How secure is the global technology supply chain?
That's the question on every techie's mind after a story broke about server computers powering the cloud and enterprises being compromised with difficult-to-detect spying components that had been added in factories in China.
To recap, Bloomberg published a story claiming that spy chips not present in the original designs had been added to server motherboards at the stage where electronic components are mounted and soldered.
The tiny custom-designed spy chips were allegedly mounted by Chinese military operatives onto circuit boards made by Taiwanese-United States server specialist Supermicro three years ago and found in an audit of the equipment.
Supermicro is a household name for enterprises, online providers, and armed forces everywhere. Yes, that includes New Zealand companies.
If true, and technically what's described in the story is both possible and feasible, the consequences will be mind-blowing.
Supply chain threats have been on the cards for some years now, with countermeasures and mitigations developed because not being able to manufacture IT products in massive volumes in China and other low-cost countries is simply unthinkable.
Should there be further corroboration that Supermicro boards were compromised, it'll be evidence that the mitigations didn't work.
That means countless servers in data centres will need to be vetted, somehow, and new and improved supply chain security measures will have to be developed.
Getting under the skin of software with hardware implants opens up a world of possibilities for hackers who can pretty much do what they want on compromised systems.
Since computers run everything imaginable, from servers storing and processing our sensitive data to cars, power plants, medical equipment, voting systems and more, the supply chain threat must be taken seriously.
Did the server hardware hack happen though?
Unfortunately, the lengthy article doesn't provide concrete evidence that it did.
Apple denies its Supermicro servers were compromised, ditto Amazon Web Services.
Ironically enough, so does Bloomberg which also uses Supermicro boxes.
The United States Department of Homeland Security and Britain's National Cyber Security Centre have both officially said they believe Apple and AWS.
Renowned security experts are scratching their heads at the unequivocal denials from the companies involved and infosec authorities, and weighing them up against the 17 unnamed seemingly authoritative sources that Bloomberg quoted.
It's also hard to imagine the Chinese authorities would pull the rug from underneath the country's electronics industry like this, and push manufacturing of trusted IT gear elsewhere.
But the seeds of doubt have been sown and there are precedents of electronic components being modified by attackers.
As expected, Supermicro shares have collapsed after the story, and the contagion is spreading to other Chinese hardware makers, including Lenovo.
Billions of dollars is at stake here and the issue could further sour the West's relations with China.
For that reason, a trusted third party should be urgently allowed to work out if the spy chipping took place — or not.