Listen to this article now
On October 4th, Bloomberg Businessweek published an article titled “The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies.” In the piece, Bloomberg outlines how the Chinese are believed to have secretly implanted tiny command-and-control chips right into server motherboards – motherboards used by dozens of US technology companies the likes of Apple and Amazon. I suggest you read the entire report before reading on.
“Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.”
Here are some takeaways you might find helpful:
1. Did it happen?
So far, no other major news outlets have independently verified this story. Before rush down that rabbit hole, we should remember to be cautious, and take all news reports that haven’t yet been independently confirmed by other news organizations with a grain of salt. It is possible that Bloomberg was sold a false (albeit convincing) bill of goods. I am not saying that it is what happened, but I want to raise that possibility because it is still exactly that: a possibility. Why would anyone push a story like this if it weren’t true? The most obvious answer is the rising tension between the United States and China. If someone wanted to exacerbate those tensions and inject national security elements into an otherwise mostly economic dispute, they could do worse than this story.
Apple and Amazon, at least so far, deny that the attack took place. Depending on where your instincts lean, you may be tempted to see this either as an indication that the hack reported by Bloomberg did not, in fact, happen, or you may see it as a natural reaction from compromised companies trying to protect their reputations, their stock value, and their bottom-line.
China’s denial of the attack is irrelevant.
2. If this operation is real, is its impact being exaggerated?
Assuming that this happened, we still don’t know just how many servers were impacted, which servers were impacted, where those servers are, and to what extent they were impacted. For all we know, the chips’s capabilities may be far more limited than the article suggests, and more detectable to IT security sweeps than initially reported. I have a difficult time believing that a widespread network of compromised servers communicating with unknown outside servers would evade Amazon, Apple, and the US government’s cybersecurity infrastructure. It isn’t impossible, but it seems unlikely, especially at scale.
This type of scheme seems more to me like an attempt to plant sleeper switches onto servers that would allow a hostile third party to more easily launch attacks on said servers than a scheme to extract massive amounts of data and information from servers. I may very well be wrong about this, but again, I find it unlikely that large packets of information mysteriously leaking out of secure server facilities all over the US would evade detection.
3. If this operation is real, could it be worse than Bloomberg suggests?
Let’s flip the script now and consider that the attack may impact far more than just server motherboards. Consider the size of the chip and what it is allegedly designed to do: Allow a third party to remotely control a device (much like an IT professional can access devices remotely IF he or she has permission to do so).
A chip of that size could easily be implanted inside a smartphone, allowing a third party to, for example, access your camera and microphone at will and without your knowledge. It could also give a third party eyes on your screen, your texts and emails, and so on. This may be part of the reason why Huawei and ZTE have run into friction from the US government and other governments as well. But that isn’t all. Any device with an internet connection could also be affected: Security cameras, smart speakers, laptops, smart vehicles, WiFi routers, and so on. These chips could already be embedded in millions of connected devices, from those in your pocket to switches controlling critical systems at power plants and air traffic control centers (to say nothing of systems used by the Department of Defense and various Intelligence Agencies).
Moreover, it is unlikely that such an operation would be limited to the United States. If it is real, I would expect to see these chips turn up in Canada, Europe, and all over the world.
4. If this operation is real, it could trigger a significant technology supply chain overhaul.
If all of this turns out to be true, and China really did covertly implant thousands (or even millions) of command-and-control chips into motherboards and other devices, the tech sector’s supply chain may find itself forced to exit China, Taiwan, and Singapore. As extreme as this outcome may seem, the gravity of the situation may call for it. It is also entirely possible that, within the scope of mounting strategic tensions between the US and China, the US government may begin to move towards trying to ban certain categories of Chinese-made technology components and products, citing national security concerns.
The US technology sector may also, of its own accord, decide to start shifting some of its contract manufacturing to other parts of the world not under the influence of the Chinese government.
5. It is still too soon to know what happened and where things will go from here.
All of that being said, right now, we have far more questions than answers. For starters, it makes sense to wait and see if the story is independently confirmed by other news organizations before getting too bent out of shape over it. Second, be on the lookout for follow-ups from counterintelligence and law enforcement agencies in the US and abroad. If this operation is real, we will be hearing much more about it before long. Third, as explosive as Bloomberg’s report is, it may only be the tip of the iceberg.
To be continued.