Proof-of-concept supply-chain poisoning: tiny, undetectable hardware alterations could compromise corporate IT

A little over a year ago, Bloomberg stunned the world with a report that claimed that Chinese intelligence services had figured out how to put undetectable, rice-grain-sized hardware implants into servers headed for the biggest US cloud and enterprise companies, and that when some of the victims discovered this fact, they quietly ripped out whole data-centers and replaced all their servers.

The story was all the more infamous because it prompted rare, detailed denials from the companies involved, like Apple, who have historically dealt with bad news and leaks with parsimonious, closed-lipped denials. Then came the hardware experts and security experts who delved deep into the implausibility of Bloomberg's story, though some highly reputable experts did admit that supply chain attacks were a grossly underrated risk with potentially catastrophic outcomes.

A year later, we still don't know what happened: how did all those nameless senior officials and ex-officials from big IT/tech companies end up telling Bloomberg the same story, especially if that story turns out to be false. The idea that a bunch of rival tech execs would cook up a conspiracy to defraud Bloomberg is, if anything, even weirder and more implausible than the idea that Chinese spooks were poisoning Supermicro's servers and raiding data from Big Tech's supposedly impregnable data-vaults.

That kind of Kremlinology is hard to investigate: all the facts are held by secretive giants (and maybe Chinese spies). Barring leaks, we're just left proffering unfalsifiable theories about which conspiracy took place.

On the other hand, the plausibility of a hardware implant is much easier to investigate. Read the rest