From TikTok to Huawei routers to DJI drones, rising tensions between China and the US have made Americans—and the US government—increasingly wary of Chinese-owned technologies. But thanks to the complexity of the hardware supply chain, encryption chips sold by the subsidiary of a company specifically flagged in warnings from the US Department of Commerce for its ties to the Chinese military have found their way into the storage hardware of military and intelligence networks across the West.
In July of 2021, the Commerce Department's Bureau of Industry and Security added the Hangzhou, China-based encryption chip manufacturer Hualan Microelectronics, also known as Sage Microelectronics, to its so-called “Entity List,” a vaguely named trade restrictions list that highlights companies “acting contrary to the foreign policy interests of the United States.” Specifically, the bureau noted that Hualan had been added to the list for “acquiring and ... attempting to acquire US-origin items in support of military modernization for [China's] People's Liberation Army.”
Yet nearly two years later, Hualan—and in particular its subsidiary known as Initio, a company originally headquartered in Taiwan that it acquired in 2016—still supplies encryption microcontroller chips to Western manufacturers of encrypted hard drives, including several that list as customers on their websites Western governments' aerospace, military, and intelligence agencies: NASA, NATO, and the US and UK militaries. Federal procurement records show that US government agencies from the Federal Aviation Administration to the Drug Enforcement Administration to the US Navy have bought encrypted hard drives that use the chips, too.
The disconnect between the Commerce Department’s warnings and Western government customers means that chips sold by Hualan’s subsidiary have ended up deep inside sensitive Western information networks, perhaps due to the ambiguity of their Initio branding and its Taiwanese origin prior to 2016. The chip vendor’s Chinese ownership has raised fears among security researchers and China-focused national security analysts that they could have a hidden backdoor that would allow China’s government to stealthily decrypt Western agencies’ secrets. And while no such backdoor has been found, security researchers warn that if one did exist, it would be virtually impossible to detect it.
“If a company is on the Entity List with a specific warning like this one, it’s because the US government says this company is actively supporting another country’s military development,” says Dakota Cary, a China-focused research fellow at the Atlantic Council, a Washington, DC-based think tank. “It's saying you should not be purchasing from them, not just because the money you’re spending is going to a company that will use those proceeds in the furtherance of another country’s military objectives, but because you can’t trust the product.”
Technically, the Entity List is an “export control” list, says Emily Weinstein, a researcher at Georgetown University's Center for Security and Emerging Technology. That means US organizations are forbidden from exporting components to companies on the list, rather than importing components from them. But Cary, Weinstein, and the Commerce Department note that it's often used as a de facto warning to US customers not to buy from a listed foreign company, either. Both networking firm Huawei and drone-maker DJI have been added to the list, for instance, for their alleged ties to the Chinese military. “It’s used somewhat as a blacklist,” says Weinstein. “The Entity List should be a red or maybe a yellow alert to anyone in the US government who’s working with this company to take a second look at this.”
When WIRED reached out to the Commerce Department's Bureau of Industry and Security, a spokesperson responded that the BIS is restricted by law from commenting to the press on specific companies and that a company's unlisted subsidiary—like Initio—isn't technically affected by the Entity List's legal restrictions. But the spokesperson added that “as a general matter, affiliation with an Entity Listed party should be considered a ‘red flag.’”
Hualan didn't respond to WIRED's multiple requests for comment, but Initio spokesperson Mike Ching responded in a statement that Initio primarily makes controller chips for consumer storage products, and that its "current products are developed by Initio itself." He added that "Initio is not able to set any backdoors to their products."
Hualan's Initio chips are used in encrypted storage devices as so-called bridge controllers, sitting between the USB connection in a storage device and memory chips or a magnetic disk to encrypt and decrypt data on a USB thumbdrive or external hard drive. Security researchers' teardowns have shown that storage device manufacturers including Lenovo, Western Digital, Verbatim, and Zalman have all at times used encryption chips sold by Initio.
But three lesser-known hard drive manufacturers, in particular, also integrate the Initio chips and list Western government, military, and intelligence agencies as customers. The Middlesex, UK-based hard drive maker iStorage lists on its website customers including NATO and the UK Ministry of Defence. South Pasadena, California-based Secure Data lists as customers the US Army and NASA. And US federal procurement records show that Poway, California-based Apricorn has sold its encrypted storage products to NASA, the Navy, the FAA, and the DEA, among many others.
The encryption features enabled by Initio chips in those drives are designed to protect their data against compromise if the drives are physically accessed, lost, or stolen. But the security of that encryption feature essentially depends on trusting the chip's designer, cryptography experts warn. If there were a secret vulnerability or intentional backdoor in the chips, it would allow anyone who lays hands on any drives that use them—the drives are often marketed for use “in the field”—to defeat that feature. And that backdoor could be very, very difficult to detect, cryptographers note, even on the closest inspection.
“In the end, it's a matter of trust, whether you actually trust this vendor and its components with all your sensitive data,” says Matthias Deeg, a security researcher at German cybersecurity firm Syss, who has analyzed the Initio chips. “These kinds of microcontrollers are a black box to me and every other researcher trying to understand how this device is working.”
Last year, Deeg analyzed the first firmware of a Verbatim secure USB thumbdrive that uses an Initio chip and found multiple security vulnerabilities: One allowed him to quickly bypass a fingerprint reader or PIN on the drives and access any “administrative” password that had been set for the drives, a master password feature designed to allow IT administrators to decrypt users' devices. Another flaw allowed him to “brute-force” the decryption key for the drives, deriving the key to access their contents in at most 36 hours.
Deeg says that Initio has since fixed those vulnerabilities. But more troubling, he says, was how tough it was to do that analysis of the devices' firmware. The code had no public documentation, and Hualan didn't respond to his requests for more information. Deeg says the lack of transparency points to how difficult it would be to find a hardware-based backdoor in the chips, such as a minuscule component hidden in their physical design to allow for surreptitious decryption.
He notes, too, that there's no way of knowing whether the vulnerabilities he found were accidental. “Is it better to have a hidden backdoor,” Deeg asks, “or one that is more visible but can be attributed to negligence by the developer?”
When WIRED reached out to device manufacturers who use Initio chips, iStorage, the UK-based encrypted hard drive maker, told WIRED that its storage devices' architecture means that users don't have to trust Hualan or its Initio subsidiary because the private keys used to encrypt and decrypt data stored on them are generated and stored by a separate chip that comes from a different, France-based manufacturer, and the Initio chip never stores that key. “I appreciate concerns with using Chinese technology, but we’re very confident that even though we’re using these chips, our products cannot be hacked, even by Initio or Hualan,” iStorage's CEO John Michael says. (Michael also noted that some of iStorage products use a chip sold by Taiwanese firm Phison instead of Hualan or Initio, but didn't specify which products.)
Even if a bridge controller chip doesn't create a secret key and isn't intended to store it, however, it still has enough access to it to enable a backdoor, says Matthew Green, a cryptography-focused computer science professor at Johns Hopkins University. After all, a bridge controller performs the encryption and decryption using that secret key, and so could either secretly exfiltrate and store it or furtively encrypt the data with its own, different key. “If the chip has the key and does the encryption, there is a possibility of malfeasance,” Green says.
iStorage also passed on a statement from Initio pointing out that Initio isn't specifically named on Commerce's Entity List, and arguing that Hualan's inclusion on the list doesn't apply to Initio. But the Atlantic Council's Cary argues—echoing the Commerce spokesperson's “red flag” comment to WIRED—that wholly owned subsidiaries of companies on the list are generally considered to effectively be on the list, too. “I don’t buy that line of argument,” Cary says of Initio's claim to not be affected by the Entity List, pointing out that otherwise the list's restrictions could be easily circumvented through the use of subsidiary companies. “If the company that owns you is on the Entity List, you’re included.”
In a response to WIRED's questions after publication, Secure Data's chief operating officer, Sergey Gulyayev, said that only the company's portable hard drives, not its thumb drives, use the Initio chips. For its hard drives that meet the FIPS-140-2 standard required by most federal buyers, Gulyayev added that those drives include only Initio chips from a bulk purchase carried out shortly after Initio's acquisition by Hualan—early enough that the chips would have been manufactured before the acquisition. Gulyayev noted, too, that the company won't be using any chips sold by Hualan going forward.
WIRED also reached out to Hualan and Initio customers including NATO, NASA, the US Navy and Army, the DEA, and the FAA. Of those that responded, none would comment on what hardware they buy. But statements from NATO, the US Navy, and the UK Ministry of Defence all repeated that they carefully vet the security of the technology they use. “We have policies in place to address supply chain risk management, as well as established security standards to ensure all procured commercial products and services are inspected for security vulnerabilities,” read a statement from the US Navy, for instance. An FAA spokesperson said the agency complies with government regulations like the National Defense Authorization Act related to the purchase of hardware, but didn't answer questions about purchasing components from companies on Commerce's Entity List.
In fact, several of the encrypted hard drives that use Hualan's and Initio's chips tout that they do have cybersecurity certification from the National Institute of Standards and Technology such as the FIPS 140-2 standard. But Johns Hopkins' Green notes that for that level of certification, NIST generally only checks for accidental vulnerabilities in cryptographic products, not intentionally hidden ones created by a determined adversary.
“These backdoors can be so subtle and clever, and there’s so many ways to do them that you may not even see in the code,” Green says. “It would really shock me if any of these tests are assuming an untrusted manufacturer.”
The mere fact that so many Western government agencies are buying products that include chips sold by the subsidiary of a company on the Commerce Department's trade restrictions list points to the complexities of navigating the computing hardware supply chain, says the Atlantic Council's Cary. “At minimum, it's a real oversight. Organizations that should be prioritizing this level of security are apparently not able to do so, or are making mistakes that have allowed for these products to get into their environments,” he says. “It seems very significant. And it’s probably not a one-off mistake.”
Update 9 am ET, June 15, 2023: Added additional comment from an Initio spokesperson. Update 3 pm ET, June 15, 2023: Clarified a comment from Dakota Cary. Update 1 pm ET, August 4, 2023: Added a response from Secure Data.
