On 4 October, Bloomberg Businessweek published a major story under the headline “The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies”. It claimed that Chinese spies had inserted a covert electronic backdoor into the hardware of computer servers used by 30 US companies, including Amazon and Apple (and possibly also servers used by national security agencies), by compromising America’s technology supply chain.
According to the Bloomberg story, the technology had been compromised during the manufacturing process in China. Undercover operatives from a unit of the People’s Liberation Army had inserted tiny chips – about the size of a grain of rice – into motherboards during the manufacturing process.
The affected hardware then made its way into high-end video-compression servers assembled by a San Jose company called Supermicro and deployed by major US companies and government agencies. According to the report, investigators found that the hack eventually affected almost 30 companies, including a major bank, government contractors and Apple, which had originally ordered 30,000 Supermicro servers in 2015 but had cancelled the order after its own investigators had found malicious chips on the company’s motherboards.
On the face of it, this was sensational stuff. Software hacks are routine nowadays, but hardware hacks are not (though we know from Edward Snowden’s revelations that western intelligence agencies are partial to them). And they are much harder to detect. China has long had a semi-state operation to hack into US tech companies and steal their intellectual property. The idea that it might have gained an unsuspected backdoor into some of the most sensitive and informative servers in the US must have sent shivers down many a corporate and government spine.
And although most computer hardware is designed in the west, the vast bulk of the stuff (75% of mobile phones and 90% of PCs) is manufactured in China. So if there was going to be a supply-chain attack, that’s where it had to be done.
On the face of it, therefore, the Bloomberg report seemed plausible even if all its sources were anonymous; it is, after all, a reputable journalistic outfit. But then angry rebuttals began to flood in. First, Apple, Amazon and Supermicro issued denials. Apple’s top security officer told Congress that the company had found no evidence to support the claims made in the report.
And an anonymous company informant told Motherboard that “none of the most consequential portions” of the original Bloomberg story as they relate to Apple was true. The company did not find malicious chips in its servers, it did not remove or dispose of those servers and Apple did not inform the FBI or frustrate an investigation into this incident.
Amazon, for its part, was equally unambiguous: “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.”
Then the UK National Cyber Security Centre weighed in, saying that it had “no reason to doubt the detailed assessments made by AWS (Amazon Web Services) and Apple”.
The US Department of Homeland Security said much the same. And Supermicro (whose market value had been halved by the Bloomberg story) stated that it had “never been contacted by any government agencies either domestic or foreign regarding the alleged claims”.
In response, Bloomberg reporters stood by their story and even extended it, claiming that a “major US telecommunications company” had discovered manipulated Supermicro hardware in its network and removed it in August.
So what’s going on? Clearly, someone’s being economical with the actualité. Seeing what happened to Supermicro’s share price, you can see why the companies might be er, defensive. (And of course, the thought that security might oblige them to relocate manufacturing to the US would blow their minds, never mind their bottom lines.) Likewise, the intelligence agencies might be reluctant to draw too much public attention to supply-chain interference, given that they all do it.
Maybe things will become clearer in the next few weeks. In the meantime, the most illuminating contribution to the debate so far came from a Cambridge University researcher, Dr A Theodore Markettos, who conducted a fascinating investigation of a key bit of the Supermicro hardware to see if the Bloomberg claim passed what he called “the sniff test” of initial plausibility. His conclusion: it does. Stay tuned.
What I’m reading
Little British landscapes
A hilarious piece in the of academic research that showed Brexit Leavers preferred “realistic” paintings, while Remainers preferred more abstract stuff. Strange: I thought it was the Brexiters who liked abstract fantasies.
A little too convenient
The New York Times reported in its Week in Tech column on the dangers of using Facebook to sign in to other services. The recent huge data breach means you may be more compromised than you think.
The Automation Charade is a lovely essay by Astra Taylor asking whose interests are being served by raising fears about “the rise of the robots”.