èƵ

Hackers can make computers destroy their own chips with electricity

A feature of server motherboards intended to allow remote updates can be abused to trick the machines into damaging themselves beyond repair
A server on fire
A remote hack could make servers fry the chips inside them
canjoena/Getty Images

A flaw in the control systems of server motherboards means they can be tricked into revealing sensitive data to a hacker or even destroying themselves.

A computer’s motherboard, or circuit board, hosts many of its key components and allows communication between them.

and David Oswald at the University of Birmingham, UK, have found a feature in the Supermicro X11SSL-CF motherboard often used in servers that allowed them to upload their own control software. This can subsequently compromise encryption and even damage central processing units (CPUs) so they could never be used again.

Previous hacks targeting computer hardware, such as , have used methods known as undervolting or overvolting to alter the voltage supplied to a processor at a key moment, such as when it is encrypting data. This means errors creep in to calculations and can leave encryption weakened, allowing hackers to extract sensitive data.

Chen says the pair’s approach builds on these techniques, and allows the same data extraction, but also finds a new remote way into machines. Chen and Oswald have figured out that the baseboard management controller (BMC) on the motherboard – a small, self-contained computer that monitors chip temperatures, cooling fan stats and power supplies – has a flash memory chip that can be remotely updated with new software.

By writing their own code and modifying the firmware of this chip, they were able to take control of the BMC and then issue commands to parts of the motherboard that supply power to its CPU. By sending voltages well above the maximum 1.52 volt limit for the chip, they were able to destroy it within seconds.

Two CPUs were tested to destruction before the pair decided to stop for “environmental and financial” reasons. Chen says this type of research gets expensive quickly.

Due to the increasing complexity of motherboards, there are likely to be many more potential attacks that could be used, says Chen.

“You can verify the security status of single components like the BMC, but because motherboards are becoming more and more complex, there are more and more components installed on them. A very large amount of effort needs to be put into security, especially as it’s a hardware, firmware and software issue,” he says.

Supermicro declined a request for comment from èƵ. But when the researchers disclosed details of the flaw to the company, it announced it has and has fixed the issue in its existing motherboards – by updating the BMC software in much the same way that the researchers did. New motherboards from the company aren’t affected by the flaw.

Reference:

Topics: Hacking