Both Apple and Amazon have released VERY STRONG denial statements that bring the whole Bloomberg narrative into question. It's also convenient that no one has yet been able to verify or find any of these mysterious Chinese chips on any of the Supermicro servers in the wild.

So what is the real story here? Did Bloomberg reporters deliberately deceive everyone or were they deceived by the US IC ("intelligence community") as a way to scare technology companies from doing business in China?

Someone at the SEC should scrutinize SMCI shorts at the very least.
> In an appearance this morning on Bloomberg Television, reporter Jordan Robertson made further claims about the supposed discovery of malicious chips, saying, "In Apple's case, our understanding is it was a random spot check of some problematic servers that led to this detection."
> As we have previously informed Bloomberg, this is completely untrue. Apple has never found malicious chips in our servers.
> Finally, in response to questions we have received from other news organisations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.

It can't get much clearer than that. The whole story is quite weird. I don't know who should be believed but I've never read any such vehement denial. If Apple is lying they risk quite a bit of credibility here.
From 2016:
Report: Apple designing its own servers to avoid snooping
Apple suspects that servers are intercepted and modified during shipping.

"Apple has long suspected that servers it ordered from the traditional supply chain were intercepted during shipping, with additional chips and firmware added to them by unknown third parties in order to make them vulnerable to infiltration, according to a person familiar with the matter," the report said. "At one point, Apple even assigned people to take photographs of motherboards and annotate the function of each chip, explaining why it was supposed to be there. Building its own servers with motherboards it designed would be the most surefire way for Apple to prevent unauthorized snooping via extra chips."

https://arstechnica.com/information-technology/2016/03/report-apple-designing-its-own-servers-to-avoid-snooping/
The Norwegian National Security Authority (https://nsm.stat.no/english/) is quoted in a Norwegian paper today saying they knew about problems with Super Micro since at least June. https://www.vg.no/nyheter/i/xRkLep/storavis-hevder-kina-installerte-spionverktoey-i-maskinvare
I mean what was the alternative? To admit that your supply chain is compromised and blame directly the government of the country where you produce (and sell to a level) all of your hardware?

That would be a huge blow to the credibility of the company and would raise serious questions on why they did not move the manufacturing elsewhere.
It's hard to say what the truth is here, but what I will say is if that Bloomberg reporter doesn't have substantial evidence to prove that claim he could be in serious trouble. SuperMicro's stock was down 50% straight after that article's release, and it's not looking so hot right now either.
He could be looking down the barrel of an SEC investigation very soon.
> "As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections."

They do not have equipment to detect this kind of attack, period. It's not viable for each device, and it's not even viable for sampling a subset of devices from a given production batch. Some components are physically inaccessible and would require desoldering of other components to even access them in any way.

These kinds of attacks cannot be generically detected in any economically feasible way; it must be prevented by drastically clamping down the supply chain and the logistics chain.
Regardless of whether this particular case is true or not, given the crucial role of computer systems in so many key institutions, it seems to me extremely risky to trust Chinese suppliers not to try to compromise critical infrastructure.

Then again, I understand that it could be argued that, if this is confirmed, it would seem quite rash of the Chinese, given that they would have known all along that such a scheme would be discovered sooner or later. It is one thing to plant a device as part of a spy operation, quite another to consistently compromise a whole supply chain.

Whichever is the case, the national interest and commercial interests seem to be seriously incompatible with one another when it comes to outsourcing such critical infrastructure to China. This seems obvious to me, regardless of the China policy of whoever is in government in the US.
> Despite numerous discussions across multiple teams and organisations, no one at Apple has ever heard of this investigation.

If this is some kind of ongoing national security issue with a nondisclosure requirement authorized by the Director of the FBI, as this big breach could be, the people involved are not allowed to talk about it even inside their company.

Of course it would be advisable to inform higher-ups in Apple so that they would not issue a denial.
I would say one specific detail (I haven't looked at it though) that would challenge the truth of the rebuttal of both Amazon and Apple is this: if it is confirmed that both severed ties with Supermicro around the same time, the coincidence would really seem odd.
DoD contracts for the military require the hardware to be sourced and made in the US to prevent compromise. I wonder if one day we will see the DoD require any Cloud contractor that has DoD datacenters to source from the US or NAFTA countries... and what impact that would have. I've heard rumblings about a lot of companies moving their manufacturing and sourcing from China to Vietnam already.
Companies don't give vehement denials like this unless they're telling the truth. People claiming gag orders are crazy, mostly for thinking that Apple, or anyone else for that matter, would ever sign a document forcing them to lie to their customers (I'm not saying they wouldn't lie, just that they wouldn't sign anything that would force them to do so).
Very strong denial. Frankly, if true and Apple is saying this kind of a "no", shareholders will sue.

Two possibilities:
1. Left hand doesn't know (or can't know) what the right hand is doing at Apple. Top secret?

2. Bloomberg was a victim of a hoax: some nation state (huh huhm!) wants to target China for something so they need a story.

Based on what I've read here these past days, I'm leaning towards the second one. Apple can hire the best or all Infosec companies in the world if security was compromised. In other words, they'd know by now, even if they missed it originally. Cat and mouse and all...
Bloomberg needs to make a statement about all of this, either doubling down or issuing an apology. Either way, we need a follow-up and conclusion. Can we HN-ers tweet-request them (politely) to follow up?
This article sounded a bit weird to me from the technical level, but I just assumed it could be lack of clear understanding on the nitty-gritty from the journalist, or just me not knowing about hardware enough to know what's possible and how.

Given this is all getting a little fishy I'll share what had me thinking:

1. The article mentions "they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet..."

Servers tend to run on VPNs. This being a dormant backdoor is believable, but then the article mentions:

> "American investigators eventually figured out who else had been hit. Since the implanted chips were designed to ping anonymous computers on the internet for further instructions, operatives could hack those computers to identify others who'd been affected."

Which makes me believe the devices were active and somehow circumvented corporate VPNs. I'm unsure how undetectable this could be using the system's network stack (or if it would be possible at all). Would the claim then be that this tiny device shipped with a whole TCP/IP layer and some sort of very powerful wireless capability?

2. It continues with: "and preparing the device's operating system to accept this new code"

Is this possible? Where would a device like this need to be wired to be able to write to memory with some arbitrary payload to do this? From the pictures it looks like it has 6 pins maximum. Could this do? If so, wouldn't this mean this device would need to do some next-level signal processing that would probably require advanced computation? Could said computation be done by a processing unit that fits the size of this chip?

Moreover, assuming it takes control of the OS independently would imply there's some decent amount of memory in here, to hold the payload, etc., no?

But if it's just a backdoor that doesn't take control of the OS, then how is it communicating over the internet with other machines like the article claims?

Again, I might be wrong and things that I don't think possible might be. I'm mostly just curious to know if my intuition is too naive. Please comment below if you know more about these things than I do.

EDIT: I was really disappointed that the article itself didn't go into these technicalities, because IMO this would be an impressive feat and newsworthy by itself. The lack of alternative coverage in sources closer to technical expertise was weird to me.
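Whatever the implant itself could or could not do, the "ping anonymous computers on the internet for further instructions" behaviour quoted above is, from the defender's side, an egress pattern that ordinary flow logs expose: a server that should only reach internal space and the VPN concentrator contacting an outside address on a steady cadence. The following is an added example (not from this thread or from Bloomberg's reporting) that flags such pairs; the allowlisted networks, the VPN concentrator address and the flow records are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed site policy: production servers talk only to RFC 1918 space and the
# VPN concentrator (an assumed TEST-NET address); anything else is unexpected.
ALLOWED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
VPN_CONCENTRATOR = ip_address("203.0.113.1")

# Constructed flow log, one record per line: epoch_seconds host dst_ip dst_port
SAMPLE_FLOWS = """\
1000 db01 10.1.2.3 5432
1010 db01 203.0.113.1 443
1000 web07 198.51.100.9 443
1600 web07 198.51.100.9 443
2200 web07 198.51.100.9 443
2800 web07 198.51.100.9 443
1200 web03 198.51.100.42 80
"""

def parse_flows(text):
    """Return (ts, host, dst_ip, port) tuples, skipping blank or malformed lines."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, dst, port = parts
        out.append((int(ts), host, ip_address(dst), int(port)))
    return out

def is_expected(dst):
    return dst == VPN_CONCENTRATOR or any(dst in net for net in ALLOWED_NETS)

def find_beacons(flows, min_hits=3, max_jitter=30):
    """Flag (host, dst) pairs that reach a non-allowlisted address at a near-constant
    interval: the periodic check-in pattern the quoted story describes."""
    by_pair = defaultdict(list)
    for ts, host, dst, _port in flows:
        if not is_expected(dst):
            by_pair[(host, str(dst))].append(ts)
    findings = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            findings[pair] = {"hits": len(stamps), "interval": sum(gaps) // len(gaps)}
    return findings
```

On the constructed log only web07 is flagged (four contacts to 198.51.100.9 every 600 s); web03's single outside connection is below the hit threshold and would belong in a plain egress-violation report instead.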
FYI: "Britain's national cyber security agency said on Friday it had no reason to doubt the assessments made by Apple and Amazon that refuted a Bloomberg story that their systems contained malicious computer chips inserted by Chinese intelligence. [...]"

https://www.reuters.com/article/us-china-cyber-britain/uk-cyber-security-agency-backs-apple-amazon-china-hack-denials-idUSKCN1MF1DN
Incredibly interesting story and discussion, this is why I come to this site.

Isn't this practice known, if not common, in the infosec/intelligence communities at the nation level? There are lots of stories of hardware exploits in copy machines, faxes, etc. that took place during the Cold War.
The rice is indeed small, but it is not small on an IC chip. When people check the chip, they usually use a tool called a microscope, like this: https://goo.gl/1XK4YK
The cynic in me wonders about the plausibility of all this.

Firstly, why would you add a new chip to a board, rather than alter an existing one? That would be essentially undetectable.

Secondly, why Bloomberg? It's an odd organisation to get a scoop on something like this.

Thirdly, they talk of the PLA approaching plant owners and such; to do all this, a lot of people would need to know about it, from the top to the bottom. I imagine that would be very difficult to keep secret.

Finally, the timing is very suspicious: it comes with midterms approaching, and Trump and China arguing over trade tariffs; it would serve the political narrative well for China to be painted as the 'bugbear du jour', and this also plays to the MAGA crowd.
Political mind games.

Right now, most of the tech industry, and a good portion of the news media, are at odds with the executive branch of the government.

This article puts at least one popular news outlet against several tech industry giants. Divide.

What comes after divide? ...and who has the most to gain? I doubt it's *actually* our executive branch. I think they could be getting played just as much as Bloomberg and the Tech industry.
Consider that Apple also stated this a few years back:

> "We have never heard of PRISM. We do not provide any government agency direct access to our servers, and any government agency requesting customer data must get a court order."

Their whole business is built around lying to customers.
This will be interesting to follow; it's very unlikely there is not some truth to this. The fact that Apple and others are pushing so strongly against the story (very defensive) makes me believe they are hiding something for sure.
They complain too much...

Apple apparently entirely dropped Supermicro as a supplier over a few weeks when they were planning a large order (source: theregister.co.uk).

The ones who should strongly deny such a story, if it is indeed incorrect, are Supermicro. Is there a statement from them?

Edit: yes, there is. They are "not aware of any investigation".
That tells me all I need to know...