In perhaps one of the most audacious and worrying revelations in the battle for privacy, it’s been found that the manufacturing supply chain for a number of servers has been compromised. A Bloomberg investigation reports that servers made in China’s technology hub have been tainted with the installation of a tiny chip that can siphon data. At least 30 major tech companies are affected in the sophisticated nation-state attack.
The Bloomberg investigation says the “seeding attack” required a deep understanding of product design and the manipulation of components at the factory that produces hardware sold by hardware maker Supermicro. It was first identified by Amazon, which carried out an independent review as part of its due diligence on a project to create a secure cloud service for the CIA. When some anomalies were detected, a more detailed look discovered the rice-grain-sized chip that allowed an unauthorised party to create a “stealth doorway into any network that included the altered machines”.
The U.S. investigators concluded that operatives from China’s People’s Liberation Army inserted the chips during the manufacturing process.
The tainting of devices in order to conduct secret surveillance isn’t new. US intelligence agencies intercepted routers from Cisco, without the company’s knowledge, while they were in transit to customers so that extra hardware could be installed.
As a result of the investigation, over 30 companies have been implicated, including major banks, government agencies and Apple – which has issued denials that its servers were affected.
Bloomberg’s investigation is focussed on US customers of Supermicro but the potential for this to spread further does exist.
It’s important to note that while the Bloomberg investigation explicitly names Apple and Amazon, both companies have issued vigorous denials that their servers were compromised.
Amazon has said:
Amazon employs stringent security standards across our supply chain – investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners. We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment.
Apple’s denial is just as strong:
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
With so much of our technology manufacturing concentrated in a relatively small region of a country that has a history of animosity towards parts of the Western world and a highly developed technology-intelligence capability, it is hardly surprising that this may have happened. The repercussions of this discovery are likely to be wide-reaching. The loss of local manufacturing capability is a hot-ticket political issue as it pertains to employment. But perhaps the risk and national security issues will prove to be a bigger incentive for developing on-shore manufacturing capability.