Bloomberg's Spy Chip Story Reveals the Murky World of National Security Reporting

TechCrunch's security editor, Zack Whittaker, analyzes Bloomberg's recent report that China infiltrated Apple, Amazon and others via a tiny microchip inserted into servers at the data centers associated with these companies. With Apple and Amazon refuting Bloomberg's claims, Whittaker talks about the "murky world of national security reporting" and the difficulties of reporting stories of this magnitude with anonymous sources. An anonymous reader shares an excerpt from his report: Today's bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary or it's not, and a lot of people screwed up. Welcome to the murky world of national security reporting. I've covered cybersecurity and national security for about five years, most recently at CBS, where I reported exclusively on several stories -- including the U.S. government's covert efforts to force tech companies to hand over their source code in an effort to find vulnerabilities and conduct surveillance. And last year I revealed that the National Security Agency had its fifth data breach in as many years, and classified documents showed that a government data collection program was far wider than first thought and was collecting data on U.S. citizens. Even with this story, my gut is mixed.

Naturally, people are skeptical of this "spy chip" story. On one side you have Bloomberg's decades-long stellar reputation and reporting acumen, a thoroughly researched story citing more than a dozen sources -- some inside the government and out -- and presenting enough evidence to present a convincing case. On the other, the sources are anonymous -- likely because the information they shared wasn't theirs to share or it was classified, putting sources in risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say "a source familiar with the matter" because it weakens the story. It's the reason reporters will tag names to spokespeople or officials so that it holds the powers accountable for their words. And, the denials from the companies themselves -- though transparently published in full by Bloomberg -- are not bulletproof in outright rejection of the story's claims. These statements go through legal counsel and are subject to government regulation. These statements become a counterbalance -- turning the story from an evidence-based report into a "he said, she said" situation. That puts the onus on the reader to judge Bloomberg's reporting. Reporters can publish the truth all they want, but ultimately it's down to the reader to believe it or not. Whittaker ends by saying "Bloomberg's delivery could have been better," and that they "missed an opportunity to be more open and transparent in how it came to the conclusions that it did."

"Journalism isn't proprietary," Whittaker writes. "It should be open to as many people as possible. If you're not transparent in how you report things, you lose readers' trust. That's where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you -- and I -- have to put a lot of trust and faith in Bloomberg and its reporters."

Spy chips that send data on the internet?

[AHuxley]

The problem with the discovery of the extra chip is the need to use the internet to send back the data.
Advanced AV and firewalls along with really skilled staff selected on merit are going to notice that "extra" data moving out from deep in their secure networks.

Thats why most advanced nations have resort to different methods to collect their data.
1. Short distance data transmission thats not on the internet.
2. Staff/visitors/friends/a person with split loyalty on the inside to collect data later in a way that's never detected as an outgoing internet connection.
3. The use of a PRISM like big brand understanding to move the data out.

What could have happened?

1. NSA and GCHQ found the chips early and often and then created vast amounts of junk information to see how the networks and chips sent the junk data out.
2. The clandestine services found the chip and have been using it for their own missions but did not stop it as it was a free spying tool.
3. Very different and unexpected nations found the chips and have been using it as a free spy tool.
4. Criminals, faith groups, cults, ex and former clandestine services staff and groups doing industrial espionage have found the chip and used it for their own data collection?
5. National police forces found the chips and wanted to try a way to get around crypto.

The real fail with this is having to use the internet and never get detected.
Smart people with real skills will notice extra data on their secure networks.

Smell test

[gtwrek]

I like the analysis going on over here:https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/

As a hardware designer, it's an interesting idea to think of attack vectors through "NO STUFF" parts of the BOM. Most PCBs have "NO STUFF" parts of some sort - either for legacy or prototyping reasons.

The idea of some nefarious third party reverse engineering a "NO STUFF" and forming an attack vector with that is well, news to me. I can easily understand a thing like this slipping through a QC check

It would certainly be a difficult attack to construct. But many of todays "software" attacks are quite complicated. Certainly not outside the scope of a state-entity IMHO.

Interesting times in any event, and something to think about.
 

Re: The Story Is Probably Accurate

[nnull]

I'm inclined to believe the story. I was able to enter factories in China where supposedly companies wanted to protect their "Intellectual Property" (I'm not going to name who, but big known brands), take photos and do whatever I wanted, all because the landlord (who is my friend) also has government connections. No one is going to report it and no one is going to say anything. I was treated like a king visiting his kingdom. This seems to be pretty typical in China. I've also witnessed machines being copied right next to the Germans installing theirs.

So I can see the Chinese government easily pulling this off. Employees are easily bribed, threatened and/or coerced into doing things. Most don't want any problems with the government. Anyone can believe what they want, I've seen it first hand and anyone telling you otherwise is lying through their teeth. They could easily build another production and R&D line to secretly add whatever they want in the same damn factory, the corporate management would never know what it's for nor would they dare ask. The only revealing factor would be Chinese gossip, because they like to talk and show off.

Re:SV better pray it's clickbait fearmongering

[Spazmania]

Rand's Atlas Shrugged was first and foremost a work of science fiction. Spoiler alert: the book's mystery-man hero is the inventor of a free energy reactor. To see the book as something else you really have to start with an agenda.

Not only that, it was a work of science fiction with an unusually clever premise: What if the Elon Musks, Larry Pages, Warren Buffets and Jeff Bezos' of the world all got pissed off and decided to go on strike, just like union blue collar workers do?

You don't have to buy in to Rand's political philosophies. I certainly don't. But she wrote an intriguing book.

Easy to exfiltrate data slowly. Nano differences

[raymorris]

It's fairly trivial to exfiltrate data *slowly* from a server.
For example, TCP sequence numbers are supposed to be random, as are emphereal ports. Nobody is expecting those to follow certain rules. Nobody stick your data in the third bit of any of those random numbers and nobody will ever know. You can exfiltrate one bit per connection. On a busy server, that's like having a dial up ssh connection with root access to the machine.

You may have heard about the network-based Spectre variant that was recently released. Like all Spectre variants, it's based on detecting tiny changes in the average time something takes - the average response time to a network request, in that case.

With server grade gigabit and ten gigabit Ethernet cards having TCP offload on board, an attacker with BMC access can manipulate the existing TCP traffic in ways that the machine's own kernel can't even see.

You don't want to download gigabytes of data this way (unless you can hide it in thousands of gigabytes of legitimate traffic), but you only need 2048 bits to exfiltrate the private key that gives you everything.

Re:Easy to prove...

[arglebargle_xiv]

Nonononono, this just proves how clever the Yellow Peril really is! We'll never, ever find any one of these magical unicorn chips, because they're just so clever at hiding them from us. And we know that they've hidden them on our motherboards (even though no-one has ever seen one) because they're so good at this. There, try shooting holes in that irrefutable logic.

Re: Easy to prove...

[Archtech]

A subset of them were modified, you buffoon. Good luck finding one now.

So what you are saying is that enough were modified to present a real threat - but not enough for any to be found.

Paranoid, much?

Re:Easy to prove...

[Archtech]

Given Bloomberg's reputation...

Given the New York Times' reputation, the Washington Post's reputation, The Times' reputation, The Guardian's reputation, the BBC's reputation...

We have entered an era in which the reputations of yesteryear mean absolutely nothing. All that matters is who owns the corporation.