The jury is still out, but this isn’t looking great for Bloomberg:
The veracity of a bombshell yarn claiming Chinese agents managed to sneak spy chips into Super Micro servers used by Amazon, Apple and the US government is still being fiercely argued over five days after publication. […]
Faced with such uncertainty, some are reaching for a unifying explanation: that Bloomberg was misled by some in the intelligence community that wish, for their own reasons, to raise the specter of Chinese interference in the global electronics supply chain. Bloomberg could be accurately reporting an intelligence misinformation campaign. […]
On the possible failure of adequate fact checking, earlier this week one of the security experts that Bloomberg spoke to in order to explain how the claimed spy chip would actually work, Joe Fitzpatrick, gave an interview to Aussie veteran infosec journalist Patrick Gray in which Fitzpatrick said he had told the Bloomberg spy-chip reporters of his doubts that it was feasible and that he was “uncomfortable” with the final article.
An NSA official is also pushing back:
Rob Joyce, Senior Advisor for Cybersecurity Strategy at the NSA, is the latest official to question the accuracy of Bloomberg Businessweek’s bombshell “The Big Hack” report about Chinese spies compromising the U.S. tech supply chain.
“I have pretty good understanding about what we’re worried about and what we’re working on from my position. I don’t see it,” said Joyce, speaking at a U.S. Chamber of Commerce cyber summit in Washington, D.C. today, according to a subscriber-only Politico report viewed by MacRumors.
“I’ve got all sorts of commercial industry freaking out and just losing their minds about this concern, and nobody’s found anything,” Joyce added.
Twitter user Hector Martin (@marcan42) had a fierce response to Bloomberg’s second story on the alleged Chinese hardware hacking:
Ah, I see, Bloomberg. So instead of a (partial) retraction of your at least half if not fully bullshit China implant story, you’re going to now publish *one guy’s* claim of Ethernet jack implants. When you had <5 days to check anything he provided.
Remember when a certain other security researcher was convinced his Ethernet jacks had implants? Remember all this “evidence”? How *we* knew it was BS? Now consider whether Bloomberg’s technically clueless journalists would know it’s BS.
Seriously, this is just pathetic now. They just went from “1 year and multiple sources” to “<5 days and one guy”. This is just negligence.
Why is it that every time something like this happens nobody has any hard documentation or analysis results? Ah yes, the best cop-out. “We don’t have it any more, we can’t give you more details”.
So now we have *software* detecting *analog* stuff like the “power consumption” of a *network*.
None of those words go together. At all.
Basically every Ethernet jack I’ve seen in anything but cheapo consumer routers/switches has been metal. How the hell is this an IOC?
Never mind that… Ethernet jacks don’t have power pins. Where is this module (that uses so much power that it gets hot) magically powering itself from? Nobody runs PoE out to servers. Did they modify the board design to add power pins too?
Commenting on the above thread, Joe Fitzpatrick had this to say:
I was contacted and declined to give comment for this story. I explained this wasn’t the first time this year someone was making this claim.
@marcan42 has experience debunking claims of ‘backdoored’ Ethernet jacks. Details in this story are almost identical to last time.
Sepio systems also shared a document with me yesterday. It had juicy details about rogue hardware.
It was a marketing 1-pager.
Whatever the truth of the matter, Yossi Appleboum, the ex-Israeli intelligence guy cited in Bloomberg’s follow-up story, gets the last word:
We found it in different vendors, not just Supermicro. We found it not just in servers, in different variations, but hardware manipulation on different interfaces, mostly in network related. We found it in different devices connected to the network, even Ethernet switches. I am talking about really big what are considered to be major American brands, many compromised through the same method.
This is why I think that Supermicro has nothing to do with that. In many cases, by the way, it is not through manufacturing, it is after through the supply chain.
People think of the supply chain in a very narrow sense between the manufacturer and the customer. Supply chain never ends. There are technicians, there are integrators, there are people that work in your facilities. We have seen after installation, after the fact attacks where someone switched something already installed. This is why Supermicro would have no idea what happens later in the supply chain. […]
We have a problem. The problem is the hardware supply chain. All of us are dealing with what happened to Supermicro, and whether Amazon knew or did not know. That is not the main issue for me. The main issue is that we have a problem. It is global. This is why I think Supermicro is suffering from the big players. I am talking about the really big players who know that they have the same problem, and they are kind of using the story right now to throw Supermicro under the bus instead of coming out and saying that it is a global problem, let’s fix it and find a solution.