Bloomberg Businessweek has exposed how Chinese-manufactured components may have spying back-doors in IT and IoT products.

The report is serious tin-hat reading. Bloomberg claims servers were assembled in China for Elemental (an Amazon company) by Super Micro Computer, a San Jose-based company that’s also one of the world’s biggest suppliers of server motherboards. These had a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the board’s original design. Investigators determined that the chip allowed unknown attackers to create a stealth doorway into any network a server was on. In other words, spying back-doors in IT and IoT products.

Investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, Amazon and the world’s most valuable company, Apple Inc. Amazon and Apple were important Supermicro customers. Apple no longer uses Supermicro.

One country has an advantage executing this kind of attack: China, which by some estimates makes 75% of the world’s mobile phones and 90% of its PCs.

Problems with the Bloomberg report

Chip or not, competent system administrators should quickly pick up suspicious internet traffic from their servers to command-and-control servers. Mind you, the term competent administrators may be an oxymoron.
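As an added illustration of the egress monitoring that paragraph calls for (example code written here, not from the article or from Bloomberg's report), the script below takes constructed outbound flow records and flags two things a hidden implant would produce: server traffic to hosts outside the allowlist, and contacts to one destination at near-constant intervals, the check-in pattern typical of command-and-control beacons. The internal ranges, allowlist and flow data are all assumptions.

```python
"""Flag server egress that looks like command-and-control beaconing (added example)."""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumed internal address space; anything else counts as "external".
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed allowlist: destinations a server is expected to reach (e.g. a patch mirror).
ALLOWED_DST = {"203.0.113.10"}
# Constructed flow records (src, dst, epoch seconds). 10.1.0.5 contacts 198.51.100.7 every 600 s.
FLOWS = [
    ("10.1.0.5", "203.0.113.10", 1000), ("10.1.0.5", "198.51.100.7", 1200),
    ("10.1.0.5", "198.51.100.7", 1800), ("10.1.0.5", "198.51.100.7", 2400),
    ("10.1.0.5", "198.51.100.7", 3000), ("10.1.0.6", "203.0.113.10", 1100),
    ("10.1.0.6", "198.51.100.9", 1500),  # a one-off contact, not a beacon
]

def is_external(ip: str) -> bool:
    """True when the address lies outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def unexpected_egress(flows, allowed=ALLOWED_DST):
    """Sorted (src, dst) pairs that leave the network for non-allowlisted hosts."""
    return sorted({(s, d) for s, d, _ in flows if is_external(d) and d not in allowed})

def beacon_candidates(flows, min_count=4, max_jitter=0.15):
    """(src, dst) -> average interval for pairs contacted at near-constant spacing.

    max_jitter bounds the coefficient of variation (stdev / mean) of the gaps,
    so slightly jittered check-ins still match while irregular traffic does not.
    """
    times = defaultdict(list)
    for s, d, t in flows:
        times[(s, d)].append(t)
    hits = {}
    for pair, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[pair] = avg
    return hits

if __name__ == "__main__":
    for pair in unexpected_egress(FLOWS):
        print("unexpected egress:", pair)
    for pair, period in beacon_candidates(FLOWS).items():
        print(f"beacon-like: {pair} every ~{period:.0f}s")
```

On real data the flows would come from NetFlow or firewall logs, and the allowlist from the server's documented dependencies.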

The Trump administration has made computer and networking hardware, including motherboards, a focus of its latest round of trade sanctions against China. White House officials have made it clear that companies should begin shifting their supply chains to other countries.

And US Vice President Mike Pence called on US companies to avoid doing business in China if it means handing over valuable technology to their local Chinese counterparts.

So, the sky is falling.

Those inscrutable Chinese placing spying back-doors in IT and IoT

Millions of security cameras made by Chinese-owned Ezviz/Hikvision (many sold under a plethora of well-known brands with no hope of firmware updates) had a back-door that allowed some of its products to be remotely hacked and turned into surveillance cameras. Despite widespread publicity, no patches are forthcoming.

Another Chinese VoIP specialist, dbltek, appears to have purposely built in a back-door as a debugging aid, according to Trustwave. The back-door can be used to install malware or spy on conversations.

Even a Chinese company as large as Lenovo is not immune, although its response is heartening. But it is a stark reminder that ‘When in Rome, do as the Romans do’ – or else:

If they want backdoors globally? We don’t provide them. If they want a backdoor in China, let’s just say that every multinational in China does the same thing. We comply with local laws. If the local laws say we don’t put in backdoors, we don’t put in backdoors. And we don’t just comply with the laws; we follow the ethics and the spirit of the laws. Likewise, if there are countries that want to have access, and there are more countries than just China, you provide what they’re asking.

Chinese internet giant Tencent was quick to defend a ‘feature’ in which a smartphone selfie camera self-activates when messaging apps are opened, leaving the country’s mobile users very worried. It appears that Tencent insisted the ‘feature’ be part of Chinese-made phones. It was discovered by a user of a Vivo NEX phone with a motorised pop-up camera, although it affects an unknown number of brands and models.

These snooping features have not just affected people from mainland China, but those from outside the country who want to communicate with friends in China. As the Chinese government has blocked most foreign social media technologies, anyone who wants to communicate with people in China has little choice but to install applications made in China, such as WeChat.

Then there is the Huawei and ZTE debacle and their exclusion from both Australian and US 5G infrastructure. The real issue here is not that they cannot be trusted, but that they are subject to Chinese laws that could conceivably be used to ensure their compliance. Perhaps the sanest, non-xenophobic reason I have heard is that critical infrastructure like 5G, telecommunications, utilities etc. needs to be provided by an implicitly trusted source, and governments have those choices.

Adaptation of the Chinese flag with an ear on it.

GadgetGuy’s take:

Where there is smoke, there is fire. Throw enough mud and some sticks. But how does the allegation of spying back-doors in IT and IoT affect us?

If you are Joe and Jane Average living in suburbia, then this does not really affect you. China makes 75% of the world’s phones (including Apple’s), and I do not think for a minute its spies are after you. It is more likely that the Australian Federal Police are looking for keywords and metadata on every brand of phone, because Australian telcos are subject to Australian laws. I won’t complain if it keeps me safe.

But if you are a provider of critical infrastructure or keeper of secrets, then a certain degree of healthy paranoia is good.