- A Bloomberg report from last week alleged that Chinese spies had been able to malicious chips into servers made by SuperMicro, an American company.
- All parties involved have denied the report, including, most recently, secretary of the Department of Homeland Security, during a Senate hearing.
- Security professionals are also increasingly distancing themselves from the claims.
Last week, Bloomberg published a bombshell report about how Chinese spies managed to implant chips into computer servers made by SuperMicro, an American company.
If true, the report raised questions about whether sensitive US government and corporate data may have been accessed by Chinese spies, and whether it’s all data stored on PCs is essentially at risk.
But since then, a series of statements from government officials and information security professionals – including some named in the stories – have cast doubt about the report’s main claims.
On Wednesday, the secretary of the Department of Homeland Security denied the report in a Senate hearing – the strongest on-the-record government denial yet.
“With respect to the article, we at DHS do not have any evidence that supports the article,” Kirstjen Nielsen said on Wednesday. “We have no reason to doubt what the companies have said.”
(During the same hearing, FBI Director Chris Wray said that he couldn’t confirm nor deny the existence of any investigation into compromised SuperMicro equipment, which was claimed in the Bloomberg report.)
Nielsen’s denial comes on the same day as a senior NSA official said that he worries that “we’re chasing shadows right now.”
“I have pretty great access, [and yet] I don’t have a lead to pull from the government side,” Rob Joyce, perhaps the most public-facing NSA cybersecurity official, said at a U.S. Chamber of Commerce meeting.
“We’re just befuddled,” Joyce said, according to Cyberscoop.
Alex Stamos, Facebook’s former head of security, calledJoyce’s denial “the most damning point” against the story that he had seen.
The increasing doubt about Bloomberg’s claims come as lawmakers demand additional answers based on the series of reports. Sens. Richard Blumenthal and Marco Rubio asked SuperMicro to cooperate with law enforcement in a sharply worded letter on Tuesday. Senator John Thune also sent letters to Amazon and Apple, which Bloomberg said had purchased compromised servers.
Sources walk back
But government officials aren’t the only people who are now having second thoughts about the stories.
One prominent hardware security expert, Joe Fitzpatrck, who was named in the story, ended up doing a revealing podcast with a trade outlet that’s more technical than Bloomberg, Risky Business.
Journalists who write stories based on anonymous sources often call up experts to fill out some of the more general parts of a story and improve the story’s flow.
But Fitzpatrick said that’s not what happened.
“I feel like I have a good grasp at what’s possible and what’s available and how to do it just from my practice,” Fitzpatrick explained. “But it was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100% of what I described was confirmed by sources.”
He went on to say that he heard about the story’s specifics in late August and sent an email expressing major doubt. “I heard the story and it didn’t make sense to me. And that’s what I said. I said, ‘Wow I don’t have any more information for you, but this doesn’t make sense.'”
Several notable information security professionals used Fitzpatrick’s quotes as a jumping-off point to express their doubts with the story:
I just listened to this from start to finish and it seems Occam’s razor just cut the Bloomberg story to ribbons. https://t.co/C7nbu0EtYu
— matt blaze (@mattblaze) October 8, 2018
Incredible, really, that no Bloomberg fact-checker ever called Joe Fitz.
— Thomas Rid (@RidT) October 9, 2018
Bloomberg sticks by its story
— Bloomberg Crypto (@crypto) October 4, 2018
Bloomberg’s report was obviously explosive and had immediate effects.
Super Micro lost over 40% of its value the day of the report. Apple and Amazon, which the report said had bought compromised servers, fiercely denied the report in public statements.
While Bloomberg put out a statement that said that it stood by its reporting shortly after the first story, the loudest institutional support for the story came in a followup story by Bloomberg that said new evidence of hacked Supermicro hardware was found in a U.S. telecom.
Bloomberg didn’t name the affected telecom.
“The more recent manipulation is different from the one described in the Bloomberg Businessweek report last week, but it shares key characteristics: They’re both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China,” according to the Bloomberg followup report.
But even the source for the followup now says he’s “angry” about how the story turned out.
“I want to be quoted. I am angry and I am nervous and I hate what happened to the story. Everyone misses the main issue,” which is that it’s an overall problem with the hardware supply chain, not a SuperMicro-specific issue, Yossi Appleboum told Serve The Home.
But everyone says it’s possible
But the tricky thing about Bloomberg’s story is that nearly everyone agrees something like it could happen, it just didn’t happen the way the report suggests.
Security experts agree that the security of the factories that make electronics is an ongoing issue, even if no malicious chips have been found yet.
“What we can tell you though, is it’s a very real and emerging threat that we’re worried about,” Sec. Nielsen said shortly after saying she had no evidence in favour of the story.
And as one manufacturing expert told Business Insider, “I don’t actually think it’s hard to inject stuff that the brand or design team didn’t intentionally ask for.”
Chinese industrial espionage has been an issue for many years, and it’s a talking point for President Donald Trump, who accused Chinese exchange students of being “spies” earlier this year in a conversation with CEOs including Apple CEO Tim Cook.
But there is evidence that Chinese spies do spy on American companies. Earlier this week, a Chinese officer was extradited to the United States to face espionage charges related to stealing secrets from companies including GE Aviation.
The FBI also arrested a Chinese national earlier this year who had worked for Apple and allegedly was taking self-driving car information to a little-known Chinese startup.
So there’s a lot of evidence that there are spies who are actively working to steal American industrial secrets. Just maybe not with malicious chips inserted through the supply chain – yet.
Business Insider Emails & Alerts
Site highlights each day to your inbox.