In what could be the most important national security story of the decade, a new report alleges that China has been installing tiny microchips, roughly the size of a grain of rice, on the motherboards of countless servers imported into the U.S.
The revelations come from a new report by Bloomberg, which states that the clandestine microchips were first found by Amazon in 2015, which in turn reportedly alerted America’s intelligence agencies.
Amazon Web Services (AWS), which has a contract with the CIA, was investigating a company called Elemental Technologies for a potential acquisition when it allegedly uncovered the microchips. Elemental’s products, along with that of a company called Supermicro, are used by everyone from the U.S. Navy to the CIA.
“Think of Supermicro as the Microsoft of the hardware world,” a former U.S. intelligence official told Bloomberg. “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”
The idea that China has been installing mini-spies into American electronics has long been a fear of the American intelligence community, as the U.S.’s New Cold War adversary produces most of the gadgets used in the west. China manufactures as much as 75 percent of the world’s smartphones and perhaps as much as 90 percent of the world’s personal computers, according to the report.
From Bloomberg Businessweek:
“The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.”
The exploit reportedly hit nearly 30 American businesses, including Apple, “a major bank,” and a host of government contractors. The investigation into the massive security breach reportedly remains open to this day.
Apple, for its part, has denied Bloomberg’s reporting, issuing a new statement to CNBC this morning:
“We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.”
Amazon also challenged Bloomberg’s report, saying, “It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental.”
How could these microchips have hidden in plain sight? By looking like something else entirely.
Again, from Bloomberg:
“The chips on Elemental servers were designed to be as inconspicuous as possible, according to one person who saw a detailed report prepared for Amazon by its third-party security contractor, as well as a second person who saw digital photos and X-ray images of the chips incorporated into a later report prepared by Amazon’s security team. Gray or off-white in color, they looked more like signal conditioning couplers, another common motherboard component, than microchips, and so they were unlikely to be detectable without specialized equipment. Depending on the board model, the chips varied slightly in size, suggesting that the attackers had supplied different factories with different batches.”
There have been growing tensions between China and its New Cold War foes like the United States, Australia, and Germany. Best Buy has stopped selling Huawei devices over fears about the safety of those products and China has been shut out of bidding on lucrative 5G contracts in the United States. The U.S. government even claims that China is using LinkedIn to recruit Americans for spying.
In an email to Gizmodo for this story, Apple pointed us to the denial it provided Bloomberg. Likewise, Amazon reiterated its earlier comment:
“As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems.”
Update 12:42pm ET: Amazon AWS just sent Gizmodo an even stronger denial, insisting, “we have not engaged in an investigation with the government.” The company has also written an entire blog post refuting the claims. So make of that what you will.
Update 4:17pm ET: Apple later released a lengthy statement refuting Bloomberg’s claims, titled “What Businessweek got wrong about Apple.”