Skip to Content
Security & privacy

Does your motherboard have a secret Chinese spy chip?

Did you hear about the report that said China has been covertly adding tiny microchips to server motherboards that were manufactured in the country? It came out last week, and had the tech world in a tizzy.

And why wouldn’t it? The kind of supply chain attack that was presented is quite scary, and certainly possible. And the ramifications of it being true, if it is, could be devastating to our national security.

Not surprisingly, the companies who would be victims here claim this is a non-story. That’s not to say there’s nothing here — the report exists for a reason. Just, this is a really big deal and up to this point no one wants to admit it’s true.

And why would they?

The issue was reported by Bloomberg, who went into great detail on what they uncovered and why it is going on. The feature piece was titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies” and it understandably raised some eyebrows, especially since it claimed nearly 30 major companies or organizations were victimized, including tech giants Amazon and Apple.

Bloomberg’s reporting was quite detailed, and the picture it painted was one of deception combined with great technology that was used to fool everyone. It’s a brilliant scheme, really, as secretly installing the chips inside the Super Micro motherboards manufactured by Chinese subcontractors would make it really difficult for anyone to even realize something was amiss.

There would be a supply-chain trail, of course, but why would anyone think there was a problem unless they were told to look for one? If true, the microchips would allow backdoor access to a server, which could lead to all sorts of problems.

As the Bloomberg report put it, the Chinese spy chips were there to exploit the baseboard management controller, which can let a remote administrator control the computer while modifying existing firmware on the system, likely for malicious purposes. The chip could allow Chinese spies to open a back door into a company’s servers and have free reign to do whatever they’d like.

It would be quite the scam, especially since most people probably would not know what to look for to even identify the issue’s existence. IT people could, however, if they noticed when the chip was sending information back to the spies who were using it. As long as the network was being monitored, that communication would obviously be pretty suspicious.

But is it a real issue?

The answer is not entirely clear. Bloomberg of course stands by their report, which is in-depth and quite worrisome.

Apple, Amazon and Super Micro have come out with strong denials of there even being an issue, and an apparent lack of evidence seems to back up their claims. There are no specific details of the Chinese spy chip, only a report that one exists.

Up to this point, there is no record of anyone who has actually found one. Therefore, it is easy to conclude that this threat is more conjecture than reality, though that does not mean it is a myth.

That said, the Department of Homeland Security released a statement casting doubt on Bloomberg’s report. It reads:

“The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.

“Just this month — National Cybersecurity Awareness Month — we launched several government-industry initiatives to develop near- and long-term solutions to manage risk posed by the complex challenges of increasingly global supply chains. These initiatives will build on existing partnerships with a wide range of technology companies to strengthen our nation’s collective cybersecurity and risk management efforts.”

The Bloomberg report named nearly 30 companies as targets of the scheme, which would mean if it is true, the investigations that are going into it right now should ultimately turn up some kind of evidence that proves its existence. Whether or not their findings will be made public is anyone’s guess, so even if it is real, there’s a chance we’ll never know about it.

And if a chip is found?

Any company affected will have to deal with the knowledge that their servers may have been hacked. The fallout from such a revelation could be dramatic, especially if the rabbit hole they go down leads to the discovery of even more troubles.

On a national-security level, it would show how vulnerable our systems can be, especially as tech manufacturing gets outsourced to other, perhaps less-than-friendly countries.

Seen through the lens of the trade war the United States is currently in with China, it could make an already strained relationship that much more testy.

After all, if Chinese spies have found a way to infiltrate some of America’s most prominent and important tech companies, especially those who millions of people trust and rely on, it would only further the idea that U.S. companies should not trust their Chinese counterparts with building their tech.

Should I worry about it?

Unfortunately, there seems to be no way of knowing whether or not the spy chips actually exist and, if so, who all they have affected and how. You could be concerned if your motherboard was pieced together by Super Micro, but again, they are denying the story altogether.

At this point, all we can do is wait for the investigations to play out and, if they uncover something, figure out what kind of damage was caused. Only from there could we know what steps should be taken, if we can take any at all.

Komando Community background

Join the Komando Community

Get even more know-how in the Komando Community! Here, you can enjoy The Kim Komando Show on your schedule, read Kim's eBooks for free, ask your tech questions in the Forum — and so much more.

Try it for 30 days