Is China Really Planting Chips to Spy on the the world?
Last week, Bloomberg published an article claiming that China has been implanting chips to infiltrate US companies. It alleged that the technology company Super Micro Computer Inc., was producing servers which had been compromised by spy chips that were hidden in the motherboards. These servers are being used by some of the globe’s biggest tech companies, posing grave dangers to our online world.
The article took the mainstream media by storm, after all, it was a story about China spying on us, something that’s sure to drive up the clicks. The report was certainly alarming as the 30 or so affected companies included Apple and Amazon. Despite the interest that this article has generated, there are a few key issues with Bloomberg’s reporting.
No Solid Evidence
Huge claims require large amounts of evidence to back them up. If this story is true, it’s terrifying and will have huge ramifications. However, not a single shred of solid evidence has emerged after more than a week.
The story claims to be based off interviews with 17 anonymous sources, including “past and former senior national security officials”. Yes, it’s important for journalists to protect their sources, but for security compromises this significant, you would expect at least someone to be willing to attach their name to it, at least in the wake of these events.
If these chips were as widespread as claimed, then surely someone would have found one by now. Perhaps a company whistleblower willing to break rank, or one of the many security researchers who do this for a living.
The lack of documentation is worrying, especially as it seems that even the Bloomberg reporters couldn’t get a hold of any photos. The huge graphic that accompanies the story is just some illustrated GIF that supposedly shows where the chip should be.
The lack of evidence has made many security experts sceptical of the claims, including Kim Zetter and Robert M. Lee.
The Follow Up Reports
Bloomberg has published several additional articles which seem to try to add weight to this initial bombshell. One of them “New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom”, alleges that a U.S. telecom company has found hardware that had been tampered with that originated from Super Micro Computer Inc..
The problem with the article? The expert that they quoted, Yossi Appleboum, claims that the issues that were discovered were actually in products from a range of vendors, not just Super Micro Computer Inc.. While the article does acknowledge this towards the end, it is much more heavy-handed towards Super Micro Computer Inc. than Mr Appleboum’s own comments imply.
The Denials
When something this big happens, we expect denials. Companies and governments never want to own up to their mistakes or oversight. Often we get a no comment, or a very non-committal response that has been finely combed-over by lawyers.
This time, it’s different. Both Apple and Amazon have released strong rebuttals denying the contents of the Bloomberg story. The denials are far more forceful than you would expect, with Apple stating: “In the end, our internal investigations contradict every consequential assertion made in the article – some of which, we note, were based on a single anonymous source.”
On top of this, both the U.S. Department of Homeland Security (DHS) and the U.K. National Cyber Security Centre (NCSC) both deny that they ever launched investigations into the Chinese spy chips, which is a pivotal claim of the article.
Sure, all of these organisations have reasons to lie if Bloomberg’s claims do turn out to be true, but if they are lying, these strongly worded responses are digging them into a much deeper whole which will surely result in litigation and heads rolling.
What’s Really Going On?
While this article severely criticises Bloomberg’s claims, it is not its intention to deny that some kind of hardware spying could be happening. Spying is happening every day, and undoubtedly compromised hardware is facilitating widespread eavesdropping. In the case of SuperMicro, there may be some truth to what the reporters are saying, but we simply need more facts. It’s important to remain sceptical until we receive concrete evidence of what is actually going on and why it is happening.
On a more positive note, the Bloomberg articles serve as a reminder of just how cautious we need to be about our overall security. At the moment, our supply chains for computer hardware are completely out of our control, which brings about a number of security risks.
Is the solution to ban all technology from China? Probably not. But we should definitely be taking the opportunity to discuss how we can secure our hardware, along with what checks and balances we need to have in place. If you’re worried that your business’s hardware could be compromised, contact the team at Gridware for an assessment.