Last week, Bloomberg Businessweek published a bombshell report alleging that U.S. federal investigators had found sabotaged hardware built in China and sold widely throughout American supply chains — Apple, Amazon, and even the CIA had been using tampered chips in their data center motherboards, the report claimed.
The companies involved all strenuously denied the story, and Apple went so far as to write “a letter to the Senate and House commerce committees that the company had repeatedly investigated and found no evidence for the main points in a Bloomberg Businessweek article,” according to Reuters. Britain’s National Cyber Security Centre and even the U.S. Department of Homeland Security joined in, saying they had “no reason to doubt denials from Apple and Amazon.com Inc that they had discovered backdoored chips.”
The Bloomberg Businessweek report was based on sources including “three Apple insiders” and “six U.S. officials.” We are told the officials span both the Obama and Trump administrations. “In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks,” Bloomberg says, though most remained anonymous “because of the sensitive, and in some cases classified, nature of the information.”
Now, one of the few named sources in the original story — Joe FitzPatrick, a hardware security expert, who is only quoted in relation to a hypothetical scenario where a piece of “hardware opens whatever door it wants” — says he highly doubts the report is accurate.
- FitzPatrick was interviewed on Risky Business, a podcast that features “news and in-depth commentary from security industry luminaries.”
- He says that nearly every technical detail in the story appears to have come directly from conversations he had with one of the reporters, Jordan Robertson.
- “Either I have excellent foresight, or something else is going on,” FitzPatrick says.
- The hack as described “doesn’t make sense because there are so many easier ways to do this… There are software, there are firmware approaches, and the approach that you’re describing, it’s not scalable, it’s not logical, it’s not how I would do it, or how anybody I know would do it.”
- The technical details are “jumbled,” but “not outright wrong,” he adds, emphasizing multiple times that he regularly encounters difficulty in getting even software experts to record the details on hardware correctly, let alone journalists — “I didn’t speak with any fact checkers. I see a lot of details that I gave out of context.”
- FitzPatrick raised his concerns with Bloomberg as the story was initially described to him before publishing — “Wow, this doesn’t make sense,” he remembers as his reaction — and after publishing, in an email, but both times was reassured that other sources had corroborated the details of the hacking.
- Bloomberg stands by its reporting: “The specific ways the implant worked were described, confirmed, and elaborated on by our primary sources who have direct knowledge of the compromised Supermicro hardware,” it told Axios.
- And Bloomberg published another story on a different reported hack at Supermicro, which alleges, “Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector”: “New evidence of hacked Supermicro hardware found in U.S. telecom” (porous paywall).
But other experts have also raised doubts, both because of the technical details and because of the kind of denials the companies have given.
- The “grain of rice” size of the alleged chip implant raised red flags for multiple experts.
- FitzPatrick points out that the picture of a tiny chip implant featured in the story appears to be the exact same model of a coupler component that he showed the reporters when asked about various microchip components. Some in China also noticed it was a standard component — one skeptical article circulating on WeChat was titled (in Chinese), “The ‘spy chips’ that Bloomberg exposed? I can buy them on Taobao for 1 yuan.”
- “It would be amazing for China if it could integrate internal storage, a CPU and wireless communications in such a tiny chip,” Zhang Baichuan, a Chinese cybersecurity expert, told SCMP, adding, “The fact is, China’s chip technology is still at a primary stage.”
- And the companies’ specific denials make it extremely unlikely they are lying: “The companies [would] risk enforcement by the FTC for engaging in a deceptive act that is likely to harm consumers,” David Vladeck, Georgetown professor and former head of the Federal Trade Commission’s Bureau of Consumer Protection, told Axios.
What does this all mean in the end? One possibility is that someone is lying: either the U.S. government — after all, the damage to the reputation of Chinese technology is done, and in that sense, it won’t matter if the story is true or not — or the companies. But Axios points out that there is at least one other possibility, though it is unclear if this is more likely:
- “It’s possible that well-meaning sources confused malware Apple reportedly found in Supermicro firmware with a hardware-based espionage campaign. The two are not equivalent — the firmware problem was quickly dealt with.”
- FitzPatrick, for what it’s worth, also speculated that this kind of confusion about the technical details could have tripped up either a source or the Bloomberg journalists.