Bloomberg Businessweek has dropped a bombshell: Chinese intelligence — agents of the People's Liberation Army — forced factories in China to add tiny spy chips to server boards being manufactured for industry-leading Super Micro, to be sold to industry giants like Apple and Amazon. Their boards and servers literally provide the hearts and minds for many of the world's data centers, large and small. And, the report says, they've been hacked at the hardware level.
December 11, 2018: Super Micro: No 'Big Hack' malicious chips found in motherboards
A third party audit of Super Micro motherboards, old and new, has found zero evidence of the 'big hack' hardware spy chips Bloomberg alleged were sold to Amazon, Apple, and dozens of other tech companies.
Given Apple and Amazon's strong denials and the lack of any corroborating reporting from other outlets like The Washington Post or the New York Times, this is looking worse and worse for Bloomberg.
October 7, 2018: Named source in "The Big Hack" has doubts about the story
A new episode of RISKY.BIZ reveals that the ' "Big Hack" technical source Joe Fitzpatrick has concerns about Bloomberg's reporting...'
October 7, 2018: Apple VP of Information Security tells Congress no signs of Big Hack
October 6, 2018: DHS says it has 'no reason to doubt statements' on Big Hack from Apple & Amazon
From the U.S. Department of Homeland Security:
October 5, 2018: Former Apple General Counsel, Bruce Sewell: Nobody at the FBI knew what the SuperMicro story was about
Bruce Sewell retired earlier this year after a long and successful career culminating in his time as Apple General Counsel. Here's what he had to say about the Super Micro story as reported by Bloomberg.
According to Bloomberg, the hardware hack was discovered when Amazon decided to buy Super Micro customer, and streaming video disruptor Elemental Technologies, but first had sample servers sent to Canada for a security evaluation.
The result, again according to Bloomberg:
If true, it's impossible to downplay the severity of this: Compromised steaming servers running in the centers of not only the world's biggest technology companies but the intelligence and defense apparatus of the U.S. Government.
(Bloomberg doesn't state whether any other countries use these servers in similar ways but, given Super Micro's position in the market, it's difficult to imagine they don't.)
Now, hardware attacks are nothing new. We've seen everything from Juice-Jacking, which compromised USB ports to inject malware into any device that tried to connect to them, to interception attacks where agencies, including U.S. intelligence agencies according to Edward Snowdown, grabbed devices during transit and compromise them before they got to their destination.
What this alleges, though, is deeper and far wider ranging than any of that.
Here's how the attack supposedly worked:
- A Chinese military unit designed and manufactured microchips as small as a sharpened pencil tip. Some of the chips were built to look like signal conditioning couplers, and they incorporated memory, networking capability, and sufficient processing power for an attack.
- The microchips were inserted at Chinese factories that supplied Supermicro, one of the world's biggest sellers of server motherboards.
- The compromised motherboards were built into servers assembled by Supermicro.
- The sabotaged servers made their way inside data centers operated by dozens of companies.
To get the chips into the motherboards, Bloomberg says an ages-old bride/threat model was used. Plant managers at the factories where production had been outsourced were offered money and, if that didn't work, threatened with business-closing inspections.
And here's what Bloomberg says they did:
There's been some debate about the technical accuracy and acumen of Bloomberg's reporting. So much so, with something this important, I wish they'd engaged a high-level information security expert as technical editor before publishing.
Whether a chip, as described, can do what's being described and whether or not the group being described could produce such a chip are among the debate topics.
Bloomberg alleges these compromised broads found their way into over 30 U.S. companies, including banks, U.S. military and defense agencies, Amazon, and similarly right up there in the headline, Apple.
Now, issues between Apple and Super Micro have been reported before.
In February of 2017, The Information wrote:
At the time, Apple's response to The Information was:
The servers were described as being used by the Apple-aquired Topsy Labs team to improve App Store and Siri Search, something echoed by Bloomberg.
Why Apple would wait so long to take action, given the severity of the circumstances alleged, isn't addressed by Bloomberg.
Apple's response to Bloomberg was, in a word, savage. I've been covering Apple for a decade and I can't recall ever seeing anything as aggressive or encompassing as this.
Here's what Apple shared with me and other outlets — and, yeah, I know, so much reading so far.. so much… but this is important and really has to be presented in full to be understood in full:
Apple has since greatly expanded on that, including denying any gag order or secrecy obligation is in place, in a Newsroom post.
Just as I was about to post this, Amazon also pushed out a refutation every bit as aggressive and encompassing. I'll spare you the full text of that, but will share the best part here and link to the full statement above.
Here you have what should be one of the most respected business publications in the industry with a years-long report that, presumably, had it's fact checkers fact checks fact checked, and on the other side, the biggest tech companies in the world, public companies that are subject to the SEC and shareholder lawsuits, issuing statements that contradict it in the strongest terms possible.
About the only thing everyone agrees on is that there's no evidence any customer data — any of our data — has been compromised.
Now, just as I pointed out The Information had previously reported on Apple and Super Micro, I'd be remiss if I didn't point out that Bloomberg has gotten Apple wrong in the past, including and especially its reports that iPhone X wasn't selling — something that I called at the time a failure verging on malpractice that, combined with similar coverage from similar outlets, needed to be carefully vetted for potential market manipulation by the usual hedge fund suspects.
Bloomberg also holds the distinction of drawing the previous aggressive PR response record when it claimed Apple had sacrificed Face ID security in order to increase manufacturing yields. Something that was almost Steve Jobs-ian in its terse fury.
So, where does this leave us?
One, Bloomberg could have gotten this catastrophically wrong. Through some mix of broken telephone, rumor mutation, and the constant need to get Apple into headlines, the story as written could have elements of truth but in broad strokes and details simply not have gotten it right. For a major publication, that would be a bloody nose to say the least. Though, we now live in a day and age where previously career-ending incidents sometimes aren't even remembered a few hours later.
Two, Apple and Amazon could be lying. A gag order would result in no comment, compartmentalization — where executives know things PR does not — may fly for a standard rebuttal but not anything as extreme as we're seeing. This isn't PR in the dark. This is PR unleashed, Kraken style. They're not even parsing words or hiding attribution. They're closing holes and stamping their names. And, as public companies, that's more than risking a bloody nose. It's risking the liver shot of federal investigation and civil lawsuits. There's no crime that we know of here to cover up. Apple, Amazon, and others are victims. No risk assessment makes that make sense.
Three, something else entirely could be going on. As with iPhone X sales reports being manipulated for stock shorting purposes, there could be elements at play trying to manipulate companies, markets, and sentiments in aid of or againt anything and everything from trade agreements to security agendas. That's an incredibly conspiratorial stance to take on any of this, but given how media can and will be manipulated these days, it's better leaving nothing on the table.
No matter what you choose personally to believe, the risk is so great here because eventually the truth will come out. If there is or was an FBI investigation, that will come out. And that's where none of this makes any sense.
I'm an optimist. I like to believe Bloomberg would fact-check the hell out of all of this before printing world one. That they would have it cold. But I also like to believe no public company would risk refuting it this strong if they weren't dead sure it was wrong.
The various accounts can't be reconciled. There are no multiple truths here. Someone got it wrong under circumstances where getting it wrong is catastrophic.
Master your iPhone in minutes
iMore offers spot-on advice and guidance from our team of experts, with decades of Apple device experience to lean on. Learn more with iMore!
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.