I was a bit sceptical upon reading the news on China implanted tiny chip as reported by Bloomberg.
It is rather unbelievable to have such small chip to perform as what claimed. Many chips have many pins, sure whoever needs to implant the chip need to have bigger chip or multiple chips to intercept different signal pins from the motherboard?
Until I came across the article on Light Blue Touchpaper. I learned new concepts such as BMC (Baseboard Management Controller), SPI (Serial-Peripheral Interface) and how the chips are using serial, rather than parallel, signalling; which technically means they need only few wires/pins: data, clock, power and ground. It is also interesting to read that the BMC is an ARM processing running … Linux. We have embedded operating system on a motherboard without even the main OS knows about it.
So, it is technically possible that the tiny chip to modify the signals from BMC. But the question is what’s next. It needs to be able to initiate network call to the Internet and with my limited knowledge this may or may not be possible.
Unless, this chip works ‘together’ with another ‘implant chip’ embedded on the Ethernet port.
To me, the later more makes sense and probably more do-able. Intel had provided the ‘proof’ in 2017, even allowing users to remotely login to the server with embedded KVM software.
With all of these chips, it is possible to have network connection without even the operating system knows about it. People may argue the firewall should block such traffic, there are two main issues with the firewall. With the cloud and hyper-converged solutions, the firewalls are now ‘virtual’. It is a software running on the server itself. Even if there is physical firewall presence, the physical firewall itself may be compromised with implanted chips. Both have the same result: the firewall would not detect and block those extra traffics.
It is a difficult issue to solve. The supply chain is tightly integrated, it is difficult to change the manufacturer. There is no guarantee the US does not do the same. As someone said, it is a matter of choice; which intelligence agency you prefer to have your data: US Intelligence agency or Chinese Intelligence agency 🙂