By now many of you have probably read the blockbuster story from Bloomberg/BusinessWeek called The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies, which outlined a complex and far-reaching scheme on the part of the People’s Liberation Army of China to infiltrate server motherboards manufactured by Supermicro, described by the Bloomberg as the “Microsoft of the hardware world.”
The article alleges that the PLA inserted small components that resembled other innocuous components such as power couplers onto motherboards. No bigger than the tip of a pencil, these components were either placed directly on the board or were so small and thin they were actually sandwiched between the layers of fiberglass on the circuit board. Bloomberg also alleges that the corrupted boards then found their way into high powered servers assembled for companies like Elemental, who had large contracts with companies like Apple and AWS, as well as extensive contracts with US Department of Defense, the CIA, and other government agencies. The chips are alleged to have limited functionality, basically providing remote computers with access to the system and enabling permission for changes to be made to the core operating system.
If it’s true, this would be by far the biggest hardware hack in history and would have far-reaching implications for both national security and the security of the largest corporations on earth (and thus their customers). If you read the news at all, it probably isn’t hard to imagine such a scenario unfolding in the real world, which seems to be in the midst of a cyber cold war as the US reports threats to critical infrastructure from Russian state-sponsored hacking groups, and companies continue to succumb to ransomware and more sophisticated attacks like TRITON/TRISIS malware that specifically targets process safety systems.
Strong Denials Continue While Bloomberg Stands by Its Story
Bloomberg weaves a compelling story, but strongly worded denials from Apple and AWS were issued not long after the article’s publication and both companies continue to deny these claims strongly. Hardware experts began shredding some of the facts presented in the story on Twitter, while some people who were actually used as sources in the article complained that their comments were taken out of context or modified. It doesn’t help that all the sources used in the Bloomberg article were anonymous either, but Bloomberg continues its strong support of the story and won’t back down.
Meanwhile, AWS has acquired the company Elemental. Despite its hardware dominance, the article informs us that Supermicro was delisted from NASDAQ back in August due to persistent accounting problems, and the entities like Apple that were supposedly affected by the hack have, according to the Bloomberg article, since removed all the compromised machines.
Holes in the Story?
One argument that stands out is presented by one particular website called securinghardware.com that points out several alternative ways that hardware components could be compromised, including the infiltration of BIOS chips that control the inner workings of computers. We’ve already seen well-documented vulnerabilities at the CPU and chip level with Spectre and Meltdown. With all the other ways that the bad guys could compromise hardware, why pick the most complicated and convoluted way that also requires complex integration with the hardware manufacturing supply chain?
If you’re an end user in manufacturing or smart cities and infrastructure, what does all this mean? It’s not likely that the PLA looking at your Amazon Prime viewing habits is going to affect your manufacturing process or your power grid, but there are some things you should be thinking about and hopefully acting on. These include secure hardware and software development practices. Most suppliers will be happy to tell you about their development practices, but ARC is seeing more activity in getting these practices validated by third parties with an eye towards certifications like ISA Secure System Security Assurance (SSA).