We don't like Chinese PCs

Now that IBM's PC division is owned by Lenovo, some people are getting worried about their security:
Assistant Secretary of State Richard Griffin said the department would also alter its procurement process to ensure US information security was guaranteed.

His comments came after Rep Frank Wolf expressed national security concerns.

...

In a letter to Mr Wolf, Mr Griffin said government security experts had recommended the computers "be utilised on unclassified systems only".

He said the government was committed to ensuring the purchase would not "compromise our information and communication channels".

And he said the state department would change the way it buys its technology "in light of the changing ownership of IT equipment providers."

His letter did not refer to Mr Wolf's specific concern that at least 900 of the computers were to be used "as part of the classified network deployed in the United States and around the world in embassies and consulates".

Mr Wolf, Republican chairman of the committee that oversees the department's funds, told reporters that China's spying efforts were "frightening".

It was "no secret that the US is a principal target of Chinese intelligence services", he said, adding: "No American government agency should want to purchase from them".

Should you worry? Well, sort of.

The first thing you need to realize is that manufacturing PCs isn't like manufacturing cheese. Any real-world PC contains components from zillions of manufacturers. Let's take one of our servers which I happen to have open as an example:

| Component | Manufacturer | Manufacturer Country | Country of Manufacture |
|---|---|---|---|
| Case | Chenbro | Taiwan | Unknown |
| Power supply | ??? | ??? | Taiwan |
| Motherboard | Tyan | Taiwan | Taiwan |
| CPU | Intel | USA | Unknown, but Intel fabs all over the world. |
| Memory | Samsung | Korea | Unknown |
| RAID Card | 3Ware | USA | Unknown |
| Hard Drives | Seagate | USA | Singapore |
| Floppy Drive | Mitsumi | Japan | PRC |
| Operating System | Linux | - | All over the world |

And this is just the components you buy separately. The motherboard is basically a bunch of components (memory, video chips, NICs, etc.) which are bought by the manufacturer and surface mounted onto the motherboard. These subsidiary components are manufactured all over the world and the PC manufacturer has basically no supervisory role over the manufacture. IBM/Lenovo may manufacture more of their components themselves, but a quick look at a typical IBM desktop offering suggests a similar mix-and-match situation.

With that in mind, let's ask what the threat model is. It seems to me that there are two basic threats to be concerned by. The first is that the computer will be built with some kind of trojan horse so that an attacker can take control remotely to get access to or copies of your data. This requires somehow having access to some reasonably central part of the computer (i.e., probably not the floppy drive) but if you can write to the memory or PCI bus, you're most likely good to go there. And of course if you control the Operating System or the BIOS, you're totally set. Did I mention that lots of PCI cards have access to the BIOS for things like RAID configuration and network booting? And, of course, Microsoft (which is what State presumably runs) has a zillion programmers who produce a large number of unintentional security holes. It wouldn't exactly be hard to hide an intentional one. You could even make it look unintentional to cover your tracks.
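The firmware that RAID and network-boot cards hand to the BIOS is a PCI expansion (option) ROM, and one defensive check is to fingerprint each image in a ROM dump against a baseline recorded from a trusted unit. The sketch below is an added example, not code from the original post; it assumes you already have a dump (on Linux, the device's sysfs `rom` attribute), and the vendor/device IDs and sample bytes are constructed.

```python
import hashlib
import struct

CODE_TYPES = {0: "x86 BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}

def parse_option_rom(blob):
    """Split a PCI expansion ROM dump into images and fingerprint each one."""
    images, off = [], 0
    while blob[off:off + 2] == b"\x55\xaa" and off + 0x1A <= len(blob):
        (pcir_ptr,) = struct.unpack_from("<H", blob, off + 0x18)
        p = off + pcir_ptr                      # start of the PCI Data Structure
        if blob[p:p + 4] != b"PCIR" or p + 0x16 > len(blob):
            break
        vendor, device = struct.unpack_from("<HH", blob, p + 0x04)
        (units,) = struct.unpack_from("<H", blob, p + 0x10)
        code_type, indicator = blob[p + 0x14], blob[p + 0x15]
        size = units * 512                      # image length is in 512-byte units
        if size == 0 or off + size > len(blob):
            break                               # truncated or malformed dump
        images.append({
            "vendor": f"{vendor:04x}", "device": f"{device:04x}",
            "type": CODE_TYPES.get(code_type, f"unknown({code_type})"),
            "sha256": hashlib.sha256(blob[off:off + size]).hexdigest(),
        })
        if indicator & 0x80:                    # bit 7 marks the last image
            break
        off += size
    return images

def image_key(img):
    return (img["vendor"], img["device"], img["type"], img["sha256"])

def unexpected_images(images, baseline):
    """Return the images whose identity and hash are not in the baseline set."""
    return [img for img in images if image_key(img) not in baseline]

def make_image(vendor, device, code_type, last, fill=0):
    """Constructed sample: one minimal 512-byte image, not a real card's firmware."""
    img = bytearray([fill]) * 512
    img[0:2] = b"\x55\xaa"
    struct.pack_into("<H", img, 0x18, 0x1C)     # PCIR placed right after the header
    struct.pack_into("<4sHH", img, 0x1C, b"PCIR", vendor, device)
    struct.pack_into("<H", img, 0x1C + 0x10, 1) # one 512-byte unit
    img[0x1C + 0x14] = code_type
    img[0x1C + 0x15] = 0x80 if last else 0
    return bytes(img)

if __name__ == "__main__":
    rom = make_image(0x1234, 0x5678, 0, False) + make_image(0x1234, 0x5678, 3, True)
    baseline = {image_key(i) for i in parse_option_rom(rom)}
    tampered = rom[:600] + b"\x90" + rom[601:]  # one byte changed in the second image
    print(unexpected_images(parse_option_rom(tampered), baseline))
```

A matching hash only says the image equals the baseline; it says nothing about whether the baseline unit itself was clean.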

That's all most people have to worry about (to the extent they need to worry at all) but intelligence agencies need to worry about another attack: some sort of extra component like a keylogger that provides a side channel into the computer. Anyone who has access to any part of the computer at pretty much any point in the assembly process can install something like this.

So, the situation is really bad in that if you buy pretty much any off-the-shelf computer and the attacker knows what model of computer you buy, they can almost certainly bribe someone in the production process to insert some kind of trojan, key-logger, etc. Hardware and software are simply so brittle that it's not possible to have any level of confidence that your system is secure if you're up against an attacker with that level of sophistication (read Reflections on Trusting Trust for just how bad the situation can be). But that said, it's not clear why one should be any more concerned about equipment manufactured by Lenovo than anyone else. Sure, they're owned (partly) by the PRC, but the stuff is assembled in the US, so it's probably not any easier for the PRC to compromise Lenovo's machines than someone else's.

The real issue here is protection against what Schneier calls the "New York Times Attack". You have to buy some computers and there's some chance they'll be compromised. No matter what the real risk profiles are, when that happens it's going to look a lot better to say you bought them from Dell than from the Communist Chinese Government.