Did Chinese Spies Really Put a Chip in It?

Back in 2015, Amazon took such a liking to Elemental's software-defined video solutions that on September 3, 2015, Amazon Web Services (AWS) announced its intention to acquire the company. Fast-forward three years, and Bloomberg has reported that China planted microchips inside the servers used by Amazon and other companies.

If Chinese spies did infiltrate the server supply chain and insert microchips into machines used by Apple, Amazon and other US companies, including government agencies, then Amazon, Apple and China's ministry of foreign affairs all claim they had no knowledge of it.

As for the servers in question, Bloomberg reported that an investigation began more than three years ago after Amazon discovered a microchip on the motherboard of AWS Elemental’s servers that were reportedly assembled by Supermicro Computer Inc., which has subcontractors in China. Amazon disputes Bloomberg's report that the company took its findings to authorities, setting off alarm bells across the intelligence community as Supermicro has hundreds of government customers.

The discovered chips had reportedly been inserted at one of the factories in China and enabled attackers to create a backdoor into any network. “This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get,” Bloomberg wrote.

The chips reportedly subvert the hardware on which they are installed, draining data while also delivering new code, much as a Trojan horse does. According to Bloomberg, there’s no evidence that suggests the companies’ data – or that of users – was stolen or tampered with, but both firms worked quietly to remove the compromised servers from their infrastructure.

In response to the breaking news, Apple wrote, "As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections. We did not uncover any unusual vulnerabilities in the servers we purchased from Supermicro when we updated the firmware and software according to our standard procedures."

"We are deeply disappointed that in [Bloomberg's] dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed."

All parties referenced in the Bloomberg story make similar claims. “While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic, nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue,” Supermicro said in response to Bloomberg's report.

Commenting on the risks of supply chain security, Ross Rustici, senior director, intelligence services at Cybereason, said that threats often do come from a complicit insider, "whether it is at the factory, a transportation agent or customs official. This makes creating a tamper-proof product extremely costly; the number of safeguards and other mechanisms required would drive up the cost of the product beyond market viability."
