This article is more than 1 year old
Super Micro China super spy chip super scandal: US Homeland Security, UK spies back Amazon, Apple denials
Officials: Not saying Bloomberg was wrong, we just believe biz saying Bloomberg was wrong
Updated UK spymasters and US Homeland Security officials have supported Western tech companies' denials that Chinese agents were able to smuggle hidden surveillance chips into Super Micro servers.
Mainstream media megastructure Bloomberg reported last week that Beijing's military intelligence pressured or bribed a Chinese manufacturing subcontractor of US-based Super Micro to include a small secret spy chip in the server maker's motherboards. The supposedly grain-of-rice-sized chips were inserted to give China a backdoor into the computers, allowing data to be silently altered or stolen from afar by the Chinese government, Bloomberg's numerous sources claimed.
Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?READ MORE
Among the 30 or so organizations that apparently received these bugged machines, ranging from a major bank to US government contractors, were Apple and Amazon, according to Bloomberg's sources. Rather than run the usual "we do not comment on rumor or speculation, especially regarding national security" lines via spokespeople, Apple, Amazon, and Super Micro issued scathing rebuttals, denying the wiretapped servers ever existed nor were ever shipped nor were ever received. They also denied holding internal investigations with the FBI.
The companies have since been backed by security agencies of two key Five Eyes nations, the UK and America. Crucially, the agencies stopped short of saying Bloomberg got it wrong – they're just agreeing with those who claim Bloomberg got it wrong.
Britain's National Cyber Security Center – part of spying nerve-center GCHQ – kicked off the weekend by saying: “We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS [Amazon Web Services] and Apple. The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us.”
Then on Saturday, Uncle Sam's Department of Homeland Security concurred in no uncertain terms:
Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.
If that was a shot, then here's a chaser: Reuters reporting that Apple and the FBI's top lawyers having no idea what Bloomberg was on about:
Apple’s recently retired general counsel, Bruce Sewell, told Reuters he called the FBI’s then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer Inc, a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips.
“I got on the phone with him personally and said, ‘Do you know anything about this?,” Sewell said of his conversation with Baker. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and said ‘Nobody here knows what this story is about.’”
Infosec pros have also started criticizing Bloomberg for the lack of hard data and technical information to support the story, beyond its 17 anonymous sources. One particularly annoying thing is that the graphics used in the blockbuster article – depicting the spy chip and its placement on the board – look to be purely illustrative, making it difficult to verify the claims or even check if a server motherboard has one of Beijing's bugs.
Top software vulnerability hunter Tavis Ormandy, of Google's Project Zero, summed up the difficulty of believing anonymous sources versus on-the-record denials: “We can't prove [the spy chip] doesn't exist any more than we can prove sasquatch doesn't exist. This is starting to feel like chemtrail territory.”
On the one hand, you have Bloomberg, which has rigorous and extremely high editorial standards: article errors requiring corrections can be career-ending. It is bonkers to think it would have screwed up a story this huge.
On the other hand, we have unusually direct denials from tech companies – the kind that if found to be lies would fall foul of securities fraud laws – and now government officials supporting those rebuttals. If tech giants and governments had spent a little less energy spinning their way out of sticky situations in the past, their statements could be taken a little more seriously.
Ultimately, at least more people are now aware of supply chain security, an area that deserves extra scrutiny. ®
Updated to add
Apple has doubled down on its denial of Bloomberg's Super Micro spy chip bombshell in a letter this week to the US House and Senate commerce committees. Specifically, it's addressed to the House Committee on Commerce, Science and Transportation, and the Senate Committee on Energy and Commerce.
Signed by VP for information security George Stathakopoulos, the missive provides a more detailed rebuttal of the story than Cupertino offered in its public statement last week.
Stathakopoulos wrote: “In the end, our internal investigations contradict every consequential assertion made in the article – some of which, we note, were based on a single anonymous source.
“Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server”, the letter added, and as for the FBI, Apple asserted that it didn't contact the Feds, and the Feds didn't contact Apple.
The letter also made the point that if the chips were exfiltrating data, they would need to communicate with the outside world.
“In the situation Bloomberg describes, the so-called compromised servers were allegedly making outbound connections. Apple's proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found.”