Bloomberg's iCloud spy chip attack allegations technically impossible

Posted:
in General Discussion edited October 2018
A report claiming Chinese spy chips were secretly implanted into Super Micro servers used by Apple and other tech firms has been dealt another blow, with a delve into how secure servers work criticizing the report's lack of detail for the hack and insisting the claimed technique would have been implausible to pull off.

Inside one of Apple's U.S. data centers
Inside one of Apple's U.S. data centers


The original Bloomberg report alleging the existence of the spy chips has been refuted by many companies already, but while there have been declarations that it hasn't happened and doubts from both security experts and government agencies over its occurrence, there has been little explanation as to why the report is incorrect.

The deep dive by server-focused publication Serve The Home is a detailed and technical exploration over some of the report's claims, with the site noting numerous issues with Bloomberg's account. The description of how the hack worked is said to include "some fairly astounding plausibility and feasibility gaps," and is notably light on details and difficult to navigate.

The main issue with the report's claims is the description that the chips are "connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off." The chips are also claimed to be able to tell the connected device to connect to external computers, and to install code received from these servers into the device's operating system.

The claim of telling the device to communicate externally is noted as false due to basic industry security practices, namely that BMCs are typically networked separately from Internet-facing connections. The firms identified in the report, including Apple and Amazon, are also likely to have better security protections than the average small to medium enterprise, which would include hardened security for BMCs, making such attacks as described practically impossible.

The accessing of sensitive code on crashed or turned-off machines is also dismissed, as "This is not how this technology works." When the BMC is powered on, data stores and the processor are not turned on, and are not able to be directly communicated with in this state. In short, if the server storage is not on, it is inaccessible, and no supposed code injection could be performed at all.

Another section objected to in the investigation is the claim the spy chips would manipulate instructions that tells the server what to do when data moves across the motherboard, tweaking code in temporary memory en route to the processor. This is seemingly not plausible as the supposed implanted hardware "does not have the pin count nor the processing power to perform this interception."

In summing up the lengthy examination, Serve The Home insists Bloomberg needs to "present credible and verifiable information to prove this story is true," as the presented hack simply would not work. If such evidence or information is not available, Bloomberg should retract the story and investigate how it passed editorial muster.

Graphic illustrating size of supposed Chinese spy chip allegedly embedded in Apple servers. Source: Bloomberg Businessweek
Graphic illustrating size of supposed Chinese spy chip allegedly embedded in Apple servers.
Source: Bloomberg Businessweek



On October 4, a Bloomberg report based on a multi-year investigation claimed that Apple, Amazon, and 30 other companies had been the victim of an espionage campaign in which rice-sized chips had been planted on motherboards made by Super Micro. Once delivered, the motherboards supposedly created a backdoor into infrastructure like Apple's iCloud.

Apple was quick to deny allegations, insisting that it had conducted a "massive, granular, and siloed investigation."

Amazon also issued a very clear denial of the story.

"There are so many inaccuracies in this article as it relates to Amazon that they're hard to count," Amazon said in its statement, refuting several specific claims, and specifically citing that there was no modified hardware found.

Several subsequent accounts have cast further doubt, such as one from the senior advisor for Cybersecurity Strategy to the director of the U.S. National Security Agency. Additionally, The U.S. Department of Homeland Security commented that it had "no reason to doubt" the positions of Apple and Amazon.

On Friday, Tim Cook also spoke about Bloomberg's allegations. Apple's CEO denied the report, and took issue with how the story's reporters communicated with Apple.

"There is no truth in their story about Apple," Cook said on Friday. "They need to do that right thing and retract it."

"I was involved in our response to this story from the beginning," said Cook. "I personally talked to the Bloomberg reporters along with Bruce Sewell who was then our general counsel. We were very clear with them that this did not happen, and answered all their questions. Each time they brought this up to us, the story changed and each time we investigated we found nothing."

"We turned the company upside down. Email searches, datacenter records, financial records, shipment records," Cook added. "We really forensically whipped through the company to dig very deep and each time we came back to the same conclusion: This did not happen. There's no truth to this."

On Monday, Super Micro said that it would continue to investigate the allegations found in the report. At the same time, Super Micro CEO Charles Liang echoed Cook's call for a retraction.

"Bloomberg's recent story has created unwarranted confusion and concern for our customers, and has caused our customers, and us, harm," Liang said. "Bloomberg should act responsibly and retract its unsupported allegations that malicious hardware components were implanted on our motherboards during the manufacturing process."

Bloomberg hasn't backed down from its claims, and U.S. senators have asked Super Micro for answers.

AppleInsider will be at the fall "There's more in the making" event, where we expect new iPad Pros, and maybe even new Macs! Keep up with our coverage by downloading the AppleInsider app for iOS, and follow us on YouTube, Twitter @appleinsider and Facebook for live, late-breaking coverage. You can also check out our official Instagram account for exclusive photos.
bb-15
«1

Comments

  • Reply 1 of 34
    jasenj1jasenj1 Posts: 910member
    That's what they want you to think!
    GeorgeBMac
  • Reply 2 of 34
    MacProMacPro Posts: 18,011member
    jasenj1 said:
    That's what they want you to think!
    LOL. well, remember our illustrious leader now has access to area 51 so expect great things soon.
    edited October 2018 GeorgeBMacSpamSandwich
  • Reply 3 of 34
    GeorgeBMacGeorgeBMac Posts: 3,890member
    "That couldn't ever happen" with our system is the claim of pretty much every security system -- until it happens.  It wasn't long ago that science "proved" the "the Negro" was not human and man could not ever fly.

    It will be interesting to see if they are able to bury this embarrassing story.  It's possible since, in these times, truth seems to be whatever one wants it to be or what serves one's purpose the best.
    edited October 2018 williamlondon
  • Reply 4 of 34
    radarthekatradarthekat Posts: 2,973moderator
    "That couldn't ever happen" with our system is the claim of pretty much every security system -- until it happens.  It wasn't long ago that science "proved" the "the Negro" was not human and man could not ever fly.

    It will be interesting to see if they are able to bury this embarrassing story.  It's possible since, in these times, truth seems to be whatever one wants it to be or what serves one's purpose the best.
    Again with more of this claptrap nonsense?  Nothing will convince you because you have the mind of a conspiracist.  You should read up on what that implies about you more than what it implies about the world you live in. 
    jbdragonmagman1979randominternetpersonericthehalfbeewilliamlondonwatto_cobrajony0
  • Reply 5 of 34
    dewmedewme Posts: 1,946member
    The Bloomberg story went off the rails soon after it was published. Since then it’s fallen off of whatever it is that “off the rails” stories fall off of after having already fallen off the rails. But at least this week they are no longer alone in that dark and sordid place. 
    magman1979watto_cobra
  • Reply 6 of 34
    jbdragonjbdragon Posts: 1,994member
    This should be a easy story for Bloomberg to prove since they've been working on it for over a year. Lets start with pulling out one of these servers with the chip. Let the experts look and check it out and see if it even exists in the first place before worrying about any company that may have been using them.
    randominternetpersonwatto_cobra
  • Reply 7 of 34
    What popped into my head...

    OutdoorAppDeveloperSpamSandwichrandominternetpersonwatto_cobra
  • Reply 8 of 34
    In the style of Oolon Colluphid: „Well, that about wraps it up for Bloomberg“.
    bb-15watto_cobra
  • Reply 9 of 34
    If Bloomberg really knew how a tiny chip could do everything they claim in the story, they should patent it and make billions of dollars by licensing the technology.
    edited October 2018 watto_cobra
  • Reply 10 of 34
    GeorgeBMacGeorgeBMac Posts: 3,890member
    "That couldn't ever happen" with our system is the claim of pretty much every security system -- until it happens.  It wasn't long ago that science "proved" the "the Negro" was not human and man could not ever fly.

    It will be interesting to see if they are able to bury this embarrassing story.  It's possible since, in these times, truth seems to be whatever one wants it to be or what serves one's purpose the best.
    Again with more of this claptrap nonsense?  Nothing will convince you because you have the mind of a conspiracist.  You should read up on what that implies about you more than what it implies about the world you live in. 
    Conspiracist?   LOL...   Actually, quite the opposite.
    Bloomberg presented a wide range of detailed evidence of what happened and how.  All we have on the other side is outrage and blanket denial.

    I'll go with the facts as they are presented and unfold.   We've heard part of this story but, since it is still under federal investigation there is likely more to unfold.    

    Sorry, but your personal insults won't change either the facts or my opinion.
  • Reply 11 of 34
    GeorgeBMacGeorgeBMac Posts: 3,890member
    If Bloomberg really knew how a tiny chip could do everything they claim in the story, they should patent it and make billions of dollars by licensing the technology.
    It's not Bloomberg making the claim.  It's a whole bunch of high level Intelligence officials and industry insiders.  Bloomberg merely reports what they say happened.
  • Reply 12 of 34
    GeorgeBMacGeorgeBMac Posts: 3,890member
    jbdragon said:
    This should be a easy story for Bloomberg to prove since they've been working on it for over a year. Lets start with pulling out one of these servers with the chip. Let the experts look and check it out and see if it even exists in the first place before worrying about any company that may have been using them.
    Since, according to the article, this happened back in 2014 and 2015 -- which initiated the federal investigation, it's unlikely that these servers haven't already been either checked or pulled.   Even the article itself points out that out.   In the specific case of Apple (who was just one of the 30 or so):

    "As for Apple, one of the three senior insiders says that in the summer of 2015, a few weeks after it identified the malicious chips, the company started removing all Supermicro servers from its data centers, a process Apple referred to internally as “going to zero.” Every Supermicro server, all 7,000 or so, was replaced in a matter of weeks, the senior insider says. (Apple denies that any servers were removed.) In 2016, Apple informed Supermicro that it was severing their relationship entirely—a decision a spokesman for Apple ascribed in response to Businessweek’s questions to an unrelated and relatively minor security incident." 
  • Reply 13 of 34
    There’s also the issue of how did they get there in the first place? It can’t be at manufacture because that would require retooling as the boards are printed circuit boards and the idea that a handful of spies are sitting at these machines manually soldering these chips to the boards seems somewhat laughable.

    The article does mention “on delivery” but surely someone at Apple and Amazon would have noticed someone soldering chips onto out of the box machines because this is NOT common practice in any way shape or form. In my 18 years in IT I have never seen anyone soldering something to a server that has just been opened out of the box. DIMMs and CPUs and GPUs and network cards etc but these clip in and do not require soldering and that’s even in the early 90s when IT was in its infancy.

    Businessweek has lied to get sales and should be punished with all the weight of the law for its refusal to retract a blatant lie.
    watto_cobra
  • Reply 14 of 34
    cgWerkscgWerks Posts: 1,957member
    I wish there was as much effort put into debunking the rest of the stories in the MSM.
    VintageAudiowatto_cobra
  • Reply 15 of 34
    Mike WuertheleMike Wuerthele Posts: 4,199administrator
    "That couldn't ever happen" with our system is the claim of pretty much every security system -- until it happens.  It wasn't long ago that science "proved" the "the Negro" was not human and man could not ever fly.

    It will be interesting to see if they are able to bury this embarrassing story.  It's possible since, in these times, truth seems to be whatever one wants it to be or what serves one's purpose the best.
    Again with more of this claptrap nonsense?  Nothing will convince you because you have the mind of a conspiracist.  You should read up on what that implies about you more than what it implies about the world you live in. 
    Conspiracist?   LOL...   Actually, quite the opposite.
    Bloomberg presented a wide range of detailed evidence of what happened and how.  All we have on the other side is outrage and blanket denial.

    I'll go with the facts as they are presented and unfold.   We've heard part of this story but, since it is still under federal investigation there is likely more to unfold.    

    Sorry, but your personal insults won't change either the facts or my opinion.
    Bloomberg presented no proof at all. All they have are allegations and a strung-together theory that doesn't hold up. Logically, how are you asking for Apple and Amazon to prove a negative?

    Denials from a company under SEC laws and regulations versus Bloomberg with no real accountability to speak of? Yeah, guess which I'm going with.
    edited October 2018 cgWerksmagman1979bb-15randominternetpersonkiltedgreenericthehalfbeewatto_cobrajony0
  • Reply 16 of 34
    knowitallknowitall Posts: 1,182member
    “broodje aap”
    watto_cobra
  • Reply 17 of 34
    cgWerkscgWerks Posts: 1,957member
    Mike Wuerthele said:
    Bloomberg presented no proof at all. All they have are allegations and a strung-together theory that doesn't hold up. Logically, how are you asking for Apple and Amazon to prove a negative?

    Denials from a company under SEC laws and regulations versus Bloomberg with no real accountability to speak of? Yeah, guess which I'm going with.
    You're just an old-school journalist, Mike. :)
    All that proof and reliable sources stuff, sheesh.
    watto_cobra
  • Reply 18 of 34
    magman1979magman1979 Posts: 1,110member
    "That couldn't ever happen" with our system is the claim of pretty much every security system -- until it happens.  It wasn't long ago that science "proved" the "the Negro" was not human and man could not ever fly.

    It will be interesting to see if they are able to bury this embarrassing story.  It's possible since, in these times, truth seems to be whatever one wants it to be or what serves one's purpose the best.
    Seems to me your head is deeply buried in the sand right now, such a shame, but to be expected for a Trumper...

    "That couldn't ever happen" with our system is the claim of pretty much every security system -- until it happens.  It wasn't long ago that science "proved" the "the Negro" was not human and man could not ever fly.

    It will be interesting to see if they are able to bury this embarrassing story.  It's possible since, in these times, truth seems to be whatever one wants it to be or what serves one's purpose the best.
    Again with more of this claptrap nonsense?  Nothing will convince you because you have the mind of a conspiracist.  You should read up on what that implies about you more than what it implies about the world you live in. 
    Conspiracist?   LOL...   Actually, quite the opposite.
    Bloomberg presented a wide range of detailed evidence of what happened and how.  All we have on the other side is outrage and blanket denial.

    I'll go with the facts as they are presented and unfold.   We've heard part of this story but, since it is still under federal investigation there is likely more to unfold.    

    Sorry, but your personal insults won't change either the facts or my opinion.

    Facts??? What facts? Bloomberg presented ZERO evidence and only THEORIES... They could EASILY have gotten their hands on one of the “supposed” servers that have been compromised in their claimed fashion to show to the world their article is credible, but they have ZERO evidence, as you seem to think they do. Wake up and stop being a blind troll!

    We now have security experts and scientists / engineers providing DETAILED technical rebuttals as to why the Bloomberg story is nonsensical, but you are just refusing to listen to them, and instead are persisting to have your head in the sand! Eventually you’ll croak under there with no oxygen!

    If Bloomberg really knew how a tiny chip could do everything they claim in the story, they should patent it and make billions of dollars by licensing the technology.
    It's not Bloomberg making the claim.  It's a whole bunch of high level Intelligence officials and industry insiders.  Bloomberg merely reports what they say happened.
    And what good is the claims of “industry insiders” when they cannot provide even a tiny SHRED of evidence to backup their claims to provide some credibility? This can be done without exposing their identities and keeping them anonymous.

    "That couldn't ever happen" with our system is the claim of pretty much every security system -- until it happens.  It wasn't long ago that science "proved" the "the Negro" was not human and man could not ever fly.

    It will be interesting to see if they are able to bury this embarrassing story.  It's possible since, in these times, truth seems to be whatever one wants it to be or what serves one's purpose the best.
    Again with more of this claptrap nonsense?  Nothing will convince you because you have the mind of a conspiracist.  You should read up on what that implies about you more than what it implies about the world you live in. 

    Can you ban this troll please??? His spam-polluting garbage is getting tiresome and hijacking legitimate threads here...
    watto_cobrajony0
  • Reply 19 of 34
    cgWerkscgWerks Posts: 1,957member
    ...  It wasn't long ago that science "proved" the "the Negro" was not human ...
    Seems to me your head is deeply buried in the sand right now, such a shame, but to be expected for a Trumper...
    It wasn't just the scientists either, the media was all over it too. https://humanzoos.org
    Then, there's the idea our food pyramid is built on... that grains are a big part of a good diet and fat is bad for you.
    Science, like most other sources of knowledge, can be in error, and more importantly, corrupted by human nature.

    magman1979 said:
    Bloomberg presented ZERO evidence and only THEORIES... 
    Not untypical for the MSM these days... or worse, propaganda (i.e.: they are all fed the story to portray, and just put it out there verbatim).
    magman1979
  • Reply 20 of 34
    tzeshantzeshan Posts: 1,876member
    "That couldn't ever happen" with our system is the claim of pretty much every security system -- until it happens.  It wasn't long ago that science "proved" the "the Negro" was not human and man could not ever fly.

    It will be interesting to see if they are able to bury this embarrassing story.  It's possible since, in these times, truth seems to be whatever one wants it to be or what serves one's purpose the best.
    Again with more of this claptrap nonsense?  Nothing will convince you because you have the mind of a conspiracist.  You should read up on what that implies about you more than what it implies about the world you live in. 
    Conspiracist?   LOL...   Actually, quite the opposite.
    Bloomberg presented a wide range of detailed evidence of what happened and how.  All we have on the other side is outrage and blanket denial.

    I'll go with the facts as they are presented and unfold.   We've heard part of this story but, since it is still under federal investigation there is likely more to unfold.    

    Sorry, but your personal insults won't change either the facts or my opinion.
    You have no idea what is evidence. Anonymous evidence is not evidence. After two thousand years of learning how to find truths, the western culture still fails to educate everyone what makes an evidence. 
    magman1979watto_cobra
Sign In or Register to comment.