back to article Can we talk about the little backdoors in data center servers, please?

Data centers are vital in this cloudy world – yet little-understood management chips potentially give hackers easy access to their servers in ways sysadmins may not have imagined. The components in question are known as baseband management controllers (BMCs). They are discrete microcontrollers popped into boxes by the likes of …

  1. Giovani Tapini

    If an attacker has freedom of movement on your management network

    the vendors may be correct in assuming you are screwed already.

    It is however not straightforward to detect or disinfect from such an attack though, and this could be worse than the attack itself. Potentially rendering the hardware itself a risk and a scratch restore being insufficient.

    It's an interesting vector, and anyone with their management networks exposed to the internet are doing the equivalent of leaving a truck full of new trainers unlocked in the middle of the street... (and that didn't end well either)

    1. mutin

      Re: If an attacker has freedom of movement on your management network

      This vector is known publicly since 2011 when Russian scientist published a paper (originally in Russian) that Intel motherboards' BMCs have malicious hypervisor embedded. Plus, guys at Michigan University had research on that matter published in 2012. So, all about that see our papers and presentations on

      Sorry, too much to repeat all what we published. Enjoy the NEWS of 2011 - 2012 at Rubos, Inc. site!.

  2. onefang

    So we spend so much time and effort securing our rented remote servers, only to have the hardware manufacturers leaving the backdoor wide open. Wonder if I can get a colo to host a box full of abacuses for me?

  3. Mr Dogshit

    "an antiquated NEC CPU core that was popular in optical drives back in the day"

    So what? Don't knock an IC just because it's old. It may be the perfect choice for the job. Plenty of Z80s still in use running vending machines and so on.

    Anyway, iLO2 is obsolete, if you're running beige DL380s with the word Compaq on the front, you've got other problems to worry about.

  4. whitepines

    Servers based on OpenPOWER ship with OpenBMC (Linux kernel + standard userspace), and you can choose exactly what level of network stack you actually want on the box since you get full source and can modify at will (e.g. removing IPMI network support just means removing the package from the build). Try that with your typical closed source x86 or ARM BMC!

  5. sitta_europea

    This is news?

    1. Alan Brown Silver badge

      "This is news?"

      More problematic is PHBs who try to pretend this stuff doesn't exist and "turn it off".

      Except, for the most part you can't, which means assumptions about not needing to firewall/segment/check for these things piggybacking on mainboard ethernet ports are invalid.

  6. Denarius Silver badge


    Best case: So some PHB gets a bonus for reducing costs by dropping isolated management LAN and using a VPN across internet. We all trust VPNs, not.

    Usual case: some PHB/cost cutting designer puts ILOMs on same LAN as everything else.

    Worst case: No-one even knows the ILOM is there with default passwords and accounts. Yep, I also am a pessimist because it is the most rational option. Dont need electrical stimulation, just the irritation of dealing with what passes as modern PMs, bean counters and CEOs and their ilk.

  7. Will Godfrey Silver badge

    Talk about unintended consquences!

    And all in the name of convenience. Maybe it's time to consider using totally dumb hardware, and absolutely no closed software...

    Oh look, a flying pig.

  8. Velv

    Of course, data center managers aren’t stupid,

    True, but how many installs are undertaken by data centre managers directed by properly architected security policies and how many are installed by “the IT guy or girl” who is already run off their feet keeping up with the latest business changes to the company technology. Substantial chance for failed configuration or open access even if only within the company network.

  9. Anonymous Coward

    Thanks for depressing me first thing in the morning, El Reg....

    It's not your fault, its just that in the name of convenience and ease-of-management we have inserted SO MANY vulnerabilities into IT, which was already complicated to secure in the first place due to the myriad of hardware platforms, operating systems, network architectures, outsourced services, internet-facing devices, etc.

    I guess that the prudent thing for an IT architect would be to assume that any technology or management tool that they are not intimately familiar with is probably insecure, and build in layered-defenses in case that probability is born out.

  10. Anonymous Coward
    Anonymous Coward

    upvoted and corrected

    "I guess that the prudent thing for an IT architect would be to assume that any technology or management tool t̶h̶a̶t̶ ̶t̶h̶e̶y̶ ̶a̶r̶e̶ ̶n̶o̶t̶ ̶i̶n̶t̶i̶m̶a̶t̶e̶l̶y̶ ̶f̶a̶m̶i̶l̶i̶a̶r̶ ̶w̶i̶t̶h̶ is probably insecure, and build in layered-defenses in case that probability is born out."


  11. John Smith 19 Gold badge

    "s a lot better in terms of security with firmware that follows secure coding best practices."

    Like f**k

    This stinks of the "Security by obscurity" approach.

    Intels IME looked like a direct cut and paste of both the hardware and the software

    IHMO this, being (in principle) small but highly critical should be written with the very sharpest methods for righting provably correct software.

    It's not running the core load of the processor. Speed is not that vital but minimal vulnerability (I think zero vulnerability is impossible but then again Shuttle software, about 1MB in size, didn't find one during live operation over 30+ years) is.

    I don't see any chip designer or mfg having the skills or the commitment to do that.

  12. David Roberts
    Paris Hilton

    Dumb question

    If you stick chewing gum in the onboard ethernet port(s) does that mitigate, albeit with the loss of remote management facilities?

  13. mutin

    Really OLD NEWS at RedHat

    Well, it has been University of Michigan research around 2012 about problems with system management software, and Russian Scientist found spyware hypervisor in Intel motherboards BMC around 2008, and we talked about all this stuff twice at DeepSec 2014 and 2016... So, hwy it is a NEWS? People, search Inet for news and read what was published. Well, see all related research and presentations at

    Enjoy the article about malicious hypervisor embedded in Intel motherboards in English. Nobody knows that Intel has spyware in its management software, or at least had?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022