Headlines this weekend sent the entire IT industry into a frenzy with news that the ruling Communist Party of China had used its influence over the government to force a well-known motherboard manufacturer to spy on the overseas companies that use its products. The hack, and the existence of the chip, are still disputed by several of the companies involved, and there is still no third-party evidence of the chip anywhere on the net. The story, however, keeps growing.
Bloomberg’s report is written for financial analysts, newspaper reporters, and readers without much technical knowledge, so it contains neither technical jargon nor proof-of-concept code showing how the hack would have been carried out. The basics are easy enough to understand, however: the Chinese government, under the direction of the CPC, coerced motherboard maker Supermicro into accepting a small change to the design of its Intel-based blade servers destined for overseas clients. That change added a small chip that was not in the original design. It was designed to co-opt the Intel Baseboard Management Controller, a chip that helps system administrators automate actions on servers such as updating the firmware, changing hardware and power settings, and opening a remote KVM console to administer the server directly.
The chip itself is tiny, smaller than a grain of rice, and was reportedly disguised as a generic electronic component so that it would blend into the board and avoid discovery. The one in this article’s header image is very close to the real thing, and Bloomberg’s rendering of where the chip sits on the motherboard is also fairly accurate. This thing is tiny: so tiny, in fact, that it is thin enough to be hidden inside the motherboard. Bloomberg’s reporters noted that during their investigation they uncovered information about several variations of the same chip, including one flat enough to be hidden between the layers of the circuit board. You would need a laser cutter to slice the board into millimeter strips to find it.
According to Bloomberg, the tiny chip with six contact points (see this Twitter thread on why this is important) was capable of basic computation and networking and had its own memory. Several theories are floating around about how it would do this, but the best one I have come across is that the chip implements a man-in-the-middle attack: it intercepts the motherboard’s legitimate requests for a BIOS update from the Supermicro servers and delivers firmware altered to open backdoors into the system. This way the threat presented by the chip is constantly present, and you would only learn about it if you noticed network logs that looked slightly odd when you requested a firmware update over the network. The report details that around 30 companies were targeted through this attack, which means there are very few Supermicro motherboards out there with these devices on them. It would be unfeasible to include this chip on every motherboard the company manufactures, but if you get more than three into a company of Apple’s size and stature, there is a lot you can do before your infiltration is discovered.
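As an added defender-side illustration (not code from the original article or from any vendor), here is a small Python script that applies the detection hint above: it checks firmware-fetch log lines against an allow-listed update mirror and its network, and verifies a fetched image against a digest published out of band. The log format, mirror name, networks, image names and digests are all constructed for the example.

```python
import hashlib
import re
from ipaddress import ip_address, ip_network

# Fleet policy, constructed for this example: the only mirror a BMC may fetch
# firmware from, the network that mirror lives in, and the approved image digests.
EXPECTED_HOSTS = {"fw-mirror.example.internal"}
EXPECTED_NETS = [ip_network("10.20.0.0/16")]
APPROVED_IMAGES = {  # placeholder digest over constructed bytes, not a vendor hash
    "bmc-fw-3.71.bin": hashlib.sha256(b"constructed approved BMC image").hexdigest(),
}

# Hypothetical egress-proxy log format: "<ts> src=<ip> dst=<ip> host=<name> GET <path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) GET (?P<path>\S+)$")

def check_fetch(line):
    """Return the policy violations for one firmware-fetch log line ([] = looks normal)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable line"]
    reasons = []
    if m["host"] not in EXPECTED_HOSTS:
        reasons.append(f"unexpected update host {m['host']}")
    dst = ip_address(m["dst"])
    if not any(dst in net for net in EXPECTED_NETS):
        # Host header looks right but the bytes went elsewhere: the redirect an
        # interposer on the update path would leave behind in the logs.
        reasons.append(f"update host resolved outside expected network ({dst})")
    image = m["path"].rsplit("/", 1)[-1]
    if image not in APPROVED_IMAGES:
        reasons.append(f"unapproved image name {image}")
    return reasons

def verify_image(name, data):
    """True only if the fetched bytes match the digest published out of band."""
    return hashlib.sha256(data).hexdigest() == APPROVED_IMAGES.get(name)

def scan(lines):
    """Map each suspicious log line to its reasons; clean lines are omitted."""
    return {ln: r for ln, r in ((ln, check_fetch(ln)) for ln in lines) if r}

# Constructed sample log: a clean fetch, one redirected to an outside address
# despite the right Host header, and one pulling an image not on the list.
SAMPLE_LOG = [
    "2018-10-05T09:12:01Z src=10.20.3.14 dst=10.20.0.5 host=fw-mirror.example.internal GET /bmc/bmc-fw-3.71.bin",
    "2018-10-05T09:12:07Z src=10.20.3.15 dst=203.0.113.9 host=fw-mirror.example.internal GET /bmc/bmc-fw-3.71.bin",
    "2018-10-05T09:13:00Z src=10.20.3.16 dst=10.20.0.5 host=fw-mirror.example.internal GET /bmc/bmc-fw-3.72.bin",
]
```

Run `scan(SAMPLE_LOG)` to see the two suspicious lines with their reasons; in practice the allow-list and digests would come from your own change-controlled inventory rather than from the update path itself.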
Following the release of the report, Apple, Amazon, Supermicro, and China’s Ministry of Foreign Affairs all issued statements to Bloomberg denying the report’s details and denying that any attack on or compromise of Supermicro’s supply chain ever occurred. While Apple’s and Amazon’s statements deny that user data was ever compromised, Supermicro’s is interesting because it does not deny the claims; instead, its final paragraph points to third parties, asserting that “Supermicro doesn’t design or manufacture networking chips or the associated firmware and we, as well as other leading server/storage companies, procure them from the same leading networking companies”. When companies are found to have been negligent, they typically issue press statements that downplay the severity of the incident. These denials are scathing and very sharp, and one is left wondering who is in the right here, or who has the right information: Bloomberg, or the companies it was investigating?
With news of the report reaching overseas markets, Supermicro’s stock price tanked to 40% of its original price in less than one day. Its share price went straight off a cliff, and has since recovered to about half its initial value. In response to the report, the US Department of Homeland Security and the UK’s GCHQ both issued statements saying that they did not believe Bloomberg’s report was incorrect, but that they had no reason to doubt Apple’s and Amazon’s denials. Multiple eyes are on this now, but it is also going to hit Supermicro’s business hard. I have seen multiple threads on forums and on Reddit where server administrators are pulling Supermicro boards out of production for fear of being victims of the hack. If the company’s financial woes from the recent US tariff hikes were not enough, this story might tank its business completely.