Last week, the Financial news website Bloomberg released what could potentially be the biggest security related story in years. Evidence that the Chinese government were implanting so called “Spy Chips” on Supermicro motherboards intended for use in top American companies including Amazon, Apple, and the US government itself. In the hours and days following, Supermicro’s share price has fell by 40 percent; while Supermicro, Apple and Amazon have all issued vehement denials as to their alleged discovery of the chips embedded in the motherboards. Both The Register and Ars Technica produced excellent write ups of what was an bombshell revelation.
A week later, Bloomberg released a second story talking about how an unnamed US telecom company discovered further tampered Supermicro hardware, this time using a modified Ethernet connector. This story appears to have been single sourced from the security specialist Yossi Appleboum. Again, the story was met by strong denials of the discovery of such tampering. So what does this all mean? As I’m not an expert in hardware security, or in supply-chain security, I’ll leave that to other better qualified people; and look at this story from my perspective, as an Information Security Manager.
Who to believe?
The first reaction to this story was “Bloody hell, this is bad!” yet upon further analysis, the situation becomes less clear. First we need to consider that Bloomberg prides itself on high-quality factually correct journalism that the financial markets depend on. We therefore should start with the assumption that they believed everything they reported to be true. Next we need to consider that there are inevitably national security implications to such revelations, which might mean the implicated companies are under gag-orders meaning they cannot disclose what they have found. This seems unlikely given the highly detailed nature of the denials issued by all involved. The implicated companies protecting their commercial interests is also a consideration given what happened to the share price of Supermicro. That said, deliberately lying to investors is not a sensible move for any public company and the detailed denials do not fit this. We therefore have to assume that the companies involved are telling the truth.
Bloomberg telling the truth and the companies implicated telling the truth are mutually exclusive, hence the FUD (Fear, Uncertainty, Doubt) around this story at the moment. Let’s consider who might benefit from these revelations then. Donald Trump has been extremely vocal over the US-Chinese relationship since before his election as president, recently imposing billions in tariffs. Such stories may serve to deter having hardware manufacturing performed in China, which would serve these ends. Could it be then that the unnamed intelligence officials are actually pushing an anti-Chinese agenda on behalf of the White House? That’s unclear and possibly unlikely. Then again, we live in interesting times and nothing is impossible.
Short answer: I don’t know! Ultimately though it doesn’t matter…
So, should I be worried?
So, the CEO / Managing Director has been reading Bloomberg and comes fretting about Chinese hackers putting spy chips into your servers. Now we’re into the kind of question that most information security professionals will need to be asking. The best answer is likely to be yes, but not about spy chips. If we forget about the contentious part of the story – the spy chips themselves, and we leave aside the geopolitics, what we are left with is the overarching problem of supply chain security. This isn’t going to make headlines like James Bond-esque revelations about spies and altered blueprints, but presents a much larger and more real threat to more organisations.
Hardware-based attacks have to be amongst the most complex to successfully execute. First, you cannot simply “bug” every device – the more of them you put in place the greater the chance of one being discovered – either the hardware itself, or the signature of its operation. As such, in order for this kind of attack to be successful, you need to be ordering servers in such a quantity that it creates a known channel in the supply chain. For almost all companies, either large multinationals, this isn’t a major concern. Servers will generally be ordered through a reseller from general stock. If we look at this from a risk perspective, assuming that you’re not ordering 20,000 servers and working on national security workloads, the likelihood of you getting a server with a spy chip is probably about the same as an asteroid hitting your office.
Unfortunately there are other much more effective methods of compromising a server or network without using a chip. UEFI or the onboard device ROM offers the easiest way to do this, using hardware that is already on the device and has privileged access to the system. Furthermore such attacks would be harder to tie to a specific group, and could be distributed more widely. Edward Snowden revealed how the NSA were planting backdoors in Cisco firmware while it was in transit back in 2014. It could also be possible to compromise a suppliers website in order to serve compromised firmware, though this is harder to target.
The reality is however that all companies are much more at risk of being compromised by malware than by a spy chip or malicious firmware. Most likely delivered via a phishing email. This brings us back to the core of good security hygiene: Effective security controls supported by strong user education and awareness.
What about supply chain security?
While the wider topic of supply chain security deserves an article of its own, what’s the quick answer? For most organisations, the level of supply chain security needed to prevent an attack of this nature is beyond any definition of reasonable. Some pragmatic and sensible steps an organisation can take to improve security of the supply chain include:
- Only buying hardware and software from reputable organisations, and installing known good versions of firmware on them;
- Periodically vetting suppliers that provide services or handle information on behalf of your organisation with an appropriate and proportionate due diligence exercise;
- Reacting to findings of due diligence exercises to minimise the identified risks; and
- Treating all cloud services as inherently insecure and implementing appropriate security controls.
Remember, you’re not just responsible for the actions of your suppliers, but of their suppliers (and so on) also. Where the supply chain involves the transfer and processing of personal data, GDPR will hold you responsible for the actions of anybody that is processing your data.
Compared to the release of the Spectre and Meltdown vulnerabilities, a week after the initial revelations, we still know little more than we did on day 1; meaning it’s not something I’m going to be losing sleep over. That’s the good news. The bad news is that it has put the focus of supply chain security, something that has the potential to raise very awkward questions for some organisations.