Dan Munro - Dev-Sec-Ops Engineer

Thoughts On The Chinese Motherboard Hack

The Big Hack

Bloomberg News earlier this month reported the results of an investigation which checks all the boxes of a classic international spy drama. Actors include nation states, global server equipment manufacturers, and tech companies familiar to most American households.

A Spy Novel In Real Life

The narrative honestly reads like a spy novel. A rogue chip the size of the tip of a sharpened pencil. A clandestine operation, co-opting manufacturing facilities to install this chip possibly within motherboard substrates, making detection exceedingly difficult. The world’s largest tech companies fill cavernous server farms with compromised motherboards. Certain unknown conditions occur, the chip activates, and a payload is delivered.

Server firmware and software can be modified without integrity checks failing. Privilege escalation attacks can be launched. Network traffic is monitored and sensitive information leaks out.

But this, unfortunately, is not the setup of a new spy novel or summer blockbuster film.

It’s also not necessarily what actually happened.

However, the truth likely lies somewhere in the middle. And if even some of the narrative turns out to be true, it represents the single most damaging compromise of computer hardware ever publicly discovered.

Accusations, And Denials

Across the board, strong denial has been the response du jour. And for good reason. As Bruce Schneier notes,

We cannot trust anyone, yet we have no choice but to trust everyone. No one is ready for the costs that solving this would entail.

The allegedly compromised companies, who again strongly deny these accusations, include Apple and Amazon among dozens of other companies. At this point, a confirmation would be much more surprising than what we’re seeing: across-the-board denials. A response to any other effect would be highly unusual, considering the national security implications these allegations carry. So who is right?

Reading Between The Lines

Hardware supply chains span the globe. Securing every supply line, in every manufacturing facility, for every manufacturer, everywhere, is simply not feasible. Even then, every shipping facility, middleman, and service provider is a potential attack vector. Periodic checks by expert analysts against the provided schematics are just not foolproof.

Given the available evidence, it’s reasonable to assume compromises have happened, are happening, and will continue to happen for the foreseeable future.

Investigations And Responsible Disclosure

One point is important to emphasize: assuming this hack is true, this is exactly how companies involved would respond. To confirm this level of supply chain compromise would be reckless on many levels – most importantly, at the level of national security.

A (very) public confirmation will undoubtedly have unintended consequences. Revealing confidential sources and information during an ongoing investigation is dangerous, reckless, and raises roadblocks to progress. Sources get spooked; jury pools poisoned. Bias remains difficult to keep out of an investigation.

For any investigation, there is a target. Once privileged information leaks from the investigation and becomes public, the target also gains that knowledge. The advantage of information asymmetry is lost, and the target modifies their behavior in order to avoid future detection.

Secondly, the immediate fallout of an extreme PR disaster, not to mention possible legal jeopardy, will undoubtedly put jobs at risk. Jobs across the economic spectrum will not be safe, and that won’t really help fix the problem at hand.

Accounting For The Unknowns

Of course, at this point, the evidence is far from conclusive. While Bloomberg News makes unambiguous, well-researched claims, has its reputation on the line, and doubled down on their reporting – we’re still lacking key hard evidence. Confirmed photos. Detailed analysis by third party experts. Public confirmation by the parties involved (again, this is unlikely to ever happen regardless of the report’s veracity).

Still, there are questions. The author of the chip is not verified. Where in the supply chain the compromise occurred is unknown. The conditions for its activation are unknown as well.

Was this all the work of one entity? Was it really a foreign spy agency? It wouldn’t be unreasonable for a certain three letter domestic agency to pull off this hack on motherboards in transit around the world. The same agency would be able to benefit twice by framing opposing spy agencies and sowing disinformation to hide the true source.

At this point, with the available information, we can’t say with any certainty what has happened. But that sure won’t stop us from speculating.

Written on Oct 9, 2018.