Slashdot Mirror

← Back to Stories (view on slashdot.org)

In an Unprecedented Move, Apple CEO Tim Cook Calls For Bloomberg To Retract Its Chinese Spy Chip Story (buzzfeednews.com)

Posted by msmash on from the unprecedented dept.

John Paczkowski and Joseph Bernstein, reporting for BuzzFeed News: Apple CEO Tim Cook, in an interview with BuzzFeed News, went on the record for the first time to deny allegations that the company was the victim of a hardware-based attack carried out by the Chinese government. And, in an unprecedented move for the company, he called for a retraction of the story that made this claim. Earlier this month Bloomberg Businessweek published an investigation alleging Chinese spies had compromised some 30 US companies by implanting malicious chips into Silicon Valley bound servers during their manufacture in China. The chips, Bloomberg reported, allowed the attackers to create "a stealth doorway" into any network running on a server in which they were embedded. Apple was alleged to be among the companies attacked, and a focal point of the story. [...] "We turned the company upside down," Cook said. "Email searches, datacenter records, financial records, shipment records. We really forensically whipped through the company to dig very deep and each time we came back to the same conclusion: This did not happen. There's no truth to this." A Bloomberg spokesperson said, "We stand by our story and are confident in our reporting and sources."

25 of 162 comments (clear)

  1. And if the article was actually false... by iCEBaLM · · Score: 5, Insightful

    ... he would be suing, not asking for a retraction.

    1. Re:And if the article was actually false... by decep · · Score: 5, Insightful

      Tim Cook is a smart man. Suing lends credence to the story.

      Also, he probably does not feel Bloomberg had any malice toward Apple in their story. By not suing, he is just calling the reporters overzealous idiots.

      Never attribute malice that which may be explained by stupidity. You just do not sue stupid.

    2. Re:And if the article was actually false... by Junta · · Score: 2, Insightful

      Well actualy, not suing leads credence to the story... If you go to court, then you are putting yourself more at risk than just asking for a retraction.

      However for Apple, I think asking for a retraction and trying to do it the 'gentle' way makes sense, they can't show significant fiscal harm.

      I would however not be surprised to see SuperMicro go full on lawsuit, they can easily show a lot of financial harm.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:And if the article was actually false... by Locke2005 · · Score: 2

      Suing opens them up to discovery about their security procedures... I don't think that would be in the company's best interests. Not a big fan of "security through obscurity", but you're better off having hackers know as little as possible about how you protect your servers.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    4. Re:And if the article was actually false... by jellomizer · · Score: 2

      Why bother suing when just asking politely would do?
      A legal suit will mean Apple (a secretive by nature company) will need to publicly show its proof, figure out what it damage is....
      Also politically Cook probably still wants to stay in good graces with the press. Especially as Trump is cutting more and more ties. The press is under a lot of pressure right now with violence against them, Apple doesn't need unnecessary negative press for fighting the media too.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:And if the article was actually false... by jellomizer · · Score: 2

      Well for one, a trade war started with terrifs, raising probably raising the cost.
      Changes to the supply chain SuperMicro may not have been able to meet demand.
      Boost in Cost, sometimes a vendor get cocky and tries to raise the stakes only for it to massively backfire.
      Being that spyware was put on the chips, they probably didn't pass Apple and Amazons QC Requirements.
      Big companies are often really tough on vendors in general. Apple has Dumped Motorola to IBM, to Intel (There is even talk on dumping Intel)
      Contracting with similar quarterly schedules.
      The reason why it isn't discussed is because it isn't an uncommon thing.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:And if the article was actually false... by slashdot_commentator · · Score: 2

      The thing about suing, it's a spite reaction. One rarely gets out ahead financially, even when winning a civil lawsuit. It's more about killing parasites rather than letting them suck on you. It can also be used to force a set of future actions or agreement to the competitor that one is suing. And then there's the Streisand Effect. In other words, one doesn't bother suing even if they have a slam dunk case; they're still losing money prosecuting the suit.

      In this case, it would be a reputation suit. Sometimes public legal vindication is worth the money you sink into the lawsuit. In this case, there are probably national security issues which make the suit outcome murky, what gets revealed in discovery may be more damaging than not suing, and they're suing the 4th estate, which is a difficult standard to beat in US courts.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    7. Re:And if the article was actually false... by mirthful1 · · Score: 5, Insightful

      Discovery would be fascinating for sure. For both parties. But Bloomberg can shield themselves behind anonymous sources who will likely never come forward. "Well, we're simply reporting what we were told..." At some point this gets to be about credibility. Apple has a LOT, especially when it comes to privacy. They stood up to the FBI 100%. Bloomberg BusinessWeek? Not a perfect record, to say the least. Given what I've read so far, I'm increasingly skeptical of the core story. Something happened a couple years ago, no doubt. How much is first hand and how much is 2nd hand hearsay? *shrug* But fun story... and even that leads me to lean towards BusinessWeek blew this story up because of the stuff going on with China.

    8. Re:And if the article was actually false... by slashdot_commentator · · Score: 5, Informative

      Nope. You don't understand how US civil suits work.

      The plaintiff (Apple/Amazon) only needs to demonstrate that it was harmed and what was said by the defendant was untrue. BUT Bloomberg is a journalistic entity, so the plaintiff is also required to "prove" malicious intent in order to win the lawsuit. It is exceedingly difficult to successfully sue news media in the US.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    9. Re:And if the article was actually false... by Chris+Mattern · · Score: 5, Insightful

      In my opinion, assuming Tim Cook is in the right, it's reasonable to ask for a retraction first, and then sue if that's denied. You don't have to (and to my mind shouldn't) always dial your lawyers first.

    10. Re:And if the article was actually false... by Anubis+IV · · Score: 5, Insightful

      Why did both Apple and Amazon dump SuperMicro at roughly the same time?

      They didn't. Apple dumped SuperMicro in 2016 (i.e. a year after they allegedly found the chips) after an unrelated firmware incident. Amazon was still using SuperMicro boards as of earlier this year, which they even mentioned in their initial response to Bloomberg:

      [I]n June 2018, researchers made public reports of vulnerabilities in SuperMicro firmware. As part of our standard operating procedure, we notified affected customers promptly, and recommended they upgrade the firmware in their appliances.

      I don't know where people got the false idea that they dumped SuperMicro at the same time. Moreover, if these malicious chips were real, the timeline makes no sense. Apple discovered these chips back in mid-2015, but then didn't dump SuperMicro for a full year? And Amazon knew about them too in 2015, but then didn't dump SuperMicro for three full years? It makes no sense.

    11. Re:And if the article was actually false... by rogoshen1 · · Score: 3, Informative

      you also lose a bit of secrecy if you sue. suddenly things get opened up (even if it's behind an NDA) that you don't necessarily want opened up.

    12. Re: And if the article was actually false... by MachineShedFred · · Score: 4, Insightful

      How do you prove that you weren't hacked? What kind of dispositive evidence do you think they could come up with?

      How about Bloomberg proves they were, or comes up with a sample of the hardware? Around these parts, you need to prove claims, not disprove them.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    13. Re:And if the article was actually false... by MachineShedFred · · Score: 2

      So you think that if they wholesale replaced hundreds of servers in their datacenters, that there wouldn't be any emails or records as to why? Or if they replaced their primary provider of datacenter hardware, there wouldn't be any documentation or emails kicked around at any level as to why?

      Business doesn't work like that. "Hey, let's toss tens of millions of dollars of servers because no reason! Okay!"

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  2. Re:Tim, did you look in the SERVERS? by Junta · · Score: 3

    Because such findings would be documented, since the allegation is that they *discovered* such chips.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  3. The chip story is probably fake by xenog · · Score: 4, Interesting

    I was reading in Ars Technica an article about Russian spies hacking athlete's doping test results. In the comment section someone I suspect to be a Russian troll was expressing mild outrage at the fact that Ars ran an article on that subject but hadn't yet mentioned anything about the Chinese chip hacking conspiracy, linking to the Bloomberg article. Both the quasi-science-fiction Bloomberg article allegations and the circumstances that led me to read it make me suspicious that it is probably fabricated. I don't think that Bloomberg journalists lied, but I consider it likely that they were fed false information that ended up in that article.

  4. Re:Tim, did you look in the SERVERS? by guruevi · · Score: 5, Insightful

    This is more about owning a fleet of thousands of cars across states and continents and then someone says "Dude, your car's gas tank had a hole punched in it by a police officer before it shipped to you from China". Then you do indeed go through the financial records and say "dude, we never purchased a car directly from China, moreover, nobody ever noticed a leak and nobody even reported a puddle of gas in any of our parking lots"

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  5. Re:"There's no truth to this." Child like nonsense by Jahoda · · Score: 3, Insightful

    What is a nock on Apple is that Cook is a child like idiot who denies an obvious problem

    And you have knowledge of this problem, and Tim Cook is an "idiot" because how? Because you are super sure that this must be the case? Because you see through the lies of Tim Cook to the truth of the incompetence of Apple Inc?

    But to flat out deny that essentially any nation state had ever compromised their supply chain is pathetic.

    Sure thing, internet dude. Whatever you say. You know the truth

  6. I miss the days... by slack_justyb · · Score: 5, Insightful

    You know I miss the days when stories like this would pop up and the first thing everyone would do is produce actual proof. The story literally says that China planted chips in their servers, but since the planted would have happened before the actual knowing where the board was going, they would have had to planted thousands of chips into boards in hopes of hitting a good target. So that said, finding one of these chips out in the wild shouldn't be that difficult and yet, zero people have produced an actual chip to show the story true. We literally have the Fermi paradox here. SMB would have had to produce tens of thousands of these boards that would have ended up everywhere from some CIA bunker to some NAS server in a rando University. At some point, someone, somewhere would have uncovered this and barring some complex and massive cover story conspiracy, would have seen this story and ran to side with Bloomberg to validate their claim. And yet that has not happened

    So there is obviously something up here.

    One, it isn't as widespread as Bloomberg paints and the Chinese got incredibly lucky with where their hacked boards went in that they're all sitting in Apple/Amazon/CIA places where no one in their right mind would come forward.

    Two, it isn't as widespread as Bloomberg paints and there's maybe 1,000 - 100 boards out there and only one actually hit the target and the rest will be like finding a needle in a haystack.

    Three, it is as widespread as Bloomberg paints it and everyone is a complete moron at finding these things.

    Four, it is as widespread as Bloomberg paints it and the Chinese have invented a completely inconceivable clandestine process for hiding chips that far exceeds anything previously thought possible.

    Five, China has somehow invaded every aspect of the reseller market for these boards and anything that's left their intended target has been brought back via these channels to China to prevent the boards from leaking out to other sources.

    And hell there's likely more outcomes here than I'm covering but the point remains that given the massive claims that Bloomberg has made, some sort of hard proof should turn up and yet none has. That lack of hard proof makes me seriously question the accuracy of the story. It's an incredible claim, none the less, but count me as non-believer till I see some hard proof here. There's people who will see Cook's request as some sort of "proof" but that's just the deep down cynicism talking. This massive claim has been made, and Bloomberg really needs to back it up with something. And not that weak sauce story they printed about the researcher who found blah-blah-blah on the Ethernet port. Yeah, we all already knew about that trick. No I want to see this duplicitous capacitor or resistor looking chip that's somehow so well made that you can't tell the difference between it and an actual cap/resistor and somehow invades the board enough to leak useful info or make susceptible to an outside actor in a way that's undetectable. Because the engineering feat required to get that done isn't something I would normally attribute to Chinese scientist.

    Yes, Apple and Amazon have both sued SMB before for crappy firmware. And if the story said, "They're putting super hidden firmware inside the board" I'll be honest with you, I'd be on the believer side having beers with the buds there. But this chip thing is a whole another level. Bloomberg needs to put up or shut up at this point. I'll be more than happy to eat my words if proof come across the table till then, I just don't buy this story.

    1. Re:I miss the days... by Areyoukiddingme · · Score: 2

      You know I miss the days when stories like this would pop up and the first thing everyone would do is produce actual proof. The story literally says that China planted chips in their servers, but since the planted would have happened before the actual knowing where the board was going, they would have had to planted thousands of chips into boards in hopes of hitting a good target.

      You have no understanding of the scale at which the cloud providers operate. Google, Facebook, Amazon, Apple, even Yahoo buy so many machines that they're ordering literally thousands at a time. Huge orders that the manufacturer damn well knows are going to one and only one customer, because they don't have thousands of boards just sitting on a shelf waiting for orders (it's called Just In Time Inventory management).

      Further, Google and Facebook, at least, and probably all of them are so big that they're getting custom-designed boards specifically for themselves, which are not available to the general public at all. These customers are so big that the major manufacturers will happily do bespoke manufacturing (and charge concomitantly).

      So a compromised board or two in a shipment of a thousand is quite easy to place at a single customer, and then no, we on the outside have no chance of seeing the evidence, if any, because there would be no misplaced compromising chips. The ones shipped, if there was more than one, will all be under the control of an entity with an overwhelming incentive, both financial and legal, to deny, deny, deny.

      No I want to see this duplicitous capacitor or resistor looking chip that's somehow so well made that you can't tell the difference between it and an actual cap/resistor and somehow invades the board enough to leak useful info or make susceptible to an outside actor in a way that's undetectable.

      I can believe the story is true, and that the named companies were victims. I see no reason to believe the technique was ever all that widespread, specifically because it is detectable. Bloomberg doesn't claim that it was all that widespread. They claim that Apple, out of an abundance of caution after finding one compromised board, removed all boards from that manufacturer. The Bloomberg article made it perfectly clear that the reason they have a story to write at all is because the major cloud providers have extremely good network traffic monitoring tools, saw the rogue network traffic, and started investigating. As far as Chinese Intelligence is concerned, this was an expensive failure. It only works in the bubble of the stereotypical lazy, sloppy American that a good deal of the rest of the world believes. As it turns out, not all Americans are sloppy.

  7. Re:Tim, did you look in the SERVERS? by Junta · · Score: 5, Insightful

    The claim is that it happened in 2015, on servers that would be decommisioned by now.

    Part of the claim was that Apple reported the discovery.

    So it would be 'Ford says they had gas tanks with holes in them in their 2015 F150s" and Ford saying "We checked and show no documentation supporting this claim". They didn't have to start recalling all F150s to check gas tanks for whole because some random person claimed that *Ford* claimed it. There would be an expectation that the accusation would be supported by some sort of evidence.

    Here, the one named source of the original story came forward to say that he was the one who provided an actual picture of a signal coupler, and that the tone of the interviewer was basically that some *other* expert had answered 'hmm.. maybe a signal coupler?' and hypothesis upon hypothesis added up to 'we have *confirmed* that this specific pictured chip is a chinese plant'.

    The most likely theory was that in 2015 SuperMicro had some accindental infection on something, and that a security team said 'other vendors have better security practices'. These 'reporters' for bloomberg, however, weren't satisfied and went running vague idea through multiple sources divorced from the actual occurrence and each time asking 'well, hypothetically...' and then presenting the result as fact.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  8. Re:"There's no truth to this." Child like nonsense by brunes69 · · Score: 2

    Did you read the aricle?

    The article did not say "we suspect a nation state has the capability to compromise Apple's supply chain". Nor did the article did not say "a nation state has at some point compromised Apple's supply chain". Either of these could be forgiven.

    The article said "this specific nation state compromised Apple's supply chain in this exact way with this exact method during this time window". It was *extremely specific*, and provably false.

  9. Some insight from another motherboard vendor by jacks+smirking+reven · · Score: 5, Interesting

    I got this email from Corvalent's mailing list (Corvalent is an industrial/embedded manufacturer). Had some of their insight into the whole ordeal which i found interesting.

    What is Corvalent’s Insight on Hardware Hacking?

    “It is our technical opinion that modifications of hardware, firmware and/or software are all possible ways to interfere with the normal operation of boards. Each of them has advantages and disadvantages, including technical complexity, ease of detection, and cost of implementation,” said Martin Rudloff, Corvalent’s CTO. “Typically this means that for someone to deploy an attack of the scope reported by Bloomberg in its Super Micro feature, the target must be specific and worthwhile in order to justify the high cost involved. Targeting only one or a few major companies would also minimize the risk of discovery.”

    “Without deeper knowledge of the hardware and the software running on a server, information gathered from it may not allow a thief to decode or understand what the data means. And without knowing the end users’ security measures, we find it unlikely that the information could be forwarded to an external recipient,” added Rudloff.

    Curiosity kicked in when we were discussing the level of difficulty in modifying the RJ45, so we decided to open one and check it out firsthand. As you can see below, it is very hard to open the metal enclosure without damaging it. The interior is fully packed, leaving little space to add additional circuitry. A fully assembled modified unit would probably be a better choice, but would involve the highly sophisticated effort of tapping into the supply chain and replacing the original parts with counterfeits.

      Should we Question Such a Significant Story?

    Bloomberg is a trusted new source with impeccable standards for truth and accuracy in reporting. Even so, it is possible that the story is incorrect. Sources provided data they understood to be accurate and truthful based on reports seen by them only; however, these were not shared with Bloomberg directly. There are technical inconsistencies to consider as well.

    It should be possible to detect oddities in network traffic coming from a BMC behaving in unexpected ways. Alterations to the kernel and software stack should also set off alarms during or after system boot.

    The chip pictured in the Bloomberg story fits on the tip of a pencil, yet it purportedly holds enough data to replace the data extracted from the BMC, alter the existing OS, and implement backdoor system access. This means the chip must either be larger than pictured or is using new lithography.

    Why go to the trouble of placing a new chip on the board instead of a backdoor version of one already certified as part of the design?

    Strong and specific denials by Amazon and Apple – different from the usual ‘we do not discuss issues of security as a matter of policy’– further stress the story’s validity.

  10. Re:Unprecedented? by WankerWeasel · · Score: 2

    That wasn't retracted at the request of Apple. It was retracted because NPR found that they had misreported but there was no request for retraction made by Apple. Swing and a miss. Try again.

  11. Re:"There's no truth to this." Child like nonsense by painandgreed · · Score: 4, Informative

    It was *extremely specific*, and provably false.

    Assuming it's false. And if it is false, why isn't Apple out there actually proving that it's false, rather than oh-so-gently asking for a retraction (pretty please)?

    And how do you prove that something never happened? Bloomberg claims that at least three Apple employees informed them that compromised server were found. Both Bloomberg and Apple say that Bloomberg then informed Apple, Apple investigated, and found no evidence of any of this happening. They don't even know which employees, so they can't even ask them. So, there is a giant conspiracy to keep Apple upper management from finding out about this or there is a giant conspiracy keeping not just all Apple employees that know about this from speaking out publically, but also the other "almost 30 companies" that these chips were also found out according to Bloomberg, including Amazon, Elemental, and the US government. Plus the security company in Canada that supposedly found the chips in question when Amazon found strangeness and sent them to be checked out. Amazon has also stated they have found no evidence of this ever happening and have no idea what Bloomberg is talking about, right in the original article.