China accused of sabotaging thousands of servers at major US companies with tiny microchips hidden on motherboards

China crisis?

There’s an old saying, “the truth will out.”

It might take time, but the facts of a situation will eventually be discovered.

I certainly hope that’s true of the extraordinary report released by Bloomberg BusinessWeek, which claims that China has been exploiting the supply-chain, planting a tiny microchip on servers which ended up in the server rooms of almost 30 companies, including the likes of Apple and Amazon.

Those compromised servers, according to the report, were manufactured by San Jose-based SuperMicro, and could allow the People’s Liberation Army to remotely take over the computers from the other side of the planet.

The Bloomberg article is lengthy (running to almost 5000 words), and claims to have been confirmed by 17 people with knowledge of the attack - including current and former senior national security officials, and insiders at Apple and Amazon. Certainly it’s true that none of these individuals are named in the report, but Bloomberg is well-respected and it’s hard to believe they would spend months investigating a story like this without vigorous double and triple-checking of its facts.

And yet, the main companies concerned have issued vigorous denials.

Amazon described the Bloomberg BusinessWeek report as “erroneous”:

Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region.

As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.

Apple has also said that there is no truth to the claims in Bloomberg BusinessWeek:

Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

The Cupertino-based tech giant concluded by ruining many a conspiracy theorist’s day, declaring it has not been forced by the authorities to keep schtum about any security breach:

…we are not under any kind of gag order or other confidentiality obligations.

And spare a thought for SuperMicro, the manufacturer of the motherboards, whose share price reportedly fell 50% after the report was published. In a press release, they refute the article’s claims:

In an article today, it is alleged that SuperMicro motherboards sold to certain customers contained malicious chips on its motherboards in 2015. SuperMicro has never found any malicious chips, nor been informed by any customer that such chips have been found.

So, what’s the truth?

Has Bloomberg BusinessWeek got its facts wrong, and allowed an over-enthusiastic imagination to conjure up a hacking plot where none existed? Is it likely that Apple and Amazon would publish such strong denials if they knew they might be caught out? Are the technology companies gagged by agencies who don’t want China to know that their plot has been rumbled?

It’s frankly a mystery. And unless someone can come up with physical evidence of a malicious chip on a motherboard that can be analysed independently by a security expert, it’s difficult to know how the story is going to be confirmed 100%.

What is undoubtedly true, however, is that the supply-chain presents a significant threat to many organisations. When you buy computer hardware, you don’t necessarily know which companies have played a part in the manufacture of all its components, or whether there might be something nasty lurking inside. I have no doubt that the Chinese PLA would have great interest in hacking into companies through compromising the supply-chain, but that’s equally true of many other countries as well.

The major difference is that China is where so much of the world’s technology originates - the temptation to exploit that manufacturing lead must be enormous.

We’ll just have to wait to find out what has happened. Fingers crossed, the truth will (eventually) out.


6 Responses

  1. Adrian

    October 5, 2018 at 2:50 am #

    Of course a trivial condition of any government gag order would be to publish a notice that you’re not under any sort of government gag order, so the existence or non-existence of such notices is a moot point.

  2. etaoin shrdlu

    October 5, 2018 at 10:26 am #

    I believe the survivors. Um… who are they in this case?

  3. Arnold Schmidt

    October 5, 2018 at 3:34 pm #

    Bloomberg’s allegations don’t make any sense. First of all, putting tiny little chips that do something nasty onto thousands and thousands of motherboards is just asking to be discovered. Second, putting chips on boards for purposes of monitoring or reprogramming the hardware is totally unnecessary: the paper “Stealthy Dopant-Level Hardware Trojans: Extended Version” by George T. Becker shows how simple it is to muck around with the doping and pinouts of transistors when manufacturing ICs. This can be so well hidden that anyone, not aware of the changes, will find it almost impossible to detect. I’m sure the Chinese have read this paper, so why, if they want to muck around with our computers, would they do something so obvious as to add unknown parts to the boards, when they can make counterfeit chips themselves that cannot be distinguished from the real thing? My take on the conspiracy theory is that this is a deliberate effort by people in our own government to disparage Chinese-made electronics in some misguided attempt to put more pressure on them to make tariff and other pricing concessions.

  4. Hardly Chinese

    October 5, 2018 at 9:24 pm #

    “My take on the conspiracy theory is that this is a deliberate effort by people in our own government to disparage Chinese-made electronics in some misguided attempt to put more pressure on them to make tariff and other pricing concessions.”

    That statement is a bit naive and fairly predictable from folks who believe everything is about benefitting some corporate interest.

    Instead, consider whether this is a thrust or parry in an ongoing battle between countries engaged in a battle for power below the surface.

    Of course, perhaps you are just a Chinese agent…

    • mark jacobs in reply to Hardly Chinese.

      October 8, 2018 at 10:01 am #

      And China has just kidnapped Interpol’s head honcho. WW3 with China, anyone?

  5. Chris Pugson

    October 6, 2018 at 8:53 am #

    Authoritarian China is probably incapable of suppressing its collective urge to spy. It constantly spies on its own people in its addiction to surveillance.
