    • Richard

      Bloomberg Businessweek reports that a Chinese espionage agency successfully planted microchip back doors on servers built in China for Supermicro, San Jose, CA, a major supplier of motherboards to many companies including Apple, Amazon and the US military. At least 30 companies are believed to have been compromised. Bloomberg cites 17 (unnamed) sources including American intelligence officials and insiders at Amazon and Apple. All of the companies have denied the report, which is what one would expect.

      This is pretty scary stuff, IMO. Is there any way to prove that hardware has not been compromised?

    • Dracula

      That'll teach "them" new meanings of outsourcing. But I guess, why is this a surprise? Trojan horses were invented a while back.

    • Chris
      Chris MacAskill

      Hmmm, wow. I wasn't sure what to make of Apple's denial:

      Apple did acknowledge to Bloomberg Businessweek that it had encountered malware downloaded from Supermicro’s customer portal. Apple said the infection occurred in 2016, months after the events described by Facebook, and involved a single Windows-based server in one of the company’s labs. The malware was on a network card driver, which is distinct from firmware and allows an operating system and a piece of hardware to communicate. This was the reason Apple gave for dropping Supermicro as a supplier later that year.

      I agree with Richard, such in-depth reporting like this with so many sources has a way of turning out to be true despite adamant early denials. 🤷‍♂️ Usually, though, adamant denials don't come from shiny brands like Amazon and Apple, do they?

    • yaypie

      This is a really weird situation.

      On the one hand, Bloomberg's story is full of specific details, seems well-researched, and is apparently based on information from many sources. On the other hand, companies like Apple, Amazon, and Super Micro are vehemently denying it.

      Apple's denial is comprehensive and scathing. For a company that rarely offers more than a sentence — if that — when asked for comment, it says a lot that Apple not only commented but released a lengthy and detailed statement denying virtually every claim Bloomberg made. They're serious about this.

      Amazon's denial is similarly scathing.

      Bloomberg Businessweek has a pretty solid reputation, but it's hard not to wonder if they've gotten something seriously wrong here. All their sources are anonymous, and the denials leave no room for interpretation. Something is definitely fishy.

    • Richard

      Vehement denials would be expected given the gravity of the report. I'm cynical enough to think they may all be lying nevertheless, though I'm not assuming that.

      We may never know. What worries me, though, is the very possibility of undetectable hardware subversion. We know from the Edward Snowden revelations that the NSA regularly intercepted computer and networking equipment en route and modified it for spying. Building spying into the board itself seems like a logical next step. China certainly has the technical sophistication and political culture to do so. I just wonder whether the US (or anybody else) has the ability to detect and prevent it.

    • Dracula

      All this talk about a "chip" with no technical details almost sounds like it's made up. Just saying.

    • dr

      Personally, I find this kind of threat pretty plausible, and I'm not surprised, either, that it was picked up by teams who were vetting the hardware for use in government systems, because the kind of due diligence described is accurate to what I've understood about how things *ought* to be done. It is also plausible that many successful infiltrations have been executed on targets who don't have the ability or awareness to combat this attack vector.

      As to how extensive the real consequence is, you have to keep in mind, the most sensitive targets have many layers of protection, and even something with low level access would also need other compromised components of the network to succeed in its task of communicating out to an awaiting server with a malicious payload. Those networks are closed (unless compromised) and communication attempts would fail. That doesn't exactly give me a warm fuzzy feeling of security of course. Plenty of government business *is* tied to relatively open networks.

      Besides the governments, Telco players are also extremely cautious of what goes into their backbone networks, for similar reasons, and *extensive* testing is done which takes a long time and tons of effort. Winning a hardware supply contract with a Telco provider is a very long sale cycle.

    • Toly

      I started off firmly in the middle once the story and company press releases were released. From yesterday to today I've drifted more towards believing Apple over Bloomberg.

      On one hand the strong denials that came from Apple and Amazon don't use general language but very specific and broad statements. Saying things like:

      No one from Apple ever reached out to the FBI about anything like this, and we have never heard from the FBI about an investigation of this kind — much less tried to restrict it.

      They aren't just denying the claim of a vulnerability but even denying the fact that there's a gag order in place. With wording like that Apple stands to lose a lot of credibility without much room to budge if it comes out that these allegations were true. Bloomberg might just be an unwitting party propagating a fabricated (not by them) story to benefit the China negotiations.

      On the other hand you've got a tinfoil hat scenario where a government can and has forced companies to deny the existence of programs and investigations.

      Someone's credibility is going to take a severe blow and at this point I don't think it will be the tech companies.

    • Chris
      Chris MacAskill
    • yaypie

      Apple’s recently retired general counsel, Bruce Sewell, told Reuters he called the FBI’s then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer Inc, a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips.

      “I got on the phone with him personally and said, ‘Do you know anything about this?’” Sewell said of his conversation with Baker. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and said ‘Nobody here knows what this story is about.’”

      This just gets weirder and weirder.

    • yaypie

      The plot thickens! These same Bloomberg reporters apparently have a history of writing sensational stories that later turn out to be wrong while citing anonymous sources.

    • dr

      Maybe someone is profiting from Supermicro's stock decline. The thing with a hardware hack is that it leaves a physical trail so it is very possible to prove/disprove whether such a tampered board exists. All you need is one.

    • Gedrog

      Old hat, isn't it? Chinese are doing it, Americans are doing it. No one needs to bug you anymore, we have bugged ourselves. Nowadays anyone with the sufficient knowledge can take over your smartphone, computer, etc. It is just pointing to the chip on the left; the chip on the right is the American spy chip, carefully integrated into the more complex components ;-)
