Bloomberg Businessweek has dropped a bombshell: Chinese intelligence — agents of the People's Liberation Army — forced factories in China to add tiny spy chips to server boards being manufactured for industry-leading Super Micro, to be sold to industry giants like Apple and Amazon. Their boards and servers literally provide the hearts and minds for many of the world's data centers, large and small. And, the report says, they've been hacked at the hardware level.
December 11, 2018: Super Micro: No 'Big Hack' malicious chips found in motherboards
A third-party audit of Super Micro motherboards, old and new, has found zero evidence of the 'big hack' hardware spy chips Bloomberg alleged were sold to Amazon, Apple, and dozens of other tech companies.
Given Apple and Amazon's strong denials and the lack of any corroborating reporting from other outlets like The Washington Post or the New York Times, this is looking worse and worse for Bloomberg.
October 7, 2018: Named source in "The Big Hack" has doubts about the story
A new episode of Risky.Biz reveals that "Big Hack" technical source Joe FitzPatrick "has concerns about Bloomberg's reporting..."
October 7, 2018: Apple VP of Information Security tells Congress no signs of Big Hack
October 6, 2018: DHS says it has 'no reason to doubt statements' on Big Hack from Apple & Amazon
From the U.S. Department of Homeland Security:
October 5, 2018: Former Apple General Counsel, Bruce Sewell: Nobody at the FBI knew what the SuperMicro story was about
Bruce Sewell retired earlier this year after a long and successful career culminating in his time as Apple General Counsel. Here's what he had to say about the Super Micro story as reported by Bloomberg.
According to Bloomberg, the hardware hack was discovered when Amazon decided to buy Super Micro customer and streaming-video disruptor Elemental Technologies, but first had sample servers sent to Canada for a security evaluation.
The result, again according to Bloomberg:
If true, it's impossible to downplay the severity of this: compromised streaming servers running in the data centers of not only the world's biggest technology companies but the intelligence and defense apparatus of the U.S. Government.
(Bloomberg doesn't state whether any other countries use these servers in similar ways but, given Super Micro's position in the market, it's difficult to imagine they don't.)
Now, hardware attacks are nothing new. We've seen everything from juice-jacking, where a compromised USB charging port injects malware into any device that connects to it, to interception attacks where agencies, including U.S. intelligence agencies according to Edward Snowden, grabbed devices in transit and compromised them before they reached their destination.
What this alleges, though, is deeper and far wider ranging than any of that.
Here's how the attack supposedly worked:
- A Chinese military unit designed and manufactured microchips as small as a sharpened pencil tip. Some of the chips were built to look like signal conditioning couplers, and they incorporated memory, networking capability, and sufficient processing power for an attack.
- The microchips were inserted at Chinese factories that supplied Supermicro, one of the world's biggest sellers of server motherboards.
- The compromised motherboards were built into servers assembled by Supermicro.
- The sabotaged servers made their way inside data centers operated by dozens of companies.
To get the chips into the motherboards, Bloomberg says an age-old bribe/threat model was used. Plant managers at the factories where production had been outsourced were offered money and, if that didn't work, threatened with business-closing inspections.
And here's what Bloomberg says they did:
There's been some debate about the technical accuracy and acumen of Bloomberg's reporting. So much so that, with something this important, I wish they'd engaged a high-level information security expert as technical editor before publishing.
Whether a chip as described could do what Bloomberg says it did, and whether the group described could have produced such a chip, are among the points being debated.
Bloomberg alleges these compromised boards found their way into over 30 U.S. companies, including banks, U.S. military and defense agencies, Amazon, and, right up there in the headline, Apple.
Now, issues between Apple and Super Micro have been reported before.
In February of 2017, The Information wrote:
At the time, Apple's response to The Information was:
The servers were described as being used by the Apple-acquired Topsy Labs team to improve App Store and Siri Search, something echoed by Bloomberg.
Why Apple would wait so long to take action, given the severity of the circumstances alleged, isn't addressed by Bloomberg.
Apple's response to Bloomberg was, in a word, savage. I've been covering Apple for a decade and I can't recall ever seeing anything as aggressive or encompassing as this.
Here's what Apple shared with me and other outlets. And, yeah, I know, so much reading so far... but this is important and really has to be presented in full to be understood in full:
Apple has since greatly expanded on that, including denying any gag order or secrecy obligation is in place, in a Newsroom post.
Just as I was about to post this, Amazon also pushed out a refutation every bit as aggressive and encompassing. I'll spare you the full text of that, but will share the best part here and link to the full statement above.
Here you have what should be one of the most respected business publications in the industry with a years-long report that, presumably, had its fact checkers' fact checks fact checked, and on the other side, the biggest tech companies in the world, public companies that are subject to the SEC and shareholder lawsuits, issuing statements that contradict it in the strongest terms possible.
About the only thing everyone agrees on is that there's no evidence any customer data — any of our data — has been compromised.
Now, just as I pointed out The Information had previously reported on Apple and Super Micro, I'd be remiss if I didn't point out that Bloomberg has gotten Apple wrong in the past, including and especially its reports that iPhone X wasn't selling — something that I called at the time a failure verging on malpractice that, combined with similar coverage from similar outlets, needed to be carefully vetted for potential market manipulation by the usual hedge fund suspects.
Bloomberg also holds the distinction of drawing the previous record for aggressive PR response, when it claimed Apple had sacrificed Face ID security in order to increase manufacturing yields, a rebuttal that was almost Steve Jobs-ian in its terse fury.
So, where does this leave us?
One, Bloomberg could have gotten this catastrophically wrong. Through some mix of broken telephone, rumor mutation, and the constant need to get Apple into headlines, the story as written could have elements of truth but in broad strokes and details simply not have gotten it right. For a major publication, that would be a bloody nose to say the least. Though, we now live in a day and age where previously career-ending incidents sometimes aren't even remembered a few hours later.
Two, Apple and Amazon could be lying. A gag order would result in no comment. Compartmentalization, where executives know things PR does not, may fly for a standard rebuttal but not for anything as extreme as we're seeing. This isn't PR in the dark. This is PR unleashed, Kraken style. They're not even parsing words or hiding attribution. They're closing holes and stamping their names. And, as public companies, that's more than risking a bloody nose. It's risking the liver shot of federal investigation and civil lawsuits. There's no crime that we know of here to cover up. Apple, Amazon, and others are victims. No risk assessment makes that make sense.
Three, something else entirely could be going on. As with iPhone X sales reports being manipulated for stock shorting purposes, there could be elements at play trying to manipulate companies, markets, and sentiments in aid of or against anything and everything from trade agreements to security agendas. That's an incredibly conspiratorial stance to take on any of this, but given how media can and will be manipulated these days, it's better to leave nothing off the table.
No matter what you choose personally to believe, the risk is so great here because eventually the truth will come out. If there is or was an FBI investigation, that will come out. And that's where none of this makes any sense.
I'm an optimist. I like to believe Bloomberg would fact-check the hell out of all of this before printing word one. That they would have it cold. But I also like to believe no public company would risk refuting it this strongly if they weren't dead sure it was wrong.
The various accounts can't be reconciled. There are no multiple truths here. Someone got it wrong under circumstances where getting it wrong is catastrophic.
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.
The problem is the Internet which will conflate, elaborate, spin, mold, and modify Bloomberg’s claims as confirmed fact.
Study: 91 Percent of Apple Contributions Went to Democrats https://pjmedia.com/trending/study-91-percent-of-apple-contributions-wen...
Except nobody has done that. Every media outlet I've seen has excoriated Bloomberg for this nonsense
This is very likely a mistake on Bloomberg's part. The type of attack that is described is very upstream in the supply chain, where you need to spread to thousands of servers for you to potentially get one to your target (AWS or Apple). With something this widespread someone would have detected it, not just a 3rd party research company doing due diligence. Many cybersecurity experts and even the NSA itself use Supermicro server hardware. It wouldn't have taken long at all for the black/white hat community to find this within these three years. And say it's really hidden well, like not altering any BMC firmware at all unless it's where it's supposed to be; now that this is public knowledge, everyone is in full gear trying to find this. Just like what I was just doing, and you know what? Nothing was found. I would be very surprised if China was able to pull something this big off without anyone knowing for three whole years.
America, guilty until proven.
And another thing. All the headlines are screaming APPLE and AMAZON. What about the other 30 companies? Who are they? I have not read a single article that answers that question. Did Bloomberg release the names of those 30 companies or did they just tag Apple and Amazon because they are the biggest?
If you look at Bloomberg's story they spent a year researching it and have multiple sources. It is most likely correct, almost certainly correct. However it is in no one's interest to publicise this. Not Apple, or Amazon or the government. I think the government has known about this for some time and has quietly, behind the scenes, been altering its supply chain rules. Large companies probably know about it as well. Ultimately production needs to be moved away from China but this will take careful planning, and take years, and nobody wants a panic in the meantime. It is a very delicate situation. I don't think China can be trusted.
Time will most likely tell but so far there is no corroboration by anybody, not even independent researchers, and even some of their named sources claim they don't know what Bloomberg is talking about (more precisely, one source was asked to describe how, theoretically, this could be done and was surprised to find out that Bloomberg was able to verify about every single sentence he said; that's suspicious). If no third party is able to find any proof, Bloomberg will need to show what they have at some point.
Other theory: somebody fed a made up story to Bloomberg...
“To get the chips into the motherboards, Bloomberg says an ages-old bride/threat model was used“ So someone’s wife was threatened?
The Bloomberg story makes no sense. This chip magically intercepts OS code? What OS? What code? Windows? Linux? Which Linux? Solaris? This tiny chip is supposedly doing real-time analysis of the running OS, figuring out when “data” is coming across, not OS code? Huh? What data? Customer data? MP3 data? How is this chip supposed to know the difference between jpg/exe/drivers/OS code/actual data? All that is moving is a stream of bits. This reeks of accountants talking about programmers. Bloomberg is a financial reporting service. The people there generally have no clue about how hardware/software works. They are tracking stocks/market capitalization/sales trends and such. They mention Apple and Amazon only because they are #1 and #3 in market capitalization, so it is “important news”.
Without reading the whole story I think something happened and nobody wants to talk about it. Let's say the story is true? Oh boy.
If this is journalism, why hasn’t the veracity of the independent report been ascertained and documented before you ran this story?