Bunnie Huang's tour-de-force explanation of how hardware implants and supply chain hacks work

Last October, Bloomberg published a blockbuster story claiming that some of the largest tech companies in the world, as well as sensitive US government and military systems, had been attacked through minute hardware implants that had been inserted at a subcontractor facility during the manufacture of servers from the world's leading server company, Supermicro.

The story immediately drew forceful -- and unprecedentedly detailed rebuttals -- from many of the companies involved, creating a mystery that is still being debated: if Bloomberg sourced its story as carefully as it claimed, then how to explain all these detailed rebuttals? And if the rebuttals are to believed, then how to explain the dozens of people from different companies and agencies who would have had to collude to trick Bloomberg's reporters into publishing the story?

Enter Andrew "bunnie" Huang (previously), one of our era's greatest hardware hackers (his book on hardware hacking is one of the best technical books I've ever read, period).

Bunnie presented a 45 minute talk on supply-chain attacks earlier this month at Microsoft's Blue Hat conference in Tel Aviv (he pitched the talk before the Bloomberg story broke, but the timing was indeed fortuitous).

I appreciate that 45-minute blocks of time are few and far between for most of us, but this is 45 minutes well spent. Huang walks through several techniques for sabotaging and compromising hardware, and uses his deep expertise in arranging and overseeing electronics manufacture to describe how you could pull these off in the real world, and what difficulties you'd encounter. Read the rest