No evidence of spy chips, Apple insists in letter to US Congress [u]

Posted in General Discussion, edited October 2018
Apple hasn't detected unusual transmissions or other evidence servers were infiltrated with Chinese spy chips, the company's VP of Information Security insisted in a letter to Congress on Sunday.

Apple's Mesa data center


Updated on Oct. 8 with the letter itself, as well as amplifying remarks by Apple

Apple's Vice President of Information Security George Stathakopoulos wrote the letter, stating that the allegations about the spy chip came from a single source rather than the 17 corroborating sources Bloomberg claimed.
While the story was being reported, we spoke with Bloomberg's reporters and editors and answered any and all of their questions. We methodically dispelled the often-shifting nature of their claims. While we repeatedly asked them to share specific details about the alleged malicious chips that they seemed certain existed, they were unwilling or unable to provide anything more than vague secondhand accounts.

We were struck by the fact that the gravity and magnitude of the claims seemed to be undermined by their uncertainty around key details. Nevertheless, we worked tirelessly to ascertain whether these claims were true or, failing that, if anything even like them were true.

In the end, our internal investigations directly contradict every consequential assertion made in the article-- some of which, we note, were based on a single anonymous source.

Apple has never found malicious chips, "hardware manipulations" or vulnerabilities purposely planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation.
Stathakopoulos promised to make himself available to brief Congressional staff.

Last Thursday, a Bloomberg report claimed that Chinese operatives had managed to sneak a microchip the size of a grain of rice onto 7,000 motherboards produced by Super Micro, which supplied those compromised parts for use in Apple's iCloud data centers. The chip, supposedly designed by the Chinese military, is said to have passed server data on to Chinese interests, and created a backdoor into public-facing networks.

Bloomberg has stuck by its story, claiming that 30 companies were affected in all, another example being Amazon. The report took over a year to produce and drew on 17 sources, including people inside Apple.

Two government agencies -- the Department of Homeland Security, and the U.K.'s GCHQ -- have cast doubt on the allegations. The Chinese government is known to regularly probe U.S. government and corporate networks, though.

The U.S. National Security Agency has itself resorted to intercepting IT infrastructure such as Cisco routers.


Comments

  • Reply 1 of 41
    wood1208 Posts: 2,905 member
    I as Apple telling you everyone including US congress that there was no spying by Chinese. Now, leave us alone as we have to do business in China and can't afford to alienate upset Chinese government.
    edited October 2018
  • Reply 2 of 41
    StrangeDays Posts: 12,834 member
    wood1208 said:
    I as Apple telling you everyone including US congress that there was no spying by Chinese. Now, leave us alone as we have to do business in China and can't afford to alienate upset Chinese government.
    Delusional conspiracy nonsense.
  • Reply 3 of 41
    tzeshan Posts: 2,351 member
    wood1208 said:
    I as Apple telling you everyone including US congress that there was no spying by Chinese. Now, leave us alone as we have to do business in China and can't afford to alienate upset Chinese government.
    You have hallucination. Go see a doctor to get some drugs. 
  • Reply 4 of 41
    wood1208 Posts: 2,905 member
    tzeshan said:
    wood1208 said:
    I as Apple telling you everyone including US congress that there was no spying by Chinese. Now, leave us alone as we have to do business in China and can't afford to alienate upset Chinese government.
    You have hallucination. Go see a doctor to get some drugs. 
    It is a fact that the Chinese government (state-run agencies) has a stake in many Chinese corporations. Everyone knows that the Chinese government also employs many to hack into the networks of foreign companies and steal designs, plans, trade secrets, etc. The Chinese government makes it harder for others to do business in China, then overlooks Chinese companies copying others' products and stealing IP. Basically China has no respect for others' hard work and R&D cost but wants to get ahead with whatever works for them. This is fact, and if anyone is delusional about it then they need help from a mental professional. The USA has had enough with China, and all of these long-standing issues became part of the trade war between US-China.
    edited October 2018
  • Reply 5 of 41
    lovemn Posts: 52 member
    That or Bloomberg may have needed more money to give to leftist organizations that he shorted aapl. 
  • Reply 6 of 41
    tzeshan Posts: 2,351 member
    wood1208 said:
    tzeshan said:
    wood1208 said:
    I as Apple telling you everyone including US congress that there was no spying by Chinese. Now, leave us alone as we have to do business in China and can't afford to alienate upset Chinese government.
    You have hallucination. Go see a doctor to get some drugs. 
    It is a fact that the Chinese government (state-run agencies) has a stake in many Chinese corporations. Everyone knows that the Chinese government also employs many to hack into the networks of foreign companies and steal designs, plans, trade secrets, etc. The Chinese government makes it harder for others to do business in China, then overlooks Chinese companies copying others' products and stealing IP. Basically China has no respect for others' hard work and R&D cost but wants to get ahead with whatever works for them. This is fact, and if anyone is delusional about it then they need help from a mental professional. The USA has had enough with China, and all of these long-standing issues became part of the trade war between US-China.
    Your words contradict with Bloomberg. Bloomberg thinks Chinese government is technologically very advanced that it can hack Apple servers.  Then why Chinese government needs to steal from foreign companies? Contradiction, contradiction, contradiction. 
  • Reply 7 of 41
    CelTan Posts: 46 member
    “There are tiny microchips embedded” and “we have not found any suspicious outbound traffic” are not mutually exclusive. 

    Apple did not say: we took our devices apart, looked at each tiny microchip and can verify we only have components that should be there. 

    However, for a government agency to leave physical evidence and shipping it is sloppy - would it not be much easier to do this in any other software these devices have? 
    If they have that low level access - actually put it on existing chips would be way more effective. 

    Bloomberg did a year of research. 

    As my math teacher said: show your working. 

    Give government agencies and security companies access to your work. 


  • Reply 8 of 41
    backstab Posts: 138 member
    CelTan said:
    “There are tiny microchips embedded” 


    "Just because we say so".
  • Reply 9 of 41
    Rayz2016 Posts: 6,957 member
    I think the 'size of a grain of rice' thing was a nice touch.

    Presumably, if the source of the attack was Ireland, the chip would be the size of a potato.


  • Reply 10 of 41
    Rayz2016 Posts: 6,957 member

    tzeshan said:
    wood1208 said:
    tzeshan said:
    wood1208 said:
    I as Apple telling you everyone including US congress that there was no spying by Chinese. Now, leave us alone as we have to do business in China and can't afford to alienate upset Chinese government.
    You have hallucination. Go see a doctor to get some drugs. 
    It is a fact that the Chinese government (state-run agencies) has a stake in many Chinese corporations. Everyone knows that the Chinese government also employs many to hack into the networks of foreign companies and steal designs, plans, trade secrets, etc. The Chinese government makes it harder for others to do business in China, then overlooks Chinese companies copying others' products and stealing IP. Basically China has no respect for others' hard work and R&D cost but wants to get ahead with whatever works for them. This is fact, and if anyone is delusional about it then they need help from a mental professional. The USA has had enough with China, and all of these long-standing issues became part of the trade war between US-China.
    Your words contradict with Bloomberg. Bloomberg thinks Chinese government is technologically very advanced that it can hack Apple servers.  Then why Chinese government needs to steal from foreign companies? Contradiction, contradiction, contradiction. 

    If the Chinese do have a device that is the size of a grain of rice and can hack any network and transmit data back to China without being detected, then I have to wonder why they're wasting their time stealing Western IP?

    And if they do have such a chip then hacking Apple is the very least we should be worried about.

  • Reply 11 of 41
    Rayz2016 Posts: 6,957 member
    CelTan said:
    “There are tiny microchips embedded” and “we have not found any suspicious outbound traffic” are not mutually exclusive. 

    Apple did not say: we took our devices apart, looked at each tiny microchip and can verify we only have components that should be there. 

    However, for a government agency to leave physical evidence and shipping it is sloppy - would it not be much easier to do this in any other software these devices have? 
    If they have that low level access - actually put it on existing chips would be way more effective. 

    Bloomberg did a year of research. 

    As my math teacher said: show your working. 

    Give government agencies and security companies access to your work. 



    What Bloomberg has shown so far is anonymous sources that Apple, but nothing else: no memos, no pictures of the chip. After a year of research, they must have something more concrete.

    By writing to congress, without being asked to answer any allegations, Apple appears to be trying to force their hand. Either Bloomberg is biding their time for maximum impact, or they're sh*tting themselves and hoping this will just blow over.
  • Reply 12 of 41
    maestro64 Posts: 5,043 member
    This is exactly what I said before: it's easy to scan for outbound traffic that has no reason to exist unless something all of a sudden is sending it. I use Little Snitch and this is exactly what it does: it tells you if the hardware or software is attempting to send data that did not originate from your own activity. Any network security person worth their pay knows to monitor outgoing traffic.
  • Reply 13 of 41
    pk22901 Posts: 153 member
    Bloomberg only needs to find and deliver 1 motherboard with 1 "grain of rice" on it. That's 1 motherboard out of 50M+ delivered? Should be easy to do. Show it.
  • Reply 14 of 41
    When the Bloomberg story became public I wondered if Bloomberg was the only news organization duped with disinformation geared towards stoking antagonism towards China during the US-initiated trade war and to discredit Bloomberg’s owner’s political position.

    There were red flags in the story that made me feel suspicious about how Bloomberg published the story to be open ended enough to allow it to dribble out more pieces of the story to stretch the claims as long as possible to November 6th.

    For maximum initial impact only Amazon and  Apple were named in the story. Twenty-eight other companies were not named. Later Facebook was named. I fully suspect one or two companies will be named each week towards November to keep the story alive. Doing this staggered release of company names ensures Amazon and Apple are mentioned throughout the life of the story. 

    Another suspicious part of the story was the mentioning of one anonymous source receiving immunity before speaking. Why would only one source need assured immunity? And, which anonymous government agency gave the anonymous source immunity?

    This story is going to last for a while and I am looking to see which November candidates mention the Bloomberg claims. Bloomberg knows it can accuse companies without ever having to publish responses to the denials of the accused companies.

    If any company chooses to sue Bloomberg, Bloomberg wins because the company would have to give Bloomberg’s lawyers the opportunity to snoop through confidential information that doesn’t necessarily pertain to the story and that information will be “mistakenly” made public. 

    Unless someone inside Bloomberg feels strongly enough to leak Bloomberg’s year long research we will never know the full story.
  • Reply 15 of 41
    GeorgeBMac Posts: 11,421 member
    Yawn...
    The real moral of this story is that modern warfare has left the arena of bombs and bullets and entered the realm of cyber.

    In fact in 2016 the U.S. and other democratic countries were attacked in a supposedly one-sided cyber war and have yet to figure out a response to it.

    Did this (or something related) happen?   Probably.   Or, even if it didn't, it most likely will.  
    And, what is the best way to attack the U.S.?   Is it with a bomb or missile?  Or, is it by taking out its essential infrastructure:  voting systems, electrical grids, medical systems, etc, etc, etc, etc,....   It's simple, cheap and the protagonist can deny all claims.

    And, it will spread:   cyber warfare will expand from the realm of superpowers to the third world countries eager for an edge.

    And, as demonstrated by the attacks during the last election as well as the one quickly approaching, we are totally, completely unprepared to defend ourselves.
  • Reply 16 of 41
    dewme Posts: 5,335 member
    Apple and others named in the Bloomberg report, as well as those trying to determine whether the incident took place, really need to lean on scientific method and insist that physical evidence be produced that can be independently verified. Everything else being bantered about, whether political or claims about mental health, need to be filtered out of the discussion and let the technical security scientists do their work. All Bloomberg has to do is produce a single board, just one, that has the "magic grain of rice" device implanted on it so it can be analyzed. That's the beginning and end of the story

    I'm a little concerned about Apple's "proprietary security tools" statement because there should be no need for proprietary tools or processes, at least from a security protocol perspective, for the types of security protections that Apple uses versus what any other server operator would use. Even if Apple is performing deep packet inspection (DPI) on content inside standard communication packets one would think that they'd still be constrained in visibility by user-defined encryption secrets that are the basis for Apple's "we don't put in a backdoor" policies. Perhaps what Apple means by "proprietary" has more to do with the processing efficiency and performance of their security tools versus the types of security processes and algorithms they are able to apply. What Apple didn't specifically mention is whether they also have layers of penetration detection - but I assume they do and only felt compelled to mention outbound traffic in the context of this story.  

    All of this scanning talk kind of assumes that we are still inside the realm of in-band communication networks and standard communication protocols. We've already seen that information can be transported innocuously, even in-band, via content modification, e.g., embedding data in media formats, embedding data in file metadata, trickling out data at super-frame rates, etc. However, if these "magic grains of rice" are somehow working out-of-band, who knows whether any server operator would be prepared to counter such a threat. Of course you'd expect to find supporting infrastructure in the server facilities to allow the out-of-band mechanisms to work, for example a cellular connection or a dedicated connection used by the facility security monitoring service. If you think this is all harebrained nonsense, keep in mind that most credit card skimmers use out-of-band mechanisms to steal credit card information. I'd imagine state sponsored NSA-quality cyberspies on any side of the ongoing worldwide cyber-domination struggle have more tools, techniques, and resources at their disposal than your average credit card skimmer builder.

    The ball is in Bloomberg's court - show us some evidence and let the security scientists have a look at it.


  • Reply 17 of 41
    gatorguy Posts: 24,176 member
    FWIW The Information last year reported that back in 2015 or 2016 Apple began photographing every server board and having their engineers go thru each image and identify every chip and what its purpose for being there is. That does juxtapose with the server story even if some of the "facts" Bloomberg reported are screwed up.

    Add to that news this morning that Facebook admits to finding a malware-version firmware update on some lab servers (?!) in 2015 too. That server was also from Supermicro. 
    "While it learned of the malware on the devices in 2015, it said it is in the process of removing the equipment now. It didn’t explain why that’s still going on three years after it found out about the issues."


    edited October 2018
  • Reply 18 of 41
    wood1208 Posts: 2,905 member
    Rayz2016 said:

    tzeshan said:
    wood1208 said:
    tzeshan said:
    wood1208 said:
    I as Apple telling you everyone including US congress that there was no spying by Chinese. Now, leave us alone as we have to do business in China and can't afford to alienate upset Chinese government.
    You have hallucination. Go see a doctor to get some drugs. 
    It is a fact that the Chinese government (state-run agencies) has a stake in many Chinese corporations. Everyone knows that the Chinese government also employs many to hack into the networks of foreign companies and steal designs, plans, trade secrets, etc. The Chinese government makes it harder for others to do business in China, then overlooks Chinese companies copying others' products and stealing IP. Basically China has no respect for others' hard work and R&D cost but wants to get ahead with whatever works for them. This is fact, and if anyone is delusional about it then they need help from a mental professional. The USA has had enough with China, and all of these long-standing issues became part of the trade war between US-China.
    Your words contradict with Bloomberg. Bloomberg thinks Chinese government is technologically very advanced that it can hack Apple servers.  Then why Chinese government needs to steal from foreign companies? Contradiction, contradiction, contradiction. 

    If the Chinese do have a device that is the size of a grain of rice and can hack any network and transmit data back to China without being detected, then I have to wonder why they're wasting their time stealing Western IP?

    And if they do have such a chip then hacking Apple is the very least we should be worried about.

    Apple denies such spying because if Apple agrees then it becomes a nightmare appearing in front of Senate and congressional committees, which gives a bad, bad rep like Facebook is facing. On top of that, it alienates the Chinese, hurting their business in China. If China is so advanced then why hack Apple? Maybe to pass Apple's future plans and designs to domestic companies like Huawei to give them a head start and make their products better. Also, to collect Apple users' data (SS#) to use against Apple and the USA if needed. So, don't be naive about what hacked information can be used for. People have lost their life savings in banks due to hacked account information. At this point, China is mostly interested in industrial espionage, stealing trade secrets to build their own industries fast. Read up on "China's 2025 vision". You don't achieve that by self-developing every tech in a timely manner without somehow(?) getting them from others.
  • Reply 19 of 41
    dewme Posts: 5,335 member
    gatorguy said:
    FWIW The Information last year reported that back in 2015 or 2016 Apple began photographing every server board and having their engineers go thru each image and identify every chip and what its purpose for being there is. That does juxtapose with the server story even if some of the "facts" Bloomberg reported are screwed up.

    Add to that news this morning that Facebook admits to finding a malware-version firmware update on some lab servers (?!) in 2015 too. That server was also from Supermicro. 
    "While it learned of the malware on the devices in 2015, it said it is in the process of removing the equipment now. It didn’t explain why that’s still going on three years after it found out about the issues."


    One obvious red herring in Bloomberg's claim is the "grain of rice" thing. Think about how easy it would be to stuff a whole raft of intelligent processing logic inside the form factor of one of the very large components already on a server board, like a bigass electrolytic filter capacitor. Why would anyone go to the trouble of adding a new component that can be detected via visual inspection when an existing component with sufficient volume can be repurposed, even without altering its original purpose? Then there are heatsinks, fans, connectors, transformers, etc. Lots of large components available for spoofing. Have you seen the massive heatsink-fan combinations used on modern CPUs? Why bother with a grain of rice challenge when there are so many other real estate opportunities hidden in plain sight. 
    edited October 2018
  • Reply 20 of 41
    lkrupp Posts: 10,557 member
    lovemn said:
    That or Bloomberg may have needed more money to give to leftist organizations that he shorted aapl. 
    Delusional nonsense.