The security community is voicing increasing doubts about the Bloomberg Chinese chip hacking report
- A Bloomberg report from last week alleged that Chinese spies had been able to implant malicious chips into servers made by SuperMicro, an American company.
- All parties involved have denied the report, including, most recently, the secretary of the Department of Homeland Security, during a Senate hearing.
- Security professionals are also increasingly distancing themselves from the claims.
Last week, Bloomberg published
a bombshell report about how Chinese spies managed to implant
chips into computer servers made by SuperMicro, an American
company.
If true, the report raised questions about whether sensitive US
government and corporate data may have been accessed by Chinese
spies, and whether all data stored on PCs is essentially at
risk.
But since then, a series of statements from government officials
and information security professionals — including some named in
the stories — have cast doubt about the report’s main
claims.
On Wednesday, the secretary of the Department of Homeland
Security denied the report in a Senate hearing — the strongest
on-the-record government denial yet.
“With respect to the article, we at DHS do not have any evidence
that supports the article,” Kirstjen Nielsen said on Wednesday.
“We have no reason to doubt what the companies have said.”
(During the same hearing, FBI Director Chris Wray said that he
couldn’t confirm nor deny the existence of any investigation into
compromised SuperMicro equipment, which was claimed in the
Bloomberg report.)
Nielsen’s denial comes on the same day as a senior NSA official
said that he worries that “we’re chasing shadows right now.”
“I have pretty great access, [and yet] I don’t have a lead to
pull from the government side,” Rob Joyce, perhaps the most
public-facing NSA cybersecurity official, said at a U.S. Chamber
of Commerce meeting.
“We’re just befuddled,” Joyce said,
according to Cyberscoop.
Alex Stamos, Facebook’s former head of security, called
Joyce’s denial “the most damning point” against the story that he
had seen.
The increasing doubt about Bloomberg’s claims comes as lawmakers
demand additional answers based on the series of reports. Sens.
Richard Blumenthal and Marco Rubio asked SuperMicro to cooperate
with law enforcement in a sharply worded letter on Tuesday.
Senator John Thune also sent letters to Amazon and Apple, which
Bloomberg said had purchased compromised servers.
Sources walk back
But government officials aren’t the only people who are now
having second thoughts about the stories.
One prominent hardware security expert, Joe Fitzpatrick, who was
named in the story, ended up doing a revealing podcast with Risky
Business, a trade outlet that’s more technical than Bloomberg.
Journalists who write stories based on anonymous sources often
call up experts to fill out some of the more general parts of a
story and improve the story’s flow.
But Fitzpatrick said that’s not what happened.
“I feel like I have a good grasp at what’s possible and what’s
available and how to do it just from my practice,” Fitzpatrick
explained. “But it was surprising to me that in a scenario where
I would describe these things and then he would go and confirm
these and 100% of what I described was confirmed by sources.”
He went on to say that he heard about the story’s specifics in
late August and sent an email expressing major doubt. “I heard
the story and it didn’t make sense to me. And that’s what I said.
I said, ‘Wow, I don’t have any more information for you, but this
doesn’t make sense.’”
Several notable information security professionals used
Fitzpatrick’s quotes as a jumping-off point to express their
doubts about the story:
Bloomberg sticks by its story
Bloomberg’s report was obviously explosive and had immediate
effects.
Super Micro lost over 40% of its value the day of the report.
Apple and Amazon, which the report said had bought compromised
servers, fiercely denied the report in public statements.
While Bloomberg put out a statement that said that it stood by
its reporting shortly after the first story, the loudest
institutional support for the story came in a followup story by
Bloomberg that said new evidence of hacked Supermicro
hardware was found in a U.S. telecom.
Bloomberg didn’t name the affected telecom.
“The more recent manipulation is different from the one described
in the Bloomberg Businessweek report last week, but it shares key
characteristics: They’re both designed to give attackers
invisible access to data on a computer network in which the
server is installed; and the alterations were found to have been
made at the factory as the motherboard was being produced by a
Supermicro subcontractor in China,” according to the Bloomberg
followup report.
But even the source for the followup now says he’s “angry” about
how the story turned out.
“I want to be quoted. I am angry and I am nervous and I hate what
happened to the story. Everyone misses the main issue,” which is
that it’s an overall problem with the hardware supply chain, not
a SuperMicro-specific issue,
Yossi Appleboum told Serve The Home.
But everyone says it’s possible
But the tricky thing about Bloomberg’s story is that nearly
everyone agrees something like it could happen; it
just didn’t happen the way the report suggests.
Security experts agree that the security of the factories that
make electronics is an ongoing issue, even if no malicious chips
have been found yet.
“What we can tell you though, is it’s a very real and emerging
threat that we’re worried about,” Sec. Nielsen said shortly after
saying she had no evidence in favor of the story.
And as one manufacturing expert
told Business Insider, “I don’t actually think it’s hard to
inject stuff that the brand or design team didn’t intentionally
ask for.”
Chinese industrial espionage has been an issue for many years,
and it’s a talking point for President Donald Trump, who accused
Chinese exchange students of being “spies”
earlier this year in a conversation with CEOs including Apple CEO
Tim Cook.
But there is evidence that Chinese spies do spy on American
companies. Earlier this week, a Chinese officer was extradited to
the United States to face espionage charges related to stealing
secrets from companies
including GE Aviation.
The FBI also arrested a Chinese national earlier this
year who had worked for Apple and allegedly was taking
self-driving car information to a little-known Chinese
startup.
So there’s a lot of evidence that there are spies who are
actively working to steal American industrial secrets. Just maybe
not with malicious chips inserted through the supply chain —
yet.