Apple Categorically Denies Businessweek’s China Hack Report
Color us confused. Last week, Bloomberg Businessweek published a long, detail-filled story alleging that Chinese spies had compromised America’s technology supply chain by inserting a malicious chip into servers used by as many as 30 major technology companies, including Apple.
It’s a bombshell of an article, but an odd one, simultaneously specific in places while vague about what these alleged chips actually did. Plus, all sources were anonymous, which isn’t unusual for an article that involves government-level industrial espionage and national security, but it’s surprising that the article doesn’t quote any outside experts on the record.
In response, Apple released a public statement, saying bluntly that everything the article claims about Apple is completely untrue:
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
Finally, in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.
Apple’s statement has none of the tenor of a company trying to cover up untoward behavior, and if anything, it sounds as though the company is fed up with Bloomberg’s questions and allegations. Since then, both the US Department of Homeland Security and Britain’s National Cyber Security Center have said that they have no reason to doubt Apple’s statement. Plus, BuzzFeed’s John Paczkowski reported that multiple senior Apple executives “all denied and expressed confusion” with the report. And Apple has now sent a letter to Congress reiterating these denials.
In addition, Apple and Amazon, which also denied the article’s scenario, are both $1 trillion public companies that routinely face and sometimes lose lawsuits over product representations. Their statements are so specific, cover so much, and are so definitive that both companies would have an enormous liability should it come out that they were lying.
Although there have been some suggestions that such an attack is technically feasible, our contacts with hardware manufacturing experience are extremely dubious that this particular one could have taken place as described without anyone noticing, and our contacts in security reporting haven’t heard anything about this from their sources. So we are currently assuming that Apple is telling the truth about not having found malicious chips in its servers.
But Businessweek isn’t a fly-by-night publication, and there are too many sources quoted and details given for the reporters to just be confused. So unless it’s all an elaborate fiction that somehow snuck by the publication’s editors, we remain unable to explain why Businessweek published the piece in the face of such categorical denials.
Something that also raises a question mark for me is that any outside firm or outsider would benefit enormously by revealing their identities as well as details about what exactly went wrong with the chips.
I have enormous respect for Bloomberg and Business Week, and I have the highest respect for their reporting. But publications I also have the highest respect for have, with the best intentions, published stories that proved to be horrendously wrong. A few examples:
Janet Cooke at the Washington Post, who won a Pulitzer for what turned out to be fake news:
Jayson Blair at the New York Times:
Stephen Glass at the New Republic:
(Shattered Glass, the movie about this scandal, is excellent, especially since it foreshadows how digital footprints and social media can affect the gathering and publication of news.)
In each case, their editors were duped by reporters who could craft very readable text about stories that audiences would want to believe and who would buy, and hopefully subscribe, to the journals.
Bloomberg has reportedly published unfounded articles in the past, but I can’t find the reference right now.
At best, I suppose both sides could be partially correct.
This is old news that has somehow recently gained credence. We learned from Snowden et al. that the NSA compromised routers by injecting chips or code in-transit from manufacture (or Amazon?). Something similar could be slipped into the supply chain. The denials seem crafted to deny this in “servers”. Maybe true. What about desktops, laptops, or phones? From my blog, TechWite, in Feb. 2015: “I met an insider years ago (p.s. – Pre-Snowden), who told me he was convinced Lenovo had code embedded in the computer ROM that allowed Chinese authorities full access to the device. He gave up on trying to expose this security “flaw” after everyone, including the FBI, told him he was paranoid. So, who’s paranoid now?”—Christo
Homeland’s response of “no reason to doubt” falls a little short of a complete denial.
To me this reporting seems a little too convenient for the administration’s ongoing campaign to convince everyone to support their potentially expensive China trade war.
The timing is highly suspicious. Smack in the middle of the build-up for a massive trade war with China. Also, I don’t like the fact that government institutions like DHS or the British NCSC appear to be frantically backing up private companies. Sure, the US government might have a vested interest since Apple and Amazon are major US corporations. But what’s in it for the Brits?
OTOH, this is a rather outrageous scenario and apparently it did have the expected effect on Supermicro stock. So that would make you wonder if the story is essentially just a means to manipulating the stock market in a desired fashion.
I really don’t know which side to believe at this point.
Bloomberg has a new Chinese hardware hacking story based on a single report that Supermicro has not responded to yet: https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom.
An interesting development
New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom
Jordan Robertson
Yes I mentioned that one earlier today.
Doesn’t appear to be directly related to the previous article though.
Another take on this latest article, comments on how big a problem this could well be and suggestion that an SEC investigation is in order.
Yossi Appleboum on How Bloomberg is Positioning His Research Against Supermicro
The containment of the story within Supermicro always worried me, I have to say. The strategy and execution seem so evolved I found it hard to believe that they would have had only one target. I think it’s probably safe to expect more stories about alternate approaches.
And it all speaks to the ever-lengthening list of items the public are losing their faith in, so it behooves companies to speak clearly and forthrightly here, much as Apple did. It has all the hallmarks of a sticky idea; it’s going to be difficult to counter.
I think what we are most likely to find out is that Bloomberg got it (almost) 100% wrong. They got hold of some misunderstood comment and talked to people who didn’t have actual facts and blew up a story that simply wasn’t there.
I follow a few security people on Twitter and one of them (and people he is re-tweeting) are expressing strong doubts about this new Ethernet jacking story.
Good overall story expressing doubts with updates about the new Bloomberg story: https://motherboard.vice.com/en_us/article/qv9npv/bloomberg-china-supermicro-apple-hack
And the main Twitter thread I saw yesterday expressing doubt (retweeted by Google researcher Tavis Ormandy): https://twitter.com/marcan42/status/1049687546945392640
Another, from one of the expert sources of the first story who has since said that he has doubts about the original Apple/Amazon story:
And not that supply chain spying isn’t or couldn’t be a problem, it just sounds as if these two stories aren’t evidence of it. Or at least that security researchers need some more detail in order to comment with confidence about it, and even an expert source has doubts.
It will be interesting to see how this new development plays out:
Tim Cook is now calling for Bloomberg to retract the story, which is unprecedented.
Super Micro’s audit turned up nothing.
It’s a year later and several articles are revisiting the topic. There’s still no proof that any of Bloomberg’s claims were true.