Security

Chinese chip spying report shows the supply chain remains the ultimate weakness

Comment

Image Credits: Getty Images

Thursday’s explosive story by Bloomberg reveals detailed allegations that the Chinese military embedded tiny chips into servers, which made their way into data centers operated by dozens of major U.S. companies.

We covered the story earlier, including denials by Apple, Amazon and Supermicro — the server maker that was reportedly targeted by the Chinese government. Apple didn’t respond to a request for comment. Amazon said in a blog post that it “employs stringent security standards across our supply chain.” The FBI did not return a request for comment but declined to Bloomberg, and the Office for the Director of National Intelligence declined to comment. This is a complex story that rests on more than a dozen anonymous sources — many of which are sharing classified or highly sensitive information, making on-the-record comments impossible without repercussions. Despite the companies’ denials, Bloomberg is putting its faith in that the reader will trust the reporting.

Much of the story can be summed up with this one line from a former U.S. official: “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”

It’s a fair point. Supermicro is one of the biggest tech companies you’ve probably never heard of. It’s a computing supergiant based in San Jose, Calif., with global manufacturing operations across the world — including China, where it builds most of its motherboards. Those motherboards trickle throughout the rest of the world’s tech — and were used in Amazon’s data center servers that power its Amazon Web Services cloud and Apple’s iCloud.

One government official speaking to Bloomberg said China’s goal was “long-term access to high-value corporate secrets and sensitive government networks,” which fits into the playbook of China’s long-running effort to steal intellectual property.

“No consumer data is known to have been stolen,” said Bloomberg.

Infiltrating Supermicro, if true, will have a long-lasting ripple effect on the wider tech industry and how they approach their own supply chains. Make no mistake — introducing any kind of external tech in your data center isn’t taken lightly by any tech company. Fear of corporate and state-sponsored espionage has been rife for years. It’s chief among the reasons why the U.S. and Australia have effectively banned some Chinese telecom giants — like ZTE — from operating on its networks.

Having a key part of your manufacturing process infiltrated — effectively hacked — puts every believed-to-be-secure supply chain into question.

With nearly every consumer electronics or automobile, manufacturers have to procure different parts and components from various sources across the globe. Ensuring the integrity of each component is near impossible. But because so many components are sourced from or assembled in China, it’s far easier for Beijing than any other country to infiltrate without anyone noticing.

The big question now is how to secure the supply chain?

Companies have long seen supply chain threats as a major risk factor. Apple and Amazon are down more than 1 percent in early Thursday trading and Supermicro is down more than 35 percent (at the time of writing) following the news. But companies are acutely aware that pulling out of China will cost them more. Labor and assembly are far cheaper in China, and specialist parts and specific components often can’t be found elsewhere.

Amazon reportedly offloaded its Chinese server business because it was compromised

Instead, locking down the existing supply chain is the only viable option.

Security giant CrowdStrike recently found that the vast majority — nine out of 10 companies — have suffered a software supply chain attack, where a supplier or part manufacturer was hit by ransomware, resulting in a shutdown of operations.

But protecting the hardware supply chain is a different task altogether — not least for the logistical challenge.

Several companies have already identified the risk of manufacturing attacks and taken steps to mitigate. BlackBerry was one of the first companies to introduce root of trust in its phones — a security feature that cryptographically signs the components in each device, effectively preventing the device’s hardware from tampering. Google’s new Titan security key tries to prevent manufacturing-level attacks by baking in the encryption in the hardware chips before the key is assembled.

Albeit at start, it’s not a one-size-fits-all solution. Former NSA hacker Jake Williams, founder of Rendition Infosec, said that even those hardware security mitigations may not have been enough to protect against the Chinese if the implanted chips had direct memory access.

“They can modify memory directly after the secure boot process is finished,” he told TechCrunch.

Some have even pointed to blockchain as a possible solution. By cryptographically signing — like in root of trust — each step of the manufacturing process, blockchain can be used to track goods, chips and components throughout the chain.

Instead, manufacturers often have to act reactively and deal with threats as they emerge.

According to Bloomberg, “since the implanted chips were designed to ping anonymous computers on the internet for further instructions, operatives could hack those computers to identify others who’d been affected.”

Williams said that the report highlights the need for network security monitoring. “While your average organization lacks the resources to discover a hardware implant (such as those discovered to be used by the [Chinese government]), they can see evidence of attackers on the network,” he said.

“It’s important to remember that the malicious chip isn’t magic — to be useful, it must still communicate with a remote server to receive commands and exfiltrate data,” he said. “This is where investigators will be able to discover a compromise.”

The intelligence community is said to be still investigating after it first detected the Chinese spying effort, some three years after it first opened a probe. The investigation is believed to be classified — and no U.S. intelligence officials have yet to talk on the record — even to assuage fears.

China reportedly infiltrated Apple and other US companies using ‘spy’ chips on servers

More TechCrunch

Some startups choose to bootstrap from the beginning while others find themselves forced into self funding by a lack of investor interest or a business model that doesn’t fit traditional…

VCs wanted FarmboxRx to become a meal kit, the company bootstrapped instead

Uber and Lyft drivers in Minnesota will see higher pay thanks to a deal between the state and the country’s two largest ride-hailing companies. The upshot: a new law that…

Uber and Lyft’s ride-hailing deal with Minnesota comes with a cost

Andreessen Horowitz’s American Dynamism fund has established a new fellowship program aimed at introducing top engineers and technologists to venture investing, a move that could help the firm less obvious…

a16z’s American Dynamism team launches program to introduce technical minds to VC

Another fintech startup, and its customers, has been gravely impacted by the implosion of banking-as-a-service startup Synapse. Copper Banking, a digital banking service aimed at teens, notified its customers on…

Teen fintech Copper had to emergency discontinue its banking, debit products

Autodesk — the 3D tools behemoth — has acquired Wonder Dynamics, a startup that lets creators quickly and easily make complex characters and visual effects using AI-powered image analysis. The…

Autodesk acquires AI-powered VFX startup Wonder Dynamics

Farcaster, a blockchain-based social protocol founded by two Coinbase alumni, announced on Tuesday that it closed a $150 million fundraise. Led by Paradigm, the platform also raised money from a16z…

Farcaster, a crypto-based social network, raised $150M with just 80K daily users

Microsoft announced on Tuesday during its annual Build conference that it’s bringing “Windows Volumetric Apps” to Meta Quest headsets. The partnership will allow Microsoft to bring Windows 365 and local…

Microsoft’s new ‘Volumetric Apps’ for Quest headsets extend Windows apps into the 3D space

The spam reached Bluesky by first crossing over two other decentralized networks: Mastodon and Nostr.

The ‘vote Trump’ spam that hit Bluesky in May came from decentralized rival Nostr

Welcome to TechCrunch Fintech! This week, we’re looking at the continued fallout from Synapse’s bankruptcy, how Layer wants to disrupt SMB accounting, and much more! To get a roundup of…

There’s a real appetite for a fintech alternative to QuickBooks

The company is hoping to produce electricity at $13 per megawatt hour, which would be more than 50% cheaper than traditional onshore wind.

Bill Gates-backed wind startup AirLoom is raising $12M, filings reveal

Generative AI makes stuff up. It can be biased. Sometimes it spits out toxic text. So can it be “safe”? Rick Caccia, the CEO of WitnessAI, believes it can. “Securing…

WitnessAI is building guardrails for generative AI models

It’s not often that you hear about a seed round above $10 million. H, a startup based in Paris and previously known as Holistic AI, has announced a $220 million…

French AI startup H raises $220M seed round

Hey there, Series A to B startups with $35 million or less in funding — we’ve got an exciting opportunity that’s tailor-made for your growth journey! If you’re looking to…

Boost your startup’s growth with a ScaleUp package at TC Disrupt 2024

TikTok is pulling out all the stops to prevent its impending ban in the United States. Aside from initiating legal action against the U.S. government, that means shaping up its…

As a US ban looms, TikTok announces a $1M program for socially driven creators

Microsoft wants to put its Copilot everywhere. It’s only a matter of time before Microsoft renames its annual Build developer conference to Microsoft Copilot. Hopefully, some of those upcoming events…

Microsoft’s Power Automate no-code platform adds AI flows

Build is Microsoft’s largest developer conference and of course, it’s all about AI this year. So it’s no surprise that GitHub’s Copilot, GitHub’s “AI pair programming tool,” is taking center…

GitHub Copilot gets extensions

Microsoft wants to make its brand of generative AI more useful for teams — specifically teams across corporations and large enterprise organizations. This morning at its annual Build dev conference,…

Microsoft intros a Copilot for teams

Microsoft’s big focus at this year’s Build conference is generative AI. And to that end, the tech giant announced a series of updates to its platforms for building generative AI-powered…

Microsoft upgrades its AI app-building platforms

The U.K.’s data protection watchdog has closed an almost year-long investigation of Snap’s AI chatbot, My AI — saying it’s satisfied the social media firm has addressed concerns about risks…

UK data protection watchdog ends privacy probe of Snap’s GenAI chatbot, but warns industry

U.S. cell carrier Patriot Mobile experienced a data breach that included subscribers’ personal information, including full names, email addresses, home ZIP codes and account PINs, TechCrunch has learned. Patriot Mobile,…

Conservative cell carrier Patriot Mobile hit by data breach

It’s been three years since Spotify acquired live audio startup Betty Labs, and yet the music streaming service isn’t leveraging the technology to its fullest potential — at least not…

Spotify’s ‘Listening Party’ feature falls short of expectations

Alchemist Accelerator has a new pile of AI-forward companies demoing their wares today, if you care to watch, and the program itself is making some international moves into Tokyo and…

Alchemist’s latest batch puts AI to work as accelerator expands to Tokyo, Doha

“Late Pledge” allows campaign creators to continue collecting money even after the campaign has closed.

Kickstarter now lets you pledge after a campaign closes

Stack AI’s co-founders, Antoni Rosinol and Bernardo Aceituno, were PhD students at MIT wrapping up their degrees in 2022 just as large language models were becoming more mainstream. ChatGPT would…

Stack AI wants to make it easier to build AI-fueled workflows

Pinecone, the vector database startup founded by Edo Liberty, the former head of Amazon’s AI Labs, has long been at the forefront of helping businesses augment large language models (LLMs)…

Pinecone launches its serverless vector database out of preview

Young geothermal energy wells can be like budding prodigies, each brimming with potential to outshine their peers. But like people, most decline with age. In California, for example, the amount…

Special mud helps XGS Energy get more power out of geothermal wells

Featured Article

Sonos finally made some headphones

The market play is clear from the outset: The $449 headphones are firmly targeted at an audience that would otherwise be purchasing the Bose QC Ultra or Apple AirPods Max.

8 hours ago
Sonos finally made some headphones

Adobe says the feature is up to the task, regardless of how complex of a background the object is set against.

Adobe brings Firefly AI-powered Generative Remove to Lightroom

All cars suffer when the mercury drops, but electric vehicles suffer more than most as heaters draw more power and batteries charge more slowly as the liquid electrolyte inside thickens.…

Porsche Ventures invests in battery startup South 8 to boost cold-weather EV performance

Scale AI has raised a $1 billion Series F round from a slew of big-name institutional and corporate investors including Amazon and Meta.

Data-labeling startup Scale AI raises $1B as valuation doubles to $13.8B