A security expert working for a U.S. telecom company reportedly uncovered further evidence of Chinese spy chips hidden on computer motherboards, Bloomberg Businessweek reported Tuesday, less than a week since the outlet revealed a massive “hardware hack” discovered in a secretive U.S. government investigation.
The major corporations named in the original report, Apple and Amazon.com, denied that a large number of servers they purchased from major computer supplier Supermicro were contaminated with backdoor security flaws inserted by Chinese military intelligence in the form of tiny extraneous chips. Supermicro also challenged the details of the report, which claimed up to 30 companies that purchased its products were affected, including government contractors.
On Tuesday, Bloomberg News ran a new report that quoted a security expert named Yossi Appleboum, a veteran of Israeli military intelligence who is now the co-chief executive officer of consulting firm Sepio Systems in Maryland. Appleboum said his company discovered tampered hardware at a telecommunications company that was not named in the report due to its nondisclosure agreement with the security firm.
The details of what Appleboum discovered were slightly different from the hardware hack described in the earlier Bloomberg report, but the net effect was the same: the affected Supermicro server was generating unusual network traffic that might have been efforts to connect with remote computer systems controlled by hackers. In this case, an “implant” was found connected to the network cable port on the server.
Appleboum said he sees compromised hardware with disturbing frequency:
The executive said he has seen similar manipulations of different vendors’ computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim — so is everyone else,” he said.
Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That’s the problem with the Chinese supply chain,” he said.
Supermicro, whose stock value fell dramatically after the publication of the original report, continues to deny its hardware has been compromised and faulted Bloomberg News for refusing to provide it with copies of the documentation furnished by Appleboum:
Supermicro, based in San Jose, California, gave this statement: “The security of our customers and the integrity of our products are core to our business and our company values. We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry. We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found. We are dismayed that Bloomberg would give us only limited information, no documentation, and half a day to respond to these new allegations.”
According to Bloomberg News, Appleboum has ample technical documentation to back up his findings, but presumably sharing it with other parties would violate his non-disclosure agreement by revealing the identity of his telecom client. AT&T flatly denied it was the telecom company in question, while Verizon, T-Mobile, and Sprint declined to comment on the story.
Appleboum said he has contacts in the U.S. intelligence community who pinpointed the origin of the compromised computer components as Guangzhou, the port city often hailed as the “Silicon Valley” of China. He offered an interesting detail about the specific hardware hack he revealed to Bloomberg News: compromised Ethernet connectors tend to have metal sides instead of the more common plastic construction because they have to diffuse the heat generated by the powerful spy chip hidden inside.
Bloomberg claimed that its report is getting results, as security teams around the world are now “analyzing their servers and other hardware for modifications, a stark change from normal practices.”
The issue is sensitive given the tense state of relations between the U.S. and China, not to mention the danger of stock market and information-technology panic if China’s tight grip on the computer supply chain compromised a huge number of servers in sensitive corporate and government facilities.
The South China Morning Post, which operates out of Hong Kong but is now owned by the mainland Chinese corporate giant Alibaba, reported on Monday that Chinese technology experts are challenging the Bloomberg story by claiming China does not have the technical expertise to create sophisticated hardware hacks:
“It would be amazing for China if it could integrate internal storage, a CPU and wireless communications in such a tiny chip,” said Zhang Baichuan, founder of cybersecurity website youxia.org. “The fact is, China’s chip technology is still at a primary stage.”
Tapping into a private server via the hardware would be a complicated process that also requires a degree of luck, said Li Aijun, chipset head at Intellifusion, a Shenzhen-based provider of artificial intelligence technology designed to help police catch traffic violators.
“Implanting a chip to crack [the server] without a trace is not possible as Chinese companies only assemble the components designed by the vendors. The motherboard only works as it was originally designed and implanting a hacking chip would always result in failure as it was not originally [part of the circuit design],” said Li.
Apple issued a statement to Congress on Monday saying it has found no evidence to back up the claims made by Bloomberg News.
“We are eager to share the facts in this matter because, were this story true, it would rightly raise grave concerns. A compromise of this magnitude, and the effective deployment of malicious chips like the one described by Bloomberg, would represent a serious threat to the security of systems at Apple and elsewhere,” Apple Vice President of Information Security wrote to the House and Senate Commerce Committees.
Amazon challenged the report in similar terms last week, stating it has never found malicious hardware in Supermicro computers and has not participated in the government investigation described by Bloomberg’s sources.