It's not the size that I thought was suspicious - that's a pretty common size these days - it was the idea that they could put a chip on there, with one extra pin (assume the other two are power and ground - those are pretty necessary - and yeah, there are some tricks to use pins for more than one thing) and use that to send data somewhere. Exactly how does this chip get put on the board if the printed wiring board wasn't designed for that part? There are no solder pads in the design, so the board has to be modified. Nobody would notice that? Exactly how does "China" get the data? Radio? With something that small and no obvious heat sinking, it's going to be low power, which means it's going to have to be transmitting to someplace close. Again, how? What frequency? What data rates? If signals are going around on the motherboard at "a few" gigahertz, you'd better be sending that rate if you're trying to capture what the users are doing. If it's not radio, the questions get even more uncomfortable. Serial link? Pretty much has to be in the same building. Use the computer itself to send the data? And nobody: no software, no traffic analysis, nothing notices?
It strained credulity, but the rumor-fest article quoted several people and gave them credibility. Trade magazine Electronic Design even proposed how it could be done, by attacking the baseboard management controller (BMC), which has complete control of the motherboard. One of the companies that Bloomberg singled out by name was San Jose-based Supermicro. From Bloomberg:
To help with due diligence, AWS [Amazon Web Services], which was overseeing the prospective acquisition, hired a third-party company to scrutinize Elemental’s security, according to one person familiar with the process. The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental’s main product: the expensive servers that customers installed in their networks to handle the video compression. These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that’s also one of the world’s biggest suppliers of server motherboards, the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small. In late spring of 2015, Elemental’s staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says.
Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.
In that Bloomberg article, Supermicro, Amazon and others denied that any of this was true. This week, news was released that Supermicro had hired an independent company to audit their motherboards from China and that contractor had found no such things.
The company was unable to find any evidence supporting the Bloomberg report. The implants, according to Bloomberg, were camouflaged as tiny passive components and were added to the boards during manufacturing. The report said that the malicious chip was designed to give Chinese intelligence agents a secret door into the networks of almost 30 American companies, including government contractors.
Charles Liang, Supermicro’s founder and chief executive officer, said Tuesday: “no government agency has ever informed us that it has found malicious hardware on our products; no customer has ever informed us that it found malicious hardware on our products; and we have never seen any evidence of malicious hardware.” He added: “Today’s announcement should lay to rest the unwarranted accusations.”
This is a tough question of "who do you believe?" The only people who are likely to know the truth are probably in Three Letter Agencies somewhere, forbidden to tell the story. Amazon and Apple denied the Bloomberg allegations about finding this malicious hardware. The thing is, it's kind of in the best interests of Amazon, Apple and Supermicro to cover up anything found. If customers don't have confidence in their products, sales collapse. On the other hand, it's kind of in the best interest of Bloomberg Businessweek to spread stories like this. Increase sales of their publication. Perhaps affect the stock price of the companies they've named so owners or subscribers could get a good deal? It seems everyone has an incentive to tell less than "the truth, the whole truth, and nothing but the truth".
Bloomberg's diagram showing how the attack worked.