Is Bloomberg peddling fake news about Chinese hardware hacking?

Infosec hardware implants

The state of infosec right now (Credit: Colin O’Flynn)

The jury is still out, but this isn’t looking great for Bloomberg:

The veracity of a bombshell yarn claiming Chinese agents managed to sneak spy chips into Super Micro servers used by Amazon, Apple and the US government is still being fiercely argued over five days after publication. […]

Faced with such uncertainty, some are reaching for a unifying explanation: that Bloomberg was misled by some in the intelligence community that wish, for their own reasons, to raise the specter of Chinese interference in the global electronics supply chain. Bloomberg could be accurately reporting an intelligence misinformation campaign. […]

On the possible failure of adequate fact checking, earlier this week one of the security experts that Bloomberg spoke to in order to explain how the claimed spy chip would actually work, Joe Fitzpatrick, gave an interview to Aussie veteran infosec journalist Patrick Gray in which Fitzpatrick said he had told the Bloomberg spy-chip reporters of his doubts that it was feasible and that he was “uncomfortable” with the final article.

An NSA official is also pushing back:

Rob Joyce, Senior Advisor for Cybersecurity Strategy at the NSA, is the latest official to question the accuracy of Bloomberg Businessweek’s bombshell “The Big Hack” report about Chinese spies compromising the U.S. tech supply chain.

“I have pretty good understanding about what we’re worried about and what we’re working on from my position. I don’t see it,” said Joyce, speaking at a U.S. Chamber of Commerce cyber summit in Washington, D.C. today, according to a subscriber-only Politico report viewed by MacRumors.

“I’ve got all sorts of commercial industry freaking out and just losing their minds about this concern, and nobody’s found anything,” Joyce added.

Twitter user Hector Martin (@marcan42) had a fierce response to Bloomberg’s second story on the alleged Chinese hardware hacking:

Ah, I see, Bloomberg. So instead of a (partial) retraction of your at least half if not fully bullshit China implant story, you’re going to now publish *one guy’s* claim of Ethernet jack implants. When you had <5 days to check anything he provided.

Remember when a certain other security researcher was convinced his Ethernet jacks had implants? Remember all this “evidence”? How *we* knew it was BS? Now consider whether Bloomberg’s technically clueless journalists would know it’s BS.

Seriously, this is just pathetic now. They just went from “1 year and multiple sources” to “<5 days and one guy”. This is just negligence.

https://t.co/eReEXegOHZ

Why is it that every time something like this happens nobody has any hard documentation or analysis results? Ah yes, the best cop-out. “We don’t have it any more, we can’t give you more details”.

So now we have *software* detecting *analog* stuff like the “power consumption” of a *network*.

None of those words go together. At all.

Basically every Ethernet jack I’ve seen in anything but cheapo consumer routers/switches has been metal. How the hell is this an IOC?

Nevermind that… Ethernet jacks don’t have power pins. Where is this module (that uses so much power that it gets hot) magically powering itself from? Nobody runs PoE out to servers. Did they modify the board design to add power pins too?

Commenting on the above thread, Joe Fitzpatrick had this to say:

I was contacted and declined to give comment for this story. I explained this wasn’t the first time this year someone was making this claim.

@marcan42 has experience debunking claims of ‘backdoored’ ethernet jacks. Details in this story are almost identical to last time.

Sepio systems also shared a document with me yesterday. It had juicy details about rogue hardware.

It was a marketing 1-pager.

Whatever the truth of the  matter, Yossi Appleboum, the ex-Israeli intelligence guy cited in Bloomberg’s follow-up story, gets the last word:

We found it in different vendors, not just Supermicro. We found it not just in servers, in different variations, but hardware manipulation on different interfaces, mostly in network related. We found it in different devices connected to the network, even Ethernet switches. I am talking about really big what are considered to be major American brands, many compromised through the same method.

This is why I think that Supermicro has nothing to do with that. In many cases, by the way, it is not through manufacturing, it is after through the supply chain.

People think of the supply chain in a very narrow sense between the manufacturer and the customer. Supply chain never ends. There are technicians, there are integrators, there are people that work in your facilities. We have seen after installation, after the fact attacks where someone switched something already installed. This is why Supermicro would have no idea what happens later in the supply chain. […]

We have a problem. The problem is the hardware supply chain. All of us are dealing with what happened to Supermicro, and whether Amazon knew or did not know. That is not the main issue for me. The main issue is that we have a problem. It is global. This is why I think Supermicro is suffering from the big players. I am talking about the really big players who know that they have the same problem, and they are kind of using the story right now to throw Supermicro under the bus instead of coming out and saying that it is a global problem, let’s fix it and find a solution.

More evidence of massive Chinese hardware hack

Bloomberg has a new story out about China’s alleged tampering with the global hardware supply chain, revealing that an unnamed, major US telecom company discovered a malicious implant in a Supermicro server back in August. The source of the story seems credible (Bloomberg’s previous story on the Supermicro hacking did not name sources.)

If true, the scale of the potential damage from this hardware hacking is almost incomprehensible.

In the wake of Bloomberg’s reporting on the attack against Supermicro products, security experts say that teams around the world, from large banks and cloud computing providers to small research labs and startups, are analyzing their servers and other hardware for modifications, a stark change from normal practices. Their findings won’t necessarily be made public, since hardware manipulation is typically designed to access government and corporate secrets, rather than consumer data.

National security experts say a key problem is that, in a cybersecurity industry approaching $100 billion in revenue annually, very little of that has been spent on inspecting hardware for tampering. That’s allowed intelligence agencies around the world to work relatively unimpeded, with China holding a key advantage.

Brian Krebs has an insightful post about the issue on his security blog. Of particular interest:

The U.S. Government isn’t eager to admit it, but there has long been an unofficial inventory of tech components and vendors that are forbidden to buy from if you’re in charge of procuring products or services on behalf of the U.S. Government. Call it the “brown list, “black list,” “entity list” or what have you, but it’s basically an indelible index of companies that are on the permanent Shit List of Uncle Sam for having been caught pulling some kind of supply chain shenanigans.

More than a decade ago when I was a reporter with The Washington Post, I heard from an extremely well-placed source that one Chinese tech company had made it onto Uncle Sam’s entity list because they sold a custom hardware component for many Internet-enabled printers that secretly made a copy of every document or image sent to the printer and forwarded that to a server allegedly controlled by hackers aligned with the Chinese government.

And he identifies the crux of the issue:

Like it or not, the vast majority of electronics are made in China, and this is unlikely to change anytime soon. The central issue is that we don’t have any other choice right now. The reason is that by nearly all accounts it would be punishingly expensive to replicate that manufacturing process here in the United States. […]

Indeed, noted security expert Bruce Schneier calls supply-chain security “an insurmountably hard problem.”

The original Bloomberg piece, as he points out, also addresses what he calls “this elephant in the room.” Quote from that piece:

The problem under discussion wasn’t just technological. It spoke to decisions made decades ago to send advanced production work to Southeast Asia. In the intervening years, low-cost Chinese manufacturing had come to underpin the business models of many of America’s largest technology companies. Early on, Apple, for instance, made many of its most sophisticated electronics domestically. Then in 1992, it closed a state-of-the-art plant for motherboard and computer assembly in Fremont, Calif., and sent much of that work overseas.

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories.

As time goes on, the evidence mounts that offshoring advanced manufacturing to low-cost countries in Asia was an epochal blunder by the US. Now the US is abjectly dependent on a hardware supply chain that may be deeply compromised and there is no obvious way to fix or even detect its vulnerabilities. However, to call this “an insurmountably hard problem” is an exaggeration; it is merely staggeringly hard.

The solution would almost certainly have to involve moving a large amount of high-tech production back to the US. This would be terrifyingly expensive, but the US may not have a choice, and the economic benefits of creating all those new jobs and factories could be enormous.

Anything that has been offshored can be reshored. Anything that was invented in the US can be made in the US. If I’m wrong, please explain how.

US hardware supply chain compromised by Chinese spies

Supermicro

Holy moly, this is huge. A unit of the People’s Liberation Army secretly inserted tiny, malicious microchips into motherboards that were manufactured in Chinese factories for the US-based company Supermicro. These motherboards were used in expensive servers supplied to Amazon, Apple, the Department of Defense, the CIA, and the US Navy, among others. From a Bloomberg Businessweek investigation:

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.

This is really bad.* Say goodbye to US reliance on Chinese components. It will take time to reorient the global supply chain, but the effort is already underway. This scandal, which has been known (of course) to the Obama and Trump administrations, will only strengthen the case for manufacturing sensitive technologies in the US.

[…] Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

In the meantime, Mike Pence accuses China of a host of sins including interfering in the US democratic process:

Vice President Mike Pence escalated Washington’s pressure campaign against Beijing on Thursday by accusing China of “malign” efforts to undermine President Donald Trump ahead of next month’s congressional elections and reckless military actions in the South China Sea.

In what was billed as a major policy address, Pence sought to build on Trump’s speech at the United Nations last week in which he alleged that China was trying to interfere in the pivotal Nov. 6 midterm elections. Neither Trump nor Pence provided hard evidence of Chinese meddling.

That’s not quite right, as Pence mentions, for example, the widely noted Chinese advertising supplement in Iowa. From the transcript:

And China is also directly appealing to the American voters. Last week, the Chinese government paid to have a multipage supplement inserted into the Des Moines Register –- the paper of record of the home state of our Ambassador to China, and a pivotal state in 2018 and 2020. The supplement, designed to look like the news articles, cast our trade policies as reckless and harmful to Iowans.

I pointed out this bit of propaganda on September 23, referencing a tweet by Bloomberg’s Jennifer Jacobs. Trump then tweeted about on September 26. Read my blog to see the future!

Pence also calls on Google to “immediately end development of the ‘Dragonfly’ app that will strengthen Communist Party censorship and compromise the privacy of Chinese customers.” More about Dragonfly here.

===

*Only fair to link to Supermicro’s response to the Bloomberg piece:

SAN JOSE, Calif., October 4, 2018 — Super Micro Computer, Inc. (SMCI), a global leader in enterprise computing, storage, networking solutions and green computing technology, strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems.

In an article today, it is alleged that Supermicro motherboards sold to certain customers contained malicious chips on its motherboards in 2015. Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found.

Each company mentioned in the article (Supermicro, Apple, Amazon and Elemental) has issued strong statements denying the claims […]