Bloomberg's Groundbreaking Report on a Chinese Supply-Chain Attack

By Herb Lin
Thursday, October 4, 2018, 4:56 PM

As many readers know, supply chain security has been an increasing concern for those who use information technology for critical functions—that is, it affects everyone.

Over the past several years, many reports have been issued on this topic, notably by the Brookings Institution and the Defense Science Board. DARPA has also had a program to improve hardware integrity.

But to my knowledge, there has never been a publicly documented incident of hardware supply chain compromise at the fabrication level originating abroad—until now.

On Oct. 4, Bloomberg carried a story called “The Big Hack: How China Used a Tiny Chip to Infiltrate Amazon and Apple.” The story discusses how a San Jose-based company known as SuperMicro—a big supplier for the world of motherboards for servers—was apparently responsible for the addition of a chip to those motherboards that would enable back-door access to servers in which those boards were installed. These chips surreptitiously communicated with other systems that supplied additional code to be run on the motherboards. The back-door chips were apparently installed by SuperMicro subcontractors in China.

Bloomberg also asked Amazon, Apple, SuperMicro and the Chinese Ministry of Foreign Affairs for comment on the story, and reprinted their answers in full. The companies all denied the story.

Nevertheless, the reporting on this story appears to me to be quite credible and well done. I would also note in passing another set of stories dating to the mid-1990s on alleged intervention by the National Security Agency in certain encryption products made by the Swiss firm Crypto AG. These products were used around the world as well, although not nearly on the scale reported in the Bloomberg story. For those looking to read more on the subject, my colleague Nick Weaver’s analysis is penetrating and insightful.

Those of us who have been wanting a citable source on an actual foreign intervention in the hardware supply chain now have one.