Bloomberg's Spy Chip Story Reveals the Murky World of National Security Reporting

TechCrunch's security editor, Zack Whittaker, analyzes Bloomberg's recent report that China infiltrated Apple, Amazon and others via a tiny microchip inserted into servers at the data centers associated with these companies. With Apple and Amazon refuting Bloomberg's claims, Whittaker talks about the "murky world of national security reporting" and the difficulties of reporting stories of this magnitude with anonymous sources. An anonymous reader shares an excerpt from his report: Today's bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary or it's not, and a lot of people screwed up. Welcome to the murky world of national security reporting. I've covered cybersecurity and national security for about five years, most recently at CBS, where I reported exclusively on several stories -- including the U.S. government's covert efforts to force tech companies to hand over their source code in an effort to find vulnerabilities and conduct surveillance. And last year I revealed that the National Security Agency had its fifth data breach in as many years, and classified documents showed that a government data collection program was far wider than first thought and was collecting data on U.S. citizens. Even with this story, my gut is mixed.

Naturally, people are skeptical of this "spy chip" story. On one side you have Bloomberg's decades-long stellar reputation and reporting acumen, a thoroughly researched story citing more than a dozen sources -- some inside the government and out -- and presenting enough evidence to present a convincing case. On the other, the sources are anonymous -- likely because the information they shared wasn't theirs to share or it was classified, putting sources in risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say "a source familiar with the matter" because it weakens the story. It's the reason reporters will tag names to spokespeople or officials so that it holds the powers accountable for their words. And, the denials from the companies themselves -- though transparently published in full by Bloomberg -- are not bulletproof in outright rejection of the story's claims. These statements go through legal counsel and are subject to government regulation. These statements become a counterbalance -- turning the story from an evidence-based report into a "he said, she said" situation. That puts the onus on the reader to judge Bloomberg's reporting. Reporters can publish the truth all they want, but ultimately it's down to the reader to believe it or not. Whittaker ends by saying "Bloomberg's delivery could have been better," and that they "missed an opportunity to be more open and transparent in how it came to the conclusions that it did."

"Journalism isn't proprietary," Whittaker writes. "It should be open to as many people as possible. If you're not transparent in how you report things, you lose readers' trust. That's where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you -- and I -- have to put a lot of trust and faith in Bloomberg and its reporters."

Easy to prove...

[RyanRife8866]

This is easily proven or disproven, take a server in question, or perhaps a random sampling of the supposedly hacked equipment and see if it has the "chip" they claim is there.

Re:Easy to prove...

[Spazmania]

Exactly. They should have been able to lay their hands on at least one of the hacked servers.

Personally, I grew suspicious when Bloomberg started talking about "signal conditioning couplers," a part which does not actually exist on server motherboards. Maybe they meant the little capacitors marked 103 which condition the power on the advanced electronics boards so they don't have localized voltage sags and surges as the chips change activity and draw more or less power? I don't know but if their sources don't have the basics right, what are the odds they have the rest of it right?

Re:Easy to prove...

[arglebargle_xiv]

Nonononono, this just proves how clever the Yellow Peril really is! We'll never, ever find any one of these magical unicorn chips, because they're just so clever at hiding them from us. And we know that they've hidden them on our motherboards (even though no-one has ever seen one) because they're so good at this. There, try shooting holes in that irrefutable logic.

Re: Easy to prove...

[Archtech]

A subset of them were modified, you buffoon. Good luck finding one now.

So what you are saying is that enough were modified to present a real threat - but not enough for any to be found.

Paranoid, much?

Re: Easy to prove...

[Archtech]

A subset of them were modified, you buffoon. Good luck finding one now.

And by the way, adding gratuitous personal insults to your comment weakens it. It cries aloud that you have no facts or logical arguments.

Re:Easy to prove...

[Archtech]

Given Bloomberg's reputation...

Given the New York Times' reputation, the Washington Post's reputation, The Times' reputation, The Guardian's reputation, the BBC's reputation...

We have entered an era in which the reputations of yesteryear mean absolutely nothing. All that matters is who owns the corporation.

Re: Easy to prove...

[Archtech]

The one and only way to ensure your countries secrets are secure is to make 100% of your components inside your country borders by companies only ran by your counties citizens and only employs your country citizens and even them is subject to stringent testing and oversight.

Citizens, moreover, who have no secret ideological sympathies and who are absolutely not tempted by the offer of enormous sums of money.

In your own words, good luck with that.

Spy chips that send data on the internet?

[AHuxley]

The problem with the discovery of the extra chip is the need to use the internet to send back the data.
Advanced AV and firewalls along with really skilled staff selected on merit are going to notice that "extra" data moving out from deep in their secure networks.

Thats why most advanced nations have resort to different methods to collect their data.
1. Short distance data transmission thats not on the internet.
2. Staff/visitors/friends/a person with split loyalty on the inside to collect data later in a way that's never detected as an outgoing internet connection.
3. The use of a PRISM like big brand understanding to move the data out.

What could have happened?

1. NSA and GCHQ found the chips early and often and then created vast amounts of junk information to see how the networks and chips sent the junk data out.
2. The clandestine services found the chip and have been using it for their own missions but did not stop it as it was a free spying tool.
3. Very different and unexpected nations found the chips and have been using it as a free spy tool.
4. Criminals, faith groups, cults, ex and former clandestine services staff and groups doing industrial espionage have found the chip and used it for their own data collection?
5. National police forces found the chips and wanted to try a way to get around crypto.

The real fail with this is having to use the internet and never get detected.
Smart people with real skills will notice extra data on their secure networks.

The Story Is Probably Accurate

[OpenSourceAllTheWay]

China's Communist Party designed education system is so restrictive, tightly scripted and based on rote-learning that even "educated" Chinese simply cannot excel at creative tasks like disruptive innovation, R&D and creating original product ideas or designs. When Chinese students go to universities abroad in the UK, U.S. and other Western countries, they tend to work very hard, but fail woefully at tasks that involve critical thinking, questioning established methods or developing original approaches to tackling problems old and new. China has money to burn, a workforce that works cheap and hard, thousands of factories that can make almost anything, but is not, at present, capable of pulling off American-style innovation and inventing because of its lousy education system. So China has to look abroad for "ideas" - it has to steal them from where they are most plentiful. The concept of Intellectual Property Rights is also woefully underdeveloped in China - culturally, this country has no problem whatsoever copying or stealing the fruits of someone else's labor. This is why nobody even bothers to patent ideas in China - a patent provides no protection whatsoever in China. So yes, the "rogue chips on motherboards" story sounds exactly like something the Chinese government would do. Amazon and Apple are probably terrified of losing tens of billions of Dollars in future product sales in China, so they are flat out denying that any such "rogue chips" were ever found. The rogue chips probably do exist, and are designed to do exactly what Bloomberg claims - steal ideas.

Re: The Story Is Probably Accurate

[nnull]

I'm inclined to believe the story. I was able to enter factories in China where supposedly companies wanted to protect their "Intellectual Property" (I'm not going to name who, but big known brands), take photos and do whatever I wanted, all because the landlord (who is my friend) also has government connections. No one is going to report it and no one is going to say anything. I was treated like a king visiting his kingdom. This seems to be pretty typical in China. I've also witnessed machines being copied right next to the Germans installing theirs.

So I can see the Chinese government easily pulling this off. Employees are easily bribed, threatened and/or coerced into doing things. Most don't want any problems with the government. Anyone can believe what they want, I've seen it first hand and anyone telling you otherwise is lying through their teeth. They could easily build another production and R&D line to secretly add whatever they want in the same damn factory, the corporate management would never know what it's for nor would they dare ask. The only revealing factor would be Chinese gossip, because they like to talk and show off.

Smell test

[gtwrek]

I like the analysis going on over here:https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/

As a hardware designer, it's an interesting idea to think of attack vectors through "NO STUFF" parts of the BOM. Most PCBs have "NO STUFF" parts of some sort - either for legacy or prototyping reasons.

The idea of some nefarious third party reverse engineering a "NO STUFF" and forming an attack vector with that is well, news to me. I can easily understand a thing like this slipping through a QC check

It would certainly be a difficult attack to construct. But many of todays "software" attacks are quite complicated. Certainly not outside the scope of a state-entity IMHO.

Interesting times in any event, and something to think about.
 

Re:SV better pray it's clickbait fearmongering

[Spazmania]

Rand's Atlas Shrugged was first and foremost a work of science fiction. Spoiler alert: the book's mystery-man hero is the inventor of a free energy reactor. To see the book as something else you really have to start with an agenda.

Not only that, it was a work of science fiction with an unusually clever premise: What if the Elon Musks, Larry Pages, Warren Buffets and Jeff Bezos' of the world all got pissed off and decided to go on strike, just like union blue collar workers do?

You don't have to buy in to Rand's political philosophies. I certainly don't. But she wrote an intriguing book.

Easy to exfiltrate data slowly. Nano differences

[raymorris]

It's fairly trivial to exfiltrate data *slowly* from a server.
For example, TCP sequence numbers are supposed to be random, as are emphereal ports. Nobody is expecting those to follow certain rules. Nobody stick your data in the third bit of any of those random numbers and nobody will ever know. You can exfiltrate one bit per connection. On a busy server, that's like having a dial up ssh connection with root access to the machine.

You may have heard about the network-based Spectre variant that was recently released. Like all Spectre variants, it's based on detecting tiny changes in the average time something takes - the average response time to a network request, in that case.

With server grade gigabit and ten gigabit Ethernet cards having TCP offload on board, an attacker with BMC access can manipulate the existing TCP traffic in ways that the machine's own kernel can't even see.

You don't want to download gigabytes of data this way (unless you can hide it in thousands of gigabytes of legitimate traffic), but you only need 2048 bits to exfiltrate the private key that gives you everything.

I guess I'm a little confused

[holophrastic]

Having not read the Bloomberg article, because I've been busy this week, is Bloomberg just reporting on what sources have said?

That isn't investigative journalism. That's just reporting gossip.

Can't Bloomberg just grab a device, open it up, and pay someone reputable to actually have a look and then confirm this whole thing? Why am I left needing to trust anonymous-source reporting? Go make it nonymous! Any nonymous will do.

Doesn't pass a sniff test

How exactly do you hide the wires? I get that the chip is supposed to be super small, but it it must be wired in somehow. A chip to intercept a gigabit ethernet and you're 8 wires in, 8 wires out, and power and ground, so we're looking at 18 unexplained traces on the circuit board. If its sniff to the processor, we're looking at hundreds, (128 bit data path/64 bit address etc.). Perhaps it's USB chip, but then how does it get network access.

How exactly do you hide the heat? This thing is supposedly running like a processor examining data, how the f*** does it dissipate the heat. Espcially when its 'between' layers on a circuit board as claimed in the original story.

How would it be explained? If this is a US designed motherboard that's been sent off to China for manufacture, how would you explain these extra connections and extra chip to the designers? How would it pass QA? "Oh we added a signal conditioner" wouldn't pass the smell test for them. If it was a Chinese designed motherboard, why is it being imported by an In-Q-tel (CIA) funded company?

If it was a Chinese designed motherboard, wouldn't the spy stuff be stuck into existing chips? e.g. some code in the Southbridge.

How was knowledge of this kept secret? The story claims lots of big server companies knew about it, and yet it only leaks now and by Bloomberg? Really?

Why isn't there a million photographs of supermicro motherboards with suspicious chips flagged, ten minutes after the article came out 2 days ago. I imagine if you owned a supermicro motherboard and read that, the first thing you'd do it photograph any suspicious chips and say "is this the spy chip?" on the internet.

Why would it be a separate chip and not a module on a SOC chip? Or in microcode.

The idea of the Chinese spying on servers sounds VERY plausible/likely, just not the way this article says they did.

I can Occam Razor an alternative explanation. China is in a trade war with USA, USA wants to demonize China to justify the trade war. Makes false claim using CIA funded company to a non-tech outlet that doesn't know the questions to ask.

I reserve judgement till I see the actual chips myself. If it was iFixit doing xRay scans and analysis of the chip my view would change....