How China (may have) spied on big American companies

There's a splashy, fascinating long read on Bloomberg today that examines a disturbing allegation: Chinese operatives may have infiltrated the manufacturing supply chain to embed spy chip-sets on server motherboards.

The story paints a frightening picture of an operation to target Amazon, Apple and other big enterprises from the top by targeting Supermicro, a server manufacturer. 

It worked like this: people working on behalf of the government muscled their way into Supermicro factories and embedded tiny chips into server motherboards without any knowledge of the company itself or the customer. 

These chips are supposedly the size of a grain of rice, and fully independent, able to modify the server's remote administration layer to silently collect data and ship it back to China when connected to the internet:

The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off. This system could let the attackers alter how the device functioned, line by line, however they wanted, leaving no one the wiser.

The piece is well researched and sourced, and the allegations are explosive... but I have serious doubts about some of the claims. Many of the technical details make little sense, particularly when you examine how Bloomberg describes the way data is stolen.

Not only do all of the companies that were specifically named in the article vehemently deny any such breach, Apple went as far as to specifically dispute almost all of the claims made:

We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. [...] Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers has ever been found to hold malicious chips.

Then, a few hours later, Amazon did too:

There are so many inaccuracies in ‎this article as it relates to Amazon that they’re hard to count. [...] At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro.

Where does that leave us? Are Amazon and Apple lying? It's complicated: I believe that there is something here, but Bloomberg may have made a mistake. I do think that China does engage in cyberattacks such as these, but not in this manner -- it seems too sloppy.

I suspect what might have happened here is either serious embellishment from sources, and the assumption of guilt from the publication, or a lack of technical insight into the realities of the actual breach. The article doesn't seem to include any experts discussing the risk, or realities of the technology, nor any physical evidence.

We'll find out in the next 48 hours whether or not Bloomberg backs down, but I doubt it will and we'll be left to decide for ourselves. Such a story is too juicy to turn down, and the companies involved are naturally going to deny these accusations regardless.

If indeed it is real, the cloud industry has a serious problem: China is the beginning and the end of the supply chain, and there's no simple way to break that addiction. I don't think China is stubborn enough to endanger that industry so brazenly, when virtual attacks would've been much simpler and easier to disguise.


Tab Dump

Instagram invents Snap QR codes to add your friends
Took long enough, and on Snap's worst day in the public markets ever too.

Nokia's latest phone is $350, and looks fantastic
The next frontier in smartphones, now that the high-end price point is saturated, is offering high-end style products at really compelling prices. Nokia is doing well on this front in Europe, and I'm starting to see them everywhere as a result.

Bird will deliver electric scooters to your house every morning
Commute sustainably by having a dude drive an electric scooter to your house every morning. Seems legit?

Europe's latest silly technology regulation gets approved
Streaming platforms must make 30% of their content in Europe. My bet: they'll just avoid Europe instead, in the future.