The great 'Spy' chip scandal

(Graphic taken from Bloomberg Businessweek).

In the news currently is a potentially far-reaching scandal centred on the addition of a tiny surveillance chip to certain Supermicro server motherboards. Bloomberg Businessweek has broken a story blowing the whistle on a ‘secret’ FBI investigation that has been running for a couple of years, and implying that similar discoveries made, but not publicised, by both Apple and Amazon in 2015 led both companies to cease trading with Supermicro and allegedly remove Supermicro hardware from their datacentres.

So what’s it all about?

In essence, if it turns out to be true, then the Chinese intelligence services have pulled off quite a feat of cyber-espionage: implanting hardware-based malware at the discrete component level into servers, injecting those servers into a very particular supply chain (not to mention passing all the checks of said supply chain) and ultimately subverting the US government and almost 30 other companies, including a major bank, by getting the servers installed in their datacentres!

Whilst how it could have happened is quite fascinating, the chip itself isn’t that exciting: it runs malware that modifies the server OS at boot so that code which would not normally be allowed can run, which in turn lets an attacker gain access to the OS and the data stored on it.

How did they (allegedly) do it?

Adding eavesdropping devices to pieces of equipment is something that has been going on for a very long time (and, if Edward Snowden is to be believed, it’s something the US intelligence services have gotten pretty good at). The point is that you take a regular device of some kind and add a little special something that lets the device function normally while you do your spy thing and listen in or, more likely nowadays, steal data or personal information.

The next question is, therefore, how do you add that special something? The US favour (again according to Snowden) the interdiction approach: intercept the device before it reaches the target, insert your special something and then let it continue its journey. This approach has pros and cons; it’s more predictable because you know when and where the device will be, but it’s easier to get caught.

The other approach is to seed the special something when the device is originally manufactured. Whilst planting it is perhaps easier because you are not as visible, making sure that the right device gets to the right target is far more complex and very difficult to predict – not to mention that you can’t just chuck a new chip onto a server motherboard; it has to be deeply integrated so that it doesn’t break something else initially or, more importantly, when an update is applied, and thereby give the game away.

Joe Grand, a well-known hardware hacker, has been quoted as saying: “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow.”

Joe’s comment, whilst admittedly tongue-in-cheek, illustrates the perceived challenge, and it is suggested that this is exactly what the Chinese spies achieved. You have to draw your own conclusions on the plausibility, but circumstantial evidence seems to point at both Apple and Amazon having a very strong anti-Supermicro reaction between mid-2015 and 2016 and removing or distancing themselves from the hardware supplier.

Conspiracy Theory?

I love a good conspiracy as much as the next conspiracy theorist although as I have gotten older I have learned to treat them with a healthy amount of cynicism and this is no exception.

Bloomberg is a reputable media company; they are known for checking and double-checking their sources, and they present the story in a very compelling and believable manner. After having read the story the first time I was left thinking that this seemed plausible and that we were witnessing an orchestrated cover-up of a very serious malicious-hardware attack.

Then I was struck by the fact that allegations like this typically go unanswered by the companies involved; they leave us to form our own opinions and eventually things tend to die down. In this case, however, there have been denials from Apple and Amazon and the claims have been refuted by Supermicro. The US Department of Homeland Security has issued a statement (with which the UK National Cyber Security Centre has agreed) and, unsurprisingly, China has denied everything.

That Apple and Amazon have come out and said what they have said is striking enough – they wouldn’t issue statements like that unless they knew they were telling the truth, as their credibility would be ruined when the truth does eventually come out. The legitimacy of the statements is also bolstered by their being backed by both US and UK government agencies – so they must be true, right?

The quandary is that, when placed alongside the circumstantial evidence of both companies having fallen out with Supermicro in 2016, the two accounts seem to be at odds with each other, and it looks like someone isn’t telling the truth.

That said, both Apple and Amazon offer a potential explanation in the form of a misunderstanding: an incident occurred in 2016 in which malware was discovered in a single Supermicro server driver, and both companies suggest that this story may have its roots there.

This draws out the conspiracy theorist in me and could seem to be a bit like explaining the strange lights in the sky as swamp gas reflecting the light of Venus! It also makes the alleged removal of the Supermicro hardware and subsequent cessation of trading seem like an extreme reaction to something both companies refer to as quite trivial.

Then there is the cost of all this if it were true – we’re talking about the Chinese government, so perhaps cost isn’t an issue, but humour me. Say we want to get our ‘spy’ chip into US servers: what would be the cost of developing, manufacturing and then distributing the ‘spy’ chips to thousands of different servers in a particular supply chain to capture just the few that wind up in certain datacentres? It wouldn’t be cheap.

Then there is the risk of it being exposed: all of that investment is made on the off-chance that none of the ‘spy’ chips (or the communication traffic they would need to send out) in the other servers would get picked up by anyone… and that ‘anyone’ wouldn’t tell ‘anyone else’ and blow the lid off the whole thing. The chances of pulling it off successfully and not wasting a ton of money – not to mention the political embarrassment – are incalculable.

In summary, there are a lot of ups and downs in this story and I doubt we have seen the end of it yet; we have two conflicting arguments completely at odds with each other, both from very credible sources.

The implications if it turns out to be true could be far-reaching and if that’s the case then I suspect this is only the tip of the iceberg.

For the full article, click here!