Apple Categorically Denies Businessweek’s China Hack Report

Originally published at: https://tidbits.com/2018/10/08/apple-categorically-denies-businessweeks-china-hack-report/

Bloomberg Businessweek last week published a bombshell article that alleges that Chinese spies inserted a malicious chip into servers used by Apple and other technology companies. Apple has unequivocally denied everything. Who to believe?

Although there have been some suggestions that such an attack is technically feasible, our contacts with hardware manufacturing experience are extremely dubious that this particular one could have taken place as described without anyone noticing, and our contacts in security reporting haven’t heard anything about this from their sources. So we are currently assuming that Apple is telling the truth about not having found malicious chips in its servers.

Something that also raises a question mark for me is that any outside firm or outsider would benefit enormously by revealing their identities as well as details about what exactly went wrong with the chips.

But Businessweek isn’t a fly-by-night publication, and there are too many sources quoted and details given for the reporters to just be confused. So unless it’s all an elaborate fiction that somehow snuck by the publication’s editors, we remain unable to explain why Businessweek published the piece in the face of such categorical denials.

I have enormous respect for Bloomberg and Business Week, and I have the highest respect for their reporting. But publications I also have the highest respect for have, with the best intentions, published stories that proved to be horrendously wrong. A few examples:

Janet Cooke at the Washington Post, who won a Pulitzer for what turned out to be fake news:

https://www.washingtonpost.com/archive/lifestyle/1996/05/09/janet-cookes-untold-story/23151d68-3abd-449a-a053-d72793939d85/?utm_term=.b912fe254fcb

Jayson Blair at the New York Times:

https://www.nytimes.com/2003/05/11/us/correcting-the-record-times-reporter-who-resigned-leaves-long-trail-of-deception.html

Stephen Glass at the New Republic:

https://www.vanityfair.com/magazine/1998/09/bissinger199809

(Shattered Glass, the movie about this scandal, is excellent, especially since it foreshadows how digital footprints and social media can affect the gathering and publication of news.)

In each case, their editors were duped by reporters who could craft very readable text about stories that audiences would want to believe and who would buy, and hopefully subscribe, to the journals.

Bloomberg has reportedly published unfounded articles in the past, but I can’t find the reference right now.

At best, I suppose both sides could be partially correct.

-Al-

This is old news that has somehow recently gained credence. We learned from Snowden et al. that the NSA compromised routers by injecting chips or code in-transit from manufacture (or Amazon?). Something similar could be slipped into the supply chain. The denials seem crafted to deny this in “servers”. Maybe true. What about desktops, laptops, or phones? From my blog, TechWite, in Feb. 2015: “I met an insider years ago (p.s. – Pre-Snowden), who told me he was convinced Lenovo had code embedded in the computer ROM that allowed Chinese authorities full access to the device. He gave up on trying to expose this security “flaw” after everyone, including the FBI, told him he was paranoid. So, who’s paranoid now?”—Christo

Homeland’s response of “no reason to doubt” falls a little short of a complete denial.

To me this reporting seems a little too convenient for the administration’s ongoing campaign to convince everyone to support their potentially expensive China trade war.

The timing is highly suspicious. Smack in the middle of the build-up for a massive trade war with China. Also, I don’t like the fact that government institutions like DHS or the British NCSC appear to be frantically backing up private companies. Sure, the US government might have a vested interest since Apple and Amazon are major US corporations. But what’s in it for the Brits?

OTOH, this is a rather outrageous scenario and apparently it did have the expected effect on Supermicro stock. So that would make you wonder if the story is essentially just a means to manipulating the stock market in a desired fashion.

I really don’t know which side to believe at this point.

Bloomberg has a new Chinese hardware hacking story based on a single report that Supermicro has not responded to yet: https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom.

New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom - Bloomberg

An interesting development

https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom?utm_campaign=news&utm_medium=bd&utm_source=applenews


Yes I mentioned that one earlier today.

Doesn’t appear to be directly related to the previous article though.

-Al-

Another take on this latest article, comments on how big a problem this could well be and suggestion that an SEC investigation is in order.

Yossi Appleboum on How Bloomberg is Positioning His Research Against Supermicro

https://www.servethehome.com/yossi-appleboum-disagrees-bloomberg-is-positioning-his-research-against-supermicro/

-Al-

The containment of the story within Supermicro always worried me I have to say. The strategy and execution seem so evolved I found it hard to believe that they would have had only one target. I think it’s probably safe to expect more stories about alternate approaches.

And it all speaks to the ever-lengthening list of items the public are losing their faith in, so it behooves companies to speak clearly and forthrightly here, much as Apple did. It has all the hallmarks of a sticky idea; it’s going to be difficult to counter.

I think what we are most likely to find out is that Bloomberg got it (almost) 100% wrong. They got hold of some misunderstood comment and talked to people who didn’t have actual facts and blew up a story that simply wasn’t there.

I follow a few security people on Twitter and one of them (and people he is re-tweeting) are expressing strong doubts about this new Ethernet jacking story.

Good overall story expressing doubts with updates about the new Bloomberg story: https://motherboard.vice.com/en_us/article/qv9npv/bloomberg-china-supermicro-apple-hack

And the main Twitter thread I saw yesterday expressing doubt (retweeted by Google researcher Tavis Ormandy): https://twitter.com/marcan42/status/1049687546945392640

Another, from one of the expert sources of the first story who has since said that he has doubts about the original Apple/Amazon story:

And not that supply chain spying isn’t or couldn’t be a problem, it just sounds as if these two stories aren’t evidence of it. Or at least that security researchers need some more detail in order to comment with confidence about it, and even an expert source has doubts.

It will be interesting to see how this new development plays out:

Tim Cook is now calling for Bloomberg to retract the story, which is unprecedented.

Super Micro’s audit turned up nothing.

It’s a year later and several articles are revisiting the topic. There’s still no proof that any of Bloomberg’s claims were true.