The Chinese military’s security, privacy and supply chain issues in your iPhone

Apple is expected to start shipping iPhones in May with flash memory chips, essential for data storage, produced by Yangtze Memory Technologies (YMTC). The People’s Republic of China (PRC) owns YMTC, cleverly funnels some $200 billion in subsidies there to avoid World Trade Organization pitfalls, and runs the entity with leaders drawn from the country’s military modernization effort. YMTC’s partnership with Apple raises security, privacy and supply chain issues. Apple did not return the request for comment.

Security

Semiconductor-enabled cyberattacks are not theoretical. Take the case of Supermicro, corroborated by several US intelligence and security officials. The People’s Liberation Army (PLA), together with a PRC contractor, reportedly attached a tiny chip to thousands of motherboards in an attempt to create remote stealth access. The attack reportedly affected at least 30 companies, including a major bank, Apple and Amazon Web Services. Apple then removed and replaced 7,000 servers, and Amazon terminated a PRC provider as a result.

Relying on YMTC for chips means they could be intentionally compromised in the same way during the design process. If put into a product with sufficient proficiency, these built-in vulnerabilities would be extremely difficult to detect in testing. And they could be exploited months or years later to disrupt or exfiltrate data from a system containing the compromised chip. Such a scenario was detailed in PW Singer’s novel Ghost Fleet: A Novel About the Next World War, which describes the grounding of US fighter jets due to compromised PRC-made chips. The Pentagon’s Trusted IC Strategy and Trusted Foundry Program were established to ensure clean chips for defense, but no such program exists for consumer devices, which could also be hacked, with devastating consequences, or used to install a bot as part of a botnet attack on a larger system.

Apple has led innovation in the system-on-chip (SoC), a value proposition it describes as silicon-integrated security, although the main vulnerability of this platform is the inability to isolate resources between trusted agents and untrusted agents.

Supply chain

Apparently Apple, the richest company in the world with the most valuable brand, can ill afford to compromise security by partnering with a Chinese military supplier and the potential for compromised chips. Conversely, with almost a quarter of the smartphone market in the PRC, Apple cannot afford not to. Ultimately, Apple has calculated that security trumps profitability. By working with PRC national champion YMTC, whose goal is to disrupt and displace US leadership in semiconductors, Apple can squeeze prices from its chip suppliers in democratic countries.

Apple might claim that YMTC chips won’t be installed in phones destined for the US market, but that’s hard to promise, let alone deliver. Almost all Apple products are made in China. One of Apple’s trade associations told regulators that the devices “…include hundreds of components – each with their own complex supply chains – sourced from around the world from trusted vendors and vendors. Even the products network devices that are assembled in the United States by American companies depend on foreign inputs from their global partners.” Growing supply chain challenges and geopolitical uncertainty increase the likelihood that any iPhone could have a YMTC chip.

Apple is no stranger to toeing the PRC’s line on human rights abuses like censorship, surveillance or slave labor, as detailed in a New York Times briefing. In 2017, Apple launched a joint venture in the PRC to build a data center in accordance with the country’s cybersecurity law, presumably to facilitate government access to Apple customer data.

Privacy

Apple has already designed the PRC’s preferred surveillance and censorship model, and it’s deployed to 230 million PRC users. Extending these systems to other countries is not necessarily technically difficult.

The rule of law is the bulwark against such practices, at least in the United States and the European Union, although Apple has an army of lawyers and lobbyists to challenge the roadblocks. Consider that national security experts have called for YMTC to be added to the Bureau of Industry and Security (BIS) Entity List for years with demonstrated proof that it is a military end user, but this fell on deaf ears. Indeed, US semiconductor tool makers made record profits by equipping YMTC with tools to make chips.

Memory chips are referred to as “low-end” in the semiconductor market, but they are still able to store Apple ID data, relevant and sensitive customer information from iCloud, App Store and other Apple online stores, iMessage and FaceTime.

Conclusion

It’s hard to see how the PRC wouldn’t leverage the partnership with YMTC for geopolitical advantage. The option of Apple working with YMTC should have been taken off the table years ago. Apple claims to be a pro-American company, but when a fifth of its revenue comes from the PRC, its patriotism goes no further. Senator Marco Rubio (R-FL) ripped the Apple CEO for his hypocrisy. “No American consumer should be made an accomplice to the evils of the PLA simply because they own an iPhone,” he wrote. Since end users cannot control the chips that go into their iPhones, policy makers must step in to ensure security.

As Apple downgrades security for Americans and Europeans with PRC chips, new BIS Undersecretary Alan Estevez can step it up by adding YMTC to the Entity List.
