Allegedly, these microchips would give the Chinese military a backdoor to some of the most sensitive information on servers worldwide. If true, this would constitute a security breach of mammoth proportions. It’s a strange tale of high stakes international drama. Indeed, the companies, the Chinese government and even the US government all strongly deny that any of this took place. Bloomberg’s version of events, has already been hotly contested. So, how did this happen? Who was involved? What does this mean for you? Elemental is one of the leading companies in network-level video compression. That sounds complicated, but its smarts are one of the main reasons why you can watch HD videos on your phone. It also compresses video communications for the US intelligence services, notably handling the CIA’s drone footage, according to Bloomberg. Elemental compresses videos for its clients by placing its video compression servers on their internal networks. These servers were manufactured a US company called Supermicro. Bloomberg claims that, despite operating out of San Jose, CA, it has strong cultural ties to China, having been founded by a Taiwanese migrant to the US, and continues to be staffed by Chinese and Taiwanese natives. However, these look like incidental facts rather than anything more substantial. China is the world’s leading producer in electronics. It has been since US companies began outsourcing manufacturing to the cheaper Chinese market in the 90s. As a result, most of the hardware that goes into running company networks and servers is manufactured in China. Supermicro, for its part, outsources its server manufacturing to companies operating in Shanghai and Taiwan. Bloomberg’s report is based on multiple anonymous sources, which it claims are high-ranking US officials. According to these sources, the CIA had been monitoring an element within the PLA which specialized in hardware attacks: This group is suggested to operate in the shadows, using Chinese officials, middlemen and indirectly associated people to the PLA to infiltrate factories. These motherboards would then be sent back to Supermicro, then onto Elemental who would add their code to the servers, and would then be sold to clients including the CIA.
The size of the malicious microchip
However, Bloomberg claims that the US intelligence services were aware of specific potential threats to motherboard manufacturing: Yet, the security services chose to do nothing, as “issuing a broad warning to Supermicro’s customers could have crippled the company” and “it wasn’t clear from the intelligence whom the operation was targeting or what its ultimate aims were. Plus, without confirmation that anyone had been attacked, the FBI was limited in how it could respond.” For context, President Obama and China’s President, Xi Jinping, made an agreement in September 2015, that neither country would conduct cyber theft of intellectual property. However, only weeks after this agreement was announced, the US government was talking to tech companies about the security threat: So why is this coming out now? It’s difficult to say, but Bloomberg claims that it has been investigating the case for over a year, so it might have simply been the result of a tip off, or a leak which has taken this long to fully investigate and understand. Hardware-level hacks, like the one reported in Bloomberg, allow much greater access to the system or network and in this case would have allowed unparalleled access to the data passing through the server: However, it’s unclear exactly what sort of information the hackers wanted to obtain. Clearly, access to major companies servers’ could help facilitate a cyber attack – and experts have warned that China could do this. Access to the US defence and intelligence servers could also be advantageous but, again, we’ve no specific information on what they would do with this data. Crucially, there’s no evidence that any governmental or consumer data was taken. Firstly, it raises the suspicions around Chinese-made goods even further. Following the US government’s ban on Huawei and ZTE devices being sold in the US due to security concerns, this incident would prove that the Chinese government does have the ability to compromise private sector manufacturing. Secondly, given the current trade war between China and the US, this kind of attack would likely cause President Trump to order tariffs on more goods as a result. This would lead to greater price hikes for consumers and, potentially, more US businesses dependent on Chinese-made parts biting the bullet. In November 2017, after we had first been presented with this allegation, we provided the following information to Bloomberg as part of a lengthy and detailed, on-the-record response. It first addresses their reporters’ unsubstantiated claims about a supposed internal investigation: “Despite numerous discussions across multiple teams and organizations, no one at Apple has ever heard of this investigation. Businessweek has refused to provide us with any information to track down the supposed proceedings or findings. Nor have they demonstrated any understanding of the standard procedures which were supposedly circumvented. No one from Apple ever reached out to the FBI about anything like this, and we have never heard from the FBI about an investigation of this kind — much less tried to restrict it.” Clearly, the reliance on anonymous sources is far from ideal, but Bloomberg said in its original article that this was to protect their safety and privacy. But even, if half of the story is true, it’s still a big, big deal. Update: 5 October 2018 Update: 8 October 2018 AM Update: 8 October 2018 PM Apple issued another strongly worded rejection of Bloomberg’s claims in a letter to four US Congressmen. You can read the letter here.
While the story was being reported, we spoke with Bloomberg’s reporters and editors and answered any and all of their questions. We methodically dispelled the often-shifting nature of their claims. While we repeatedly asked them to share specific details about the alleged malicious chips that they seemed certain existed, they were unwilling or unable to provide anything more specific than vague secondhand accounts.”
Is Huawei a Genuine Security Threat?Will Tech Feel the Brunt of Trump’s Tariffs?Google is Planning a Censored Search Engine for ChinaKaspersky, Huawei and the Geopolitics of Tech Companies
