Be warned against buying hardware from China: it could be fitted with extra micro-chips designed to break into your organisation.
The threat from technology built in China loomed large with the discovery of additional micro-processors on standard motherboards. It’s believed the problem affected around 30 US companies, including Amazon and Apple. The motherboards were also installed in servers used by major US government organisations such as the Department of Defense, the Navy and the CIA.
According to media sources, the threat first became apparent when Elemental Technologies, a young video software-compression company, was being evaluated by Amazon as a potential acquisition in 2015.
A third party in Canada was hired to scrutinise Elemental’s security. When motherboards were shipped to Ontario for examination, the tiny micro-chips were discovered, chips that weren’t part of the manufacturer’s official specification.
Amazon has always denied that the threat was known about so long ago.
The motherboards were made by Supermicro. Its headquarters are in San Jose, but it has production facilities in various countries, including China, and it dominates the US$1 billion market for boards in so-called “special-purpose” computers – such as MRI scanners and weapons systems.
US investigators believe the alteration of motherboards was carried out at the manufacturing stage, in China, by operatives working for the People’s Liberation Army.
What the “grain of rice” chip can do is create a doorway into any network. At any time in the future it can be used to gather valuable data.
One US government official interviewed by Bloomberg News claimed that the aim of these rogue chips was to give China long-term access to valuable corporate secrets and to sensitive government networks.
While the target might be specialist computers, the deliberate tampering with a major IT supply chain presents an ongoing threat to anyone who buys hardware built in China.
Check your kit
Gary Jowett, from Computer & Network Consultants in Brighton, said: “If the problem is three years old already, your company may have unwittingly purchased kit with these motherboards fitted. So, it’s worth contacting an independent IT consultant to check the kit’s provenance. Also, any IT partners you use – including cloud services providers – should be able to guarantee that servers they use have a clean bill of health.”