Experts question whether China has technical know-how to pull off chip hack
Tapping into a private server via the hardware would be a complicated process that also requires a degree of luck, says one expert
Some Chinese technology experts have expressed doubts about the veracity of the spy chip hack reported by Bloomberg last week for one simple reason: they do not believe China has the expertise to pull it off.
Microchips as small as a grain of rice were installed on circuit boards made by Chinese subcontractors working for San Jose, California-based Super Micro Computer (Supermicro), a major supplier of custom servers and the world’s biggest vendor of server motherboards, Bloomberg Businessweek reported last Thursday.
The report said Chinese spies exploited vulnerabilities in the US technology supply chain to infiltrate the computer networks of almost 30 American companies, including Amazon.com, Apple, a major bank and government contractors.
“It would be amazing for China if it could integrate internal storage, a CPU and wireless communications in such a tiny chip,” said Zhang Baichuan, founder of cybersecurity website youxia.org. “The fact is, China’s chip technology is still at a primary stage.”
Tapping into a private server via the hardware would be a complicated process that also requires a degree of luck, said Li Aijun, chip set head at Intellifusion, a Shenzhen-based provider of artificial intelligence technology designed to help police catch traffic violators.
“Implanting a chip to crack [the server] without a trace is not possible as Chinese companies only assemble the components designed by the vendors. The motherboard only works as it was originally designed and implanting a hacking chip would always result in failure as it was not originally [part of the circuit design],” said Li.
Semiconductors are considered a core technology that is dominated by the US and other western nations. That is why China imported US$260 billion worth of semiconductors in 2017, because Chinese-made chips accounted for less than 20 per cent of domestic demand, according to the China Semiconductor Industry Association.
Semiconductors are a key technology under the government’s “Made in China 2025”, a national road map designed to boost the country’s advanced manufacturing prowess, but one that has become a lightning rod amid escalating trade tensions between the US and China.
While experts believe such a hardware-based hack would be very difficult to achieve, software-based hacks are a different story. Last month, CNBC reported that a team of security experts at Chinese internet giant Tencent Holdings demonstrated how they hacked into a Tesla Model S, controlling the car remotely. Tencent notified Tesla of the vulnerabilities and the electric carmaker issued an update to patch the security holes.
The server motherboards made in China for Supermicro ultimately made their way into data centres operated by dozens of US companies, including Amazon and Apple, providing the Chinese military with a way to access confidential data and valuable intellectual property, according to the Bloomberg report, which cited more than a dozen anonymous sources.
Amazon, Apple and Supermicro all issued rebuttals after the report was published on Thursday. Amazon said it has never found “modified hardware or malicious chips in Supermicro motherboards” in any Amazon systems, while Apple made a similar rebuttal, adding that it has “never had any contact with the FBI or any other agency about such an incident”.
Supermicro, whose stock market valuation slumped as much as 50 per cent on Thursday after the report became public, said it has “never found any malicious chips, nor been informed by any customer that such chips have been found”.
The US Department of Homeland Security (DHS) released a statement over the weekend that supported Apple and Amazon’s denials. “At this time we have no reason to doubt the statements from the companies named in the story,” the statement said.
It followed a statement on Friday by the UK's National Cyber Security Centre, which told Reuters it had “no reason to doubt the details assessments” made by Amazon and Apple.
China’s Ministry of Foreign Affairs said China is a “resolute defender” of cybersecurity. “Supply chain safety in cyberspace is an issue of common concern, and China is also a victim,” it said.
The spy chip described by Bloomberg Businessweek was said to be able to fit on the tip of a pencil. Zhang said microprocessors developed by Silicon Valley-based Intel are about the size of a USB. “Although the spying tool might be smaller, I don’t think it can be that tiny,” he said.
Some Chinese technology companies are pushing the leading edge in semiconductor designs. Huawei Technologies, the world’s largest telecommunications equipment supplier, last month unveiled its new Kirin 980 smartphone chip based on the advanced 7-nanometre fabrication process employed by chip foundry Taiwan Semiconductor Manufacturing Corp.
The infiltration of the computer systems was investigated as part of an FBI counter-intelligence probe, according to national security officials familiar with the matter, who spoke to Bloomberg. The people familiar told Bloomberg that the DHS may not be involved in such inquiries.
In a statement last week Bloomberg said: "Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We stand by our story and are confident in our reporting and sources."
