[Update]: Since Bloomberg originally posted their story, every party involved has publicly and repeatedly denied the claims made. This includes assessments by Amazon and Apple, two of the largest companies named as targets of this potential breach. Take the following with a grain of salt.
In recent news, Supermicro is under some heat in the U.S. after multiple reports of its manufactured components containing malicious microchips on their boards. They’re one of the world’s biggest suppliers of server motherboards and does business across the globe. So, what happened that caused this heat? Read on to find out.
It seemingly started back in 2015 when Amazon was seeking the acquisition of Elemental Technologies, a firm which more or less revolutionized the process of how video streams are compressed and formatted. With a rise in demand for mobile streaming, Amazon was looking to fill that demand with its Amazon Prime Video service. Elemental Technologies is known for some big contracts – helping stream the Olympic Games online, sending communications with the International Space Station, as well as funneling drone footage to the Central Intelligence Agency.
As a precaution, and rightly so, Amazon sought the help of a third-party security firm to put Elemental’s security to the test – this is where the tip of the iceberg broke. Having sent several servers to the Ontario, Canada-based security firm, the first pass through inspection uncovered troubling issues that led to a more in-depth investigation. There they discovered tiny microchips embedded on the boards that weren’t part of the boards’ original design in the first place.
Currently, most attacks are all software-based as hardware hacks are tougher to pull off. Distributed denial of services attacks, cross-site scripting attacks, etc., are examples of software attacks but hardware, well, that’s actual and physical manipulation of the components that the software runs on. A hack to this degree, though not unheard of, takes quite some planning to pull off. This form of hack would require intervention into the manufacturing process of said boards, and throughout the supply chain. Two ways of pulling this off are either interdiction, which entails hardware manipulation once devices have finished their manufacturing and are in transit to customers, and the other is being involved from the get-go.
Coincidently, China is estimated to make 75% of the world’s mobile phones and 90% of its PCs. In addition, it is believed that this was conducted by operatives who were part of the People’s Liberation Army. This feat affected almost 30 companies, of which are some big players – Apple, Amazon, and even the CIA. There seems to be some controversy about each company’s awareness of this matter. Unidentified sources claim they were aware but the companies’ official statements deny this.
It is believed that no consumer data was known to have been stolen and that this act was suspected to be more of a long-term siphoning of information over time – specifically for high-valued information on corporate secrets and sensitive government networks.
The implanted chip is said to contain network abilities, as well as the ability to interfere with the operating system installed on it. It was able to reach out online to seek further action from anonymous servers scattered across the globe. Further, there were capabilities to intercept signals queued up in the CPU process line and nefariously alter whatever it wanted. Thus, there was a physical backdoor installed on these servers that allowed virtual access to remote users – scarier still, this stood true even if the servers crashed or were turned off!
Being connected to the baseboard management controller, which is the superchip that allows remote admin access to servers in a problematic state, they more or less had front row access to just about anything. Encryption keys are prone to theft, preventing security updates that could potentially disable the chip, as well as opening new pathways to the Internet to the malicious servers – these are just a few possibilities that are available.
On somewhat of a positive note, paper trails are evident in the physical world. Shipping manifests, invoices, serials numbers; these are all details that allowed U.S. intelligence to backtrack through the supply chain and to the compromised manufacturers responsible. There were four subcontracting companies under the three that Supermicro directly worked with, located in Taiwan and Shanghai. It was discovered that plant managers were threatened or bribed by individuals posing as Supermicro employees or government-connected figures.
Needless to say, Supermicro is under a lot of heat and lost quite a bit of business from some big players in the tech industry. This investigation has been ongoing and is still open.
References
Robertson, J. & Riley, M. (October 4, 2018). The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies. Retrieved from https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies