China’s Microchip: Hack or Hoax?

Yesterday, Bloomberg Businessweek reported that China performed a hardware hack on as many as 30 US companies. The biggest names on the list of supposedly hacked companies, Apple and Amazon, have disputed the claims regarding China’s microchip. The US Congress, however, didn’t help these companies’ claims of zero hardware hacks.

China’s Microchip – What Bloomberg Reported

According to Bloomberg Businessweek, Amazon discovered the wide-scale hardware hack while they were investigating a possible new acquisition. Amazon was looking into using the video service Elemental. Soon enough, it found out that the servers Elemental required customers to install had a tiny microchip nested on the servers’ motherboards.

These servers are made by a Chinese-owned company called Super Micro Computer. In fact, it turned out that many US companies use these servers.  This includes Government organizations, banks, and tech companies like Amazon and Apple.

Apparently, Amazon notified the US authorities of its finding, and investigations have been ongoing ever since.

China’s Microchip – The US Companies Respond

Apple, Amazon, and SuperMicro, in turn, released statements regarding Bloomberg’s explosive article. Here are some parts of those statements:

Apple’s Response 

Apple completely disregarded Bloomberg’s article. It even went so far as to call out Bloomberg, saying that the media outlet has contacted Apple many times before and has always received an answer explicitly stating that this hack doesn’t exist:

” Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them“…”On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server“.

Amazon’s Response

Amazon, just like Apple, also refuted the claims. Again, just like Apple, Amazon made it clear that their company has no records of such a hack happening:

“It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in the data centers based in China“…”We’ve re-reviewed our records relating to the Elemental acquisition for any issues related to SuperMicro…We’ve found no evidence to support claims of malicious chips or hardware modifications“.

SuperMicro’s Response

SuperMicro, on the other hand, neither refuted nor agreed. They simply stated that the claim Bloomberg said about SuperMicro being investigated by the US government is untrue:

“We are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue.”

Why China’s Microchip Caused Such a Commotion

To start, this is a hardware hack. A software hack, while incredibly dangerous, can be caught and confined within a moderate time frame. Software hacks obviously cost the target a lot of money, but they don’t require a complete loss of all the affected servers.

However, Hardware hacks are different. Because most companies don’t (and can’t) check every single aspect of the hardware they’re receiving, there is an inherent trust between suppliers and their customers. Hardware hacks are, in general, difficult to execute but incredibly dangerous if done correctly. With a hardware hack, the attacker has an open door into whatever information they want to get.

China’s Microchip – Final Thoughts

Bloomberg is saying that its report is based on confirmations from within the affected companies themselves. Apparently, six current and former national security officers, two Amazon higher-ups, and three sources from within Apple have corroborated the story.

Apparently, no one really knows if this happened or not. Both sides of the story seem to have compelling evidence to prove themselves true. What we do know is that this will affect how the US approaches offshore tech companies in the future. It may also seriously affect some of the diplomatic treaties currently under speculation by the US Congress.