Last Fall reports came out claiming that rice-grain sized spying devices were secretly being planted onto US servers during the manufacturing process. The article created an uproar. Apple and Amazon, 2 of 30 companies said to be affected, adamantly denied the claims that malicious spy chips had been planted on their motherboards.

Apple, Amazon, Supermicro demand story retraction, request audit

The story stalemated between the reporting publisher who insisted their sources were good and the accused victims insisted no surveillance microchips invaded their boards. In December, the chip manufacturer – Super Micro Microcomputer (Supermicro) in San Jose, California – announced results of an audit that investigated the story claims, carried out by Nardello & Co. The Washington post reported the audit results:

“Recent reports in the media wrongly alleged that bad actors had inserted a malicious chip or other hardware on our products during our manufacturing process…After a thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards.”

The threat is dodged but not averted

Good news for Apple, Amazon, Super Micro Microcomputer, and the others. It might appear this bullet has been dodged. But we’ve all seen the movie where everyone relaxes after they think the bad guy has been caught – only to have the threat surface later after everyone’s guard is down. That’s why we’ve included this item in our predictions because the claims remain entirely in the realm of possibility. In fact, along with riling up Apple, Amazon and Supermicro, the initial news stories may have planted seeds in the minds of bad actors. China itself has claimed if such chip-spying scenarios were to occur, that they would be more a victim than a perpetrator. That’s hardly comforting.

The manufacturing process is vulnerable to compromise. Aptly named, Super Micro Microcomputer is the world’s largest vendor of motherboards, and they in turn hire Chinese subcontractors to assemble the boards. The US has little or no control over the network of sub-contractors involved. The US’s deep and exclusive reliance on China for these services isn’t going to change. And while accommodating infrastructure and affordable and skilled labor are attractive priorities, security hasn’t been.

IDC has also predicted the ramifications of this situation are just beginning and we join them in that prediction. To avert a scenario like this, US manufacturers must do more than be content that no compromise has happened so far. They must evaluate and scrutinize their supply chain and manufacturing relationships, far down the chain. This process of scrutiny must identify what kinds of heightened security systems are needed to uncover any existing bugs as well as prevent bugs from being planted in the future. We expect this story to continue to develop and possible new reports of bugged servers could surface in 2019.

Further resources:

Blog: US vendors should take reports of China chip hacking as a strong wake-up call to evaluate security in their supply chain.

White paper: Deterministic Protection Against Fileless and Memory-Based Attacks

View our monthly Newsletter