On October 4th, Bloomberg Businessweek published an alarming piece called ‘The Big Hack’, claiming that a small processor – embedded in popular consumer electronic products by a Chinese hacking group – had compromised the security of devices from as many as 30 major US firms.

As the story’s strapline reads, “The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.”

The story alleges that a Chinese military unit created microchips smaller than a sharpened pencil tip, designed to look like signal conditioning couplers (a component you might find on a motherboard). Reportedly, the microchips were installed in Chinese factories and made their way into networking servers provided to the US by a firm called Supermicro. When a server or computer was turned on, the chip would apparently activate, allow its host to accept new modifications, and then reach out to other hijacked computers in search of ‘further instructions’.

As Businessweek alleged:

“Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community.

…During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”

Sounds scary.

That goes without saying. Should Businessweek’s reporting prove accurate, the operation would stand as one of the most sophisticated hacking attempts ever made, and could feasibly threaten the security of thousands of people around the world. In its report, Businessweek states that companies from Apple to Amazon have been affected, and that they made no significant attempt to alert their consumers that their devices might be compromised.

So, is there truth in these claims?

While the report has quickly been re-shared across the length and breadth of the internet, the allegations made within it have largely been disputed by leading technology companies. On the same day that Businessweek ran the story, Apple, Amazon, and Supermicro all published statements denying that the purported chips were ever found or existed. Similarly, three of the leading mobile network providers in the US – AT&T, Sprint and Verizon – have denied the report as well.

In technological terms, such an attack is actually possible, and is referred to as a ‘supply chain attack’ – one in which the processes, items, or delivery of goods shipped from the manufacturer to a seller are hijacked, altered, modified, or destroyed without the consent of the transacting parties. In some cases, re-sold goods can be subject to a ‘man-in-the-middle attack’, where certain components of a device are hijacked to intercept data or certain functions.

However, the purported size and scale of the ‘hack’ itself – coupled with the fact that leading technology companies have disputed the report’s accuracy – have created controversy. Presently, the claims of a hack are unverified, and have not been interpreted, analyzed, or otherwise investigated by an independent party.

Should I be worried?

Over the coming weeks, it is likely that federal agencies in the US will set up some form of commission of inquiry into Businessweek’s allegations, given their seriousness. Given the response to Businessweek’s article and the opinions of veteran security researchers, it remains unlikely that ‘The Big Hack’ actually took place and, furthermore, went unreported to the public at large – though that will be up to researchers and government agencies to determine.

Ultimately, there is little that end consumers can do, or should be worried about, at this stage. Should such a commission find that any hardware devices were altered, US firms will likely have to issue a recall of products that were shipped to consumers – or, in the event that sensitive business networks were compromised, supply chain processes will likely be changed as well. The story may have a positive outcome (regardless of its accuracy), in that supply chain processes may be managed with closer scrutiny in the months and years to come.