Bloomberg Businessweek has exposed how Chinese-manufactured components may have spy back doors in IT and IoT products.
The report is serious tin-hat reading. Bloomberg says server boards made in China for Elemental (an Amazon company) by Super Micro Computer, a San Jose-based company, contained spy back doors.
Super Micro is one of the world’s biggest suppliers of server motherboards.
These had a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the board’s original design. Investigators determined that the chip allowed unknown attackers to create a stealth doorway into any network a server was on. In other words
Investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, Amazon and the world’s most valuable company, Apple. Apple no longer uses Super Micro.
One country has an advantage in executing this kind of attack: China. By some estimates it makes 75% of the world’s mobile phones and 90% of its PCs.
Problems with the Bloomberg report
Chip or not, competent system administrators should quickly pick up suspicious internet traffic to command and control servers. Mind you, the term ‘competent administrators’ may be an oxymoron.
The Trump administration has made computer and networking hardware, including motherboards, routers, switches and 5G, a focus of its trade sanctions against China. White House officials have made it clear that US tech companies must shift their supply chains to other countries.
And US Vice President Mike Pence called on US companies to avoid doing business in China if it means handing over valuable technology to their local Chinese counterparts.
How widespread are spy back doors in IT and IoT
Millions of security cameras made by Chinese-owned EZViz/Hikvision have spy back doors that turn them into surveillance cameras.
It does not stop there. EZViz/Hikvision sold many white-labels under a plethora of well-known brands. These have no hope of firmware updates. Despite widespread publicity, no patches are forthcoming.
These devices are banned in various western countries and for government, military and educational use.
Another Chinese company, VoIP specialist DblTek, appears to have purposely built in a spy back door as a ‘debugging aid’. The real purpose, according to Trustwave, is that the back door can be used to install malware or spy on conversations.
Even a Chinese company as large as Lenovo is not immune, although its response is heartening. But it is a stark reminder that ‘When in Rome, do as the Romans do’ – or else:
If they want backdoors globally? We don’t provide them. If they want a backdoor in China, let’s just say that every multinational in China does the same thing. We comply with local laws. If the local laws say we don’t put in backdoors, we don’t put in backdoors. And we don’t just comply with the laws; we follow the ethics and the spirit of the laws. Likewise, if there are countries that want to have access, and there are more countries than just China, you provide what they’re asking.
Chinese internet giant Tencent was quick to defend a ‘feature’ where a smartphone selfie camera activates when its messaging apps are opened.