Take this with the proverbial grain of salt, but Bloomberg has published a detailed investigative report today alleging that several U.S. companies, including Amazon and Apple, suffered a security intrusion via hardware infiltration. This isn't a hack in the software sense: it's the result of a literal physical modification to server motherboards at the time of manufacturing by subcontractors in China, allegedly coerced by operatives working for the Chinese People's Liberation Army, which would make this a state-backed attack.
For the full details, I encourage everyone to read Bloomberg's full report. It isn't particularly dense, and it does an excellent job of explaining the concepts required to understand how this happened. It also covers some of the details surrounding the multi-year history of the investigation on both the political and corporate level, as well as explaining some of the technical aspects behind the infiltration — though it isn't exactly a white paper.
The potential appearance and relative size of the compromised chips. Image source: Bloomberg
The hardware hack took the form of an implant placed on motherboards at the time of manufacturing by Chinese subcontractors hired by Supermicro Computer Inc., the supplier to the companies in question. Allegedly these implants could pass visually as ordinary components such as signal-conditioning parts. The original motherboard designs were modified by the subcontracted Chinese manufacturers to include the part and wire it to the baseboard management controller (BMC): a separate management processor on the board that runs its own firmware, has its own network interface, and keeps working whether or not the host operating system is up. If you know of Intel's often-criticized Management Engine, the idea is similar. A controller in that position has access the host doesn't police, including the ability to read and write system memory and perform other low-level operations without the OS observing them. That means although the implant itself may not be powerful enough to do anything nefarious directly, it sits where it can surreptitiously load external code that can.
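To make the detection problem concrete, here is an added example of the first check a defender usually reaches for: hash a dump of the BMC's flash region by region and compare it against a vendor-published manifest, then locate where a mismatching region first deviates. This is my illustration, not code from Bloomberg, Supermicro or any affected company; the region layout, image contents and manifest are all constructed for the example.

```python
import hashlib
import hmac

# Constructed example: a toy flash image laid out as named regions, the way a
# BMC's SPI flash carries a boot block, a kernel and a root filesystem.
# Names, offsets, sizes and contents are invented for this example.
REGIONS = (
    ("boot", 0, 64),
    ("kernel", 64, 128),
    ("rootfs", 192, 128),
)
IMAGE_SIZE = 320


def build_reference_image() -> bytes:
    """Deterministic stand-in for a known-good firmware dump (constructed)."""
    return bytes((i * 7 + 3) & 0xFF for i in range(IMAGE_SIZE))


def region_manifest(image: bytes, regions=REGIONS) -> dict:
    """Per-region SHA-256 digests, the shape a vendor manifest would take."""
    return {
        name: hashlib.sha256(image[offset:offset + size]).hexdigest()
        for name, offset, size in regions
    }


def verify_image(image: bytes, manifest: dict, regions=REGIONS) -> list:
    """Names of regions whose digest does not match the manifest.

    An empty list means every region matched. A wrong overall size is reported
    as its own entry so a truncated or padded dump is never silently accepted.
    """
    bad = []
    if len(image) != IMAGE_SIZE:
        bad.append("size")
    for name, offset, size in regions:
        digest = hashlib.sha256(image[offset:offset + size]).hexdigest()
        # Constant-time compare; cheap, and avoids building a timing habit.
        if not hmac.compare_digest(digest, manifest[name]):
            bad.append(name)
    return bad


def first_difference(image: bytes, reference: bytes):
    """Offset of the first byte that differs from the reference dump, or None."""
    for i, (a, b) in enumerate(zip(image, reference)):
        if a != b:
            return i
    if len(image) != len(reference):
        return min(len(image), len(reference))
    return None


def tamper(image: bytes, offset: int, value: int) -> bytes:
    """Flip one byte, standing in for a modified firmware image."""
    buf = bytearray(image)
    buf[offset] = value
    return bytes(buf)


if __name__ == "__main__":
    reference = build_reference_image()
    manifest = region_manifest(reference)
    print("clean dump:", verify_image(reference, manifest))
    # Byte 100 lies inside the "kernel" region (offsets 64..191).
    modified = tamper(reference, 100, 0xEE)
    print("modified dump:", verify_image(modified, manifest))
    print("first differing offset:", first_difference(modified, reference))
```

The caveat is the important part. A dump read back through the host shows what the host can see, not necessarily what the BMC executed at boot: an implant wired into the path between the BMC and its flash can feed the controller different bytes at startup while a later dump reads clean, and an implant that only alters the BMC's behaviour at runtime changes no stored bytes at all. A check like this catches crude firmware replacement; it does not refute the kind of attack Bloomberg describes, which is exactly why the report's sources say there is no commercially viable detection and why measurement needs to happen in the controller's own boot path, rooted in hardware, rather than after the fact.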
According to Bloomberg, U.S. agencies aware of the possibility have been investigating this hardware-based infiltration since at least 2014, with affected companies noticing the suspicious hardware modifications as early as 2015. In the three years since, Bloomberg writes, "no commercially viable way to detect attacks like the one on Supermicro's motherboards has emerged."
The relevance to Android, at first glance, seems tenuous. Although Amazon and Apple were alleged to be affected, nothing in the report directly implicates Android devices, only the backend services they might use. However, there is one potential avenue for future concern: Qualcomm SoCs starting with the Snapdragon 845 also include a security-oriented, isolated hardware platform called the Secure Processing Unit.
Qualcomm's SPU isn't quite the same as the Intel Management Engine or the baseboard management controller manipulated in Bloomberg's report. So far as I can tell from the limited information provided by Qualcomm, the SPU is isolated, but it may not have elevated access to other component hardware in the chipset. If it did, it could be a cause for concern in the future, as Bloomberg notes that "in one case, the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached." In such cases, security-compromising hardware modifications could even be hidden in the space-restricted confines of phones someday.
Amazon and Apple dispute the claims
Both Amazon and Apple have denied the claims advanced by Bloomberg in separate statements given today, each rejecting the specific assertions about malicious modifications to motherboards and denying that any investigation or government cooperation on such an investigation took place. Corroborating evidence presented by Bloomberg, such as Amazon's sale of server hardware to Sinnet and claims about Topsy and Siri sharing space on Apple's servers, was dismissed as well.
Apple also provided the statement it gave to Bloomberg last year:
Despite numerous discussions across multiple teams and organizations, no one at Apple has ever heard of this investigation. Businessweek has refused to provide us with any information to track down the supposed proceedings or findings. Nor have they demonstrated any understanding of the standard procedures which were supposedly circumvented.
No one from Apple ever reached out to the FBI about anything like this, and we have never heard from the FBI about an investigation of this kind — much less tried to restrict it.
Amazon's Steve Schmidt also stated, "at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government."
Hopefully, Bloomberg's sources become public or we catch a real-life glimpse of the compromised hardware itself. Without additional information, all we have are Bloomberg's claims and the Apple and Amazon rebuttals, with nothing independent to weigh them against.
China and Supermicro add their voice
Bloomberg has compiled a series of responses to its article, which also includes statements by Supermicro and China's Ministry of Foreign Affairs. Like the Apple and Amazon statements, each disputes the facts presented by Bloomberg in its own way.
Supermicro responded to a request for a statement by Bloomberg, saying "while we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard."
China's statement isn't a direct rebuttal and lacks the point-by-point precision of the other named parties' responses. Instead, it speaks more abstractly about supply chain safety and international cooperation. Still, the contrary intent behind the message is evident when the short statement concludes: "We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace."
With basically every party named by Bloomberg refuting the story, hopefully more evidence for the allegations is forthcoming.