The tech giants, the US and the Chinese spy chips that never were… or were they?

[nir]

On 4 October, Bloomberg Businessweek published a major story under the headline “The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies”. It claimed that Chinese spies had inserted a covert electronic backdoor into the hardware of computer servers used by 30 US companies, including Amazon and Apple (and possibly also servers used by national security agencies), by compromising America’s technology supply chain.

 

According to the Bloomberg story, the technology had been compromised during the manufacturing process in China.

 

Undercover operatives from a unit of the People’s Liberation Army had inserted tiny chips – about the size of a grain of rice – into motherboards during the manufacturing process.

 

The affected hardware then made its way into high-end video-compression servers assembled by a San Jose company called Supermicro and deployed by major US companies and government agencies. According to the report, investigators found that the hack eventually affected almost 30 companies, including a major bank, government contractors and Apple, which had originally ordered 30,000 Supermicro servers in 2015 but had cancelled the order after its own investigators had found malicious chips on the company’s motherboards.

 

Intelligence agencies might be reluctant to draw public attention to supply-chain interference given that they all do it

 

On the face of it, this was sensational stuff. Software hacks are routine nowadays, but hardware hacks are not (though we know from Edward Snowden’s revelations that western intelligence agencies are partial to them). And they are much harder to detect. China has long had a semi-state operation to hack into US tech companies and steal their intellectual property. The idea that it might have gained an unsuspected backdoor into some of the most sensitive and informative servers in the US must have sent shivers down many a corporate and government spine.

 

And although most computer hardware is designed in the west, the vast bulk of the stuff (75% of mobile phones and 90% of PCs) is manufactured in China. So if there was going to be a supply-chain attack, that’s where it had to be done.

 

On the face of it, therefore, the Bloomberg report seemed plausible even if all its sources were anonymous; it is, after all, a reputable journalistic outfit. But then angry rebuttals began to flood in. First, Apple, Amazon and Supermicro issued denials. Apple’s top security officer told Congress that the company had found no evidence to support the claims made in the report.

 

And an anonymous company informant told Motherboard that “none of the most consequential portions” of the original Bloomberg story as they relate to Apple was true. The company did not find malicious chips in its servers, it did not remove or dispose of those servers and Apple did not inform the FBI or frustrate an investigation into this incident.

 

Amazon, for its part, was equally unambiguous: “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.”

 

Then the UK National Cyber Security Centre weighed in, saying that it had “no reason to doubt the detailed assessments made by AWS (Amazon Web Services) and Apple”.

 

The US Department of Homeland Security said much the same. And Supermicro (whose market value had been halved by the Bloomberg story) stated that it had “never been contacted by any government agencies either domestic or foreign regarding the alleged claims”.

 

In response, Bloomberg reporters stood by their story and even extended it, claiming that a “major US telecommunications company” had discovered manipulated Supermicro hardware in its network and removed it in August.

 

So what’s going on? Clearly, someone’s being economical with the actualité. Seeing what happened to Supermicro’s share price, you can see why the companies might be er, defensive. (And of course, the thought that security might oblige them to relocate manufacturing to the US would blow their minds, never mind their bottom lines.) Likewise, the intelligence agencies might be reluctant to draw too much public attention to supply-chain interference, given that they all do it.

 

Maybe things will become clearer in the next few weeks. In the meantime, the most illuminating contribution to the debate so far came from a Cambridge University researcher, Dr A Theodore Markettos, who conducted a fascinating investigation of a key bit of the Supermicro hardware to see if the Bloomberg claim passed what he called “the sniff test” of initial plausibility. His conclusion: it does. Stay tuned.

 

Source

[DKT27]

I think nothing confirmed or conclusive is going to come out of this. I can be wrong though.

[tiliarou]

The question is why would Bloomberg risk its credibility for this kind of fake (if they are) claims ? So far, there are no evidence on the hardware parts, but why would they make such claims ? Pure manipulation from some shady investors ?

[Jogs]

The companies in the US are finding it difficult to compete with Chinese companies. They are now using dirty tricks to hamper the Chinese companies. We saw same thing with Kaspersky. USA advocated free trade around the world and the companies from US made huge profits by selling goods across the world. But now as they are facing competition so Mr. Trump is trying to put a wall of tariff and also trying to hamper the image to foreign companies. Everybody knows MS and Google collects so much data but the Govt. in USA never says anything bad about them.