Motherboard spy chips: truth, hoax or conspiracy?
Recently, the IT landscape was shuck at its core when Bloomberg Businessweek reported that mainboards from market leader Supermicro came with tiny spy chips no bigger than the size of a grain of rice. If this turned out to be true, most data centers would be at risk of data theft or computer sabotage. The main potential victims were said to be US cloud service providers with their gigantic databases. And while fierce debate rages on, there's also a political side. So who's deceiving whom?
But first things first: According to Bloomberg Businessweek, Apple and Amazon had already discovered spy chips on motherboards used in their cloud servers in 2015 and had also notified the FBI. Chinese hardware giant Supermicro had manufactured the boards and it was suspected the Chinese People's Liberation Army were behind the attack. Agents had supposedly gained access to manufacturing plants and bribed or threatened foremen before the minuscule chips were incorporated into the assembly process. Servers from Amazon and many other companies were affected while consumer PCs were not. Even though there were no technical details given, everything pointed to a remote access attack.
17 anonymous government sources were said to have conducted extensive investigations and companies reportedly already replaced the affected hardware. Bloomberg firmly believed this story to be true, yet were unwilling to name sources, since the matter was deemed too sensitive. What followed were dementis from all sides. Supermicro, Apple, Amazon, Elemental, whoever was named in the report objected vehemently. Amazon sent Steve Schmidt, chief of information security, into the fight and even the always secretive NSA issued a dementi. Everyone claimed they neither knew of the attack nor cooperated with Bloomberg on the story. Instead of careful maneuvering, we saw definitive statements with no room for doubt. Smells like a hoax - or a huge scandal everyone seeks to sweep under the rug, depending on your reading.
Who'd notice an additional chip? What lends it plausibility is that, for a long time, Apple had been a major customer of Supermicro until business relations c ame to an abrupt end in 2015 when Apple removed all Supermicro motherboards from their servers and severed all ties with the company. The move came as a surprise to the IT industry. For Bloomberg Businessweek, their reputation is on the line and a hoax would be a devastating blow, but it's the affected companies that have the most to lose as a lack of trust would likely result in billions of losses on the stock market or even a sales ban. Insiders believe the affected companies will keep denying the claims until denial is no longer possible, but it hasn't come to that yet. It's hard to predict how customers would react if they knew their cloud-hosted data was read by Chinese authorities. In any case, it would be a serious blow to the reputation of US cloud service providers as secure data havens. If there had been reasonable suspicion, users of Supermicro hardware (still a market leader) would have had to be notified to avoid putting data security at risk in general.
So who lied? At present, I wouldn't want to vouch for the dependability of US government sources. Since Trump came into office, there have been various reports of attacks from Russia or the Far East without substantial evidence presented. Whether it was Kaspersky, who were suspected of industrial espionage, ZTE, whose devices were subjected to an import ban for the same reason, or Huawei, not a single accusation was substantiated with evidence. Many experts consider these actions part of an overall strategy to hamper competition and force foreign trading partners into offering more favorable conditions for US companies. So it's possible Supermicro is the next victim of an unfair trade war.
Supply chains can be long - and insecure
Whatever the outcome may be, the whole affair h as triggered a thought process in many decision makers. Theoretically, it's possible to launch an extensive spy campaign based on hidden microchips. Manufacturing processes and supply chains simply aren't monitored enough to detect an additional tiny chip slipped into the muddle of capacitors, slots and ports. It would be visually undetectable and there's an ongoing debate whether it could ever be found by analyzing data traffic later.
So should we continue to use hardware from a country that, to put it mildly, isn't exactly a close ally and could very well pursue its own interests? What do you think? Genuine story or hoax?