We’ve known for roughly two years the US government has programs devoted to intercepting computer hardware mid-shipment. These programs are used to insert backdoors or spyware deep into a system’s firmware before it even arrives at its destination. A new report claims Apple is looking into building its own servers as a way to thwart this type of insertion.
The Information (currently offline as of this writing) reported yesterday that:
Apple has long suspected that servers it ordered from the traditional supply chain were intercepted during shipping, with additional chips and firmware added to them by unknown third parties in order to make them vulnerable to infiltration, according to a person familiar with the matter. At one point, Apple even assigned people to take photographs of motherboards and annotate the function of each chip, explaining why it was supposed to be there. Building its own servers with motherboards it designed would be the most surefire way for Apple to prevent unauthorized snooping via extra chips.
Security isn’t Apple’s only motivation — the company has expressedunhappiness with Amazon Web Services and, according to VentureBeat, is working on a plan to build its own in-house data centers and software to run them. Currently, services like iTunes are mostly outsourced to other providers like Amazon or Microsoft’s competing Azure. Apple is far from the first company to take steps like this; Google publicly announced it would begin encrypting all data that travels through its data centers after information leaked that the NSA had tapped undersea cables to spy on Google’s data centers from the inside, where data was once unencrypted.
If government agencies start feeling less sure of their own ability to compel cooperation or access information at will, this fight could go more public than it has to date. The technology sector would ferociously oppose such legislative fiat (assuming Congress was willing to consider it in the first place), but whether that opposition would be sufficient to sway the final outcome is another unknown.
Both Republicans and Democrats have given great deference to the NSA, FBI, and their claims that warrantless wiretaps and mass surveillance are required if the American people are to be kept safe. Apple, however, isn’t alone in its efforts. Last year, Cisco’s security chief announced it purposefully shipped to fake locations to keep the NSA from targeting and intercepting its hardware.
This rumor isn’t going to be well-received by the government, which has already indicated it believes Apple’s behavior is just shy of treasonous in various court filings related to the San Bernardino shooting. Building its own data centers and designing its own hardware from the ground up, at least partly for the express purpose of locking the government out, isn’t going to sit well with the folks in Washington.
Whether or not this approach can actually lock out groups like the NSA is an incredibly difficult question. Apple could contract with companies like Foxconn to build hardware to its own specifications, but there’s no guarantee that the NSA wouldn’t find a different method of penetrating Apple’s security. A government agency that’s gone to the trouble of building infrastructure to intercept, bug, and re-ship network equipment and servers is obviously one that’s willing to spend top dollar to guarantee results. Apple can make the game more difficult, certainly, but can it close the loopholes altogether?
Up to this point, the battle over encryption has largely been waged behind the scenes. The White House has declined to push for any legislation that would actually ban encryption or formally require companies to cooperate with the government in turning over keys and access. One likely reason for this state of affairs is that government agencies feel reasonably assured that they can get the data they want without the battle public legislation would spark.