Super Micro Computer Inc, also known as 'Supermicro', is one of the largest manufacturers of high-end server motherboards. Their products are top of the range and highly sought after by large technology companies such as Amazon and Apple. However, in a worrying turn of events, it has been revealed that malicious chips, no bigger than the tip of a sharpened pencil, have been found on these boards.
The chips allow attackers to gain access to any network of which they are part. As part of the investigation, it was discovered that the chips were likely inserted during the manufacturing process in China. These manufacturing subcontractors were responsible for building the boards for Supermicro, and it is thought that the subcontractors were infiltrated by members of the People's Liberation Army of China.
The matter has been under investigation since 2015, when the tiny chip was discovered as part of due diligence work undertaken by Amazon. As part of their upcoming purchase of Elemental Technologies, they were undertaking a closer look at security matters when they discovered a chip that was not part of the original motherboard design.
Source: Scott Gelber for Bloomberg Businessweek
Bloomberg has been taking a closer look at the matter. In their bombshell report, they reveal that "Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers."
They continue, "During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China."
Source: Bloomberg Businessweek
Usually hacks are undertaken through software; inserting a hardware vulnerability is incredibly difficult. The fact that these chips have found their way not only onto servers used by tech giants, but also onto servers used by government agencies, is both astonishing and terrifying.
So what does this mean for consumers? As far as we know, the compromised hardware was designed to gather corporate and government secrets, and no consumer data has been stolen. However, care should always be taken online: use long, unique passwords, don't share any personal information, and check whether the domain is secured (i.e. its address starts with HTTPS and it has a valid SSL certificate - most browsers will alert you if that is not the case).