Holy moly, this is huge. A unit of the People’s Liberation Army secretly inserted tiny, malicious microchips into motherboards that were manufactured in Chinese factories for the US-based company Supermicro. These motherboards were used in expensive servers supplied to Amazon, Apple, the Department of Defense, the CIA, and the US Navy, among others. From a Bloomberg Businessweek investigation:
During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.
This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.
This is really bad.* Say goodbye to US reliance on Chinese components. It will take time to reorient the global supply chain, but the effort is already underway. This scandal, which has been known (of course) to the Obama and Trump administrations, will only strengthen the case for manufacturing sensitive technologies in the US.
[…] Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”
In the meantime, Mike Pence accuses China of a host of sins including interfering in the US democratic process:
Vice President Mike Pence escalated Washington’s pressure campaign against Beijing on Thursday by accusing China of “malign” efforts to undermine President Donald Trump ahead of next month’s congressional elections and reckless military actions in the South China Sea.
In what was billed as a major policy address, Pence sought to build on Trump’s speech at the United Nations last week in which he alleged that China was trying to interfere in the pivotal Nov. 6 midterm elections. Neither Trump nor Pence provided hard evidence of Chinese meddling.
That’s not quite right, as Pence mentions, for example, the widely noted Chinese advertising supplement in Iowa. From the transcript:
And China is also directly appealing to the American voters. Last week, the Chinese government paid to have a multipage supplement inserted into the Des Moines Register – the paper of record of the home state of our Ambassador to China, and a pivotal state in 2018 and 2020. The supplement, designed to look like the news articles, cast our trade policies as reckless and harmful to Iowans.
Pence also calls on Google to “immediately end development of the ‘Dragonfly’ app that will strengthen Communist Party censorship and compromise the privacy of Chinese customers.” More about Dragonfly here.
*Only fair to link to Supermicro’s response to the Bloomberg piece:
SAN JOSE, Calif., October 4, 2018 — Super Micro Computer, Inc. (SMCI), a global leader in enterprise computing, storage, networking solutions and green computing technology, strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems.
In an article today, it is alleged that Supermicro motherboards sold to certain customers contained malicious chips on its motherboards in 2015. Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found.
Each company mentioned in the article (Supermicro, Apple, Amazon and Elemental) has issued strong statements denying the claims […]