Did China secretly install microchips to spy on U.S. companies?

What happened?

Bloomberg reports that San Jose based company Supermicro implanted microchips on server motherboards.  Over 30 U.S. companies were reported to be affected, including Apple and Amazon, who both deny these claims.

What is it?

An ongoing investigation that started over 3 years ago by Bloomberg has discovered that server motherboards of Amazon acquired company, Elemental, were found to contain tiny microchips that were not part of the initial design.  These boards were supplied by U.S. based company Supermicro, the largest distributor of server motherboards in the world.

How did it happen?

The tiny chip, no bigger than a grain of rice, was implanted during the manufacturing process when the boards were being assembled in China.  Because of cost and economic issues, many companies subcontract and outsource manufacturing to China.

What does it do?

The tiny implant allows a backdoor to the servers’ data by injecting a small amount of code to the core’s operating instructions and giving its own instruction on what to do with the data.  It can tell it to send the data to a remote network or give persistent access to a malicious actor.  The usual controls that would normally prevent the injection of additional code can be bypassed because the implant is part of the actual motherboard.  The implant is hard to detect because it is hardware based, which also makes it almost impossible to fix.

Why is this significant?

If the allegations are true, the growing concern by the U.S. government and companies on the monopoly that China has on the supply chain is substantiated, and it remains to be seen what will be done about the security of the supply chain going forward.

Updates:

Did it really happen?  The companies are denying the allegations, but no word on if they will be going after Bloomberg for printing article.  Cybersecurity experts are still skeptical if this hardware hack happened or not, but agree it is possible, and something the industry has feared for years.  Bloomberg still maintains that the reports are true and are reporting more companies have been affected, including an unnamed U.S. telecom company.