Could spies actually insert malicious chips into computer circuit boards? A manufacturing expert says it's possible

Muddying the waters, all parties involved vigorously deny the report even as Bloomberg stands by its reporting. Amazon said the inaccuracies are "hard to count." Apple published a rare 750-word statement in response, calling the report untrue. 

It's not surprising that the situation is unclear. The story touches on matters of international spying, high-tech manufacturing, and the world of information security — three of the most secretive realms in the entire world.

Ultimately, we may never know with a high degree of certainty what actually happened in the past three years, in regards to SuperMicro's supply chain.

But according to one high-tech manufacturing expert, it's entirely realistic to think that one bad actor could change the design on a circuit board, and that it wouldn't be caught until the finished product is out in the wild. 

"There's so much complexity in these products," Anna-Katrina Shedletsky told Business Insider in a phone interview. "I think what's really great about that Bloomberg GIF that's the top of that at the top of their article."

—Bloomberg (@business) October 5, 2018

"See how tiny that chip is? There's no way human inspector is going to notice that there when it wasn't supposed to be. Even the engineer who is intimately familiar with the layout of that design may not notice that," she continued. 

Shedletsky would know about detecting issues in contract manufacturing. She's a cofounder of Instrumental, a company that uses machine learning to head off manufacturing defects, and she estimates she's spent 500 days in factories in China and around the world, first as a product design engineer at Apple for six years, and later in her role as Instrumental's CEO.  

"I think based on the methodology in which these parts are designed and manufactured, whether it's a nation-state actor or even just someone else, I don't actually think it's hard to inject stuff that the brand or design team didn't intentionally ask for," she said. She believes that easily searchable, high-resolution digital photos of circuit boards, one Instrumental's main products, will become increasingly important as companies implement more controls on the supply chain. 

All electronics have a circuit board

Shedletsky doesn't have any direct knowledge about the Bloomberg report or how SuperMicro does its manufacturing, and doesn't know what to think given the strong and detailed denials provided by the companies involved.

"I don't know what to believe, but at the same time it doesn't really matter, because it's possible, and we have to act like it is true to solve the problem," she said.

After all, Bloomberg alleges that spies were able to put an unwanted chip on a printed circuit board. All electronics have a circuit board in them, she said. And often, one person can change the computer file that has the design. 

"The manufacturer doesn't even need to be nefarious," she explained, speaking generally. "You just need one person who is going to change the reference design and hit save. Now it's going to go on any customer that pulls that reference design, for something like a server that's pretty generic."

"Every single component that is found on a circuit board is codified on the schematic," said Saket Vora, a Bay Area-based hardware engineer who has worked for Apple and other consumer hardware companies. "Think of a schematic as the architectural blueprint for a design. For an [electrical engineer] designer to discover a component on a finished circuit board that wasn't on the schematic would be akin to walking into a home you had built from scratch and discovering an extra window."

These parts go through an inspection before they're packed and shipped, but these kind of inspections aren't set up to detect things that have been added — they're often more concerned with common issues like whether the solder was properly applied. And if the design document was altered, then these tests wouldn't pick it up either.

"It would be very easy to get by one of those tests. Those tests are based on what's called the 'Gerber file' or the computer aided design of what's supposed to be on the board," she explained. 

One problem that has come up in her experience is counterfeits. Sometimes, she said, factories can replace one chip on a circuit board with cheaper, counterfeit alternatives and the company that built the product doesn't realize until it's shipping. 

Reuters Pictures Archive

"A friend of mine built a product and their batteries started smoking," she said. "The root cause was that the power chip was a cheaper version that was not on the design. It had less circuitry, but it looked like a power chip and kind of functions like one, but it was a 'cost-down' model, like it was a cheaper chip."

There's also a range of different levels of security at different factories, she said. In some, everything is locked down and controlled. At others, circuit boards and other parts are seen as less critical than stuff like the enclosures, which can be considered super-secret. 

In general, though, she doesn't worry about consumer devices like smartphones from big, well-resourced brands like Apple being vulnerable to hardware attacks like the one Bloomberg alleges — there are simply too many people looking at the design and finished product. 

But that still leaves a lot of vulnerable products out there. 

"Even regardless of whether it's true or not, if you were a SuperMicro customer for the last four years, five years you might be thinking, 'do any of our server boards have problematic stuff going on?'" Shedletsky said. "I would be asking myself if I was a customer. Because it's so plausible, there could be more we don't know about."