Bloomberg has reported that a tiny chip from China has made the biggest hardware hack ever possible, and it’s all due to an issue that cyber security professionals have been trying to raise awareness about for years. Bloomberg has yet to offer up any solid evidence to their claim besides the statements of anonymous officials and individuals supposedly involved in the process. Amazon, Apple, and China have all given statements contradicting the Bloomberg article, and for now, it remains a game of who said what. Bloomberg is claiming that Chinese factories have been adding additional, tiny, chips to motherboards produced for SuperMicro with the factories adding these chips at the behest of the Chinese government. The chips, while small, have enough space for code that allows them to act as a portal for future use. The chips are just a doorway, and one without any locks on it as hardware is not protected well against code injection.
Supposedly, the chips allow for code to be added to any motherboard they’re on. SuperMicro provides motherboards for the CIA, NSA, the US Armed Forces, Amazon, Apple, and other major US companies. SuperMicro is the supplier of choice because most of their hardware is assembled in the US, but not the physical motherboard that the chipset goes on and this vulnerability has been warned about before. As early as 2010 there were news articles about how the US Armed Forces was using electronics built in China for the guidance systems of its weapons.
China provides essentially all of the electronics used in modern technology, and there isn’t any competition or even the capability to compete anywhere else. The countries that use these products in mass quantities don’t have the resources to produce them at an economical price; China with its large rare earth element reserves and workforce is the only country capable of creating these pieces in any feasible quantity. This opens up any user to a massive security risk as the exact details of a critical, and completely necessary, piece of any electronic is known to a potential attacker: the Chinese government. China, like any government, has a state-run cyber arm that surely benefits from the blueprints of anything produced in China. Indeed, Chinese state-sanctioned cyber activity has been on the rise, and the Chinese Cyber Security Law that goes into enforcement in December is also being seen as a way to exert cyber power.
Max is a Legal Assistant and author residing in the Philadelphia area He has been writing for AskCyberSecurity.com since early 2017.