If this bombshell report in Bloomberg Businessweek (porous paywall) is true, then China has pulled off a feat of hacking so incredible that one expert describes it as “like witnessing a unicorn jumping over a rainbow,” or, if you prefer, “black magic.”
- According to an ongoing U.S. investigation, which dates back to 2015, a Chinese military unit implanted microchips “as small as a sharpened pencil tip” on server motherboards made in China. In reporting the details of the investigation, Bloomberg Businessweek cites “six current and former senior national security officials,” as well as multiple anonymous sources who worked in or with the companies involved.
- The chips are really, really small — a linked picture shows one next to a penny — and were “unlikely to be detectable without specialized equipment.”
- These tampered motherboards were then sold, unwittingly, by Supermicro, a San Jose–based company that is one of the world’s biggest suppliers of server motherboards for data centers.
- Elemental Technologies, a startup that uses Supermicro motherboards, then sold the chips to the CIA, Apple, Amazon, and nearly 30 major American companies.
- In 2015, Amazon and Apple both inspected their chips and found the unexpected implanted microchips, and Amazon was the first to alert authorities and provide them access to the sabotaged hardware.
- U.S. investigators believe that the tiny chips have the ability to “create a stealth doorway into any network that included the altered machines,” and that they are designed to give China “long-term access to high-value corporate secrets and sensitive government networks.”
- Apple severed its relationship with Supermicro in 2016, but that is “a decision a spokesman for Apple ascribed in response to Businessweek’s questions to an unrelated and relatively minor security incident” — in a separate Bloomberg report, Apple acknowledged that it had found “malware downloaded from Supermicro’s customer portal” in 2016.
Amazon, Apple, Supermicro, and the Chinese government have all strenuously denied the hardware hacking allegations, according to a follow-up report from Bloomberg Businessweek. Here are some selections from their statements:
- Amazon said: “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Super Micro motherboards in any Elemental or Amazon systems. Additionally, we have not engaged in an investigation with the government.” (This version of the statement is cited by Reuters.)
- Apple said: “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”
- Supermicro said: “We are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue.”
- The Chinese foreign ministry said: “China is a resolute defender of cybersecurity… Supply chain safety in cyberspace is an issue of common concern, and China is also a victim… We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.”
Nevertheless, as the investigation wore on, U.S. officials reportedly came to believe that “the security of the global technology supply chain had been compromised, even if consumers and most companies didn’t know it yet.” And despite years of research into tampered hardware detection, “no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged — or has looked likely to emerge. Few companies have the resources of Apple and Amazon, and it took some luck even for them to spot the problem.”