How worried should you be about Chinese spies planting backdoors in your computer?
On Thursday, Bloomberg dropped a bombshell story claiming China has been secretly adding tiny microchips to server motherboards manufactured in the country in an effort to spy on US companies like Amazon and Apple.
According to security researchers, the supply chain attack outlined in Bloomberg's reporting is plausible. The only problem is the lack of evidence. So far, no one has released details of this Chinese spy chip. Nor has anyone ever publicly reported finding it.
It hasn't helped that Apple, Amazon, and the manufacturer of the motherboards, Super Micro, have all vehemently denied the reporting in Bloomberg's news story, sparking confusion over how real the threat is. That could mean one of two things: Either Bloomberg's story is wrong or China has managed to pull off this supply chain attack for years, undetected.
Whatever the case may be, security researchers are hopeful they'll get to the bottom of the mystery in the coming weeks. Many have been digging through and analyzing the server motherboards from Super Micro, with the goal of finding any unusual activity or actual presence of a secret spy chip. However, if the hidden backdoor is real, chances are China used it selectively to prevent detection. The chip itself also wouldn't be easy to find, according to Joe Fitzpatrick, a researcher at SecuringHardware.com.
"With hardware access, there are plenty of ways to backdoor a server," he wrote in a blog post, outlining the threat. "Someone knowledgeable could quickly pick out a dozen well marked places malicious firmware could hide on a board and dozens of more components large enough to contain a capable implant inside them."
The attack described in Bloomberg's reporting suggests that the spy chip was designed to exploit the Baseboard Management Controller (BMC) onboard the motherboards. This controller is quite powerful; it can let a remote administrator control the computer and modify the existing firmware on the system for malicious purposes. According to Bloomberg, Chinese spies used this access to open a back door into company servers and take over their processes.
"Almost no one that buys servers bothers to look closely and fully understand the BMC firmware image in their systems, so this would likely have remained undetected by end customers," said Ian Pratt, president of the cybersecurity firm Bromium, in an email.
That said, there is a way you could detect the presence of the chip: it would eventually need to "phone home" to the Chinese spies by communicating to them over the internet. IT administrators with full network monitoring on their servers would've noticed the suspicious traffic.
"This communication with the (command and control) server is vulnerable to observation, and is quite likely how the implant was discovered — rather more probable than someone spotting the tiny extra chip," Pratt added.
Nicholas Weaver, a computer scientist at UC Berkeley, said he expects we'll see "independent confirmation of this attack within a few weeks," given that Bloomberg claims close to 30 companies were targeted. "Corporations are going to start testing their Super Micro servers for unusual communications or internal connections — and if anything is discovered, at least one analysis will probably be made public," he wrote in a blog post.
Also, if the threat is real, then US authorities, such as the National Security Agency, should be alerting potential victims, since the attack is no longer a secret, he said. But both the NSA and the FBI have so far declined to comment on the alleged supply chain threat.
On Friday, the UK's National Cyber Security Centre also cast some doubt on Bloomberg's story. "We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS (Amazon Web Services) and Apple," it said in an email. "The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us."
What happens if the chip is found? It'll underscore a key vulnerability with US industries outsourcing their electronics manufacturing to China, a risk that the security community has been warning about for years. So don't be surprised if the Trump administration uses the incident to ramp up the ongoing trade war between the two countries. This past week, US Vice President Mike Pence called on US companies to avoid doing business in China if it means handing over valuable technology to their local Chinese counterparts.