October 5, 2018
Bloomberg dropped a bomb shell of an article recently “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies”. We highly recommend on reading it. The article has been since called to question about its truthfulness. All parties involved in the article have responded with strong denial of Bloombergs claims. Amazon and Apple both released statements calling Bloombergs claims false and not factual.
Even if the Bloombergs article was false it brings to light a serious threat possibility in the hardware and the supply chain. These attacks have been known to be possible for a long time but the scale of it in Bloombergs article is mind blowing. Tens of thousands of Supermicro servers used by US government and big companies infected with a sophisticated hardware implant that could exfiltrate data out of the server or run and inject code into the machine.
Scary thought. Even scarier thought, if it can be done on Supermicro motherboards it could be done on mobile phones. Better yet, closed source firmware can do the same thing without needing a physical implant on the hardware and it is running in every single smartphone currently.
In a follow-up article from Bloomberg they revealed the possibility of another attack through this infected firmware. Firmware in these components is usually proprietary and closed source and very hard to verify. This “black code” can do anything on your server or device even without it being “infected”.
As this threat has been known for awhile it has already made some countries look into the future and take action regarding 5G infrastructure and governmental networks. Huawei and ZTE, two very big Chinese router and phone manufacturers, have been banned so far in USA, Australia and India from participating in the 5G networks and governmental infrastructure. It should not take long to realize that what the router can do and the threat it poses can also be done in smartphones.
Similar trends can be seen in Europe with Germany announcing a new cyber security fund in attempt to distance itself and end its reliance on mainly US and China made technologies. France has also realized this threat of using US based code, especially when its from a CIA-backed startup and its rooted deep within Frances infrastructure. France is also looking for local and European based solutions for their mission-critical infrastructure by funding research and companies working in these technologies.
Once you have hardware made with open source components that masses can verify, you get rid of these security issues and threats. Especially when you manufacture the device in for example Europe with great oversight, you can be sure there are no targeted supply chain or hardware threats. Combined with open source software you have the most secure mobile platform to build on in the world. This is exactly what we are aiming for with our Necuno Mobile, a verifiably secure mobile platform that you can trust and build upon.