Both Amazon and Apple have demanded that Bloomberg retract its recent news story that China embedded a spy chip in circuit boards in use by those companies' servers. In the original article, the chip was described as "not much bigger than a grain of rice" and as something that "wasn't part of the boards' original design."

The tech giants claim that Bloomberg's story keeps changing and that much of it lacks evidence. However, there's an even better reason why the Bloomberg story can be dismissed out of hand: it's completely ridiculous, because if China wanted to add a spying capability to hardware, it has a far less detectable way to do so.

Contrary to how they appear to the electronically illiterate, circuit boards are not particularly complex. A competent electronic engineer can compare a board as manufactured to the board's circuit design simply by eyeballing. That's especially true as circuitry has migrated from the boards onto SOC (System On Chip) designs, which tends to make boards less complex.

Sticking a "spy chip" on a circuit board is about as subtle as storing a "secret" key to your car by using it as the hood ornament. The entire concept is beyond ludicrous, especially since it would be trivial for the Chinese government to hide spy circuitry inside a chip that's already part of the circuit board design.

There are two ways this could be accomplished with little to no chance of detection:

1. When the chip is originally designed.

It's been decades since chip designers laid out the internal circuitry of a semiconductor by hand. Today's designers use fantastically complex programs (called EDA, or Electronic Design Automation, tools) that handle the layout of the billions of components and connections that make up a modern chip.

During that process, much of the circuitry is transferred into the chip design in the form of "blocks" of pre-defined intellectual property (IP) that's already been designed and tested to correctly perform certain functions. IP blocks are basically black boxes; if a designer upstream inserted some rogue circuitry, it would be propagated everywhere that IP block ends up.

There's no evidence that this has ever happened, but it remains a possibility. However, there's a much more likely point where a bad actor could insert rogue circuitry into a chip...

2. When the chip is manufactured.

Chip manufacturing plants (aka fabs) don't simply make chips as designed. Especially at the smaller (and thus harder to manufacture) geometries reserved for the most important chips, fabs tend to have their own, proprietary manufacturing processes with their own peculiarities.

As a result, chip manufacturers have their own design engineers who make changes to the original chip design to ensure it can be correctly manufactured with an acceptable yield (i.e., a small number of failed chips). While the fab engineers typically work closely with the original designers, it would be trivial for a fab engineer to add a rogue "spyware" block of IP that would be virtually undetectable.

So let's assume that China wants to add an undetectable rogue block of IP into a manufactured chip. The obvious place to do this would be at the fabs owned by the China-based chip giant, the Semiconductor Manufacturing International Corporation (SMIC), which has strong ties to (and receives funding from) the Chinese government. To potentially make matters even worse, SMIC chips are pretty much everywhere: computers, smartphones, Internet of Things devices, etc.

What's scary about this scenario is that chip-embedded rogue IP would be almost impossible to detect except, maybe, when it was communicating with another device or chip, like by piggy-backing data on the "noise" accompanying a wireless signal. (I don't know if that would actually work, but there are probably other ways to accomplish the same thing.)

Note: I'm not saying that this has actually happened nor am I accusing SMIC of anything. (I've reached out to SMIC for comment but have not heard back from them.) Frankly, based upon what I've heard, their industry reputation is sterling. Certainly they're extremely competent technically.

I am saying, however, that if China wanted to widely spy on companies and individuals, it wouldn't need the absurdly ham-handed approach of adding a chip to a circuit board. In short, as ridiculous as Bloomberg's "spy chip" story might seem, it theoretically could contain a core of truth. So maybe it's unwise to immediately dismiss the Bloomberg story as utter nonsense.

With all of the above in mind, I wonder whether it might not make sense for companies developing products that might be sensitive to espionage (corporate or otherwise) to consider running their development systems entirely disconnected from the Internet.

Employees would access email on separate devices and there'd be some kind of protocol for bringing data from the Internet into the closed-off development system through an intermediary storage device so that the dev system is never accessible on the Web.
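The column leaves the "some kind of protocol" for moving data onto the closed-off system unspecified. The script below is an added example, not code from the column or from any company it mentions, of one defensive piece of such a protocol: the Internet-facing staging host records a manifest (path, size, SHA-256) for every file that is meant to cross, and the air-gapped side refuses to copy anything off the intermediary medium that is not in the manifest, does not match it, or is of a file type outside a hypothetical allowlist. The manifest is assumed to reach the closed side over a separate channel (or signed); the directory names, the allowlist and the sample files are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical allowlist of file types the closed network will accept from outside.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".json", ".pdf"}
MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large transfers don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(staging_dir: Path) -> dict:
    """Run on the Internet-facing staging host: record every file that is meant to
    cross into the closed network, keyed by relative path, with size and hash."""
    manifest = {}
    for p in sorted(staging_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(staging_dir).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return manifest


def verify_import(media_dir: Path, manifest: dict, allowed=ALLOWED_EXTENSIONS):
    """Run on the air-gapped side before anything is copied off the medium.
    Returns (accepted, rejected): accepted is a sorted list of relative paths,
    rejected maps relative path -> reason."""
    accepted, rejected = [], {}
    present = {
        p.relative_to(media_dir).as_posix(): p
        for p in media_dir.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }
    # 1. Anything on the medium that the manifest never listed is rejected outright.
    for rel in present:
        if rel not in manifest:
            rejected[rel] = "not in manifest"
    # 2. Everything listed must be present, an allowed type, and byte-for-byte what was staged.
    for rel, meta in manifest.items():
        p = present.get(rel)
        if p is None:
            rejected[rel] = "listed but missing"
        elif Path(rel).suffix.lower() not in allowed:
            rejected[rel] = "file type not allowed"
        elif p.stat().st_size != meta["size"]:
            rejected[rel] = "size mismatch"
        elif sha256_of(p) != meta["sha256"]:
            rejected[rel] = "hash mismatch"
        else:
            accepted.append(rel)
    return sorted(accepted), rejected


def demo():
    """Constructed end-to-end run: stage two files and build the manifest, then
    simulate the medium being altered in transit (one file changed, one extra
    executable dropped on it) and verify on the receiving side. The same
    directory stands in for both the staging host and the removable medium."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp) / "staging"
        staging.mkdir()
        (staging / "notes.txt").write_text("design notes\n")
        (staging / "vendors.csv").write_text("name,part\nacme,123\n")
        manifest = build_manifest(staging)
        # Simulated tampering after the manifest was recorded (same length, different bytes):
        (staging / "vendors.csv").write_text("name,part\nacme,999\n")
        (staging / "setup.exe").write_bytes(b"MZ constructed junk")
        return verify_import(staging, manifest)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The check deliberately rejects in both directions: files the manifest lists but which changed on the way, and files that appeared on the medium without ever being staged. Either case is a sign that the intermediary device was touched outside the protocol and should be investigated rather than quietly skipped.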

Considering that rogue IP inside chips is only the latest in a series of cyber security holes, it surprises me that more companies haven't already elected to do this. Yes, it would be a huge hassle to run a data center like this, but I suppose it all comes down to what risks you're willing to take.

Published on: Oct 23, 2018