China may have spy back doors in IT and IoT products


Bloomberg Businessweek has exposed how Chinese-manufactured components may have spy back doors in IT and IoT products.

The report is serious tin-hat reading. Bloomberg says server boards made in China for Elemental (an Amazon company) by Super Micro Computer, a San Jose-based company, contained spy back doors.

Super Micro is one of the world’s biggest suppliers of server motherboards.

These had a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the board’s original design. Investigators determined that the chip allowed unknown attackers to create a stealth doorway into any network a server was on. In other words, placing spy back doors in IT and IoT.

Investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, Amazon and the world’s most valuable company, Apple. Apple no longer uses Super Micro.

One country has an advantage in executing this kind of attack: China. By some estimates, it makes 75% of the world’s mobile phones and 90% of its PCs.

Problems with the Bloomberg report

Chip or not, competent system administrators should quickly pick up suspicious internet traffic to command and control servers. Mind you, the term ‘competent administrators’ may be an oxymoron.

The Trump administration has made computer and networking hardware, including motherboards, routers, switches and 5G, a focus of its trade sanctions against China. White House officials have made it clear that US tech companies must shift their supply chains to other countries.

And US Vice President Mike Pence called on US companies to avoid doing business in China if it means handing over valuable technology to their local Chinese counterparts.

So, the sky is falling.
Those inscrutable Chinese
placing spying back-doors in IT and IoT 

How widespread are spy back doors in IT and IoT?

Millions of security cameras made by Chinese-owned Ezviz/Hikvision have spy back doors that turn them into surveillance cameras.

It does not stop there. Ezviz/Hikvision sold many white-label products under a plethora of well-known brands. These have no hope of firmware updates. Despite widespread publicity, no patches are forthcoming.

These devices are banned in various western countries and for government, military and educational use.

Another Chinese company, VoIP specialist DblTek, appears to have purposely built in a spy back door as a ‘debugging aid’. According to Trustwave, the real purpose is that the spy back door can be used to install malware or spy on conversations.

Even a Chinese company as large as Lenovo is not immune, although its response is heartening. But it is a stark reminder that ‘When in Rome do as the Romans do’ – or else:

If they want backdoors globally? We don’t provide them. If they want a backdoor in China, let’s just say that every multinational in China does the same thing. We comply with local laws. If the local laws say we don’t put in backdoors, we don’t put in backdoors. And we don’t just comply with the laws; we follow the ethics and the spirit of the laws. Likewise, if there are countries that want to have access, and there are more countries than just China, you provide what they’re asking.

Chinese internet giant Tencent was quick to defend a ‘feature’ where a smartphone selfie camera activates when its messaging apps are opened.

It appears that the Chinese Communist Party (CCP) insisted the ‘feature’ be part of Chinese-made phones. It was discovered by a user of a Vivo NEX phone with a motorised pop-up camera, although it affects an unknown number of brands and models.

These spy back doors have not just affected people from mainland China, but those from outside the country who want to communicate with friends there.

As the Chinese government has blocked most foreign social media technologies, anyone who wants to communicate with people in China has little choice but to install applications made in China, such as WeChat.

Then there is the Huawei and ZTE debacle and their preclusion from both Australia and the US 5G infrastructure. The real issue here is not about trust. They (and any Chinese company) are subject to Chinese laws that ensure compliance.

Perhaps the sanest, non-xenophobic reason I have heard is that critical infrastructure like 5G, telecommunications, utilities etc., need to be provided by an implicitly trusted source and governments have those choices.

Spy backdoors

GadgetGuy’s take: You must assume that spy back doors exist and that the Chinese Communist Party can access any data from Chinese-owned companies or stored on Chinese servers.

Where there is smoke, there is fire. Throw enough mud and some sticks. But how does the allegation of spying back doors in IT and IoT affect us?

If you are Joe and Jane Average living in suburbia, then this does not really affect you. China makes 75% of the world’s phones (including Apple), and I do not think for a minute its spies are after you. It is more likely that the Australian Federal Police are looking for keywords and metadata on every brand of phone because Australian Telcos are subject to Australian laws. I won’t complain if it keeps me safe.

But if you are a provider of critical infrastructure or keeper of secrets, then a certain degree of healthy paranoia is good.