It’s been a week since Bloomberg BusinessWeek stunned the world by alleging a mysterious tiny chip was found on some motherboards made by SuperMicro Computers for a company called Elemental Technologies that Amazon was planning to buy.
In that week the dust raised by the controversial article hasn’t cleared.
The chip, “not much bigger than a grain of rice,” was allegedly analyzed by U.S. intelligence in part because servers from Elemental are used throughout the Defence department and the CIA. “Investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines,” Bloomberg said. “Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”
“The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.”
The article also said three unnamed senior insiders at Apple told Bloomberg that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, the story said, for what it described as unrelated reasons.
The article — based largely on anonymous sources — instantly made headlines around the world. And almost just as quickly was denied. Most recently, Apple issued a statement to Congress saying the allegation its servers were compromised “is not true.”
“While the story was being reported, we spoke with Bloomberg’s reporters and editors and answered any and all of their questions,” wrote George Stathakopoulos, Apple’s VP for information security. “We methodically dispelled the often-shifting nature of their claims. While we repeatedly asked them to share specific details about the alleged malicious chips that they seemed certain existed, they were unwilling or unable to provide anything more than vague secondhand accounts.”
“Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found,” the motherboard manufacturer said.
Amazon said it told Bloomberg it was not true the company was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware at the time Amazon acquired Elemental in 2015. “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.”
Britain’s National Cyber Security Centre said it had no reason to dispute the statements from Apple and Amazon. On Oct. 6 the U.S. Department of Homeland Security also said it has no reason to doubt those statements.
So where does that leave CISOs? “Don’t Panic!” said Johannes Ullrich, dean of research at the SANS Technology Institute.
“Defense in depth is still a valid strategy,” he wrote in a blog immediately after the Bloomberg article hit the world. “The [suspect] component will likely communicate across the network. A network firewall and Intrusion Detection System (IDS) are still valid layers. Let’s just hope they don’t include the same component.”
“While government agencies are certainly worried and are conducting audits of hardware they use, their mission is usually not to protect consumers from such implants. There is no government agency that would proactively screen hardware entering the country to look for backdoors. Instead, supply chain security is the responsibility of the end user. Relationships with trusted suppliers, who themselves use due diligence / best practices in manufacturing are key. As a consumer / small company, there is little you can do to achieve this and it is mostly up to large companies like Apple, Dell, Amazon and such to ensure they are selling safe products to the public. But considering how difficult it appears for Amazon to even police simple stuff like fake Apple lightning port cables, the security of its cloud systems and other infrastructure may suffer as well.”
In an addendum after SuperMicro’s denial, Ullrich added, “Without any additional evidence, it is difficult to decide who is right. Information about a problem like this would likely be highly guarded at Supermicro and only known to a small group within the company. We will have to see what evidence will emerge about this moving forward.”
Online publication Motherboard.com found a lot of skeptical experts. Some said the story is plausible, but lacks details. “Even sources used in the original story are confused about what’s going on,” this article said. “The cybersecurity podcast Risky Business interviewed one of the few named sources in the original Businessweek article, hardware security expert Joe Fitzpatrick, who expressed doubts about the article, and said he had never been contacted by any Bloomberg fact-checker. Fitzpatrick was used as an expert source to comment on the technical details of what Bloomberg described and does not have any firsthand knowledge of the actual alleged hack.”
