Experts doubt Chinese chip-hacking story

Lucas Niewenhuis Published October 9, 2018

Last week, Bloomberg Businessweek wrote a bombshell report alleging that U.S. federal investigators had found sabotaged hardware built in China and sold widely throughout American supply chains — Apple, Amazon, and even the CIA had been using tampered chips in their data center motherboards, it was claimed.

The companies involved all strenuously denied the story, and Apple went so far as to write “a letter to the Senate and House commerce committees that the company had repeatedly investigated and found no evidence for the main points in a Bloomberg Businessweek article,” according to Reuters. Britain’s National Cyber Security Centre and even the U.S. Department of Homeland Security joined in, saying they had “no reason to doubt denials from Apple and Amazon.com Inc that they had discovered backdoored chips.”

The Bloomberg Businessweek report was based on sources including “three Apple insiders” and “six U.S. officials.” We are told the officials span both the Obama and Trump administrations. “In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks,” Bloomberg says, though most remained anonymous “because of the sensitive, and in some cases classified, nature of the information.”

Now, one of the few named sources in the original story — Joe FitzPatrick, a hardware security expert, who is only quoted in relation to a hypothetical scenario where a piece of “hardware opens whatever door it wants” — says he highly doubts the report is accurate.

FitzPatrick was interviewed on Risky Business, a podcast that features “news and in-depth commentary from security industry luminaries.”
He says that nearly every technical detail in the story appears to have come directly from conversations he had with one of the reporters, Jordan Robertson.
“Either I have excellent foresight, or something else is going on,” FitzPatrick says.
The hack as described “doesn’t make sense because there are so many easier ways to do this… There are software, there are firmware approaches, and the approach that you’re describing, it’s not scalable, it’s not logical, it’s not how I would do it, or how anybody I know would do it.”
The technical details are “jumbled,” but “not outright wrong,” he adds, emphasizing multiple times that he regularly encounters difficulty in getting even software experts to record the details on hardware correctly, let alone journalists — “I didn’t speak with any fact checkers. I see a lot of details that I gave out of context.”
FitzPatrick raised his concerns with Bloomberg as the story was initially described to him before publishing — “Wow, this doesn’t make sense,” he remembers as his reaction — and after publishing, in an email, but both times was reassured that other sources had corroborated the details of the hacking.
Bloomberg stands by its reporting: “The specific ways the implant worked were described, confirmed, and elaborated on by our primary sources who have direct knowledge of the compromised Supermicro hardware,” it told Axios.
And Bloomberg published another story on a different reported hack at Supermicro, which alleges, “Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector”: New evidence of hacked Supermicro hardware found in U.S. telecom (porous paywall).

But other experts have also raised doubts, both because of the technical details and because of the kind of denials the companies have given.

The “grain of rice” size of the alleged chip implant raised red flags for multiple experts.
FitzPatrick points out that the picture of a tiny chip implant featured in the story appears to be the exact same model of a coupler component that he showed the reporters when asked about various microchip components. Some in China also noticed it was a standard component — one skeptical article circulating on WeChat was titled (in Chinese), “The ‘spy chips’ that Bloomberg exposed? I can buy them on Taobao for 1 yuan.”
“It would be amazing for China if it could integrate internal storage, a CPU and wireless communications in such a tiny chip,” Zhang Baichuan, a Chinese cybersecurity expert, told SCMP, adding, “The fact is, China’s chip technology is still at a primary stage.”
And the companies’ specific denials make it extremely unlikely they are lying: “The companies [would] risk enforcement by the FTC for engaging in a deceptive act that is likely to harm consumers,” David Vladeck, Georgetown professor and former head of the Federal Trade Commission’s Bureau of Consumer Protection, told Axios.

What does this all mean in the end? One possibility is that someone is lying: either the U.S. government — after all, the damage to Chinese technology reputation is done, and in that sense, it won’t matter if the story is true or not — or the companies. But Axios points out that there is at least one other possibility, though it is unclear if this is more likely:

“It’s possible that well-meaning sources confused malware Apple reportedly found in Supermicro firmware with a hardware-based espionage campaign. The two are not equivalent — the firmware problem was quickly dealt with.”
FitzPatrick, for what it’s worth, also speculated that he thinks this kind of confusion about the technical details could have tripped up either a source or the Bloomberg journalists.

Lucas Niewenhuis is the Newsletter Editor at The China Project. Previously, he has researched China-Africa relations at the Social Science Research Council, interned at the Council on Foreign Relations, and studied Chinese language and culture in Shanghai and Beijing. Read more

Twitter

Suggested for you

Politics & Current Affairs

Cookie	Description
_gat	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
YSC	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Description
bcookie	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	This cookie is set by LinkedIn and used for routing.
PugT	This cookie is set by pubmatic.com. The purpose of the cookie is to check when the cookies were last updated on the browser in order to limit the number of calls to the server-side cookie store.

Cookie	Description
__gads	This cookie is set by Google and stored under the name dounleclick.com. This cookie is used to track how many times users see a particular advert which helps in measuring the success of the campaign and calculate the revenue generated by the campaign. These cookies can only be read from the domain that it is set on so it will not track any data while browsing through another sites.
_ga	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors.
_gid	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
_omappvp	The cookie is set to identify new vs returning users. The cookie is used in conjunction with _omappvs cookie to determine whether a user is new or returning.
_omappvs	The cookie is used to in conjunction with the _omappvp cookies. If the cookies are set, the user is a returning user. If neither of the cookies are set, the user is a new user.
GPS	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location

Cookie	Description
__qca	This cookie is associated with Quantcast and is used for collecting anonymized data to analyze log data from different websites to create reports that enables the website owners and advertisers provide ads for the appropriate audience segments.
_fbp	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
everest_g_v2	The cookie is set under eversttech.net domain. The purpose of the cookie is to map clicks to other events on the client's website.
fr	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
mc	This cookie is associated with Quantserve to track anonymously how a user interact with the website.
personalization_id	This cookie is set by twitter.com. It is used integrate the sharing features of this social media. It also stores information about how the user uses the website for tracking and targeting.
PUBMDCID	This cookie is set by pubmatic.com. The cookie stores an ID that is used to display ads on the users' browser.
TDCPM	The cookie is set by CloudFare service to store a unique ID to identify a returning users device which then is used for targeted advertising.
TDID	The cookie is set by CloudFare service to store a unique ID to identify a returning users device which then is used for targeted advertising.
test_cookie	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the users' browser supports cookies.
uid	This cookie is used to measure the number and behavior of the visitors to the website anonymously. The data includes the number of visits, average duration of the visit on the website, pages visited, etc. for the purpose of better understanding user preferences for targeted advertisments.
uuid	To optimize ad relevance by collecting visitor data from multiple websites such as what pages have been loaded.
uuidc	This cookie is used to stores information about how the user uses the website such as what pages have been loaded and any other advertisement before visiting the website. This data is used to provide users with relevant ads.
VISITOR_INFO1_LIVE	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Trending

Trending

Experts doubt Chinese chip-hacking story

Suggested for you

Empires of lies

An African in China brings global sports to Africa — Q&A with Lloyd Randall

Should you be frightened by China’s revision to the anti-espionage law?

From Prince Harry to Harry Potter in China — Q&A with publishing veteran Jo Lusby

Beijing’s global media offensive — Q&A with Josh Kurlantzick

The money behind China’s non-state, nationalist media diet | Live with Lizzi Lee

Subscribe

About

Business Services

Advertise

Trending

Extended Navigation

Trending

Suggested for you