Color us confused. Last week, Bloomberg Businessweek published a long, detail-filled story alleging that Chinese spies had compromised America’s technology supply chain by inserting a malicious chip into servers used by as many as 30 major technology companies, including Apple.
It’s a bombshell of an article, but an odd one, specific in places yet vague about what these alleged chips actually did. Plus, all sources were anonymous, which isn’t unusual for an article that involves government-level industrial espionage and national security, but it’s surprising that the article doesn’t quote any outside experts on the record.
In response, Apple released a public statement, saying bluntly that everything the article claims about Apple is completely untrue:
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
Finally, in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.
Apple’s statement has none of the tenor of a company trying to cover up untoward behavior, and if anything, it sounds as though the company is fed up with Bloomberg’s questions and allegations. Since then, both the US Department of Homeland Security and Britain’s National Cyber Security Center have said that they have no reason to doubt Apple’s statement. Plus, BuzzFeed’s John Paczkowski reported that multiple senior Apple executives “all denied and expressed confusion” with the report. And Apple has now sent a letter to Congress reiterating these denials.
In addition, Apple and Amazon, which also denied the article’s scenario, are both $1 trillion public companies that routinely face and sometimes lose lawsuits over product representations. Their statements are so specific, cover so much, and are so definitive that both companies would have an enormous liability should it come out that they were lying.
Although there have been some suggestions that such an attack is technically feasible, our contacts with hardware manufacturing experience are extremely dubious that this particular one could have taken place as described without anyone noticing, and our contacts in security reporting haven’t heard anything about this from their sources. So we are currently assuming that Apple is telling the truth about not having found malicious chips in its servers.
But Businessweek isn’t a fly-by-night publication, and there are too many sources quoted and details given for the reporters to just be confused. So unless it’s all an elaborate fiction that somehow snuck by the publication’s editors, we remain unable to explain why Businessweek published the piece in the face of such categorical denials.