When Bloomberg reported that Chinese spies had used a ‘tiny chip’ to compromise servers belonging to US companies such as Amazon and Apple, my first reaction was: “why should I believe this?” That may have been somewhat unfair; Bloomberg is a respected publication and they undoubtedly went to considerable effort to verify the information provided by their sources. However, what struck me as peculiar about the story is that using a literal piece of hardware means your targets can see the device being used to infiltrate them.
Using hardware, instead of software, would mean anti-spying checks could be performed by someone with almost no security training, so long as they had been shown what to look for. As Bloomberg’s story demonstrates, once the relevant component has been seen, it can no longer be unseen. The USA would possess tangible and damning evidence of Chinese subterfuge. If you possess a physical spy chip, you can photograph it, share copies of it with partners and allies, test it, reproduce it, and do pretty much anything needed to destroy the value of all the hard work that your enemy put into producing it. Once the immediate threat has been dealt with, you also have a useful political tool – you could give every US Senator an example of the chip immediately before the next vote about banning Chinese IT manufacturers, and hence guarantee the extension of the trade war between the countries, as well as ruining any hope of repeating the ploy. Nevertheless, I wrote nothing about the story, because it was worth waiting for the relevant parties to respond. They have, and the response has not been sympathetic to Bloomberg:
- Amazon trashed the story;
- Apple trashed the story;
- Supermicro, the server manufacturer whose motherboards allegedly carried the spy chip, trashed the story;
- The Chinese government trashed the story;
- The UK National Cyber Security Centre stated they had no reason to doubt the aforementioned companies; and finally,
- The US Department of Homeland Security agreed with the UK National Cyber Security Centre, saying there was no reason to doubt the denials from these companies.
Because the topic relates to national security, we cannot dismiss the possibility that everyone is being economical with the truth, apart from Bloomberg and their 17 anonymous sources. However, the denials from Amazon and Apple were firmly worded, and they risk having their pants sued off if they were caught lying about something as serious as this. As bad as spying is, the leaders of those businesses will be more worried about billions of dollars being wiped from their company’s share price, just as the story has seemingly wiped value from the valuations of unrelated Chinese tech firms.
For all the fuss, you would think there would be one easy way for Bloomberg to demonstrate the truth of their story. They supposedly have seen examples of the chip, which would explain how they were able to put photographs of it on the front cover of their magazine (pictured above). But were these real chips? Some security researchers say the images Bloomberg published were mock-ups of what the chips might look like, not photographs of a recovered part:
If you're hunting for malicious chips on Supermicro motherboards based on gif Bloomberg published w/ its story – the gif isn't based on a real find; it's an illus made by a designer based on speculation by hardware hackers about where chip might be placed https://t.co/3mcEpaVU7n
— Kim Zetter (@KimZetter) October 5, 2018
For all the problems with Bloomberg’s story, which relies entirely on the claims of parties who are never identified, there is a useful lesson for us all. Supply chains are a real source of risk. It is easy but dangerous to trust suppliers to provide the products they promised – and nothing else. Verifying the goods is hard work, and it has to be done anyway: that means incurring the cost, with no ifs and no buts. Whilst Western firms may seek to keep costs down by relying on manufacturers in countries like China, the financial benefit must be offset by a significant and increasing investment in security.