Martin Romijn, Chief Information Security Officer (CISO) of TU/e, says that over the past few weeks an extensive investigation has been conducted into the allegations made in the Bloomberg article of October 4. The article alleges that malicious chips, as big as a grain of rice, may have been placed on the motherboards of computers made by the SuperMicro company. Allegedly this was done during their production in China. The chips were supposedly meant to make espionage on those systems possible. The international security community raised the alarm and tried to corroborate the allegations made in the article with hard evidence.
According to Romijn, such evidence was not found, and the CISO has also looked for expertise within TU/e to get more clarity about the potential dangers. Luca Allodi, Assistant Professor in the Security and Embedded Networked Systems group of Mathematics and Computer Science, has duly considered the issue. Allodi also says that since the beginning of October no hard evidence has surfaced that makes the allegations by Bloomberg plausible. “Which does not mean, for that matter, that it would not be technically possible to do so”, says Allodi. Still, in his opinion it should also be possible for experts to trace such chips on a motherboard.
Another way of checking the allegations made by Bloomberg is to monitor the network traffic of a server that may have been manipulated. That, too, has not yielded anything out of the ordinary, say Romijn and Allodi. Moreover, Allodi sets great store by the denials of several major companies, such as Apple and Amazon, that there is any substance in the accusations.
Is that the end of the matter, and are the SuperMicro servers safe? Allodi: “You can never say so with 100% certainty, but at this moment any firm evidence to the contrary is lacking. It would indeed be a peculiar thing to do, for how does China know precisely where servers are going and which systems thus need to be spied on? That would be letting off a shower of shot to kill a gnat and seems rather pointless to me.”
On the TU/e intranet site, Information Management & Services does advise users to ‘secure the access to the so-called Baseband Management Controller ports appropriately by means of firewalls and not to leave them open to the internet’. Romijn explains: “Within a research group it is well known who exactly needs access to a certain server. Make sure that only those persons have that access and isolate the server from the outside world, then nobody can penetrate into that system and nothing could go out either with such a built-in chip.”