Why I don’t believe Bloomberg’s Chinese spy chip report

Oct 08, 2018 · 8 mins
Critical Infrastructure, Cyberattacks, Security

China can and has stolen the information it wants from US companies without using secretly embedded hardware, so why would it jeopardize its massive semiconductor industry?


I’m very dubious of the recent Bloomberg report stating that several American companies were compromised by spy chips inserted secretly by the Chinese on U.S.-used computer motherboards. The Bloomberg article should be used as a starting point for a very real, serious, and long overdue discussion of supply chain risks, but I’d rather start with the facts supported by evidence instead of anonymous claims that have been unsupported for over three decades.

We know for sure that the Chinese government has broken into thousands of U.S. companies, both over the internet and using human spies, and stolen nearly every secret that was worth stealing. If China wanted to learn about something, they did. It is a national tragedy from which we will never be made whole again.

I’m not saying that Bloomberg didn’t do a good job of researching the claims. I love Bloomberg and read its website every day. However, I’m dubious of these particular claims involving secretly installed Chinese chips. Here’s why:

A brief history of Chinese digital espionage

I’ve been hearing some form of the “Chinese are spying on us using computer chips” story for decades. Early on, the story was that the White House had found secret Chinese spying chips in its computers and had confidentially been telling government contractors not to buy Chinese-made computers. In some cases, Chinese-made computers were not allowed into government contractor businesses.

I consulted at several U.S. government contractors that would not allow me to bring my Lenovo laptop into their facilities. I had to leave it in my car. In a few cases, the threat was deemed so risky that I could not even have it in my rental car on the company’s property. I had to leave it at home or in my hotel.

Each person telling me that I couldn’t use my Chinese-made laptop claimed to have a friend who had seen the top-secret White House document with the “evidence” to back up the claim. After decades of trying to see a copy of that document, I never talked to a person whom I trusted had seen a real document. It was always a “friend-of-a-friend” story.

I first wrote about, and discounted, this dubious accusation against the Chinese almost ten years ago in an article entitled “China is not selling bugged hardware.” That article was written only after a decade of hearing private accusations against the Chinese. At the time, I was frustrated with the seriousness of the claims without any real evidence to back them up. I’ve seen nothing to change my mind in the intervening ten years.

Why keep Chinese spying quiet?

Maybe it happened, but if so, where’s the real evidence? What possible reason could the White House or any government entity have for hiding that they have found a spy chip on computers sold in the U.S.? Are we supposed to believe that American computers are full of Chinese spy chips, but for reasons we can’t explain, it’s better not to let the rest of American businesses know? It strains credulity.

Every purportedly compromised company denies the claims

Every company mentioned in the Bloomberg article is saying it didn’t happen. Apple went so far as to say that not only didn’t it happen, but that it is not under a national gag order preventing it from telling the truth.

Again, what is the benefit of those companies lying to us? Many would have you believe that these companies are worried about customer and consumer trust if they were to reveal the breach. Please!!!

All of these companies have been compromised by foreign adversaries over and over. Billions of our records are stolen each year. There isn’t a man or woman (and increasingly, a child) that hasn’t had their personal information compromised dozens of times in the last ten years.

The existing narrative is that we are compromised all the time, often by foreign adversaries. How would one more announcement of a data breach harm that narrative? If the Chinese spy chip story were true, it would shock no one. Heck, most of America already believes it.

Most chips are foreign-made

Underlying all this likely nonsense is the obvious fact that almost every computer chip in the world is made outside of the U.S., often in Asian locations. I used to laugh when I was told that I couldn’t bring my Lenovo laptop in, but I could bring in my Dell laptop, which itself was full of nothing but Asian-made chips.

If you are worried about supply chain threats, and you should be, it’s not just one little purported spy chip you should be worried about. You can’t find a computerized device in the U.S. that doesn’t have foreign-made chips. There isn’t some secret U.S. government agency that goes around inspecting all those chips for security holes or backdoors before they get put into all our computers.

To me it is a hilarious idea that the Chinese would have to insert a specialized, tiny spy chip when it would be far easier to put an intentional weakness or backdoor into any of the hundreds of chips that are used in every computer on the planet. It would be far easier to hide in the weeds than to create a dedicated spy chip that any hardware expert would notice and question.

The U.S. has done it

I do know of a powerful nation that has implanted spy chips and software backdoors into domestically produced computer equipment that was then shipped to other countries. Yep, the good ole USA. I love America. I’m a patriot in every sense of the word, but it would be hypocritical to discuss this topic without mentioning the fact that the only country that I know of that has implanted spying hardware or software into computers destined for foreign lands is ours — not once, but many times, and that’s just what we know of.

America’s intelligence agencies and law enforcement routinely compromise encryption hardware headed to foreign countries to enable spying on groups who think they are using the world’s best cryptography to protect their digital communications. This type of cyberwarfare was used by the U.S. and its allies against Middle East terrorists and South American drug cartels.

The U.S. intercepts encryption cards and cell phones headed toward groups it is monitoring, to either record the included secret keys to decrypt their encrypted communications or disable the protection altogether. It’s also hard to turn a blind eye to the time that the US and UK broke into Gemalto, the world’s largest producer of cell phone SIM cards and stole the basic encryption codes used by cell phones around the world. It probably includes your cell phone’s SIM card.

In the most famous recent case, the National Security Agency (NSA) implanted Cisco equipment with surveillance programs and backdoors. Cisco says it was not involved in or aware of this intrusion, and I trust that’s true. Let’s not even bring up the several cases where the U.S. government intentionally weakens our own recommended and required cryptography (e.g., DES and Dual_EC_DRBG) to let it spy on its own people.

The supreme irony of what is being claimed is that while the U.S. government is warning all the world to avoid using Chinese-made phones, especially those made by Huawei and ZTE, the NSA was caught implanting backdoor software in Huawei servers with a goal of spying on Huawei and its customers.

Allowing spy chips in its products would be corporate suicide

When it was announced that the NSA implanted backdoors into Cisco network equipment, Cisco said it was unaware of the unauthorized modifications and condemned the NSA. It had to. Like most network and computer companies, Cisco is a global supplier. It relies on foreign companies for much of its revenues.

If it was determined that Cisco knew of the NSA scheme, it would severely damage Cisco’s reputation abroad. I’m sure some foreign customers will not buy Cisco products because of the revelation. It could take Cisco decades to reclaim those lost customers. No company wants this type of bad press.

The same is true of China. If Chinese companies were found to have placed chips on equipment bound for the U.S., it would devastate the Chinese economy. The world would stop buying Asian chips, and any ascension into ranks of the world’s top financial leaders would be over in an instant.

It would be incredibly foolish to spy using hardware chips, because it would be more easily discoverable and be real evidence. It would be even crazier to do it when the Chinese have broken into every company they need to break into using traditional methods that won’t compromise their dominant chip industries. Chinese hackers are already as successful as they need to be without risking the financial stability of their country.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
