Channel: Jason Andrews Blog

EXTRA: Did the Chinese Really Attach Rogue Chips to Apple and Amazon's Motherboards?

Today, Bloomberg's BusinessWeek (BW from now on) published a story, "The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies". The big question is whether they actually did or not. If they did, then this is the most brazen security breach that anyone knows about. It is worth reading the whole article. Since the article is written by people who don't seem to understand either semiconductors or printed circuit board manufacture, it is hard for me (and probably you) to make up our minds. All the people involved are anonymous people who are supposedly ex-employees of CIA and NSA. Both Apple and Amazon have denied it in pretty strong terms.

Here is Apple's official statement:

"We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."

Apple went further and published an entire rebuttal on their website later in the day. You can read the whole thing. One key paragraph is unequivocal:

"On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement."

Obviously, Apple has been responding to news organizations all day, and the last paragraph says:

"Finally, in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations."

Now that's a denial! It never happened, and we are not saying so just because we have been told we have to.

Given all of the facts that came to light as a result of the Snowden disclosures that were previously denied by the NSA, the fact that there is official denial all round may or may not mean anything. One theory is that the whole thing has been hushed up (too embarrassing?) and made secret, and all the companies are being good citizens and issuing denials as instructed. But the Apple denial in particular goes a long way beyond "no comment" or even "it never happened." Of course, another theory is that BW got it totally wrong and all the denials are correct. That would imply someone had a motive to create such an elaborate hoax.

What Supposedly Happened?

The basic story is that San Jose company Supermicro makes motherboards for many companies, including (at least in the past) Apple, Amazon, the Department of Defence. The actual assembly of the motherboards is done in China, using a web of subcontractors. The tiny chip was allegedly added to the motherboards, and since it is colored grey it looks more like a surface-mount device. In BW's words:

"Gray or off-white in color, they looked more like signal conditioning couplers, another common motherboard component, than microchips,"

That was the first version of the hardware hack. BW said that there was an even more sophisticated version:

"In one case, the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached, according to one person who saw pictures of the chips."

My Opinion

I find the whole story completely implausible. I can believe that it might be possible to sneak a component onto a PCB through a corrupt subcontractor. But for it to do any good, the entire board would have to be re-designed and re-manufactured. The part is small, so it could only connect to very few signals, and those signals would all have to be brought together in a small area of the board. The component is truly tiny (see the picture above from the BB article showing the size against a cent coin). Of course, you can get 100M transistors per square mm, so you can get a lot onto the chip. The problem is getting signals on and off the chip and into the system through the board.

I think it is simple enough to thin a semiconductor die to embed inside a multi-layer PCB. Sony's CMOS image sensor stack thins some of the die to less than 3um. But how would you connect it to enough of the right signals to be useful? Even if you assume, as the article does, that the main function of a chip like that is to allow the hardware to be penetrated, and that it is the payload so enabled that does the real dirty work, I still don't see how you could do that.

The article blithely assumes that if you can slip a chip onto a motherboard, it is simple to use the rogue chip to fool a Linux system into not requiring passwords, while connecting to only a handful of signals. It is not enough to connect to them passively (just to listen). But if the chip is doing something active (passing data through and occasionally changing it), then it has to run at speed, all the signal integrity issues need to be addressed, the power supply needs to be clean, and so on.

As Mythbusters used to say, "busted".
