Thursday, October 4, 2018

Tiny Chinese MicroChips Have Compromised US Cybersecurity

The Chinese fabricate over 50% of all computer-related products imported into the US and almost three-quarters of the world's mobile phones. Two huge Chinese telecommunications companies have been found to manufacture motherboards that are implanted with tiny microchips the size of a grain of rice. These motherboards were then sold to SuperMicro, an electronics hardware company based in San Jose that, among other products, manufactures servers for many US corporations and the Department of Defense.

In 2015 the wheels started to come off this scheme:
Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.
[Image: SuperMicro server motherboard]
[…]Today, Supermicro sells more server motherboards than almost anyone else. It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards—its core product—are nearly all manufactured by contractors in China.
Government and private researchers ultimately discovered that the People's Liberation Army was responsible. The PLA bribed or threatened Chinese component manufacturers and their subcontractors who produced these motherboards into cooperating with the vast spy operation. Apparently, perhaps tens of thousands of corrupted motherboards have been placed into the servers of thirty US corporations, as well as into American weapons systems.

These chips can assume control of the CPU and its internal memory (i.e., prefetch cache instructions) as well as communicate with other servers. These instructions are hard-coded within the chip and can vary from one server application (telecoms) to another (weapons systems).

The implications are beyond frightening.
The ramifications of the attack continue to play out. The Trump administration has made computer and networking hardware, including motherboards, a focus of its latest round of trade sanctions against China, and White House officials have made it clear they think companies will begin shifting their supply chains to other countries as a result. Such a shift might assuage officials who have been warning for years about the security of the supply chain—even though they’ve never disclosed a major reason for their concerns.
Story here.


UPDATE

Finally someone is getting serious. From The Hill:
The Senate on Wednesday passed a key cyber bill that solidifies the Department of Homeland Security’s role as the main federal agency overseeing civilian cybersecurity.  
Sen. Dan Sullivan (R-Alaska) asked for “unanimous consent” to pass the Cybersecurity and Infrastructure Security Agency Act, a bipartisan bill that will establish a cybersecurity agency that is the same stature as other units within DHS.  
The bill will rebrand DHS’s main cybersecurity unit known as National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Protection Agency, spinning the headquarters office out into a full-fledged operational component of DHS on the same level as Secret Service or FEMA.
