Apple Categorically Denies Businessweek’s China Hack Report

Color us confused. Last week, Bloomberg Businessweek published a long, detail-filled story alleging that Chinese spies had compromised America’s technology supply chain by inserting a malicious chip into servers used by as many as 30 major technology companies, including Apple.

It’s a bombshell of an article, but an odd one, simultaneously specific in places while vague about what these alleged chips actually did. Plus, all sources were anonymous, which isn’t unusual for an article that involves government-level industrial espionage and national security, but it’s surprising that the article doesn’t quote any outside experts on the record.

In response, Apple released a public statement, saying bluntly that everything the article claims about Apple is completely untrue:

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

and

Finally, in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.

Apple’s statement has none of the tenor of a company trying to cover up untoward behavior, and if anything, it sounds as though the company is fed up with Bloomberg’s questions and allegations. Since then, both the US Department of Homeland Security and Britain’s National Cyber Security Center have said that they have no reason to doubt Apple’s statement. Plus, BuzzFeed’s John Paczkowski reported that multiple senior Apple executives “all denied and expressed confusion” with the report. And Apple has now sent a letter to Congress reiterating these denials.

In addition, Apple and Amazon, which also denied the article’s scenario, are both $1 trillion public companies that routinely face and sometimes lose lawsuits over product representations. Their statements are so specific, cover so much, and are so definitive that both companies would have an enormous liability should it come out that they were lying.

Although there have been some suggestions that such an attack is technically feasible, our contacts with hardware manufacturing experience are extremely dubious that this particular one could have taken place as described without anyone noticing, and our contacts in security reporting haven’t heard anything about this from their sources. So we are currently assuming that Apple is telling the truth about not having found malicious chips in its servers.

But Businessweek isn’t a fly-by-night publication, and there are too many sources quoted and details given for the reporters to just be confused. So unless it’s all an elaborate fiction that somehow snuck by the publication’s editors, we remain unable to explain why Businessweek published the piece in the face of such categorical denials.

Comments About Apple Categorically Denies Businessweek’s China Hack Report

Notable Replies

  1. Although there have been some suggestions that such an attack is technically feasible, our contacts with hardware manufacturing experience are extremely dubious that this particular one could have taken place as described without anyone noticing, and our contacts in security reporting haven’t heard anything about this from their sources. So we are currently assuming that Apple is telling the truth about not having found malicious chips in its servers.

    Something that also raises a question mark for me is that any outside firm or outsider would benefit enormously by revealing their identities as well as details about what exactly went wrong with the chips.

    But Businessweek isn’t a fly-by-night publication, and there are too many sources quoted and details given for the reporters to just be confused. So unless it’s all an elaborate fiction that somehow snuck by the publication’s editors, we remain unable to explain why Businessweek published the piece in the face of such categorical denials.

    I have enormous respect for Bloomberg and Business Week, and I have the highest respect for their reporting. But publications I also have the highest respect for have, with the best intentions, published stories that proved to be horrendously wrong. A few examples:

    Janet Cooke at the Washington Post, who won a Pulitzer for what turned out to be fake news:

    https://www.washingtonpost.com/archive/lifestyle/1996/05/09/janet-cookes-untold-story/23151d68-3abd-449a-a053-d72793939d85/?utm_term=.b912fe254fcb

    Jayson Blair at the New York Times:

    https://www.nytimes.com/2003/05/11/us/correcting-the-record-times-reporter-who-resigned-leaves-long-trail-of-deception.html

    Stephen Glass at the New Republic:

    https://www.vanityfair.com/magazine/1998/09/bissinger199809

    (Shattered Glass, the movie about this scandal, is excellent; especially since it foreshadows how digital footprints and social media can affect the gathering and publication of news.)

    In each case, their editors were duped by reporters who could craft very readable text about stories that audiences would want to believe and who would buy, and hopefully subscribe, to the journals.

  2. Bloomberg has reportedly published unfounded articles in the past, but can’t find the reference right now.

    At best, I suppose both sides could be partially correct.

    -Al-

  3. This is old news that has somehow recently gained credence. We learned from Snowden et al. that the NSA compromised routers by injecting chips or code in-transit from manufacture (or Amazon?). Something similar could be slipped into the supply chain. The denials seem crafted to deny this in “servers”. Maybe true. What about desktops, laptops, or phones? From my blog, TechWite, in Feb. 2015: “I met an insider years ago (p.s. – Pre-Snowden), who told me he was convinced Lenovo had code embedded in the computer ROM that allowed Chinese authorities full access to the device. He gave up on trying to expose this security “flaw” after everyone, including the FBI, told him he was paranoid. So, who’s paranoid now?”—Christo

  4. Homeland’s response of “no reason to doubt” falls a little short of a complete denial.

  5. To me this reporting seems a little too convenient for the administration’s ongoing campaign to convince everyone to support their potentially expensive China trade war.

  6. The timing is highly suspicious. Smack in the middle of the build-up for a massive trade war with China. Also, I don’t like the fact that government institutions like DHS or the British NCSC appear to be frantically backing up private companies. Sure, the US government might have a vested interest since Apple and Amazon are major US corporations. But what’s in it for the Brits?

    OTOH, this is a rather outrageous scenario and apparently it did have the expected effect on Supermicro stock. So that would make you wonder if the story is essentially just a means to manipulating the stock market in a desired fashion.

    I really don’t know which side to believe at this point.

  7. Yes I mentioned that one earlier today.

    Doesn’t appear to be directly related to the previous article though.

    -Al-

  8. The containment of the story within Supermicro always worried me I have to say. The strategy and execution seem so evolved I found it hard to believe that they would have had only one target. I think it’s probably safe to expect more stories about alternate approaches.

    And it all speaks to the ever lengthening list of items the public are losing their faith in so it beholdens companies to speak clearly and forthrightly here, much as Apple did. It has all the hallmarks of a sticky idea, it’s going to be difficult to counter.

  9. I think what we are most likely to find out is that Bloomberg got it (almost) 100% wrong. They got hold of some misunderstood comment and talked to people who didn’t have actual facts and blew up a story that simply wasn’t there.

  10. I follow a few security people on twitter and one of them (and people he is re-tweeting) are expressing strong doubts about this new Ethernet jacking story.

    Good overall story expressing doubts with updates about the new Bloomberg story: https://motherboard.vice.com/en_us/article/qv9npv/bloomberg-china-supermicro-apple-hack

    And the main twitter thread I saw yesterday expressing doubt (retweeted by Google researcher Tavis Ormandy): https://twitter.com/marcan42/status/1049687546945392640

    Another, from one of the expert sources of the first story who has since said that he has doubts about the original Apple/Amazon story:

    And not that supply chain spying isn’t or couldn’t be a problem, it just sounds as if these two stories aren’t evidence of it. Or at least that security researchers need some more detail in order to comment with confidence about it, and even an expert source has doubts.

  11. It will be interesting to see how this new development plays out:
