A major report[1] from Bloomberg on Thursday describes an infiltration of the hardware supply chain, allegedly orchestrated by the Chinese military, that reaches an unprecedented geopolitical scope and scale—and may be a manifestation of the tech industry's worst fears. If the details are correct, it could be a nearly impossible mess to clean up.
"This is a scary-big deal," says Nicholas Weaver, a security researcher at the University of California at Berkeley.
Cybersecurity experts often describe supply chain attacks as worst-case scenarios, because they taint products or services at the time of their creation. They've also been on the rise on the software side[2], precisely because of that reach and effectiveness. But the Bloomberg report[3] raises a much more alarming specter: that Chinese government actors compromised four subcontractors of the US-based Super Micro Computer Inc. to hide tiny microchips on Supermicro motherboards.
The chips, Bloomberg says, offered a fundamental backdoor into the devices they were hidden in, ultimately helping the Chinese government access the networks of more than 30 US companies—including Apple and Amazon—and to gather intelligence on their plans, communications, and intellectual property.
"This sort of attack undermines every security control we have in place today."
Jake Williams, Rendition Infosec
Apple, Amazon, and Super Micro all issued extensive statements[4] to Bloomberg refuting the report, categorically denying having ever found evidence of such an attack in any of their infrastructure. "Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server," the company wrote, later adding in an extended post[5] more details, including that it was not operating under any kind of government-imposed gag order. Amazon published an extended rebuttal[6] as well. "At no time, past or present, have