Can you trust Chinese computer equipment?
February 4, 2010
As you surely know, Google has accused China of hacking into its systems and is considering pulling out of China altogether. The U.S. government is taking this seriously, and Google has partnered with the NSA (National Security Agency) to get to the bottom of this. What you may not know is that the United Kingdom's MI5 -- Americans can think of this as a combination of the FBI and CIA -- has reported that the Chinese government has been giving UK executives electronics with built-in security holes.
According to the Sunday Times, "A leaked MI5 document says that undercover intelligence officers from the People's Liberation Army and the Ministry of Public Security have also approached UK businessmen at trade fairs and exhibitions with the offer of 'gifts' and 'lavish hospitality.' The gifts -- cameras and memory sticks -- have been found to contain electronic Trojan bugs which provide the Chinese with remote access to users' computers."
That's bad. But why, if these stories are true, should the Chinese government stop there? U.S. and British citizens buy billions of dollars' worth of Chinese-made USB memory sticks, computers, hard drives, and cameras every year. Why not just add security holes as a matter of course to the firmware of all of them?
It's not hard. Heck. It's trivial.
Backdoors, deliberate security holes that allow their creator full access to a system, have been around for ages. Indeed, back in 1983, Ken Thompson, one of the creators of Unix, admitted that he had included a backdoor in early Unix versions. Thompson's backdoor gave him access to every Unix system then in existence.
If China's government really is hell-bent on keeping an eye on American and European businesses, why not just incorporate 21st-century backdoors into their products? Then, you could just have them automatically call home to do a data dump of documents. If there's anything interesting in the files, the device can be set to monitor its user on a regular basis.
There's nothing difficult about doing this. Not only are backdoors easy to create, running an automatic check for words of interest, even in terabytes of documents, just requires some servers. After all, Google does it every day with far more data than such a plot could ever uncover.
Best of all, if I'm a government snoop, once my broken machines are in place, it doesn't matter how good their users are about PC security. The malware is already on the equipment and ready to go.
Sure, if a company or government agency uses top network security they may spot the illegal activity, but how many actually have crack security analysts? Far fewer than you might think. It's easier to just put down any problem to some more mundane malware infection than to consider that the computers themselves were designed to be working for an enemy.
Do I think this is happening? I honestly don't know. I have no proof. What I do know, though, is that it's easy to do, hard to detect, and the Chinese government appears to be engaging in massive IT espionage. That's a worrisome combination.
If I were in charge of any enterprise where I thought I had any reason to think that these Chinese authorities might be interested in what I was doing, I'd stop buying Chinese computer products today. Until this issue of Chinese cyber-espionage has been cleared up and cleaned up, I simply couldn't justify buying or using hardware that might be working against me. If you consider it for a minute, I think you'll agree.