UK Cyber Security Agency Backs Apple, Amazon China Hack Denials (reuters.com)
An anonymous reader quotes a report from Reuters: Britain's national cyber security agency said on Friday it had no reason to doubt the assessments made by Apple and Amazon challenging a Bloomberg report that their systems contained malicious computer chips inserted by Chinese intelligence services. "We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple," said the National Cyber Security Centre, a unit of Britain's eavesdropping agency, GCHQ. AWS refers to Amazon Web Services, the company's cloud-computing unit.
"The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us," it said. Apple's recently retired general counsel, Bruce Sewell, told Reuters he called the FBI's then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer, a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips. "I got on the phone with him personally and said, 'Do you know anything about this?'" Sewell said of his conversation with Baker. "He said, 'I've never heard of this, but give me 24 hours to make sure.' He called me back 24 hours later and said 'Nobody here knows what this story is about.'" The U.S. Department of Homeland Security said on Saturday that it too had no reason to doubt statements from companies that have denied the Bloomberg report.
"The Department of Homeland Security is aware of the media reports of a technology supply chain compromise," DHS said in a statement. "Like our partners in the UK, the National Cyber Security Center, at this time we have no reason to doubt the statements from the companies named in the story," it said.
Therefore, their systems have backdoors.
First - given the unusually specific, no-bones-about-it wording used by Apple in their denial, I believe their statement. Some of the other companies, though, seemed to be giving themselves a bit of maneuvering room.
But both the UK’s and US’s spy agency statements basically just say “we have seen no evidence as of yet”. It’s a very careful statement which doesn’t really mean much.
#DeleteChrome
The chips were for inserting exploitable code/backdoors into firmware. There will be no "command and control" going on unless somebody targets your box.
6 pins... PIC chips were used for something similar 20 years ago for Playstations - inserting a sequence along a serial line. In this case, probably intercepting/modifying something on a JTAG line or an I2C bus. It might even be sophisticated enough to return the original bit of code it was meant to replace on a flash memory read (if done serially). It requires explicit knowledge of the hardware and software, and likely was enabled by insiders (as was the design that allowed them to install the chip).
Without intimate knowledge of the circuit board's original design, it would be next to impossible to find anything differing from the original.
In other words you would need a before and after to compare with each other.
The SuperMicro systems you and I have were designed to be sold to the general public, so there's next to no way in hell SM will be giving out their board layout files.
That's part of the story's problem, it explicitly names a few huge cloud providers who ARE privy to such info.
Perhaps a more basic or even a special model, but Apple and Amazon make their own huge customization to those designs to send back to SM and essentially order millions of them to be made.
Bloomberg is claiming some of his anonymous sources are involved with those companies and designing their custom systems, so in those companies' cases they do have a "before" CAD file to start from.
The anonymous sources are making claims that the original custom CAD file and the actual manufactured servers they order differ from each other by this one chip.
So unless you work at a company large enough to get this kind of treatment from manufacturers like Super Micro, there's no way for us to know. And if you are, go talk to your engineers, they likely already did this with numerous machines and beat you to the punch.
Super Micro could know by comparing their CAD files to what's being sold, presuming they aren't in on this officially. I'd say either option would destroy their reputation so badly however it's unlikely they would admit it even if they weren't involved but found out, and zero chance they would admit it if they were involved.