Security Perception and Supply Chain Poisoning: Those Pesky Little Chips

By now it’s inevitable you’ve run across the Bloomberg article discussing how nefarious forces in China managed to surreptitiously add malicious chips to server motherboards supplied by Super Micro, and how those boards ended up in servers deployed in marquee cloud providers’ data centers, including those operated by Amazon and Apple, and maybe even the US military and intelligence agencies. These chips supposedly provide China’s People’s Liberation Army the ability to secretly monitor server and network activity as well as alter I/O to the affected machines’ CPUs.

But if you’ve read the Bloomberg article, you’ve also likely caught the wave of meta-journalism around the topic, including vociferous denials from both Amazon and Apple that anything of the sort was discovered, as well as statements from some of the “officials” referred to in the original story that muddies the whole thing up.

This is a deliciously insidious problem, because it perfectly feeds standard conspiracy theory tropes. The big cloud providers will deny their hardware has been irreparably compromised, because of course they would—to do otherwise is to cast doubt on the safety and security of the bulk of their offerings. The involved “officials” will make similar denials as well, because they don’t want to be in the headline above the fold when the cloud industry goes into a tailspin.

I’m not trying to stoke conspiracy chatter around this topic or suggest that the creeping body horror scenario of little chips embedded in everything and watching every move we make is the new reality, and the companies and officials we trust to ferret out these little nasties are covering the whole thing up to quell panic. I don’t have the data in front of me I would need to make a conclusive judgment one way or the other. Is it possible that surveillance chips are being slipped into production boards? Sure, though—wow—what a complicated attack that would be. If there aren’t chips inserted into the boards, is it still possible that there is unseen surveillance code buried in the firmware or microcode? Sure, that’s also possible and a little more probable, actually. The real takeaway, however, is that the end functionality of the entire stack from silicon to user space software depends on a complex web of trust between parties that increasingly don’t trust each other.

We’re already well past the point at which we should be thinking about security as something other than the final lick of paint before dropping alpha code to paying customers. But this is another strong case for getting serious about defense in depth: the perimeter doesn’t trust the Internet; the segment doesn’t trust the backbone; the network doesn’t trust the host; the host doesn’t trust the network, the software, or the user; and absolutely everything is monitored and logged (and someone or something, preferably a properly-tuned SIEM, is actually doing something smart with the logs). Given that so many organizations haven’t even begun flirting with the bare minimum of information security, we’re probably not ready to get too wound up about secret little Chinese chips.