Deeg says that Initio has since fixed those vulnerabilities. But more troubling, he says, was how tough it was to do that analysis of the devices’ firmware. The code had no public documentation, and Hualan didn’t respond to his requests for more information. Deeg says the lack of transparency points to how difficult it would be to find a hardware-based backdoor in the chips, such as a minuscule component hidden in their physical design to allow for surreptitious decryption.
He notes, too, that there’s no way of knowing whether the vulnerabilities he found were accidental. “Is it better to have a hidden backdoor,” Deeg asks, “or one that is more visible but can be attributed to negligence by the developer?”
When WIRED reached out to device manufacturers who use Initio chips, iStorage, the UK-based encrypted hard drive maker, told WIRED that its storage devices’ architecture means that users don’t have to trust Hualan or its Initio subsidiary because the private keys used to encrypt and decrypt data stored on them are generated and stored by a separate chip that comes from a different, France-based manufacturer, and the Initio chip never stores that key. “I appreciate concerns with using Chinese technology, but we’re very confident that even though we’re using these chips, our products cannot be hacked, even by Initio or Hualan,” iStorage’s CEO John Michael says. (Michael also noted that some of iStorage products use a chip sold by Taiwanese firm Phison instead of Hualan or Initio, but didn’t specify which products.)
Even if a bridge controller chip doesn’t create a secret key and isn’t intended to store it, however, it still has enough access to it to enable a backdoor, says Matthew Green, a cryptography-focused computer science professor at Johns Hopkins University. After all, a bridge controller performs the encryption and decryption using that secret key, and so could either secretly exfiltrate and store it or furtively encrypt the data with its own, different key. “If the chip has the key and does the encryption, there is a possibility of malfeasance,” Green says.
iStorage also passed on a statement from Initio pointing out that Initio isn’t specifically named on Commerce’s Entity List, and arguing that Hualan’s inclusion on the list doesn’t apply to Initio. But the Atlantic Council’s Cary argues—echoing the Commerce spokesperson’s “red flag” comment to WIRED—that wholly owned subsidiaries of companies on the list are generally considered to effectively be on the list, too. “I don’t buy that line of argument,” Cary says of Initio’s claim to not be affected by the Entity List, pointing out that otherwise the list’s restrictions could be easily circumvented through the use of subsidiary companies. “If the company that owns you is on the Entity List, you’re included.”
WIRED also reached out to Hualan and Initio customers including NATO, NASA, the US Navy and Army, the DEA, and the FAA. Of those that responded, none would comment on what hardware they buy. But statements from NATO, the US Navy, and the UK Ministry of Defence all repeated that they carefully vet the security of the technology they use. “We have policies in place to address supply chain risk management, as well as established security standards to ensure all procured commercial products and services are inspected for security vulnerabilities,” read a statement from the US Navy, for instance. An FAA spokesperson said the agency complies with government regulations like the National Defense Authorization Act related to the purchase of hardware, but didn’t answer questions about purchasing components from companies on Commerce’s Entity List.
