Apple Insiders Say Nobody Internally Knows What's Going On With Bloomberg's China Hack Story

An anonymous reader quotes a report from BuzzFeed News: Multiple senior Apple executives, speaking with BuzzFeed News on the condition of anonymity so that they could speak freely all denied and expressed confusion with a report earlier this week that the company's servers had been compromised by a Chinese intelligence operation. On Thursday morning, Bloomberg Businessweek published a bombshell investigation. The report -- the result of more than a year of reporting and over 100 interviews with intelligence and company sources -- alleged that Chinese spies compromised and infiltrated almost 30 U.S. companies including Apple and Amazon by embedding a tiny microchip inside company servers. Both Amazon and Apple issued uncharacteristically strong and detailed denials of Bloomberg's claims.

Reached by BuzzFeed News multiple Apple sources -- three of them very senior executives who work on the security and legal teams -- said that they are at a loss as to how to explain the allegations. These people described a massive, granular, and siloed investigation into not just the claims made in the story, but into unrelated incidents that might have inspired them. A senior security engineer directly involved in Apple's internal investigation described it as "endoscopic," noting they had never seen a chip like the one described in the story, let alone found one. "I don't know if something like this even exists," this person said, noting that Apple was not provided with a malicious chip or motherboard to examine. "We were given nothing. No hardware. No chips. No emails." Equally puzzling to Apple execs is the assertion that it was party to an FBI investigation -- Bloomberg wrote that Apple "reported the incident to the FBI." A senior Apple legal official told BuzzFeed News the company had not contacted the FBI, nor had it been contacted by the FBI, the CIA, the NSA or any government agency in regards to the incidents described in the Bloomberg report. This person's purview and responsibilities are of such a high level that it's unlikely they would not have been aware of government outreach.

Not Sure What to Believe

[crow]

I'm not sure what to believe here.

In support of the story, China does have a long history of industrial espionage and other spying. Many believe that their economic rise was boosted by stolen IP.

On the other hand, the current administration is clearly using allegations against China to balance the revelations that continue to come out about Russian interference. Many of the allegations from this administration towards China appear to be completely fabricated.

But this allegation is much more detailed than anything the administration has been imagining, but the sources are all anonymous.

Re:Not Sure What to Believe

[Zontar+The+Mindless]

This intelligence community and media were the same ones who lied us into Iraq, remember?

*I* remember certain parties within the Bush Administration ignoring their intelligence agencies (and not just their own) and feeding a bunch of crap to the media that was later shown in the media to be just that—crap.

This story has the presumption that Apple

[mykepredko]

Engineers are not intimately involved in the design, support and software maintenance of their products.

I've worked with Apple, Dell and HP server design teams in a past life and it would be highly unlikely that anything could be added to the products by board stuffers without being discovered.

Typically for most vendors, the first failed products go straight to development to understand what the problem is to see if there are any design issues. One of the first thing that is done in the process is a review (usually by a junior engineer/technician) to make sure there haven't been any unapproved part substitutions - anything added at this point would be found. It should also be pointed out that Apple products have WiFi/BT built in which means FCC testing and that requires Apple to verify that the product is identical to what will be going down the line - if the PCB gets changed to add a chip without Apple's prior approval and validation by repeating the FCC testing then, based on the contracts I've seen and been a part of, Apple would be demanding huge amounts of compensation as well as making the vendor pay to roll the field.

This doesn't mean that Apple hasn't added the chips for US/other governmental snooping just that it's highly unlikely that the manufacturing partners added something without Apple's approval.

Re:This story has the presumption that Apple

[mykepredko]

Two comments back.

1. The servers in question aren't Apple hardware (that isn't set out in the article) as an AC pointed out. Doing a bit of research, the servers in question are Teradata "Extreme Data Appliances".

2. When I was at Celestica, I was part of the team responsible for building Apple products - as a sub, you don't mess with the BoMs, much less the schematic/PCB layout without Apple review and approval without facing HUGE penalties (the least of which is losing the business). This is true for any Tier 1 vendor.

Too much talking. Too few acting.

[aglider]

Please, take a sample of those servers, open them and let a bunch of experts to investigate.
Is it that difficult?

Does the chip in question even exist?

[timholman]

"I don't know if something like this even exists," this person said, noting that Apple was not provided with a malicious chip or motherboard to examine.

My colleagues and I were discussing this story last week. My research group has done some work in secure computing, and we were frankly surprised that someone would bother to add a compromised piece of hardware to a motherboard.

Software intrusions always provide plausible deniability to the attacker, which is critical to state-sponsored espionage. But a hardware hack, where someone succeeds in adding a component to a motherboard without the knowledge of the designer, is far more difficult and far more dangerous. A device in hand can be reverse-engineered, and forensics performed to determine exactly when and how it was inserted into the manufacturing chain. Experts can even determine the exact IC fab in which the chip was manufactured.

On top of that, a company that allows its manufacturing process to be compromised has essentially ruined itself. What customer would trust it again? Sure, it is possible that the Chinese government would be willing to spend the money to create a company that could be sacrificed to a state espionage effort, but the problem remains that if the espionage is uncovered, no one will trust any installed hardware purchased from them.

Software intrusions remain extremely successful. The Chinese purportedly breached the OPM and copied all of the personnel files for every U.S. citizen with a security clearance back in 2014, but to this day no one can be entirely sure who was behind it. Likewise, Russia constantly denies its own state-sponsored hacks. For that matter, so does the U.S.A., and everyone else. Why give up such a successful exploit vector in favor of one that provides an undeniable trail back to the perpetrator?

So exactly what is the story behind this Bloomberg article, and where is the proof that the hack actually happened? Someone needs to produce some hardware as proof. This story is definitely becoming even more interesting.

Re:BuzzFeed "News" ... Bloomberg "News" ...Clear n

[Jahoda]

Oh, well, thank god then you've linked to such quality blogs proving the "Fake News" from Bloomberg whose "opposition to president Trump knows know bounds". I know blogspot and "godsavethepoints" are where I go when I'm looking for cutting edge investigative journalism and not a fart sniffing boomer echo chamber about muh fake news.

Bloomberg got pwn3d

[mveloso]

Quite frankly, Bloomberg got fooled by a bunch of people who, for whatever reason, gave them this story.

Why would people do this? I can think of a bunch of reasons off the top of my head:

* someone wanted SuperMicro to play ball, and they refused. This is payback.
* someone wanted SuperMicro's stock to fall, and fall a lot.
* someone wanted to demonstrate they could get the press to print anything, no matter how ridiculous.
* someone wanted to teach Bloomberg a lesson
* someone wanted to throw doubt on the Chinese supply chain. The one that supplies like all the electronics to the US.
* someone wanted China to share some of the attention

It could be all of the above. But really, the story is bullshit. The superchip is a story cooked up to fool reporters, reporters who are smart enough fool themselves into thinking they understand how computers work.

What I'm surprised at is that they didn't ask anyone in the industry about the details. You can always theoretically wire something into a mobo and hide it. You can't practically get something that small to do everything they said it could do. Even James Patterson could tell the difference.

two and a half theories on this

[goombah99]

Here's a couple possible scenarios.

1. The source of this is some spooky agency but they don't want people to know it was them that figured it out. SO the attribution went to Amazon discovering it. A plausible cover story at first as long as no one scratched too deep. the story was socialized within the government enough that every one believed it to be true so that's all bloomberg heard was this succefully engineered echo chamber of a story everyone believed was true. The chip part being true and the cover story of it's origin obfuscated.

The reason this would happen in this hasty way is that for obvious reasons the Trump administration needed to get out a story that shows china is a bad trading partner. SO timing was rushed. The three letter agency would not want it's discovery revealed because it like to shield sources and methods. So the compromise was blame it on amazon.

2. For whatever reason apple and amazon dumped some server farms or strategies. Later they realized they had dodged a bullet when the chip issue or mal frimware showed up in supermicro. They have to be really careful here because they could be sued for bad faith in the sales contracts and failure to disclose if it could be made to look like they knew for sure the Supermicro was poison. So they are trying very hard to say they had no knowledge of this (at the time) so this doesn't become a contractual issue.

Both of these stories might be true

Re:Apple's full-court press against this story

[angel'o'sphere]

Why is Apple trying so hard to deny a story that Bloomberg insists is accurate and very well sourced?
Because the Bloomberg story is bollocks?
No idea, but the stuff they wrote about Germanies renewable energy was usually all the time I bothered to read it: bollocks.

Re:ah, the good old times

[AmiMoJo]

It's more like the opposite; the myths never die. Remember that famous slide that Snowden leaked showing the timeline of when the NSA infiltrated Apple, Google, Microsoft and various other tech companies? All denied they were helping the NSA but many people still believe that they are, even long after further slides showed that they were actually attacked and later took steps to prevent data collection based on the leaked info.