, the external server's address isn't hard-coded into the chip. Compromised servers are disposable since the compromise may be discovered and addressed at any point – or the system moved or decommissioned.

If this occurs, the entire effort of the compromise would be a complete waste. A process like fast-fluxing or something similar would be used to enable the spy chip to connect to an ever-changing botnet network of external servers. Fast-fluxing was specifically developed to control botnets without compromising the bot-master's identity. It is a technique where the spy chip and the external server would meet to communicate at a particular fully qualified domain name (FQDN) at a particular time. Many Different FQDNs spanning many different domains may be used to deliver content to the spy chip based on the then valid compromised IP addresses hosting the malware.

The spy chip then needs to integrate into the server's OS, on-the-fly, during the boot process. This requires injecting the appropriate code for the specific OS used on the server. The OS could be one of dozens, if not hundreds of possible options since the Supermicro B1DRi motherboard that Bloomberg claims is compromised, is certified compatible for many different OSes and associated versions. This includes 32-bit Red Hat, SUSE, Ubuntu and FreeBSD as well as many versions of 64 bit Red hat, Fedora, SUSE, Ubuntu, Solaris, FreeBSD, Centos and Windows. Further, it also supports multiple hypervisor versions of VMWare, KVM and Xen Server, not to mention Amazon AWS's proprietary hypervisor. Each one of these OSes needs a different code. Even each version of the same OS may require an altogether different code to be injected into the compromised system. Consider how quickly the spy chip would have to act to intercept local boot code, determine the OS brand, distro and version from a smattering of code flying on a computer's bus, perform the fast-flux operation and fetch the appropriate compromise code from the appropriate server.

All of this -- which is a lot -- needs to happen for the spy chip to work.

Next Up: Bloomberg Spy Chip – Bullshit? Part 2: Let’s Break Down the Claims.

Learn more or read online by visiting our web site: Acreto.io — On Twitter: @acretoio and if you haven’t done so, sign up for the Acreto IoT Security podcast. You can get it from Apple – Google or your favorite podcast app.

About Acreto IoT Security

Acreto IoT Security delivers advanced security for IoT Ecosystems, from the cloud. IoTs are slated to grow to 50 Billion by 2021. Acreto’s Ecosystem security protects all Clouds, users, applications, and purpose-built IoTs that are unable to defend themselves in-the-wild. The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto IoT Security on the web at acreto.io or on Twitter @acretoio.

This is Part 2 of a two-part investigative deep-dive into the accusations of Bloomberg’s recent article, ‘The Big Hack’.
Written by Bob Flores, former CTO of the CIA, and Babak Pasdar, CEO of Acreto IoT Security.

Now let’s break down Bloomberg’s claims further. In the article they present a graphical image of a Supermicro motherboard and strip away components until the spy chip can be seen. The motherboard they present is a Supermicro B1DRi with an AOC-GEH-i4M add-on module. As shown on the Supermicro web site, the B1DRi is designed to host up to two Intel E-2500 v3 slash v4 CPUs and up to 256 Gb of 288 pin DDR4 memory and can be mounted to a sled with its own hard-disks. However it is not a standalone server and needs to be mounted in a Blade Enclosure to function.

The enclosure provides power, hosts a network switch and most importantly has a shared IPMI management board plugin. If the spy chip works through the IPMI, how can Bloomberg show the spy chip placed on the motherboard, when the IPMI for the board is an external module in the enclosure?

It looks like the IPMI must be individually linked to each server blade to manage that blade. The IPMI IoT is an external module plugged into the enclosure and to be used, it needs to be individually assigned to each of up to 16 server blades in the enclosure. If that is the case then there is a 1 in 16 chance of compromising a server and even then, it would be opportunistic and inconsistent depending on which blade the IPMI may be set to manage on boot.

Now – let’s discuss the chip Bloomberg presented in the article. If the insanity of the logistics to effectuate this hack is not enough to make you call Bloomberg’s story Bullshit, then their presentation of the spy chip should. The chip presented IS NOT A SPY CHIP, it is an RF Balun. A standard, off-the-shelf Surface Mount Device (SMD) that converts between balanced signals and unbalanced signals, hence the name Bal-Un. If you look at the Stesys or Farnell websites, they are two of the many component providers who sell them. You too can have one for a mere $1.67.

And if the pictures were supposed to be mere examples of what a spy chip might look like and the type of motherboard it could be embedded on, they certainly did not present it that way.

Also, consider that a motherboard is an incredibly complex piece of equipment. These types of motherboards need to be extremely high performance and extremely compact at the same time. This makes them extremely dense. They are almost always multi-layer boards where traces connecting the various electronic components exist on as many as a dozen different layers. And these systems are delicate, their operation requires the various electronic components to operate harmoniously. Frankensteining hardware to the system would be at the very least — challenging.

The majority of people within a company involved in R&D, design, procurement, manufacturing and testing of the motherboards are often sequestered into groups with access that is limited to specific functional domains. Very few people have complete access to the designs and schematics for the entire board. And this almost never includes subcontractors or some small security company out of Canada doing technical due diligence for a mundane acquisition. Furthermore, the people charged with manufacturing are typically not the same people who do quality assurance (QA). The job of QA is to test every permutation of every function. We have to believe that QA’s most fundamental tests would catch something as overt as communications where the spy chip tries to identify, fetch and inject packets on-the-fly.

The number of people that would need to be turned or paid off would be staggering. As many as 30 – 50 people would need to be engaged throughout the supply chain spanning multiple companies and countries. An amateurish and incredibly messy way to run a covert op.

Because of the vague assertions, it is tough to argue definitively that any one aspect of the article is wrong, however when you put it all together:

1. We don’t know of many security companies that do reverse engineering on PCs as part of their due diligence.
2. Schematics are trade-secrets and almost never available for complex multi-layer motherboards. How could the security company have had access to schematics?
3. The sheer number of people that need to be involved in implementing the spy chips is staggering and doesn’t make sense for this type of effort.
4. The QA process, one known to be particularly meticulous, never caught the issue.
5. The ridiculous complexity of the hack where the sun, the moon and the stars have to align for it to work.
6. Not only is this compromise overt and easy to identify, but the vast majority of organizations have built-in defenses against this attack vector — especially Apple and Amazon.
7. The need for an Internet accessible IPMI network.
8. The need for the chip to fast-flux, connect to a remote system and pull-down compromise code while the system is booting.
9. The complexity of pulling a different code set on-the-fly for each of the hundreds of unique operating system and revision combinations.
10. The B1DRi motherboard being part of the blade system without any on-board IPMI, which can only be managed one blade at a time.
11. The vagueness of the charges and lack of any supplemental follow up, while Bloomberg continues to sit silent.
12. And trying to sell us that an off-the-shelf $1.67 RF Balun is a spy chip.

For these reasons, many of us believe the Bloomberg story just doesn’t have a leg to stand on. Bloomberg has made explosive allegations. They have had a drastic negative impact on Supermicro’s stock price — down 50% as of this writing. Their story is barely, if at all, viable. The information they provided was amateurishly vague. Their silence in the face of the backlash speaks volumes. And yet they continue to stand by their story and not recant. Add Bob Flores and Babak Pasdar to the growing list of skeptics.
If you have evidence, then present it and if you were conned it is understandable – but please stand up and own it.

Learn more or read online by visiting our web site: Acreto.io — On Twitter: @acretoio and if you haven’t done so, sign up for the Acreto IoT Security podcast. You can get it from Apple – Google or your favorite podcast app.

About Acreto IoT Security

Acreto IoT Security delivers advanced security for IoT Ecosystems, from the cloud. IoTs are slated to grow to 50 Billion by 2021. Acreto’s Ecosystem security protects all Clouds, users, applications, and purpose-built IoTs that are unable to defend themselves in-the-wild. The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto IoT Security on the web at acreto.io or on Twitter @acretoio.