Earlier today, Bloomberg released a report indicating that an unknown component was allegedly added to motherboards manufactured by Supermicro. This component of undetermined function and origin may have been covertly added as a backdoor that would allow an attacker to infiltrate any system utilizing these motherboards. Although Supermicro, Apple, and Amazon have all denied this report, there are sufficient sources cited to take this potential threat seriously.
The scope of the report is limited to the Elemental Technologies motherboard manufactured by Supermicro, used for video encoding acceleration. It is not known whether only motherboards from Supermicro or motherboards from other manufacturers were targets of this or similar hardware backdoors.
During the Liquid functionary server design process, we knew that the threat of compromised hardware was a legitimate concern. To mitigate the impact of potentially compromised hardware, the Liquid functionary consists of a server and a custom isolated key module built by Blockstream; these two devices only communicate through a limited interface that significantly reduces the risk of private key material being leaked.
Precautions were taken to mitigate the impact of compromised hardware by restricting network access to the server, removing unnecessary drivers, reinstalling the firmware, disabling IPMI, and requiring physical access to the machine to perform any updates. The Blockstream key module provides additional validation on any signature it provides to the server. This approach limits the risk of a compromised host machine from impacting the health of the network.
While there is no indication that our motherboards were compromised, we cannot rule out this possibility. In the coming days, we will ship a sample of our motherboards to a third-party security company for extensive examination. This process will take time, but we will disclose the results as they become available.
Moving forward, we are continuing our risk mitigation strategy for hardware threats through a variety of techniques, including:
- Increasing our supplier diversity so that no single compromised vendor would adversely affect the Liquid Network.
- Adding additional validation before signing on the key module.
- Improving the peg-out mechanism to strengthen the defenses against hardware vulnerabilities.
- Introducing functionality to the Liquid daemon to detect unusual behavior that would indicate a bug or compromise of the functionaries, allowing users of the Liquid Network to wait until the situation is resolved.
The possibility of hardware security threats has been factored into the threat model for the Liquid Network. We believe that the Supermicro vulnerability, if independently confirmed and if present on our servers, is mitigated by other aspects of the Liquid security design. At Blockstream, protecting our customers’ security is paramount. We are constantly improving our processes for both software and hardware, and strive to build the most secure systems in the world.