• Quick note - the problem with Youtube videos not embedding on the forum appears to have been fixed, thanks to ZiprHead. If you do still see problems let me know.

Did Bloomberg Swallow A Fake Chinese Apple Chip?

William Parcher

Show me the monkey!
William Parcher
Joined
Jul 26, 2005
Messages
27,471
The highly reputable Bloomberg Businessweek has published a report saying that China installed super tiny chips on motherboards which allowed them to hack into the Apple iCloud. Apple says it never happened.


Bloomberg Businessweek said:
The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.

...Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China...
Click to expand...

https://www.bloomberg.com/news/feat...ny-chip-to-infiltrate-america-s-top-companies



Apple Inc. said:
The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims.

Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers have ever been found to hold malicious chips.

As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections. We did not uncover any unusual vulnerabilities in the servers we purchased from Super Micro when we updated the firmware and software according to our standard procedures...
Click to expand...

https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/
 
The evidence that Apple offered to refute the claim is weak.

I'm more inclined to believe that there is a grain of truth (At least the size of a rice kernel) to Bloomberg's report. Considering the implications and secrecy of national security, Apple/Amazon had no choice but to lie and deny to consumers.

Did you see this?
FaceBook said:
“In 2015, we were made aware of malicious manipulation of software related to Supermicro hardware from industry partners through our threat intelligence industry sharing programs,” Facebook said in an emailed statement.
Click to expand...
And then
Apple said:
In its denial that a chip attack had reached its server network, Apple did acknowledge to Bloomberg Businessweek that it had encountered malware downloaded from Supermicro’s customer portal. Apple said the infection occurred in 2016, months after the events described by Facebook
Click to expand...
Seems like a long time for hackers to have been identified by FaceBook and then still have been able to infect Apple equipment. You'd think the portal would have been secured by Supermicro’s over that long of a time period.
 
SS, your two quotes relate to malware. But this claim is about hardware. A chip that isn't supposed to be there was soldered to a motherboard.
 
Reuters said:
Britain’s national cyber security agency said on Friday it had no reason to doubt the assessments made by Apple Inc and Amazon.com Inc challenging a Bloomberg report that their systems contained malicious computer chips inserted by Chinese intelligence services...

...Apple’s recently retired general counsel, Bruce Sewell, told Reuters he called the FBI’s then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer Inc , a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips.

“I got on the phone with him personally and said, ‘Do you know anything about this?,” Sewell said of his conversation with Baker. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and said ‘Nobody here knows what this story is about.'"

Baker and the FBI declined to comment Friday.
Click to expand...

https://www.reuters.com/article/us-...apple-amazon-china-hack-denials-idUSKCN1MF1DN
 
You can guarantee that China is doing everything it can to spy on other governements. Actually, to spy on it's own people as well, now that I think of it. The vulnerability of the onboard management systems has long been known as a weak point in computer security.
 
I'm a little skeptical of someone saying a categorical denial is now a non denial. And I've been watching way too many Louis Rossmann videos but just swapping out a component is going to a little more complex than described in the article. And finding it would not present a problem.

Goto 1:00 to see latest software for PCB's.

That leaves the nefarious big companies "in" on the deception. Hmmmmm.
 
William Parcher said:
SS, your two quotes relate to malware. But this claim is about hardware. A chip that isn't supposed to be there was soldered to a motherboard.
Click to expand...
I understand soft vs hardware. I mentioned the software debacle for 2 reasons.

1. The fact that SuperMirco was notified of the malware on their portal by FaceBook and Apple's subsequent infection many months later allows me to make a judgment that SuperMicro is not doing a good job protecting the integrity and security of their infrastructure, which includes the supply chain for their hardware.

2. The use of Press Releases were used to corroborate Bloomberg's article. Apple publicly announced that they dropped SuperMicro as a supplier because of the malware downloaded from SuperMirco's portal. Bloomberg's anonymous source claimed that Apple's discovery of malicious hardware also played a role in that decision. Apple has denied that they have any knowledge of malicious components on SuperMicro hardware.
 
US Department of Homeland Security said:
The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely. Just this month – National Cybersecurity Awareness Month – we launched several government-industry initiatives to develop near- and long-term solutions to manage risk posed by the complex challenges of increasingly global supply chains. These initiatives will build on existing partnerships with a wide range of technology companies to strengthen our nation’s collective cybersecurity and risk management efforts.
Click to expand...

https://www.dhs.gov/news/2018/10/06...dia-reports-potential-supply-chain-compromise

The government has no reason to doubt what Apple and Amazon are saying (denying).
 
It has been my impression for some time that Bloomberg Businessweek tends to post anti-Apple articles. I have not tried to quantify or scientifically document this but my memory is that that they are often among the first to post negative reviews of new Apple releases, doomsday predictions of the likely commercial success/market share of new Apple products (often wrong), and exaggerations of any bugs.

I do not know the basis of this: if they are financially linked to Microsoft in some way, if the editor identified as a Windows fanboy in high school, if Steve Jobs had an affair with the assistant editor's mother (and denied it of course), or if their office MacBook Pro has a keyboard problem that Apple refuses to fix. But frankly I do not see Bloomberg Businessweek as truly neutral in this regard.

I use Apple products but I am not an unrestrained fanboy. They irritate me from time to time, sometimes quite intensely. There is much truth in many of the criticisms I have read. But I also realize that many product and services reviews and news articles in the tech field are often designed to quitely manipulate consumers and investors for the financial gain of one company over another.
 
Reuters said:
Apple Inc’s top security officer told Congress on Sunday (today) that it had found no sign of suspicious transmissions or other evidence that it had been penetrated in a sophisticated attack on its supply chain.

Apple Vice President for Information Security George Stathakopoulos wrote in a letter to the Senate and House commerce committees that the company had repeatedly investigated and found no evidence for the main points in a Bloomberg Businessweek article published on Thursday, including that chips inside servers sold to Apple by Super Micro Computer Inc allowed for backdoor transmissions to China.

“Apple’s proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found,” he wrote in the letter provided to Reuters...
Click to expand...

https://www.reuters.com/article/us-...CN1MH0YQ?feedType=RSS&feedName=technologyNews
 
The wording of the denial by the Chinese government is peculiar. They essentially said, "We are victims too."
 
techcrunch said:
What lends more credence to this second Bloomberg story than the first is that a security researcher said he inspected the implant first-hand...Yossi Appleboum, co-founder of Sepio Systems and former Israeli intelligence officer, provided Bloomberg with evidence and documentation...that the alleged implant was introduced at the factory where the telecom’s equipment was built. Entire article
Click to expand...
..
 
You must log in or register to reply here.

Back
Top Bottom