No evidence of spy chips, Apple insists in letter to US Congress [u]
Apple hasn't detected unusual transmissions or other evidence servers were infiltrated with Chinese spy chips, the company's VP of Information Security insisted in a letter to Congress on Sunday.

Updated on Oct. 8 with the letter itself, as well as amplifying remarks by Apple
Apple's Vice President of Information Security George Stathakopoulos penned the letter, stating that the allegations about the spy chip came from a single source rather than the 17 corroborating sources Bloomberg claims.
Stathakopoulos promised to make himself available to brief Congressional staff.

While the story was being reported, we spoke with Bloomberg's reporters and editors and answered any and all of their questions. We methodically dispelled the often-shifting nature of their claims. While we repeatedly asked them to share specific details about the alleged malicious chips that they seemed certain existed, they were unwilling or unable to provide anything more than vague secondhand accounts.
We were struck by the fact that the gravity and magnitude of the claims seemed to be undermined by their uncertainty around key details. Nevertheless, we worked tirelessly to ascertain whether these claims were true or, failing that, if anything even like them were true.
In the end, our internal investigations directly contradict every consequential assertion made in the article -- some of which, we note, were based on a single anonymous source.
Apple has never found malicious chips, "hardware manipulations" or vulnerabilities purposely planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation.
Last Thursday, a Bloomberg report claimed that Chinese operatives had managed to sneak a microchip the size of a grain of rice onto 7,000 motherboards produced by Super Micro, which supplied those compromised parts for use in Apple's iCloud data centers. The chip, supposedly designed by the Chinese military, is said to have passed server data on to Chinese interests, and created a backdoor into public-facing networks.
Bloomberg has stuck by its story, claiming that 30 companies were affected in all, Amazon being another example. The report took over a year to produce and cites 17 sources, including people inside Apple.
Two government agencies -- the Department of Homeland Security, and the U.K.'s GCHQ -- have cast doubt on the allegations. The Chinese government is known to regularly probe U.S. government and corporate networks, though.
The U.S. National Security Agency has itself resorted to intercepting IT infrastructure such as Cisco routers.
Comments
Apple did not say: we took our devices apart, looked at each tiny microchip and can verify we only have components that should be there.
However, for a government agency to leave physical evidence and ship it is sloppy - would it not be much easier to do this in any other software these devices have?
If they have that low level access - actually putting it on existing chips would be way more effective.
Bloomberg did a year of research.
As my math teacher said: show your working.
Give government agencies and security companies access to your work.
Presumably, if the source of the attack was Ireland, the chip would be the size of a potato.
If the Chinese do have a device that is the size of a grain of rice and can hack any network and transmit data back to China without being detected, then I have to wonder why they're wasting their time stealing Western IP?
And if they do have such a chip then hacking Apple is the very least we should be worried about.
What Bloomberg has shown so far is anonymous sources that Apple, but nothing else: no memos, no pictures of the chip. After a year of research, they must have something more concrete.
By writing to congress, without being asked to answer any allegations, Apple appears to be trying to force their hand. Either Bloomberg is biding their time for maximum impact, or they're sh*tting themselves and hoping this will just blow over.
There were red flags in the story that made me feel suspicious about how Bloomberg published the story to be open ended enough to allow it to dribble out more pieces of the story to stretch the claims as long as possible to November 6th.
For maximum initial impact only Amazon and Apple were named in the story. Twenty-eight other companies were not named. Later Facebook was named. I fully suspect one or two companies will be named each week towards November to keep the story alive. Doing this staggered release of company names ensures Amazon and Apple are mentioned throughout the life of the story.
Another suspicious part of the story was the mentioning of one anonymous source receiving immunity before speaking. Why would only one source need assured immunity? And, which anonymous government agency gave the anonymous source immunity?
This story is going to last for a while and I am looking to see which November candidates mention the Bloomberg claims. Bloomberg knows it can accuse companies without ever having to publish responses to the denials of the accused companies.
If any company chooses to sue Bloomberg, Bloomberg wins because the company would have to give Bloomberg’s lawyers the opportunity to snoop through confidential information that doesn’t necessarily pertain to the story and that information will be “mistakenly” made public.
Unless someone inside Bloomberg feels strongly enough to leak Bloomberg’s year long research we will never know the full story.
I'm a little concerned about Apple's "proprietary security tools" statement because there should be no need for proprietary tools or processes, at least from a security protocol perspective, for the types of security protections that Apple uses versus what any other server operator would use. Even if Apple is performing deep packet inspection (DPI) on content inside standard communication packets one would think that they'd still be constrained in visibility by user-defined encryption secrets that are the basis for Apple's "we don't put in a backdoor" policies. Perhaps what Apple means by "proprietary" has more to do with the processing efficiency and performance of their security tools versus the types of security processes and algorithms they are able to apply. What Apple didn't specifically mention is whether they also have layers of penetration detection - but I assume they do and only felt compelled to mention outbound traffic in the context of this story.
All of this scanning talk kind of assumes that we are still inside the realm of in-band communication networks and standard communication protocols. We've already seen that information can be transported innocuously, even in-band, via content modification, e.g., embedding data in media formats, embedding data in file metadata, trickling out data at super-frame rates, etc. However, if these "magic grains of rice" are somehow working out-of-band, who knows whether any server operator would be prepared to counter such a threat. Of course you'd expect to find supporting infrastructure in the server facilities to allow the out-of-band mechanisms to work, for example a cellular connection or a dedicated connection used by the facility security monitoring service. If you think this is all harebrained nonsense, keep in mind that most credit card skimmers use out-of-band mechanisms to steal credit card information. I'd imagine state sponsored NSA-quality cyberspies on any side of the ongoing worldwide cyber-domination struggle have more tools, techniques, and resources at their disposal than your average credit card skimmer builder.
The ball is in Bloomberg's court - show us some evidence and let the security scientists have a look at it.
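The "unusual transmissions" check the letter alludes to, and the "trickling out data" case raised in the comment above, as an added example that is not Apple's tooling or anything from the article: a beaconing detector run over constructed outbound flow records, flagging connections to unknown destinations that recur at a regular period regardless of how little data they carry. Host names, addresses, timestamps and the allow-list are all constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound flow records for two servers (not data from the article):
# (epoch_seconds, src_host, dst_ip, bytes_out). All values are hypothetical.
FLOWS = (
    # routine traffic from srv-a to a known internal host: irregular timing, varied sizes
    [(t, "srv-a", "10.0.0.5", b) for t, b in
     [(0, 5200), (700, 81000), (1500, 3300), (5100, 120000), (5200, 4100), (9000, 64000)]]
    # traffic from srv-a to an unknown address: new, but not periodic
    + [(t, "srv-a", "198.51.100.9", b) for t, b in
       [(100, 900), (400, 20000), (4000, 1500), (4100, 700), (4300, 31000), (9900, 2200), (12000, 800)]]
    # srv-b contacts an unknown address every hour (+/- a few seconds) with tiny payloads
    + [(t, "srv-b", "203.0.113.7", 180) for t in
       [0, 3602, 7199, 10801, 14400, 18003, 21598, 25200]]
)

# Destinations the operator already expects to see (assumed allow-list).
KNOWN_DESTINATIONS = {"10.0.0.5"}


def find_beacons(flows, known, min_flows=6, max_cv=0.05):
    """Flag (src, dst) pairs whose flows go to an unknown destination at a regular
    period. The period, not the volume, is the signal: a trickle of small flows
    every hour is what a low-and-slow exfiltration channel looks like."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    findings = []
    for (src, dst), recs in by_pair.items():
        if dst in known or len(recs) < min_flows:
            continue
        recs.sort()
        intervals = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        period = mean(intervals)
        if period <= 0:
            continue
        cv = pstdev(intervals) / period   # coefficient of variation: 0 = perfectly regular
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "flows": len(recs),
                             "period": period, "cv": round(cv, 4),
                             "bytes": sum(n for _, n in recs)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(FLOWS, KNOWN_DESTINATIONS):
        print(f"{f['src']} -> {f['dst']}: {f['flows']} flows, period {f['period']:.0f}s, "
              f"cv {f['cv']}, only {f['bytes']} bytes total")
```

On the constructed data only srv-b's hourly 180-byte flows are reported; the larger but irregular traffic to the other unknown address passes, which is the point of scoring regularity rather than volume.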
Add to that news this morning that Facebook admits to finding a malware-version firmware update on some lab servers (?!) in 2015 too. That server was also from Supermicro.
"While it learned of the malware on the devices in 2015, it said it is in the process of removing the equipment now. It didn’t explain why that’s still going on three years after it found out about the issues."