In the 2015 novel Ghost Fleet, the spark that starts World War III is not a nuclear bomb, but a supply chain hack. In the book—which is based on real-life technology, technical papers, and diplomatic meetings—national security and international relations expert Peter W Singer suggests that Chinese-made microchips embedded in our appliances, devices, satellites, fighter jets, war ships, and tanks could turn against us.
That was speculative fiction, but cybersecurity experts have warned for years that America’s overreliance on Chinese manufacturing is a major security vulnerability that could fundamentally shift the balance of world power if China were to compromise the integrity of the supply chain.
Our fighter jets aren’t suddenly shutting off due to a secret Chinese killswitch, but the China-America supply chain has apparently been compromised and weaponized, according to a new blockbuster report by Bloomberg Businessweek. According to the report, a group within China’s People’s Liberation Army (PLA) has embedded a microchip into motherboards used by a company called Supermicro, which sells servers to many major American companies, including Apple and Amazon. According to the report, the microchip is capable of compromising the server, allowing China to spy on the internal networks of some of the world’s most powerful companies.
If Businessweek’s story checks out (Motherboard does not have independent reporting on the specifics of the allegations), it would be one of the most important and devastating security breaches in history, one that highlights a core weakness baked into American capitalism. It could have major ramifications not only in the security industry but in international relations. It’s worth noting that the companies involved have vehemently denied any knowledge of the attack, and both Apple and Amazon have flatly—and forcefully—denied that they have ever found any servers that have been attacked in the way described in the article.
“Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple told Bloomberg. “We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed.”
“At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any [Amazon subsidiary] Elemental or Amazon systems,” Amazon wrote in a blog post. “Nor have we engaged in an investigation with the government.”
Regardless of whether or not the attack happened, it is now the cover story in one of the most important business publications in the world, and it brings to light an inherent tension in American-Chinese relations, and a global cybersecurity issue researchers have been warning us about for years.
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on firstname.lastname@example.org, or email email@example.com. You can contact Jason Koebler on Signal on +1 347 513 3688 or email firstname.lastname@example.org.
“There are two possible stories here,” Matthew Green, associate professor at Johns Hopkins University, tweeted about the attack. “One is that there was an attack. The other is that a large swath of the National Security establishment is promoting the idea that there was an attack. Pick your poison.”
Singer told Motherboard that it is a potentially game-changing hack.
“It is an explosive story, incredibly significant for cybersecurity,” Singer, a strategist and senior fellow at the New America Foundation, told Motherboard. “But even it undersells the potential impact. The focus of concern now is using the hardware hack as a means to steal information. However, this type of operation (not exactly what they did here, but the type of attack overall) could be used to shut down the flow of information or change it.”
What Is a Supply Chain Attack?
Computers, mobile phones, and servers are made up of an almost unfathomably complex, interlocking set of components, chips, and boards. These could be sourced from all across the world, and developed by various companies, before coming together to form the final product. A supply chain attack is one that introduces new parts, or tampers with existing ones, somewhere in that process to give a hacker access. But the manufacturing process can be so hard to audit, that, depending on the step the hackers may target, they may get away with adding new malicious components to a computer or server.
“Hardware is a nightmare. We can barely validate software, and all our assumptions rely on the hardware working correctly. Pull away that assumption, it’s like removing the screws from a piece of IKEA furniture,” Green told Motherboard in an online chat.
Because hardware attacks may in some cases be harder to detect and cumbersome to fix (hardware can’t be easily patched like software), they not only keep security professionals up at night, but are highly coveted by spy agencies. According to documents leaked by Edward Snowden, the National Security Agency has intercepted computer equipment while in transit to insert its own surveillance capabilities.
What China is accused of doing is introducing a totally new—and malicious—microchip into motherboards of servers themselves during the manufacturing process.
“Supply chain risk management is difficult enough for conventional threats (disruptions in operations caused by natural disasters, financial failures, poor quality, etc.),” Lily Ablon, an information scientist focusing on cybersecurity and supply chains at global think tank the RAND Corporation, told Motherboard in an email. “A key component of managing supply chain risk—conventional or cyber—is identifying the suppliers involved, getting visibility to lower-tier and sub-tier suppliers, and determining which suppliers pose the most risk. Gaining full visibility into every supplier at each sub-tier is a herculean task.”
Hacks like this have been proven over-and-over again in proof-of-concept papers by academics and security researchers, but supply chain manipulation of the size and scope reported in Businessweek is unprecedented.
Last year, researchers at Israel’s Ben Gurion University were able to embed a malicious chip into a smartphone’s touchscreen and used it to remotely spy on the device without modifying the phone’s firmware. The study was able to “simulate a chip-in-the-middle scenario in which a benign touchscreen has been embedded with a malicious integrated chip.”
At the time, Omer Shvartz, one of the authors of that study, told Motherboard that “while you can target a specific individual, it is quite possible that a mass scale attack is already happening while we lack the tools for discovering it.”
Joe FitzPatrick, a hardware-focused security researcher, told Motherboard in an online chat he was “not surprised to see an example finally.”
Decades of Outsourcing Have Created One of America’s Greatest Vulnerabilities
In 2005, the Pentagon warned in a report that outsourcing electronics manufacturing to China could become a problem for America, because of the risk of hardware “tampering.” America has largely lost the ability to create many of the electronics we use everyday—Donald Trump famously asked Apple CEO Tim Cook why the iPhone isn’t made in America, but it’s not clear that the United States is even capable of making iPhones in America at any sort of scale.
China’s cheap, skilled labor, manufacturing infrastructure, and vast rare Earth mineral-mining operations around the world have secured its spot as the high-tech manufacturing hub of the world. This of course has had many benefits for the United States and American companies, but it’s also a great risk.
“The use of foreign suppliers—in particular foreign manufacturers—does create a security vulnerability,” Ablon said. “If we only look at this from a supply chain to supply chain, or manufacturing power to manufacturing power, perspective, then yes, this is an asymmetrical situation.”
In 2012, a 136-page report prepared by military contractor conglomerate Northrop Grumman for the federal government’s US-China Economic and Security Review Commission found that American hardware manufacturers with factories in China are “exposed to innumerable points of possible tampering.”
The US relies on “commercial vendors, most of whom use complex, geographically dispersed supply chains, creating a vulnerability of potential insertions of malicious hardware or embedded software on the hardware components,” the report notes, adding that the PLA has been increasingly interested in espionage against American companies.
The Businessweek story, if true, will force America to ask itself: Now what? America finds itself in a position of weakness against China; the country doesn’t have the manufacturing infrastructure to bring electronics manufacturing within US borders, and consumers have gotten used to cheap electronics, almost all of which are produced overseas.
“If the Bloomberg story is right, there’s a covert program that goes beyond normal commercial espionage and threatens the ‘trusted system’ of global commerce,” Paul Musgrave, political science assistant professor at University of Massachusetts Amherst told Motherboard in an email.
The hack being discovered may not just be the worst nightmare from a US cybersecurity perspective. China’s undermining of products made in its country could backfire.
“If this is true, it would be the Chinese worst nightmare. The world buys stuff from them with the condition they don’t backdoor it,” Alfredo Ortega, a security researcher who previously produced similar proof-of-concept work around hardware attacks.
If companies cannot be sure that the hardware they buy from China or China-linked companies hasn’t been tampered with in some way, or re-engineered for malicious purposes, some customers may try to fulfill their needs elsewhere, which is certainly easier said than done.
Perhaps China “felt that, while very risky and potentially harmful to future trade, manufacturing, and diplomatic relations, the benefits of trying and succeeding outweighed the risks,” Ablon said.
Concerns over potential Chinese cyberattacks have already impacted several key deals and businesses. In particular, Western governments have repeatedly spared with China over supply chain concerns.
In August, Australia banned Chinese computer giant Huawei from supplying equipment for a 5G mobile communications network due to national security concerns. Back in 2012, Australia also banned the company building its high-speed broadband network from sourcing supplies from Huawei.
In the US, the government restricted phone company ZTE from operating in the area, also for concerns around security. The US temporarily lifted a part of that ban several months later so ZTE could update already deployed devices, but the main trade ban remains in place. President Trump also signed a ban on Huawei and ZTE technology from being used by the US government in August.
Some deals have gone ahead though. The state-owned China General Nuclear Power Corporation agreed to a 33 percent stake in the construction of the Hinkley Point C nuclear power plant in the UK. UK officials previously, following expert advice, said the Chinese government could use its involvement to introduce vulnerabilities into the plant’s systems. The UK even setup a special unit staffed by former GCHQ officials to check Huawei equipment for security issues; around 50 of BT’s 21st Century Network uses equipment built by Huawei.
Cybersecurity experts have been screaming from the rooftops about the possibility of supply chain attacks for years now, and America’s reliance on Chinese-made electronics has continued unabated. With the news that the supply chain may have been compromised, the United States will have to figure out what to do next.
“This looks like magic to the general public, but turns out no matter how far fetched it sounds, it’s entirely feasible from the hardware design perspective,” FitzPatrick said.
Update: This article has been updated with quotes from Lily Ablon of RAND.