The Chinese hacking server hardware
You may have heard some pretty scary headlines or stories recently about a Bloomberg Businessweek article. This was about the Chinese hacking server hardware by implanting little “bugs” onto the main electronic boards of the servers. The claims, from several anonymous sources, were that this was happening on a vast scale. The Chinese had infiltrated SuperMicro, a manufacturer of these electronics boards. Every server that was shipped to approximately 30 US companies including Apple and Amazon had this little bug. Photos of a pencil and a little chip were doing the rounds. All very frightening indeed.
Haven’t we heard about this kind of behaviour from China before?
That was my first reaction to this story. Back in 2012, the US Government set out to ban any US telecommunications operator from using equipment supplied by Chinese companies Huawei and ZTE. This was after reports of communications equipment manufactured by them and supplied to US companies, were detected sending large packs of data back to China late at night.
But doesn’t the US do this as well?
Indeed thanks to the likes of Edward Snowden, we became aware that the NSA behaves similarly. In that story, they are shown to have intercepted the shipment of a new communications router. They then implanted some spying capability into it. It was then sent it on it’s way to it’s final destination.
So there’s nothing really new about the Chinese hacking server hardware?
Well this story from Bloomberg has stirred up quite a lot of controversy within the information security community. Apple and Amazon have been quick to categorically state that they have not been compromised. They claimed the story was completely false. Patrick Gray, an Australian information security journalist, interviewed one of the named sources in the Bloomberg story. Joe Fitzpatrick had been quite uncomfortable with the published story. Gray also raised the fact a previous story by the same journalists, quoting anonymous sources, turned out to be false. So he reckons it’s a bogus story.
I personally don’t think China would take the big risk of implanting “spy chips” in the all of the electronics that their own huge manufacturing companies produce. It would be a strange thing to do on such a massive scale as it would be more easily detected. They’ve been more targeted in the past, as has the US, so that’s probably more normal.
Certainly the supply chain is one of the weak points in a product’s creation. That’s how we ended up with Petya/Not Petya and also the compromise of CCleaner.
If you are in a top secret, research and development type operation, then you will need to have suitably vetted hardware, software and physical security experts on payroll or contract to be able to protect your business from these kind of efforts of the Chinese hacking server hardware.
For the rest of us mere mortals, there is little we can do to truly protect ourselves, without going to great expense. We just have to hope we have nothing the Chinese, the US, the UK, the Russians, the Israelis, etc., etc., etc. want. If they want it bad enough, they’ll get it.
Lets be careful out there.