China is not selling bugged hardware

Oct 31, 2008 · 3 mins
Data and Information Security, Security

Rumors of secret Chinese spy chips in office computers don't stand up to logical scrutiny

In the last two weeks, I’ve heard various groups theorizing that Chinese companies are producing computers that contain secret spy hardware. According to the theories, this secret chip would either allow backdoor access, record and send information over the Internet, or disrupt the computer when activated.

Here’s one representative article fanning the rumor flames. I’ve been onsite at several companies this last year that refused to let Lenovo (previously branded IBM laptops, now owned by China) laptops in their facilities. Not just not plugged into their networks — not allowed physically onsite.

Let me start by saying that I don’t believe in inter-planetary visitors, ghosts, vampires, or the Bermuda Triangle; I’m a regular listener of the Skeptics’ Guide to the Universe podcasts. I believe in facts, and I’ve yet to see any on the subject of secret Chinese spying hardware.

While it is possible that the Chinese are making computers with hardware-based spyware, I don’t think it would be possible on anything beyond a few token specialized computers attacking specific military targets (if that). Here’s why:

First, let’s speculate that it is true. A widespread spyware attack, such as one covering all Lenovo laptops, would be fairly easily detected. The bigger the spread, the more likely it is to be detected. It’s not like the world can’t find out the true intentions of any hardware chip. Our government certainly has such facilities. The NSA would probably detect something like that. And the world is full of busy reverse-engineering companies that can take apart complicated computer chips like child’s play.

If our government really knew the rumor to be true, wouldn’t Chinese-manufactured hardware be illegal in all government buildings, instead of just a few facilities? And why would our government keep the spy chips a secret? Wouldn’t they want to let American business and the American people know about the huge threat?

Many of the rumors claim that the spy chip can’t be detected because it operates below the operating system layer and, thus, could get around any firewall or other blocking/detection defenses. That might be true for local detection, but the secret chip’s network data stream can’t be perfectly hidden and would be detected by someone. We’ve got thousands of people sniffing their networks every minute of every day looking for signs that vendors are stealing personal information. Government networks are certainly doing the same. Don’t you think someone — anyone — would notice an unauthorized data stream heading to Chinese IP addresses?

Finally, would China, as a country, really bet the bank on a secret chip that if found would mean that no one in the world would ever buy Chinese hardware of any kind ever again? Especially when hackers can routinely, easily break in using all the available, well-known, attack vectors? Chinese leaders would certainly have to approve such a device and then bet — really big — that no one in the world would find the “hidden” devices in the entire lifetime of the computer. The Chinese government would have to involve one or more Chinese hardware companies and bet that no one from those companies would leak the information.

It’s hard to find two people who can keep a secret, much less asking me to believe that the Chinese government, one or more Chinese companies, and our own U.S. government are keeping the secret from the public — and to what ends?

Sorry, I find these rumors to be for the tinfoil hat wearers only.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
