Western government bodies, from the US Navy and NASA to NATO, have been found to use encryption chips made by a Chinese company that the US Department of Commerce has flagged for its connections to the Chinese military. The finding highlights the complexity of hardware supply chains and raises serious security concerns.
Infiltration by an unlikely player
Hualan Microelectronics, a company based in Hangzhou, China, which also operates as Sage Microelectronics, was added to the “Entity List” of the US Department of Commerce’s Bureau of Industry and Security in 2021. This trade-restriction list identifies companies deemed to act against US foreign policy interests. The bureau stated that Hualan was listed for supporting the military modernization efforts of China’s People’s Liberation Army.
Surprisingly, two years later, Initio, a subsidiary of Hualan, still supplies encryption microcontroller chips to Western manufacturers of encrypted hard drives. Among their notable customers are Western government aerospace, military, and intelligence organizations such as NASA, NATO, and the militaries of the US and UK. Procurement records indicate that various US government agencies have purchased encrypted hard drives built on these chips.
Ambiguous branding or deliberate deception?
The disconnect between the Commerce Department’s warnings and the purchases made by Western government customers points to a significant oversight. The confusing branding and the Taiwanese origin of Initio, which Hualan acquired in 2016, may have contributed to this situation.
However, the chip vendor’s Chinese ownership has raised fears among security analysts, who suggest that the chips might contain a hidden backdoor enabling the Chinese government to decrypt Western agencies’ secrets undetected.
The Entity List is primarily an “export control” list, meaning US organizations are forbidden from exporting components to the listed companies. Nevertheless, it often serves as a warning to US customers against buying from listed foreign companies; the inclusion of companies such as Huawei and DJI for their alleged military ties to China illustrates this function.
The security conundrum
Initio’s chips serve as bridge controllers in encrypted storage devices: they sit between the host interface and the storage media and perform the encryption and decryption of data on USB thumb drives or external hard drives. Various drive manufacturers, including Lenovo, Western Digital, Verbatim, and Zalman, have reportedly used Initio’s encryption chips.
The security of that encryption, however, depends largely on trusting the chip’s designer. A secret vulnerability or intentional backdoor in the chips could allow unauthorized access to sensitive data, and such backdoors are notoriously hard to detect, which makes the situation even more precarious.
While Initio asserts that its products cannot be hacked, even by Initio or Hualan, cryptography experts warn that any chip that performs encryption and decryption inherently has the potential to be subverted.
Unraveling the complex supply chain
The incident is a potent reminder of the complexity of the computing hardware supply chain. It underscores the pressing need for heightened vigilance in assessing the origins and security of components used in sensitive systems.
The finding also raises an urgent question: how can governments and organizations safeguard their systems from potential backdoors or vulnerabilities? Are the existing trade restrictions and warnings enough to avert such security risks? And how can they strengthen their vetting processes for greater security in the future?