Security researcher cited in Bloomberg's China spy chip investigation casts doubt on story...

Posted:
in General Discussion edited October 9
Security researcher Joe Fitzpatrick, one of the few sources named in Bloomberg Businessweek's bombshell China hack investigation, in a podcast this week said he felt uneasy after reading the article in part because its claims almost perfectly echoed theories on hardware implants he shared with journalist Jordan Robertson.


Graphic illustrating size of supposed Chinese spy chip allegedly embedded in Apple servers.
Source: Bloomberg Businessweek


Fitzpatrick detailed his dealings with Bloomberg to Patrick Gray of Risky Business in a podcast published on Monday.

The security specialist first spoke with Robertson last year, just prior to giving a presentation on hardware implants at the DEF CON hacking convention. The impetus behind Robertson's questioning was not made clear to Fitzpatrick until last month.

In his conversations with the journalist, Fitzpatrick detailed how hardware implants work, specifically noting successful proof-of-concept devices he demonstrated at Black Hat in 2016. While he is a security researcher, Fitzpatrick is not in the business of selling such devices to customers -- let alone nation states -- and is for the most part working off theories derived from years of teaching others how to secure their own hardware.

When asked what, exactly, he found strange about Bloomberg's claims, Fitzpatrick said, "It was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100% of what I described was confirmed by sources."

Further, the story as told "doesn't really make sense." As Fitzpatrick notes, there are easier, more cost-effective methods of attaining backdoor access into a target computer network.

Bloomberg in its article claimed Chinese operatives managed to sneak a microchip smaller than a grain of rice onto motherboards produced by hardware supplier Supermicro. Supposedly designed by the Chinese military, the chip acted as a "stealth doorway onto any network" and offered "long-term stealth access" to attached computer systems.

Nearly 30 companies were reportedly impacted by the breach, though only Amazon and Apple were mentioned by named in the story. Both companies have released strongly worded denials, with Apple characterizing the report as "wrong and misinformed."

"Spreading hardware fear, uncertainty and doubt is entirely in my financial gain, but it doesn't make sense because there are so many easier ways to do this," Fitzpatrick said, referring to the purported hardware implant. "There are so many easier hardware ways, there are software, there are firmware approaches. There approach you are describing is not scalable. It's not logical. It's not how I would do it. Or how anyone I know would do it."

Fitzpatrick said as much to Robertson in an email exchange, pointing out the described backdoor attack can be just as easily accomplished by remotely modifying the firmware of "most BMCs" (baseboard management controllers) as many run outdated software. He went on to ask whether the additional hardware sources supposedly discovered on the boards were merely counterfeit prevention, bypassing implants or some other functional component added by a legitimate third-party.

In one email exchange, he cautioned that inexperienced observers might mistake combination hardware -- flash storage and a micro controller, for example -- as a hardware implant. The Bloomberg investigation claims the spy chips were incorporated into another, inconspicuous component that took on the appearance of signal conditioning couplers.

Robertson in an emailed reply confirmed that the idea "sounded crazy," but said "lots of sources" corroborated the information. Fitzpatrick was not convinced.

"And you know I'm still skeptical. I followed up being like, 'Yeah, okay if they wanted to backdoor every single Supermicro motherboard, I guess this is the approach that makes sense," he told Gray. "But I still in my mind I couldn't rationalize that this is the approach any one would choose to take."

Robertson was unable to produce photographic evidence of the chips in question, saying they were described to him by protected sources. Indeed, Robertson in September asked Fitzpatrick what a "signal amplifier or coupler" looks like, suggesting the publication narrowed the attack package down to that particular component. Fitzpatrick sent Robertson a link to a very small signal coupler sold by Mouser Electronics.

"Turns out that's the exact coupler in all the images in the story," Fitzpatrick said.

While the illustration used in the Bloomberg story is just that, Fitzpatrick argues similar components would be an unlikely choice for the attack vector described. Larger, albeit less conspicuous hardware is available, namely chips that mimic the SOIC-8 package. Further, pint-size signal couplers are not standard fare for server motherboards that do not include Wi-Fi or LTE.

"But it's just not the easiest package to choose to use with something like this, it's not a package you'd expect to find in a motherboard," he said. "It's something where if it's on your motherboard you'd be like, 'What the heck is that doing there for?'"

Whether the Supermicro boards in question integrated wireless radio technologies is unclear.

Bloomberg stands by its original reporting. The year-long investigation incorporates information from 17 sources, some of whom work or worked for the allegedly impacted companies or the U.S. government.

"As is typical journalistic practice, we reached out to many people who are subject matter experts to help us understand and describe technical aspects of the attack. The specific ways the implant worked were described, confirmed, and elaborated on by our primary sources who have direct knowledge of the compromised Supermicro hardware. Joe FitzPatrick was not one of these 17 individual primary sources that included company insiders and government officials, and his direct quote in the story describes a hypothetical example of how a hardware attack might play out, as the story makes clear," a Bloomberg News spokesperson said in a statement to AppleInsider. "Our reporters and editors thoroughly vet every story before publication, and this was no exception."

Apple executives and high-ranking security engineers said an internal investigation into Bloomberg's claims revealed no evidence of the hardware tampering in question, nor did the company identify unrelated incidents from which the allegations could have conceivably arisen.

Apple said much the same in a letter to Congress issued over the weekend.

For his part, Fitzpatrick said Bloomberg's account of what transpired, if anything, is suspect.

"I have the expertise to look at he technical details and I have the knowledge to look at the technical details and see that they're jumbled. They're not outright wrong, but they are theoretical," he said. "I don't have the knowledge to know the other conversations -- the other 17 sources and what they said, but I can infer based on the technical side of things that the non-technical side of things may be jumbled the same way."

Updated with response from Bloomberg spokesperson.
«1

Comments

  • Reply 1 of 36
    chasmchasm Posts: 857member
    That Bloomberg hasn't named any other sources, offered any proof or confirmation, can't point to a single compromised server, and doesn't name any of the other 30 companies allegedly affected -- which would include the US military -- tells you everything you need to know about this story.
    tycho_macuserbackstabmagman1979beowulfschmidtradarthekatlkruppjony0watto_cobra
  • Reply 2 of 36
    I hope Apple finally sues Bloomberg for libel over this.
    magman1979radarthekatwatto_cobra
  • Reply 3 of 36
    StrangeDaysStrangeDays Posts: 5,629member
    "Spreading hardware fear, uncertainty and doubt is entirely in my financial gain...”

    Indeed, FUD dispensing is a real thing. Some people and orgs do it for financial gain. Others, just because. 
    magman1979watto_cobra
  • Reply 4 of 36
    StrangeDaysStrangeDays Posts: 5,629member
    joekewe said:
    I hope Apple finally sues Bloomberg for libel over this.
    Unlikely, as that would require intentional falsehood and malicious intent. If Bloomberg is just stupid, and/or got played, that doesn’t meet the bar.
    watto_cobra
  • Reply 5 of 36
    tzeshantzeshan Posts: 1,757member
    Bloomberg fabricated the story. It said nearly 30 companies were reportedly impacted by the breach. This is the confession that Bloomberg fabricated the story. Because if 30 companies were impacted, the chip is easily detected. Otherwise how would it know 30 companies were impacted? I am still marveled why Bloomberg was not able to secure a single affected server if so many companies were affected. 
    backstabfotoformatmagman1979radarthekat
  • Reply 6 of 36
    I hate to be the guy that says it, but..... Fake news. 

    Thats you Bloomberg.  You are fake news.   That being said, maybe you can do some real investigative reporting and figure out who really was infiltrated. 
    magman1979radarthekatwatto_cobra
  • Reply 7 of 36
    foggyhillfoggyhill Posts: 4,758member
    teknishn said:
    I hate to be the guy that says it, but..... Fake news. 

    Thats you Bloomberg.  You are fake news.   That being said, maybe you can do some real investigative reporting and figure out who really was infiltrated. 
    This is not "fake news",a very merely badly made story. There is a good chance this will damage Bloomberg's credibility long term.

    Fake news usually have an agenda to decieve from the get go,
    It's often no based on anything, or have any source at all. it can and is often invented wholly.
    This is like most shit level crap coming out of Fox "News" who is now almost on infowar level of "reporting" (most of the day, there is no "news" to be found down there).
    Purveyor of "Fake news" are rarely concerned with veracity, and integrity, getting the "news" in front of the most eye balls possible is the only objective. Most often, those that generate "fake news" don't do for the money, merely the effect they have on opinions and discourse.
    fastasleepGeorgeBMacdewmeMplsPlostkiwi
  • Reply 8 of 36
    backstabbackstab Posts: 110member
    chasm said:
    That Bloomberg hasn't named any other sources, offered any proof or confirmation, can't point to a single compromised server, and doesn't name any of the other 30 companies allegedly affected -- which would include the US military -- tells you everything you need to know about this story.
    Exactly.
    magman1979radarthekatwatto_cobra
  • Reply 9 of 36
    backstabbackstab Posts: 110member

    tzeshan said:
    Bloomberg fabricated the story. It said nearly 30 companies were reportedly impacted by the breach. This is the confession that Bloomberg fabricated the story. Because if 30 companies were impacted, the chip is easily detected. Otherwise how would it know 30 companies were impacted? I am still marveled why Bloomberg was not able to secure a single affected server if so many companies were affected. 
    Exactly.
    magman1979watto_cobra
  • Reply 10 of 36
    revenantrevenant Posts: 477member
    this is not a badly written or poorly researched story. this was made with intent to show china infiltrated a manufacturing process and implemented their spy chip. Fitzpatrick seems to have filled in some gaps. there is more than potential for libel here. it was purposefully made up to sow seeds of contention.
    irelandradarthekatdanhwatto_cobra
  • Reply 11 of 36
    A classic stage magician trick is to say warch here while the actual trick happens elsewhere. This story apears more and more constructed - why would someone do this?
    watto_cobra
  • Reply 12 of 36
    jbookmarcjbookmarc Posts: 1unconfirmed, member
    I guess commentators in here are under gag order as well!
  • Reply 13 of 36
    YvLyYvLy Posts: 66member
    OUCH. This will hurt Bloomberg for a long long time. Credibility? What credibility?
    watto_cobra
  • Reply 14 of 36
    GeorgeBMacGeorgeBMac Posts: 2,909member
    joekewe said:
    I hope Apple finally sues Bloomberg for libel over this.
    Apple was not a target of the article.   Just part of the crowd. 
    watto_cobra
  • Reply 15 of 36
    Rayz2016Rayz2016 Posts: 4,220member
    chasm said:
    That Bloomberg hasn't named any other sources, offered any proof or confirmation, can't point to a single compromised server, and doesn't name any of the other 30 companies allegedly affected -- which would include the US military -- tells you everything you need to know about this story.
    It's certainly starting to look very bad for Bloomberg. They need to start producing some solid evidence soon, because this is looking less convincing by the hour.

    Having said that, the only people who were convinced were those who were so desperate to drag Apple down that they just kept pointing to the same empty statements from Bloomberg and closed their eyes to the complete and continuing lack of solid evidence.

    One person here, for example, tried to push the notion that it must be true because SuperMicro had said Apple had returned servers, and Apple didn't mention returning servers to SuperMicro in its response to the allegations. That is not evidence; that is wishful thinking (the servers that Apple returned were from the development labs; Apple says they do not use Supermicro servers in the data center, which is where the allegations are focussed), and that is what Bloomberg seems to have been guilty of for the past year: taking something they want to be true, and then trying to string together a serious of tenuous links and expert opinions to form a case that they hope people will believe.

    A friend of mine recently completed his PhD, and when I asked him what was the secret of a successful long term research project, finished his pint and said, "Come up with the theory, then spend five years trying to prove that the theory you came up with is wrong. If you can't do it, then the chances are you won't look a tit at your viva. Always work to the assumption that you've made a hideously embarrassing mistake."

    That is how good science works. It's how good journalism should work.

    Remember that guy who thought that he'd discovered a way to bypass Apple's screen lock by continually transmitting numeric passcodes through the lightning port? This is the same problem we're seeing here.  He wanted to believe he was right, so he bypassed peer review and went straight to the press.

    If Bloomberg cannot provide any solid evidence, then what they'll probably try next is the classic Gator Play: try to sew enough Fear, Uncertainty and Doubt in Apple's version of events so that no one can say for sure that Bloomberg was duped or made the whole thing up.

    But if Bloomberg does have solid evidence, now is the time to show it.
    hubbaxstompyStrangeDayswatto_cobra
  • Reply 16 of 36
    GeorgeBMacGeorgeBMac Posts: 2,909member
    I'm not sure why people are assuming that this article was incorrect.   Push back does not equal rebuttal.   It's a common error.

    Essentially, what Bloomberg reported has been floating around for a decade:   Avoiding Chinese hardware because it may / probably / does contain spy devices to interrupt our systems.  And, in this case, these motherboards were designed and produced by a Chinese company -- the only difference being they moved the Chinese over onto U.S. soil to pose as a U.S. company.

    I suspect that there is more going on here than any of us know.
  • Reply 17 of 36
    You cannot sue a media outlet for mistakes; only if the article was intentionally written to deceive and you have to prove damages. 

    My guess is that  would be very difficult to prove. 
    StrangeDays
  • Reply 18 of 36
    gatorguygatorguy Posts: 19,293member
    Rayz2016 said:
    chasm said:
    That Bloomberg hasn't named any other sources, offered any proof or confirmation, can't point to a single compromised server, and doesn't name any of the other 30 companies allegedly affected -- which would include the US military -- tells you everything you need to know about this story.
    It's certainly starting to look very bad for Bloomberg. They need to start producing some solid evidence soon, because this is looking less convincing by the hour.

    One person here, for example, tried to push the notion that it must be true because SuperMicro had said Apple had returned servers, and Apple didn't mention returning servers to SuperMicro in its response to the allegations. That is not evidence; that is wishful thinking...
    One person here is trying to push the notion that some other AI member claimed the Bloomberg story must be true because Supermicro said Apple returned servers. That's not evidence any member did any such thing, that's simply wishful thinking on your part AFAICT.

    You know full well that I've stated for days that I'm on Apple's side on this. I'm just not to the point of dismissing the whole Bloomberg story as entirely fictitious, tho my biggest question of why no one from Apple was stepping up to put their name in a denial was taken care of on Sunday. Hard to tell what your honest position is. Are you convinced Bloomberg made the whole thing up, lied 100% about Apple and Amazon and any involvement in Chinese subterfuge, or are you accepting that some parts of the story may be true even if some of it is (way) off-base, or are you somewhere else on the story?   

    It's perfectly OK to disagree or agree with things folks actually say. Not so much to make it up to be something it was not just because of a personal issue you might have. If you're going to call out other members by name at least do so with honesty. If you have to make stuff up to portray yourself and your position as "better" you already lost the high ground.
    Bad Rayz.... 
    edited October 9
  • Reply 19 of 36
    dws-2dws-2 Posts: 197member
    The reporters got duped, either by their own wishes for a great story, or by a key source who wanted to play them. This can happen, even to smart people, when they want to believe something, especially if it seems like it would be a fun and exciting scoop that would launch their careers. 

    What’s most surprising to me is the sheer lack of any sort of evidence: no documents, no sources, no confirmable details. With this level of evidence, you could literally make up any story you wanted.
    dewmeradarthekatstompyStrangeDayslostkiwi
  • Reply 20 of 36
    freediverxfreediverx Posts: 1,400member
    revenant said:
    this is not a badly written or poorly researched story. this was made with intent to show china infiltrated a manufacturing process and implemented their spy chip. Fitzpatrick seems to have filled in some gaps. there is more than potential for libel here. it was purposefully made up to sow seeds of contention.
    I predict that we'll eventually see a link between the Bloomberg story and the Trump administration.
    StrangeDays
Sign In or Register to comment.