In an alarming announcement earlier this month, Bloomberg revealed that Apple, Amazon, and 28 other US companies, including a major bank and government contractors, were infiltrated by Chinese spy chips embedded into the hardware of computer servers used by these companies. The story, headlined “The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies,” revealed that the backdoor was created using a tiny chip, about the size of a grain of rice, compromising the US technology supply chain.
The servers in question were assembled by Super Micro, a San Jose-based company and one of the world’s biggest suppliers of server motherboards, chips and capacitors. The suspicious China spy chips were nested on the servers’ motherboards but were not actually part of the original design.
Investigations have discovered that these chips allowed the hackers to create a stealth backdoor into any network that included the altered machines. According to reports, the chips were inserted at factories owned by manufacturing subcontractors in China.
Bloomberg raised the alarm, saying that this attack is worse than previous security breaches. Most of the attacks that we’re used to are software-based, while this one is hardware-based. Software attacks are more common than hardware hacks because it is easier to send a bug through a remote connection than to tinker with hardware or hide spy chips in it. Hardware attacks are more complicated and difficult to pull off, but the effects are more devastating and long-term.
Aside from corporate espionage, the attack, if proven true, could also compromise the US military and law enforcement, because the servers where the chips were found were also being used by the Department of Defense, the CIA’s drone operations, and Navy warships, among others.
According to Bloomberg, senior insiders from Apple discovered the chips in the summer of 2015 and reported their findings to the FBI but kept the details quiet. A year after the chips were discovered, Apple cut ties with Super Micro and removed all 7,000 Super Micro servers from its data centers.
However, Apple denied all these rumors in a statement released to the media, saying that Apple has no evidence of spy chips in their servers. According to Apple, Bloomberg reached out several times over the past year with claims of security incidents. Internal investigations were conducted based on the inquiries, but Apple “has found absolutely no evidence to support any of them.”
The statement emphasized that Apple did not find any China spy chips, hardware tampering, or vulnerabilities intentionally planted in its servers. The company has also denied contacting the FBI or any other law enforcement agency about the incident.
Apple has expressed disappointment in Bloomberg’s report and explained that the media giant might have confused this incident with a previous security problem in 2016 involving an infected driver found on one Super Micro server in one of its labs.
Amazon also denied the reports, saying that there are many inaccuracies in Bloomberg’s article. The statement released by Steve Schmidt, Chief Information Security Officer at Amazon Web Services (AWS), said:
“We never found modified hardware or malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers in any of our data centers.”
Elemental is the tech start-up that Amazon was considering acquiring, and it is where the malicious chips were discovered.
Apple’s Vice President of Information Security, George Stathakopoulos, also said in a separate statement that Bloomberg’s report about the China spy chips was based on a single source, not on 17 corroborating sources as Bloomberg claimed.
Bloomberg, for its part, stands by the veracity of its report.
Impact on Consumers
What do all these rumors have to do with us? This issue is crucial because the security of Apple and these other companies relates to the security of their consumers’ data. For example, Apple users’ data might get compromised because of these malicious chips.
As consumers, there’s not much we can do except make sure that our data is protected. One way to make sure that no sensitive data can be harvested from your computer is to completely delete all your trash files, using an app such as Outbyte MacRepair. You never know what these hackers can dig up from what you consider junk files.
Amazon users are also at risk, especially their financial information. Anti-virus and malware detection software is not enough to shield you from attacks like this. What you can do is use an encrypted VPN connection to hide your financial data from these attackers.
The question now isn’t whether the Bloomberg article is real or not. The real concern is this: are we ready for this kind of attack?