Bloomberg is not an organization to dismiss lightly. If it says, after months of research based on more than 15 sources, that it has discovered that Chinese spies have misused chips in all kinds of server equipment, there is perhaps cause for concern. Those chips, no bigger than a grain of rice, would make it possible to secretly enter a network and transmit data from there.
The chips are also embedded in the servers of video compression startup Elemental, which was acquired by Amazon in 2015. Amazon found out, and from there an investigation went all the way down the rabbit hole. Elemental's servers were made by Supermicro of San José, which in turn had some parts manufactured by subcontractors in China. That is where the opportunity to implant the chips arose.
Is there such a thing?
Supermicro makes a lot of server equipment that is used by all kinds of big companies such as Amazon and Apple. It may even supply the US government. So they would all run the risk that their data was captured by the Chinese … er … party. Remember that Amazon in particular has a lot of other customers through its web services, so potentially this could be a disaster.
It is not, however, says Amazon. No evidence has been found to support the claim about the espionage chips, Amazon Web Services says. Apple also calls the story nonsense. According to the company from Cupertino, Bloomberg is wrong and this story is being confused with an incident from 2016 in which an infected driver was found in a Supermicro server. That turned out not to be a targeted attack, but an error.
In addition, it is extremely difficult to manufacture a chip such as this at a hardware level, one that is not only barely visible but can also operate independently of all software running on the servers. Whether it is really true remains to be seen, but rest assured: after this report everyone will take servers apart to find the chips or to say with certainty that they are not there.
What does that mean for us?
For us, it means nothing yet. The chip would be intended for industrial espionage and for spying on the American government, so nothing is being done with the data that passes through the possibly infected servers. It could have consequences for the long-term security of the systems that many of us use, but more in the sense that the services themselves would have to go offline temporarily in the worst case. No reason for panic yet.