A recent report from Bloomberg Businessweek has caused controversy in the security community and now a US state agency has made a statement.
Last week, a story from Bloomberg Businessweek claimed that Chinese operatives infiltrated the hardware supply chains of major tech firms, including Apple and Amazon. The report alleged that spies planted a tiny chip on hardware used in servers owned by the tech players.
Following the report, the companies were quick to issue strenuous denials of the story’s legitimacy. Apple, Amazon and hardware maker Supermicro were firm in their statements, with Amazon’s chief information security officer calling the piece “erroneous”. The publication itself said it had numerous verified anonymous sources to back up the claims laid out in the story.
UK and US agencies dispute story
Now, security agencies in both the UK and the US have said they have no grounds to doubt the statements issued by the companies denying the story. Late on 5 October, the UK National Cyber Security Centre (NCSC) said it believed the companies had carried out strenuous security checks. It added: “We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS [Amazon Web Services] and Apple.”
On 6 October, the US Department of Homeland Security (DHS) echoed the NCSC’s statement, leaning towards the side of the companies affected. It said: “Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story.
“Information and communications technology supply chain security is core to DHS’s cybersecurity mission, and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.”
In a report from Bloomberg on 7 October, it claimed that the infiltration of the computer systems was investigated as part of a larger “FBI counter-intelligence probe, according to national security officials familiar with the matter”. It added that the DHS “may not be involved in such enquiries”, according to some of its sources.
Computer expert Nicholas Weaver wrote in a blogpost that the Bloomberg story is at least plausible. He said: “This scheme is less crazy than it might seem. Modern circuit boards are filled with small support chips, and the backdoor chip would appear to be just another faceless component to all but the most detailed examination.”
While both sides of this tale have issued their respective statements, the truth will likely remain unclear unless a compromised board featuring one of the so-called spy chips is located.