Department of Homeland Security chimes in on iCloud server spy chip allegations
The United States Department of Homeland Security has added to the growing chorus of voices siding with Apple and Amazon against the blockbuster report that Apple's iCloud and Siri security was compromised by a China-planted spy chip.
The statement, issued by DHS on Saturday, doesn't delve into any detail about why it believes the Bloomberg report from Thursday is flawed, but it sides with Apple and Amazon in the matter.
Thursday's story claimed that Chinese operatives managed to sneak a microchip the size of a grain of rice onto 7000 motherboards produced by Supermicro, which supplied those compromised parts for use in Apple's iCloud data centers. The chip, supposedly designed by the Chinese military, allegedly passed data from the servers to Chinese interests and gave the alleged perpetrators a backdoor into Apple's public-facing networks.

The full DHS statement follows:

The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story.
Information and communications technology supply chain security is core to DHS's cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.
Just this month - National Cybersecurity Awareness Month - we launched several government-industry initiatives to develop near- and long-term solutions to manage risk posed by the complex challenges of increasingly global supply chains. These initiatives will build on existing partnerships with a wide range of technology companies to strengthen our nation's collective cybersecurity and risk management efforts.
After the report was published, both Apple and Amazon issued strongly worded statements very specifically refuting the claims. The denial, and the continued clarifications after the fact, go well beyond anything Apple has distributed in the past. Apple continues to categorically deny all assertions in Bloomberg's story and offers a point-by-point rebuttal of certain facts and figures.
Bloomberg is standing by its investigation -- claiming 30 companies were affected, but naming only two -- saying the report took more than a year to compile and involved more than 100 interviews. The publication cites 17 sources from government agencies and companies involved in the alleged hack, including senior insiders at Apple.
At least one of Bloomberg's sources appears to have changed its mind after publication.
Comments
Didn't Bloomberg actually say it wasn't known if any of the 7000 servers already in use were compromised? I don't recall them saying anywhere in the article that they were, only that Apple had 7000 in use that potentially could have been. Of note, Apple claims no servers were sent back to Supermicro, but in 2015 the supplier themselves said exactly that: Apple was returning recently purchased servers. No reason for Supermicro to say Apple sent servers back unless they had.
After reading the article, I was under the impression that Apple shipped the servers back due to firmware issues, not any hardware shortcoming.
...That's an odd response if true, isn't it? And it didn't originate from the Bloomberg story either. Those statements of supposed fact were made by Supermicro themselves, as quoted and reported by The Information a couple of years back.
So three current incongruities stand out to me as of this morning:
- Apple (PR) said they didn't send servers back, just cancelled further purchases sometime later for unrelated reasons. Supermicro themselves, on the record, say that's not correct: Apple was already sending back servers previously sold to them after the unofficial firmware version was discovered on at least one server.
- According again to Supermicro executives speaking on the record: when a suspicious firmware update was discovered on an Apple server previously purchased from Supermicro in 2015, and Apple was advised it did not come from them (despite what Apple believed at the time), Apple stopped communication on the issue rather than pursuing it with Supermicro to get to the bottom of it.
- No current Apple executive has been willing to be quoted on the record disputing the Bloomberg story, only communicating "anonymously" with one publication. Any statements attributed to "Apple" have come only from the PR department AFAIK; no specific Apple executive has so far been willing to go on the record themselves.
Apple's former Chief Legal Officer and executive Bruce Sewell was offered as evidence and spoke on the record, but he's retired and no longer represents them. Where's the current Chief Legal Officer's statement rather than the retired one's?
But I'm still siding with Apple and Amazon, just not nearly as convinced as I was 48 hours ago.
What part of the post are you disagreeing with? Obviously if I was "all-knowing" I'd already know the answers to the story inconsistencies I mentioned. How about you, anything pertinent and informative to add? You completely comfortable with Apple executives speaking only if "off the record"?
Personally I'll be much more assured when Apple's current chief legal officer Katherine Adams speaks on the record rather than their retired one. I suspect she may at some point.
Aren't you curious how Apple got that version even though the server supplier says it's not theirs? You can be positive Apple was, but yet chose to stop communicating with Supermicro to find out? That doesn't make sense to me unless the investigation on how it happened was taken out of their hands. Otherwise it sounds plainly dumb to drop it. What about you?
As far as you saying you don't think it's unusual that no exec has commented on the record, the whole Apple response to this has been unusual. Can you remember them ever being so involved or vehement in a story denial? Yet not one exec chiming in themselves. Cook or some other Apple exec has never shied away from commenting in the past when he feels Apple has been unfairly painted. This is the most vocal they have ever been AFAIK, and the lack of "on the record" comments from any of them seems, well... odd in light of that.
"In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers have ever been found to hold malicious chips."
Your current argument is that Apple hasn't responded from the top. I'm not seeing that as meaningful, one way or another.
To be clear, I'm not claiming any conspiracies either, as you would know if you read what I wrote, which you presumably did. I have questions on a couple of things and am far from claiming a bunch of agencies are in cahoots to hide the truth. You obviously prefer not to acknowledge there could be any questions; everything is perfectly clear to you. It's all good.
LOL
https://www.theregister.co.uk/2018/10/04/supermicro_bloomberg/
Lots of IT people commenting on this. Bottom line: unlikely that a component could be added on the board; it would be discovered. Hiding the component within the board layers is technically difficult, and it would have to be small to avoid discovery by X-ray and other means. Even then, monitoring network traffic would likely have found any transmissions pretty quickly.
All in all, attempting to decide who is telling the truth based on the veracity of the statements, or the elevation of the company official posting it, is a fool's errand.
The Chinese govt is engaging right now in the greatest theft of American intellectual property and tech by ALL means possible. Goal: bring down the US economy. This is real. Anyone who thinks it’s some joke is totally uninformed. Just today NPR published a story exactly about what the Chinese govt is doing to us:
China Makes A Big Play In Silicon Valley - NPR https://apple.news/ALymw-5ufTZGdpRdRMc03DQ