Take this with the proverbial grain of salt, but Bloomberg has published a detailed investigative report today alleging that a list of U.S. companies, including Amazon and Apple, suffered a security intrusion via hardware infiltration. This isn't a hack in the software sense; it's the result of literal physical modification of server motherboards at the time of manufacturing by subcontractors in China, allegedly coerced by operatives working for the Chinese People's Liberation Army — making this a potentially state-backed attack.

For the full details, I encourage everyone to read Bloomberg's full report. It isn't particularly dense, and it does an excellent job of explaining the concepts required to understand how this happened. It also covers some of the details surrounding the multi-year history of the investigation on both the political and corporate level, as well as explaining some of the technical aspects behind the infiltration — though it isn't exactly a white paper.

The potential appearance and relative size of the compromised chips. Image source: Bloomberg

The hardware hack took the form of an implant placed on motherboards at the time of manufacturing by Chinese subcontractors hired by Supermicro Computer Inc., the supplier to the companies in question. Allegedly these implants were able to pass visually as other components. Original designs for the motherboards were modified by the subcontracted Chinese manufacturers to include the part, connecting it to the "baseboard management controller" — something like the often-criticized Management Engine used by Intel, if you know what that is. Controllers like these hold additional privileges over the rest of the system, allowing unobserved modification of things like system memory and other low-level operations. That means that although the additional hardware may not be powerful enough in itself to do anything nefarious directly, it's in a position to surreptitiously load external software that can.

According to Bloomberg, this hardware-based infiltration has been under investigation by U.S. agencies aware of the possibility since at least 2014, with affected companies noticing the suspicious hardware modifications as early as 2015. The report adds that in the last three years "no commercially viable way to detect attacks like the one on Supermicro's motherboards has emerged."

The relevance to Android, at first glance, seems tenuous. Although Amazon and Apple were alleged to be affected, there's no direct implication for or effect on the world of Android itself, merely on the services it might use. However, there is one potential avenue for future concern: Qualcomm SoCs starting with the Snapdragon 845 also include a security-oriented, isolated hardware platform called the Secure Processing Unit.

Qualcomm's SPU isn't quite the same as the Intel Management Engine or the baseboard management controller manipulated in Bloomberg's report. So far as I can tell from the limited information provided by Qualcomm, the SPU is isolated, but it may not have elevated access to other component hardware in the chipset. If it did, it could be a cause for concern in the future, as Bloomberg notes that "in one case, the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached." In such cases, security-compromising hardware modifications could even be hidden in the space-restricted confines of phones someday.

Hero image photo by Louis Reed on Unsplash