In what will be a ground-breaking disclosure, Bloomberg is saying today that China managed to get a hardware chip that gave access to servers into servers made in the US. Hardware is very difficult to detect, even when you know where it is, so this case is one of a few that are known. Bloomberg says it has been classified for the past 3 years and not disclosed by our government.
The story, which sounds like a spy drama, says Amazon found a company, Super Micro Computer Inc, which makes server motherboards for others. A third-party firm found trouble: "Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community." This is a typical story that does not identify how the device was found or what prompted them to look for it to begin with. This isn't a routine due-diligence activity that is described in this article.
But, I talked about hardware penetrations in The Chinese Information War, because China has managed to monopolize several Internet components and those components carry a potential for putting devices in at their manufacturing origin. China has done it before. However, this indicates they can not only get hardware devices into their own products, but into components of US manufactured products as well. This is not good for anyone because it is virtually undetectable. Controlling the manufacturing and distribution supply chain is the only way to prevent this kind of thing, and the US can do neither of those things in the short run. It will be a long time before we can do anything about this, but somebody better start now.
Apple and Amazon have both published statements today denying that this penetration affects their services. Apple maintains it identified the problem in 2016 and "severed ties with the company". Bloomberg says they are standing by the story they published, which indicates the threat still exists.
No comments:
Post a Comment