An attorney for the Edmans says that they, too, were victims – duped by overseas suppliers. But one thing is clear: the case is about a lot more than trademark infringement. Security experts warn that, as supply chains become more global and more opaque, no one can be sure what parts are going into the computers that run, well, everything – from air traffic control towers to banks to weapons systems. US Secretary of Homeland Security Michael Chertoff raised the issue recently at a briefing attended by Popular Mechanics and others. “Increasingly when you buy computers they have components that originate… all around the world,” he said. “We need to look at … how we assure that people are not embedding in very small components… that can be triggered remotely.”

Software vulnerabilities and online scams receive plenty of public attention. Viruses, Trojan horses, spyware, phishing schemes that trick people into providing financial data – all have made headlines in recent years.

The emerging hardware threat is different. Imagine buying a computer, printer, monitor, router or other device in which malevolent instructions, or at least security loopholes, are etched permanently into the silicon.

Individuals, companies and government agencies could all be at risk from foreign governments or criminal enterprises. A computer chip built with a subtle error might allow an identity-theft ring to hack past the encryption used to connect customers with their banks. Flash memory hidden inside a corporation’s networked printers could save an image file of every document it printed, then send out the information. In a disturbing national-security scenario, overseas agents might be able to hard-wire instructions to bring down a Department of Defence system on a predetermined date or in response to an external trigger. In the time it took to bring the systems back online, a military assault could be under way.

Shadowy threat
When a software problem is detected, thousands or millions of computers can be fixed within hours with a software patch. Discover a malevolent hardware component, however, and machines need to be fixed one by one by one. On a large network it could take months – if the problem is detected at all.

“There are a whole bunch of functions inside each chip that you have no direct access to,” says Stephen Kent, chief information security scientist for BBN Technologies and a member of the Intelligence Science Board, which advises US intelligence agencies. “We passed the point a long time ago when you could combinatorially test all the possible inputs for a complex chip. If somebody hid a function that, given the right inputs, could cause the chip to do something surprising, it’s not clear how you could test for that.”

Such tampering wouldn’t have to occur in a factory where computer components were built. In fact, repair businesses and subcontractors may pose a greater danger. “A skilled and capable adversary could replace a chip on a circuit board with a very similar one,” says John Pironti, a security expert for information technology consulting firm Getronics. “But this chip would have malicious instructions added to the programming.” The strategy wouldn’t be practical for running a broad identity-theft operation, but it might allow spies to focus an attack on a valuable corporate or government target – gaining access to equipment, then doctoring it with hidden functions.

However, not all experts agree that the risk is severe. After all, there’s never been a report of anyone outside of the United States using such technology to steal information or commit sabotage. (The US did successfully conduct such a mission against the Soviet Union during the Cold War.)

“It’s certainly possible for the world’s major espionage services to secretly plant vulnerabilities in our microprocessors, but the threat is overblown,” says Bruce Schneier, chief technology officer of the data security company BT Counterpane.

“Why would anyone go through the effort and take the risk, when there are thousands of vulnerabilities in our computers, networks and operating systems waiting to be discovered with only a few hours’ work?”

The US National Security Agency and Defence Department aren’t convinced. There’s no way to know if they are reacting to an imminent danger or simply swinging at shadows, but security professionals are scrambling to guard their electronics supply chains.