Hardware Hacking Is a Global Problem, Says Cyber Executive

Hardware-based hacking is a global problem, and one that almost no one, be it private companies or governments, takes the required measures to handle, said cyber expert Yossi Appleboum in an interview with Calcalist held last week.

For daily updates, subscribe to our newsletter by clicking here.

Earlier this month, Bloomberg ran a series of stories reporting that China installed spy chips on motherboards manufactured by U.S.-headquartered Supermicro, a company whose motherboards are used by tech companies like Apple and Amazon in their servers. Supermicro, Apple, and Amazon all strongly denied the accusations, stating they’ve never found evidence of such manipulation in their equipment. Apple’s vice president of information security George Stathakopoulos went as far as to send a letter to Congress on the subject. Supermicro and Apple both criticized Bloomberg for its refusal to share details about the alleged breaches.

On Tuesday, Bloomberg published a new article, this time quoting Appleboum as a first-hand witness. Appleboum provided the news agency with “documents, analysis and other evidence” about such a chip he discovered in a Supermicro motherboard used by a “major” U.S. telecom company that was unnamed, according to the report by Bloomberg due to a nondisclosure agreement Applebaum signed. The implant, which was built into the server’s Ethernet connector, was discovered in a physical inspection performed due to unusual communications from the server.

Appleboum told Bloomberg the problem was not specifically with Supermicro, whose server was built in a Chinese factory, but with the entire Chinese supply chain and the fact that such spyware could be installed at numerous points along the way. He has previously seen similar manipulations performed in the equipment of other vendors manufacturing in China, he told Bloomberg.

In his interview with Calcalist, Appleboum said that Bloomberg’s expose is just the tip of the iceberg, and that hardware-based hacks are on the rise, and much harder to identify than software breaches. “Previously, you needed the capabilities only countries have to perform them,” he said. “Today we’re seeing attacks that cost hundreds of thousands of dollars, even tens of thousands.”

Appleboum, 45, served in leading roles in Unit 8200, the Israeli military's NSA equivalent. In 1998 he co-founded advanced networking and security systems company WebSilicon, in 2013 acquired by physical security integration company Magal. After serving as the chief technology officer of Magal’s cybersecurity division, he co-founded Cyber Sepio Systems Ltd. in 2016 and serves as the CEO of its North American business.

Sepio provides hardware-focused cybersecurity technology to organizations. Sepio’s chairman of the board is Tamir Pardo, the former director of the Israeli Mossad. its advisory board includes Robert Bigman, the former chief information security officer of the CIA.

Sepio has found breached computer mice, altered keyboards and printers, and manipulated scanners, Appleboum said. The company once found an advanced cellular implant in the mouse of the vice president of finance in one of the largest banks in the world, which enabled the operators to steal bank information. It found similar implants in a European electricity company, and in telecommunication companies in Singapore, Israel, and Brazil. Applebaum did not disclose the names of the companies in which these findings were made.

“Since it’s not a software breach, traditional cyber defense tools just can’t detect them,” Appleboum said. “They fly under the radar.”

These manipulations can occur at various stages of the supply chain. Appleboum revealed a recent case where a product came from the manufacturer clean, but the client received it with tampered hardware. “It was one of the largest delivery companies,” he explained. “They paid the delivery man and told him: before you enter the building, bring the box to us and take another box instead. And voila, they infiltrated the organization.”