Podcast Episode 115: Joe Grand on Unicorn Spotting and Bloomberg’s Supply Chain Story

The Security Ledger Podcasts
Summary: In this week’s episode (#115), noted hardware enthusiast and hacker Joe Grand (aka “Kingpin”) told reporters from Bloomberg that finding an in-the-wild supply chain hack implanting malicious hardware on motherboards was akin to witnessing “a unicorn jumping over a rainbow.” They went with their story about just such an attack anyway. Joe joins us in the Security Ledger studios to talk about whether Bloomberg got it right. Also, Adam Meyers of Crowdstrike comes into the studio to talk about the U.S. Department of Justice indictment of seven Russian nationals. Adam talks about the hacks behind the charges and what comes next.

News Flash: Unicorn Jumps Over Rainbow

Joe Grand (<a href="https://www.twitter.com/joegrand">@joegrand</a>) is one of the most noted experts on the security of computer hardware. His work dates back to the mid 1990s, when Grand (aka “Kingpin”) was a member of the Boston-based hacking collective L0pht Heavy Industries.

That reputation is probably why Grand was among the experts two Bloomberg reporters, Jordan Robinson and Michael Riley, reached out to almost two years ago as they chased down a blockbuster story about a sophisticated campaign by China’s military to place compromised hardware directly on motherboards made by the U.S. firm Super Micro, a supplier to the U.S. military and intelligence sector, not to mention the likes of Amazon and Apple.

Grand described for them the advantages of planting malicious hardware directly on motherboards – the difficulty of detecting such implants, and the near-permanent access they afford to attackers skilled enough to place one. But such attacks were beyond rare – more in the realm of the mythical.

Absent any knowledge of what the reporters had uncovered, and stretching for a way to explain how rare and elusive such implants were, Grand told the reporters that “having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow.”

[See also: <a href="https://securityledger.com/2018/09/flashpoint-allison-nixon-sim-swapping-coming-identity-crisis/" target="_blank" rel="noopener">Spotlight Podcast: Flashpoint’s Allison Nixon on SIM Swapping and the Looming Online Identity Crisis</a>]

Fast forward more than 18 months, and the work of those two reporters, including Grand’s “unicorn” quote, finally hit the newsstands, dominating conversation in both the technology and mainstream media for much of last week. It has also generated plenty of controversy and open questions about whether Robinson and Riley got it right.

In the days since the story ran, Apple and Amazon – not to mention Super Micro – have issued categorical denials of the facts presented by Bloomberg. Both Apple and Amazon describe multiple internal investigations that failed to turn up evidence of a compromise, and subsequent conversations with incredulous Bloomberg reporters in which they refuted the allegations.

[See also: <a href="https://securityledger.com/2018/04/podcast-episode-92-uncle-sam-ices-tech-acquisitions-and-rsa-conference-2018/" target="_blank" rel="noopener">Podcast Episode 92: Uncle Sam Ices Tech Acquisitions and RSA Conference 2018</a>]

Where does that leave us? To answer that question, we invited Joe Grand into the Security Ledger studios. He is the founder of <a href="http://www.grandideastudio.com/">Grand Idea Studio</a>, a San Francisco-based research and development firm, and a noted expert on hardware-based vulnerabilities. In this interview, Grand says he counts himself as a skeptic on the substance of the Bloomberg report.

While hardware implants – done well – may be impossible to spot in a physical inspection of compromised devices, that doesn’t mean they stay hidden.