The US Navy, NATO, and NASA are using a shady Chinese company’s encryption chips


From TikTok to Huawei routers to DJI drones, rising tensions between China and the US have made Americans—and the US government—increasingly wary of Chinese-owned technologies. But thanks to the complexity of the hardware supply chain, encryption chips sold by the subsidiary of a company specifically flagged in warnings from the US Department of Commerce for its ties to the Chinese military have found their way into the storage hardware of military and intelligence networks across the West.

In July of 2021, the Commerce Department’s Bureau of Industry and Security added the Hangzhou, China-based encryption chip manufacturer Hualan Microelectronics, also known as Sage Microelectronics, to its so-called “Entity List,” a vaguely named trade restrictions list that highlights companies “acting contrary to the foreign policy interests of the United States.” Specifically, the bureau noted that Hualan had been added to the list for “acquiring and … attempting to acquire US-origin items in support of military modernization for [China’s] People’s Liberation Army.”

Yet nearly two years later, Hualan—and in particular its subsidiary known as Initio, a company originally headquartered in Taiwan that it acquired in 2016—still supplies encryption microcontroller chips to Western manufacturers of encrypted hard drives, including several whose websites list Western governments' aerospace, military, and intelligence agencies as customers: NASA, NATO, and the US and UK militaries. Federal procurement records show that US government agencies from the Federal Aviation Administration to the Drug Enforcement Administration to the US Navy have bought encrypted hard drives that use the chips, too.

The disconnect between the Commerce Department’s warnings and Western government customers means that chips sold by Hualan’s subsidiary have ended up deep inside sensitive Western information networks, perhaps due to the ambiguity of their Initio branding and its Taiwanese origin prior to 2016. The chip vendor’s Chinese ownership has raised fears among security researchers and China-focused national security analysts that they could have a hidden backdoor that would allow China’s government to stealthily decrypt Western agencies’ secrets. And while no such backdoor has been found, security researchers warn that if one did exist, it would be virtually impossible to detect it.

“If a company is on the Entity List with a specific warning like this one, it’s because the US government says this company is actively supporting another country’s military development,” says Dakota Cary, a China-focused research fellow at the Atlantic Council, a Washington, DC-based think tank. “It’s saying you should not be purchasing from them, not just because the money you’re spending is going to a company that will use those proceeds in the furtherance of another country’s military objectives, but because you can’t trust the product.”

Technically, the Entity List is an “export control” list, says Emily Weinstein, a researcher at Georgetown University’s Center for Security and Emerging Technology. That means US organizations are forbidden from exporting components to companies on the list, rather than importing components from them. But Cary, Weinstein, and the Commerce Department note that it’s often used as a de facto warning to US customers not to buy from a listed foreign company, either. Both networking firm Huawei and drone-maker DJI have been added to the list, for instance, for their alleged ties to the Chinese military. “It’s used somewhat as a blacklist,” says Weinstein. “The Entity List should be a red or maybe a yellow alert to anyone in the US government who’s working with this company to take a second look at this.”

When WIRED reached out to the Commerce Department’s Bureau of Industry and Security, a spokesperson responded that the BIS is restricted by law from commenting to the press on specific companies and that a company’s unlisted subsidiary—like Initio—isn’t technically affected by the Entity List’s legal restrictions. But the spokesperson added that “as a general matter, affiliation with an Entity Listed party should be considered a ‘red flag.’”

https://arstechnica.com/?p=1948695