Did China use a tiny chip to infiltrate U.S. companies?

Saturday, October 6th, 2018

Bloomberg claims that China used a tiny chip to infiltrate U.S. companies:

A Chinese military unit designed and manufactured microchips as small as a sharpened pencil tip. Some of the chips were built to look like signal conditioning couplers, and they incorporated memory, networking capability, and sufficient processing power for an attack.

The microchips were inserted at Chinese factories that supplied Supermicro, one of the world’s biggest sellers of server motherboards.

The compromised motherboards were built into servers assembled by Supermicro.

The sabotaged servers made their way inside data centers operated by dozens of companies.

When a server was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.

The claims are… incredible:

In emailed statements, Amazon (which announced its acquisition of Elemental in September 2015), Apple, and Supermicro disputed summaries of Bloomberg Businessweek’s reporting. “It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental,” Amazon wrote. “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple wrote. “We remain unaware of any such investigation,” wrote a spokesman for Supermicro, Perry Hayes. The Chinese government didn’t directly address questions about manipulation of Supermicro servers, issuing a statement that read, in part, “Supply chain safety in cyberspace is an issue of common concern, and China is also a victim.” The FBI and the Office of the Director of National Intelligence, representing the CIA and NSA, declined to comment.

Comments

  1. Bob Sykes says:

    So, once again, US policy is being driven by a fraud? By Fake News? At Bloomberg?

    I am going to believe Apple and disbelieve Bloomberg.

    We are living in a Dark Age of superstition, delusion and illiteracy. And violence.

  2. Ross says:

    Apple, Amazon CISO (and I think implicitly Joe Grand) came out against the story. That’s enough for me.

    My prior on Bloomberg: I sample Bloomberg every day and I can tell where they are politically.

    But, yeah, I was snookered in by the story in the first hour, and I still think it’d make an excellent movie plot.

  3. Wang Wei Lin says:

    Ever look at the traffic hitting on your WiFi router when nothing is happening on your side of the network? I’ve thought for years it’s a bad idea to have our political enemy manufacturing our essential technology. A little code and all your traffic is mirrored to a server farm. Totally plausible. You recall the OPM infiltration by the Chinese? It was discovered during a security demo by a large US technology company. The forensics revealed it had been happening for over a year and no one knew. We only heard about it a year after it was uncovered. Now imagine every piece of technology strewn across the globe that’s made by China. The barn door is wide open.

  4. Harry Jones says:

    First rule of computer security is: assume the worst. That tells you where the burden of proof should lie.

  5. CVLR says:

    “First rule of computer security is: assume the worst. That tells you where the burden of proof should lie.”

    When I think of “assume the worst”, I think of every processing unit of any manufacture having baked-in superuser-level backdoors accessible to one or all of a handful of top intelligence agencies and their satellite organizations worldwide; and most of the non-airgapped ones, with Internet access, intermittently transmitting analytics back to their respective mothership.

    Is that what you mean?

  6. Harry Jones says:

    Something like that.

    That’s why I don’t hope to eliminate all risk. Not in this universe. But I do mitigate risk. The fewer computers my private data goes through, the better. No cloud computing for me. Data disabled on my phone, and Wifi off unless needed. No Facebook. No Google. No smart TV. No OnStar. No Internet of Damn Things.

    Oh, and I absolutely do not trust China.

    And of course I run Linux and browse through Tor. On a rather outdated computer.

    The risk I cannot eliminate, that I grudgingly accept. The risk I can eliminate, that I eliminate.

    I worked in OS and network software/firmware a while. I know how the sausage gets made, and I know just what sort of sociopaths and meatheads run those R&D companies.

  7. Sam J. says:

    If this is not so and there is no embedded spy chip then why did Bloomberg do this? The article seemed very detailed and wasn’t written as if this was a could be situation. Why would they risk their reputation? Maybe they don’t care about it???

  8. Barnabas says:

    Magic tiny chip aside. I don’t know why China wouldn’t be spying through manufactured hardware and software.

  9. CVLR says:

    “The fewer computers my private data goes through, the better. No cloud computing for me. Data disabled on my phone, and Wifi off unless needed. No Facebook. No Google. No smart TV. No OnStar. No Internet of Damn Things.”

    A fine sentiment. Most of those things I, too, forgo, but some I cannot get away from. I can’t stand desktop GNU/Linux, for instance, though on servers it’s the only game in town, and so if I’m going to trust (for some value of the word) a company for mobile, namely Apple, I figure I’ll have to trust them for desktop also. Tor I have little trust in, though for sociological reasons, not technical ones.

    “I worked in OS and network software/firmware a while. I know how the sausage gets made, and I know just what sort of sociopaths and meatheads run those R&D companies.”

    Have you written about your experiences?
