A bombshell report, published by Bloomberg on Oct. 4, claimed that microchips with spyware were being planted into server boards manufactured in China. Those servers were used by major tech firms such as Apple and Amazon, according to the report.
Since the report was published, Taiwanese motherboard manufacturers have gone on alert, accelerating their plans to move production out of China—an undertaking many had already begun since the U.S.-China trade war threatened to impose tariffs on their goods, DigiTimes, a Taiwan-based news website covering the global IT industry, reported on Oct. 8, citing people in the industry that it didn’t identify.
The manufacturer of the allegedly manipulated servers, Supermicro, is a U.S.-based company that was founded by a Taiwanese engineer. It accounts for more than 11 percent of the global motherboard server market. The company’s motherboards can be found in MRI machines and weapons systems, as well as in servers for banks, hedge funds, cloud computing providers, and more.
In fact, many of the world’s major motherboard suppliers—most of them Taiwan-based companies—manufacture their servers in mainland Chinese factories.
While Apple, Amazon, and Supermicro have since denied the claims in the Bloomberg article, the report has exposed the security risks involved with manufacturing in China and vulnerabilities in the tech supply chain.
Moving Out of China
Inventec, a Taiwanese motherboard maker that supplies computer brands such as Dell and HP, kicked off an expansion of its plant located in northern Taiwan back in September, according to the report. U.S. exports account for 20 to 25 percent of Inventec’s motherboard shipments.
Wistron, another Taiwanese manufacturer, was considering moving motherboard production to the Philippines, according to Japanese business publication Nikkei Asian Review.
Meanwhile, Quanta Computer has already begun increasing production in U.S. and German facilities, and Foxconn, Compal, and Pegatron are among other Taiwan-based manufacturers with plans to relocate production out of China.
Of the top 20 major corporations that export to the United States, 15 are corporations with capital from Taiwan, most of them science and tech firms, according to the Hong Kong Economic Times.
And of the top 100 Chinese joint-venture corporations that exported to the United States last year, 40 percent were joint ventures with Taiwanese firms, which is a major reason why the Taiwan IT sector worries about the U.S.-China trade war.
Supply Chain Safety
The Bloomberg story has also highlighted the need for improved security for supply chains, according to an Oct. 5 report by market research firm IDC.
Many U.S. companies depend on suppliers that manufacture in China. To prevent such security vulnerabilities in the future, U.S. firms will have to break that dependency, with a supply chain that’s “buttoned up,” the IDC report stated.
“In a nutshell, it will raise the risk concern on outsourcing electronic manufacturing to China,” Bernstein analyst Mark Li told EE Times, a news website covering the electronics industry, on Oct. 6.
But the IDC report’s authors note that given the complexity of supply chains, it may be difficult for companies to move manufacturing operations completely out of China.
The complex supply chain is exemplified by Supermicro, which designs the motherboards in San Jose, California, but hires Taiwan-based contract manufacturers to make them—most of which have plants in China. Japanese business publication Nikkei Asian Review identified three of Supermicro’s Taiwan-based contractors: Universal Scientific Industrial, Wistron, and Orient Semiconductor Electronics.
China’s History of Hacking Supply Chains
Despite Apple and Amazon’s denials, China has long exhibited the capability and willingness to exploit supply chains. In 2012, the U.S. Senate Armed Services Committee warned how U.S. military performance was compromised by Chinese-made counterfeit electronic parts that dominated the U.S. defense supply chain.
Spying through electronic devices is nothing new for China. In 2013, Chinese spy chips were found in electric kettles and irons that were exported to Russia. The chips could search for unsecured WiFi connections, granting access to cyber hackers.
In 2014, cyber security firm TrapX discovered that a Chinese company had installed spy software in handheld scanning devices used for global shipping. The infected devices in the “Zombie Zero” case gave Chinese spies access to all corporate financial data, customer data, and shipping data on the infected systems.