It’s the nightmare hacking scenario that the spy world has been warning about for years and it may have already hit some of America’s biggest tech companies. Bloomberg reported on Thursday that a covert Chinese military unit was caught slipping modified microchips onto motherboards used by the likes of Apple and Amazon. The chips, barely the size of a grain of rice, were designed to allow spies to snoop on the data moving through the servers wherever they are installed.
“What this article does is take all of those scenarios from science fiction and puts them in present day. And now we have to all update our risk calculus that we keep in our heads,” Dave Aitel, a former National Security Agency research scientist and CEO of Immunity Inc, told The Daily beast.
The hacked boards were sold by Supermicro, a major international supplier, and used by Apple and Amazon. All three companies have denied any knowledge of malicious hardware, but Bloomberg says a number of national security officials confirmed the incident, which reportedly affected 30 different companies in all. Bloomberg’s sources detailed exactly what the government found on some servers turned over in the investigation.
Slipping hacked hardware devices into a commercial supply chain is the kind of problem that former NSA and CIA director Michael Hayden has called “the problem from hell.” The Defense Department and intelligence community have been warning about it and trying to gin up mitigations for well over a decade. Despite the years of warnings, dealing with the threat still isn’t easy.
Part of the problem is that computer hardware manufacturing has increasingly moved offshore to countries like China, which has invested heavily in stealing classified data from governments and intellectual property from private companies. Beijing’s prominence in the sector is no accident. The Chinese government has singled out the semiconductors as a strategic growth area is heavily subsidizing the industry to make China and its exports a world leader. But even when American companies design the chips, manufacturing is often outsourced to foundries overseas, adding another vector for mischief.
Amazon, according to the Bloomberg story, detected the Chinese spy chip during a security audit of the motherboards. The stowaway device was hidden on a motherboard used in a video processing server, disguised to resemble a cheap commodity component. It was a lucky spot for Amazon, but the problem for the rest of the private sector is that examining millions of hardware components they use in data centers and other operations just doesn’t scale.
Another big challenge is that hardware supply chains are incredibly complex, with a myriad of different suppliers sourcing components from each other.
“Even if a big company like Amazon found something, being able to track it down to what your problem really is in your supply chain is almost possible,” Aitel said. “You can’t just go to your first vendor and say ‘hey, here’s something.’ You have to go all the way down to that sub-sub-sub supplier.”
As difficult as they are to detect, implementing hardware hacks like the one reported by Bloomberg is no walk in the park either.
That’s because the complexity in hardware supply chains cuts both ways. An adversary has to ensure her trojan chip makes it onto the right circuit board, used by the right company, and installed in a part of the network that touches the data she’s after.
And there’s always a risk that the silicon spyware will inadvertently disrupt the operations of the systems they’re installed in, leading to discovery. “This is an issue with all hacking and implants. You have to be great at quality control—so much better than a normal supplier would have to be,” Aitel said.
While the discovery of trojan hardware is a rude awakening for the private sector, it comes as little surprise to the U.S. government. The Defense Science Board first issued a report in 2005 warning of the risk that “untended design elements” could be inserted in chips “as a result of design or fabrication in conditions open to adversary agents.”
To counter the threat, the Defense Department created “trusted foundry” programs for known and trustworthy suppliers of components installed in sensitive classified systems. But that solution won’t work in the larger world. The demand for components in the private sector is too great to be met by a small circle of closely scrutinized suppliers.
“This is one of those problems that private industry can’t really address,” Aitel said. “The level of sophistication is beyond that which an Apple or an IBM should reasonably be expected to protect themselves against.”