20.5k unique visitors in the last 3 days

Being Serious About the Bloomberg Chinese Spy Chip Scoop

The risk of supply chain infiltration is real. But is there physical evidence to support Bloomberg's story about Chinese spy tech?

When Bloomberg reported that Chinese spies had used a ‘tiny chip’ to compromise servers belonging to US companies such as Amazon and Apple, my first reaction was: “why should I believe this?” That may have been somewhat unfair; Bloomberg is a respected publication and they undoubtedly went to considerable effort to verify the information provided by their sources. However, what struck me as peculiar about the story is that using a literal piece of hardware means your targets can see the device being used to infiltrate them.

Using hardware, instead of software, would mean anti-spying checks could be performed by someone with almost no security training, so long as they had been shown what to look for. As Bloomberg’s story demonstrates, once the relevant component has been seen, it can no longer be unseen. The USA would possess tangible and damning evidence of Chinese subterfuge. If you possess a physical spy chip, you can photograph it, share copies of it with partners and allies, test it, reproduce it, and pretty much do anything needed to destroy the value of all the hard work that your enemy put into producing it. Once the immediate threat has been dealt with, you also have a useful political tool – you could give every US Senator an example of the chip immediately before the next vote about banning Chinese IT manufacturers, and hence guarantee the extension of the trade war between the countries, as well as ruining any hopes of repeating the ploy again. Nevertheless, I wrote nothing about the story, because it was worth waiting for the relevant parties to respond. They have, and the response has not been sympathetic to Bloomberg:

  • Amazon trashed the story;
  • Apple trashed the story;
  • Supermicro, the alleged suppliers of the spy chip, trashed the story;
  • The Chinese government trashed the story;
  • The UK National Cyber Security Centre stated they had no reason to doubt the aforementioned companies; and finally,
  • The US Department of Home Security agreed with the UK National Cyber Security Centre, saying there was no reason to doubt the denials from these companies.

Because the topic relates to national security, we cannot dismiss the possibility that everyone is being economical with the truth, apart from Bloomberg and their 17 anonymous sources. However, the denials from Amazon and Apple were firmly worded, and they risk having their pants sued off if they were caught lying about something as serious as this. As bad as spying is, the leaders of those businesses will be more worried about billions of dollars being wiped from their company’s share price, just as it has seemingly hit the valuation of unrelated Chinese tech firms.

For all the fuss, you would think there would be one easy way for Bloomberg to demonstrate the truth of their story. They supposedly have seen examples of the chip. That was why they were able to share photographs of the chip on the front cover of their magazine (pictured above). But were these real chips? Some security researchers say Bloomberg were using mock-ups of what the chips might look like.

For all the problems with Bloomberg’s story, which is totally reliant on the claims of parties who are never identified, there is a useful lesson for us all. Supply chains are a real source of risk. It is easy but dangerous to trust suppliers to provide the products they promised – and nothing else. Verifying the goods is hard work. That means incurring the cost and doing the hard work, with no ifs and no buts. Whilst Western firms may seek to keep costs down by relying on manufacturers in countries like China, the financial benefit must be offset by a significant and increasing investment in security.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email