Bloomberg published an interesting article today, about a purported spying program by which the Chinese state injected trojan components into motherboards manufactured by SuperMicro. The claim is that Amazon, Apple and others had been compromised (or at least compromised hardware had been found in their data centers).
Did this really happen?
The Bloomberg report is credible for a few reasons:
- They are a serious news organization.
- They claim to have corroborated the story through 17 separate sources working for a variety of organizations, including the target companies and security agencies.
- The attack vector is technically feasible, though very challenging to pull off.
- The Chinese state, like the American state, has both the resources and motivation to do something like this. Neither China nor the US has the good sense to avoid doing something like this, due to the commercial damage that discovery would cause.
Amazon, Apple and Supermicro all strongly deny the report. That does not mean it’s not true, but it does raise the possibility that some or all of the details are incorrect.
Supermicro’s stock is down 41% today. Ouch. They aren’t even alleged to have done anything wrong – they are just the channel through which malicious or compromised subcontractors injected bad hardware destined for various US corporations. Apple and Amazon stocks are both down about 2% today as well.
Is this attack something new in the world?
In one sense: yes. Injection of malicious hardware components into motherboards is seriously difficult to do and I haven’t heard of anyone pulling this kind of thing off before.
In other senses: no. Injection of malicious components or software into otherwise innocent hardware has been done before, including by the US government:
Bad firmware in hardware products is nothing new. Bad security measures in CPU design are also a serious hardware problem that has been in the news lately:
As a security community, we should all know by now that neither hardware platforms nor supply chains can be blindly trusted.
Is this good for China?
Not at all. Disclosure of this attack means that manufacturers will scramble to move their fabrication to other, less aggressive jurisdictions.
Is this good for the US?
Not really. They have been caught doing much the same thing to in-transit network devices in the past, which has already caused many buyers around the world to avoid US products and services, causing billions of dollars of economic harm. Moreover, the US legal system provides little or no privacy protection to foreign citizens or firms, which likewise causes many foreign governments and corporations to procure products and services elsewhere.
This is one area where government action has the ability to either be benign or harmful, and both the US and Chinese security establishments have put their own, short-sighted, intelligence-gathering priorities ahead of the broader economic interests of their nations, via the revenue streams of corporations in their own jurisdictions. These are smart-yet-stupid governments.
Are we affected?
These malicious chips could be in any motherboard of any computer. Of course, attention will first be on motherboards manufactured by (or really on behalf of) Supermicro, and that’s a lot of motherboards. Hopefully, over the next few weeks, someone will figure out how to detect that a given motherboard is affected and publish that. If and when that happens, we should all crack open our PCs and servers and see if they are affected.
Then what? In most cases, I expect we’ll find nothing and carry on with business as usual. In some cases, we might find compromised hardware, in which case we’ll need to figure out how to mitigate the hardware or quickly replace the tainted machines.
Watch your news feed for an indication of how to identify compromised systems.
Impact on OEMs and future supply chains
Hardware OEMs like Dell and HP and SaaS operators like Amazon and Microsoft need to figure out how to vet incoming hardware. That’s an extremely advanced sort of analysis — I’m not aware of any way to automate it and only a very few people in the world have the required skills. Globally, anyone who procures a large amount of hardware needs to get into the business of pulling a statistical sample of devices out of their supply chain and subjecting them to deep analysis to see if a bad actor somewhere upstream in their supply chain has done something naughty.
This is an expensive process. Are we, as organizations and consumers, willing to pay for that?
Also, where does this leave the Chinese-domiciled OEMs like Lenovo? Do we trust them to do this kind of supply chain validation? What if they are also compromised by their own state? What about Taiwanese OEMs like Asus and Acer? How immune are they from influence, given the cultural and linguistic proximity to China and the fact that almost all of their manufacturing is on the mainland?
This little news story could send big ripples through global supply chains, presumably to the detriment of the Chinese economy.