Analysis: The Supermicro Backdoor
On Thursday, Bloomberg released a detailed report that accused China of placing surveillance devices on electronics manufactured by Supermicro and used by Apple, Amazon, and the US government. In the report, Bloomberg explicitly states that the People's Liberation Army was behind the hardware implant that enables remote access to affected devices.
The hardware backdoor was created by adding a small microchip to the motherboard of devices manufactured by American-based Supermicro, one of the world’s largest suppliers of motherboards. The company has its components fabricated in China, where the malicious hardware implant seems to have been integrated into the manufacturing process. The chip, no bigger than a grain of rice, created backdoor access into Supermicro devices, giving China the ability to remotely contact impacted electronics.
The discovery of the hardware implant affects more than 30 major US companies as well as US government agencies that utilize Supermicro devices. Apple, Amazon, NASA, the Department of Defense, and Congress are all known to have employed devices using Supermicro components. The compromised hardware could have given China the ability to remotely access infected devices at these organizations and siphon intellectual property or sensitive and even classified data from them.
China's long history of cyber espionage
China is known for its cyberespionage efforts conducted against both its own people and other countries. In fear of falling victim to these espionage efforts, the United States has banned use of Chinese-based Huawei and ZTE technologies in government organizations. With the news of implanted devices existing in American-designed electronics, it now appears that the risk of espionage comes not from using electronics designed by Chinese companies, but rather from using electronics manufactured in China. If China’s hardware manipulation efforts involved more companies than just Supermicro, the impact could be massive. China currently manufactures 75% of the world’s mobile phones and 90% of the world’s PCs.
Controlling the electronics supply-chain
While it would dramatically increase overall costs to electronics developers, hardware companies can increase the security of their products by moving the fabrication process of their components to another country. This however, would not be a quick fix and would pose regulatory challenges. The environmental impact of producing electronics is significant and precludes countries with strict environmental regulations from operating electronics manufacturing plants. Lax labor and environmental laws in China have allowed them to produce electronic devices more efficiently than countries with stricter regulations. The Chinese government has systemically integrated itself into the electronics manufacturing supply chain within its borders to conduct cyberespionage. Moving the fabrication process to a more trustworthy country would make it more difficult for China to conduct its hardware manipulation and spying campaigns.
How to prevent cyber-spying on existing devices and networks
For businesses and consumers of electronics products, it’s unrealistic to inspect the motherboards of every device searching for a hidden malicious microchip. However, continuous network monitoring can identify anomalous traffic and indicators of suspicious activity. Information security is best employed in layers of protection, with each control creating a difficult obstacle for an attacker to overcome. While China may have implanted electronics motherboards with a malicious chip, deploying numerous security controls with strict access parameters can help prevent the chip’s ability to download malware to the system or beacon sensitive data back to malicious actors. Cyber threat actors will always exist, but employing the proper technologies and controls on your network make it possible to Defend your Data.