The tech giants, the US and the Chinese spy chips that never were… or were they? | John Naughton

A sensational Bloomberg story about a major hardware hack was swiftly denied. But the journalists aren’t backing down

On 4 October, Bloomberg Businessweek published a major story under the headline “The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies”. It claimed that Chinese spies had inserted a covert electronic backdoor into the hardware of computer servers used by 30 US companies, including Amazon and Apple (and possibly also servers used by national security agencies), by compromising America’s technology supply chain.

According to the Bloomberg story, the technology had been compromised during the manufacturing process in China. Undercover operatives from a unit of the People’s Liberation Army had inserted tiny chips – about the size of a grain of rice – into the motherboards.

The affected hardware then made its way into high-end video-compression servers assembled by a San Jose company called Supermicro and deployed by major US companies and government agencies. According to the report, investigators found that the hack eventually affected almost 30 companies, including a major bank, government contractors and Apple, which had originally ordered 30,000 Supermicro servers in 2015 but had cancelled the order after its own investigators had found malicious chips on the company’s motherboards.

On the face of it, this was sensational stuff. Software hacks are routine nowadays, but hardware hacks are not (though we know from Edward Snowden’s revelations that western intelligence agencies are partial to them). And they are much harder to detect. China has long had a semi-state operation to hack into US tech companies and steal their intellectual property. The idea that it might have gained an unsuspected backdoor into some of the most sensitive and informative servers in the US must have sent shivers down many a corporate and government spine.

And although most computer hardware is designed in the west, the vast bulk of the stuff (75% of mobile phones and 90% of PCs) is manufactured in China. So if there was going to be a supply-chain attack, that’s where it had to be done.

On the face of it, therefore, the Bloomberg report seemed plausible even if all its sources were anonymous; it is, after all, a reputable journalistic outfit. But then angry rebuttals began to flood in. First, Apple, Amazon and Supermicro issued denials. Apple’s top security officer told Congress that the company had found no evidence to support the claims made in the report.

And an anonymous company informant told Motherboard that “none of the most consequential portions” of the original Bloomberg story as they relate to Apple was true. The company did not find malicious chips in its servers, it did not remove or dispose of those servers and Apple did not inform the FBI or frustrate an investigation into this incident.

Amazon, for its part, was equally unambiguous: “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.”

Then the UK National Cyber Security Centre weighed in, saying that it had “no reason to doubt the detailed assessments made by AWS (Amazon Web Services) and Apple”.

The US Department of Homeland Security said much the same. And Supermicro (whose market value had been halved by the Bloomberg story) stated that it had “never been contacted by any government agencies either domestic or foreign regarding the alleged claims”.

In response, Bloomberg reporters stood by their story and even extended it, claiming that a “major US telecommunications company” had discovered manipulated Supermicro hardware in its network and removed it in August.

So what’s going on? Clearly, someone’s being economical with the actualité. Seeing what happened to Supermicro’s share price, you can see why the companies might be, er, defensive. (And of course, the thought that security might oblige them to relocate manufacturing to the US would blow their minds, never mind their bottom lines.) Likewise, the intelligence agencies might be reluctant to draw too much public attention to supply-chain interference, given that they all do it.

Maybe things will become clearer in the next few weeks. In the meantime, the most illuminating contribution to the debate so far came from a Cambridge University researcher, Dr A Theodore Markettos, who conducted a fascinating investigation of a key bit of the Supermicro hardware to see if the Bloomberg claim passed what he called “the sniff test” of initial plausibility. His conclusion: it does. Stay tuned.

What I’m reading

Little British landscapes
A hilarious piece in the of academic research that showed Brexit Leavers preferred “realistic” paintings, while Remainers preferred more abstract stuff. Strange: I thought it was the Brexiters who liked abstract fantasies.

A little too convenient
The New York Times reported in its Week in Tech column on the dangers of using Facebook to sign in to other services. The recent huge data breach means you may be more compromised than you think.

Robot bores
The Automation Charade is a lovely essay by Astra Taylor asking whose interests are being served by raising fears about “the rise of the robots”.

Contributor

John Naughton

The GuardianTramp
