The possibility of Chinese interdiction into the American technological supply chain is real, but the realities of a hardware hack are much more complicated.
The details: The accusation is that a Chinese military unit designed and manufactured, “microchips as small as a sharpened pencil tip” which were inserted into motherboards of servers from Chinese factories that supplied Supermicro. These chips then found their way into servers of companies like Amazon and Apple and disseminated to the data centers of at least 30 leading companies and security agencies in the United States, including the Department of Defense.
Why it matters: If the accusations are correct, the chips represent a major nation state level attack against the American technological supply chain. Hardware hacking of this scale and sophistication would represent a major breach in security amid growing tensions between the U.S. and China.
The hacker perspective:
David “Moose” Walpoff, CTO and cofounder of Randori, believes that the accusations might have some merit:
“Do I believe that China is willing and able to interdict hardware at the source? Yes. Absolutely. I would need more information to jump onboard and say that this particular incident is real. But we have seen plenty of supply chain issues in the past, so this type of problem isn’t new or unknown.
Even if you have a backdoor into everything, particularly with a chip that small, it doesn’t make it easy to use or leverage.
I have had the opportunity to interact with Amazon’s risk planning management group, the risk architecture team. In the realm of companies that have risk management teams, theirs is spectacular. If it were true that Amazon ceased doing business or divested itself of some manufacturer over concerns with Chinese interference, I would call that incredibly credible, because they are very knowledgeable, very well thought out and not prone to panic. They are a good team.
But, I see the pictures of the chips that are alleged to be the ones and I say, as a hardware guy, ‘that’s not it, show me something else.’ What they showed is a chip with three pins and there are not a lot of things you can do with a chip with three pins. It looked more like they were showing a picture of a tiny resistor than a picture of a computer of any sort. That doesn’t mean you can’t have a horrendous effect on a computer with something really small, but the particulars of the photo they showed made me think, hmm, maybe not this one.”