Random Connections on Bloomberg Hardware Infiltration Story

The Bloomberg story lit up some associations in my foggy memory about hardware tampering and secure supply chains.

“The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies” is the title of a much contested story on Bloomberg. In summary, it alleges that the PLA, aka “Chinese spies”, installed chips on Supermicro motherboards which allowed remote access of some sort. According to the article, this was discovered in 2015 by the CIA and other agencies, which then opened a secret investigation into the hardware infiltration. I don’t know enough to say anything about the veracity of the story one way or the other. It is entirely plausible. In fact, US Government agencies, in particular the NSA, have been worried about and warning of this for a long time. Light Blue Touchpaper posted a nice write-up about the feasibility of such an attack. GCHQ and DHS have both stated they support Apple and Amazon in denying that this was deployed in their datacenters.

From my own memory of the time, and slightly before it, here are a few random connections which may or may not be relevant. DARPA created the Supply Chain Hardware Integrity for Electronics Defense (SHIELD) program. Furthermore, in 2014-2015, a slew of Kickstarter projects for tamper-resistant hardware was launched. I talked to the founders of one such project, ORWL, about its applications for a “magical anonymity router”.

I remember talking with a few agencies on secure supply chain and their concerns about the lack of semiconductor manufacturing in North America, especially the USA. For a while, “securing the supply chain” was a big deal, and then it seemed to go away. In the world of security, legal agreements are just one small part of the way to secure a supply chain. Inspection of boards, and of the entire process from end to end, whether through scheduled or random sampling at various scales, is the best way to catch hardware tampering. Unfortunately, at the scale of the US Government and the commercial world, this is an expensive and non-trivial operation.
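To put a number on why random-sample inspection gets expensive at scale, here is an added example (not from the original post or from any of the programs mentioned) that works through the sampling arithmetic. It models a constructed lot of N boards of which K carry an implant, with an inspector tearing down n boards picked uniformly at random; the probability of the sample containing at least one implanted board is hypergeometric, computed as a running product rather than via huge binomial coefficients. The lot sizes and implant rates are made up, and it assumes a tampered board is always recognized once it is on the bench, which is the optimistic case.

```python
"""Sampling-plan arithmetic for hardware supply-chain inspection.

Added example, not code from the original post. Lot size N, K implanted
boards, n boards torn down at random. Assumption: sampling is uniform and
an implant is always recognized once a board is inspected (no false
negatives), so the numbers below are a lower bound on real inspection cost.
"""


def p_detect(lot_size: int, tampered: int, sample: int) -> float:
    """Probability that a uniform random sample of `sample` boards contains
    at least one of the `tampered` boards in a lot of `lot_size`."""
    if not 0 <= tampered <= lot_size or not 0 <= sample <= lot_size:
        raise ValueError("need 0 <= tampered <= lot_size and 0 <= sample <= lot_size")
    # P(every sampled board is clean) = C(N-K, n) / C(N, n), evaluated as
    # prod_{i<n} (N-K-i)/(N-i) so that large lots stay cheap and exact enough.
    p_all_clean = 1.0
    for i in range(sample):
        clean_left = lot_size - tampered - i
        if clean_left <= 0:  # more draws than clean boards: an implant must be hit
            return 1.0
        p_all_clean *= clean_left / (lot_size - i)
    return 1.0 - p_all_clean


def min_sample_size(lot_size: int, tampered: int, confidence: float = 0.95):
    """Smallest sample size whose detection probability reaches `confidence`,
    or None when no sample can ever detect anything (no implanted boards)."""
    if tampered == 0:
        return None
    lo, hi = 0, lot_size  # p_detect is non-decreasing in the sample size
    while lo < hi:
        mid = (lo + hi) // 2
        if p_detect(lot_size, tampered, mid) >= confidence:
            hi = mid
        else:
            lo = mid + 1
    return lo


def sampling_plan(lot_size: int, implant_rates=(1e-2, 1e-3, 1e-4), confidence: float = 0.95):
    """For each assumed implant rate return
    (rate, implanted boards, boards to inspect, fraction of the lot)."""
    rows = []
    for rate in implant_rates:
        k = max(1, round(lot_size * rate))  # at least one implant, else nothing to find
        n = min_sample_size(lot_size, k, confidence)
        rows.append((rate, k, n, n / lot_size))
    return rows


if __name__ == "__main__":
    N = 100_000  # constructed lot size
    print(f"lot of {N} boards, 95% confidence of catching at least one implant")
    for rate, k, n, frac in sampling_plan(N):
        print(f"  implant rate {rate:.4%} ({k:>5} boards): inspect {n:>6} boards ({frac:.1%} of lot)")
```

The takeaway is that the required sample is driven by the absolute number of implanted boards, not the lot size: a rare, targeted implant (a handful of boards in a lot of 100,000) forces inspection of roughly a quarter of the lot, and a single implanted board can only be found with near-certainty by inspecting almost everything.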
