Supermicro iCloud spy chip report bolstered by US telecom network hardware hack

Posted:
in General Discussion edited October 2018
Bloomberg is doubling down on its investigative report claiming servers belonging to Apple, Amazon, and other major organizations were tampered by China, by citing documents and analysis from a security expert working for a major telecommunications firm.




The latest allegations stem from Sepio Systems chief Yossi Appleboum, whose firm was hired to scan several large data centers belonging to an unidentified customer. The company in question is not revealed, under claims it would break Appleboum's nondisclosure agreement with the customer.

According to Bloomberg's latest report, "unusual communications from a Supermicro server" prompted a physical inspection, which in turn revealed an implant in the Ethernet connector. Appleboum claims he had seen similar things happen to a variety of computer hardware produced under contract in China, and not just Supermicro products.

"Supermicro is a victim - so is everyone else," Appleboum claims, adding concern that there are many points in the supply chain in China where such alterations to products could be made, and that finding where it took place is practically impossible. "That's the problem with the Chinese supply chain," the executive stressed.

According to Appleboum, the telecom company's server was modified in the factory where it was produced, with Western intelligence contacts advising it was made at a Supermicro subcontractor in Guangzhou, southeastern China. The telecoms facility allegedly housed a large number of Supermicro servers, and technicians could not say what kind of data was moving through the infected server. It is also unknown if the FBI was informed by the client.

AT&T spokesman Fletcher Cook advised to the report "These devices are not part of our network, and we are not affected." A similar "not affected" statement was received from Verizon, while T-Mobile and Sprint did not respond to comment requests.

This report is the first with a named source. The report also does note that this vector of attack differs from Bloomberg's account.

"The security of our customers and the integrity of our products are core to our business and our company values," said Supermicro in a statement to the report. "We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry."

"We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found," the statement continued, before claiming to be "dismayed" by Bloomberg providing "only limited information, no documentation, and half a day to respond" to the new allegations.

Supposedly designed by the Chinese military, the chip is claimed to act as a "stealth doorway onto any network," and offered "long-term stealth access" to attached computer systems. The original Bloomberg report has since been denied by many of the companies identified in the article, including a strong denial from Apple characterizing the report as "wrong and misinformed."

Apple has also reportedly performed a "massive, granular, and siloed investigation" into claims leveled in the report, but failed to find any evidence of hardware tampering or to identify unrelated incidents that could have contributed to the claims. Apple has since written to the U.S. Congress on the matter, insisting there is a lack of evidence.

The Department of Homeland Security has chimed in, alongside the UK's National Cyber Security Centre, both cast doubt on the report. Other U.S. officials are also uncertain of the report's accuracy, with one official changing their stance from their original suggestion the "thrust of the article" was true.

One of the few named sources in the original report has also revealed doubts over the veracity of the story, including dealings with journalist Jordan Robertson, one of the Bloomberg report's authors. Security researcher Joe Fitzpatrick advised on Monday he had discussed proof-of-concept devices he had demonstrated at Black Hat 2016, but found it strange that ideas he mentioned were confirmed to the publication by other sources.
«13

Comments

  • Reply 1 of 51
    dysamoriadysamoria Posts: 3,430member
    “Tampered with by China”, not “tampered by China.”

    Also, where’s the evidence for these claims? Is there any we can examine? So far, this looks like an unsubstantiated myth that’s getting repeated by the media.
    ols
  • Reply 2 of 51
    I guess these folks haven't heard the phrase "When you're in a hole, stop digging."

    (PS: Appleboum? I couldn't stop laughing...)
    edited October 2018 ols
  • Reply 3 of 51
    mac_dogmac_dog Posts: 1,069member
    dysamoria said:
    “Tampered with by China”, not “tampered by China.”

    Also, where’s the evidence for these claims? Is there any we can examine? So far, this looks like an unsubstantiated myth that’s getting repeated by the media.
    More like a smear campaign. 
  • Reply 4 of 51
    Attention: everyone reading this article

    You have a Super Secret Chinese Spy Chip (SSCSC) in the device you are using to view this website.

    Please send $20 to: 1234 Gullible Schmuck Str. and I’ll disable the device remotely.

    Sincerly,

    Dr. Not’a Scammer
    PhD. Trump University 
    chasm
  • Reply 5 of 51
    gatorguygatorguy Posts: 24,176member
    https://www.sepio.systems/

    They do appear to be both qualified and reputable. Of course they might have a business reason for pushing a story of tampered hardware so not 100%.
  • Reply 6 of 51
    maestro64maestro64 Posts: 5,043member
    This is a different claim, this Appleboum guy is claiming the enet connecter was compromised. Now this sounds more plausible than putting a chip on the logic board. The logic board hack would take a lot more work to pull off and risk of failure is very high.

    This guy claiming he can not tell you the company but tell everything else is not a violation of his NDA, he has anything coming, a lawsuit, most NDA do not even allow you to say what you were hired to do.
    edited October 2018 aylk
  • Reply 7 of 51
    gatorguygatorguy Posts: 24,176member
    maestro64 said:
    This guy claiming he can not tell you the company but tell everything else is not a violation of his NDA, he has anything coming, a lawsuit, most NDA do not even allow you to say what you were hired to do.
    Apparently you're saying he's lying then.
     I think.  

    I've not ever read "most NDA's", limited to only three in my entire business life that I can remember,  so I'll take your word for it.
    edited October 2018
  • Reply 8 of 51
    gatorguy said:
    https://www.sepio.systems/

    They do appear to be both qualified and reputable. Of course they might have a business reason for pushing a story of tampered hardware so not 100%.
    The domain is .systems

    I’ve heard of it, but that’s the first time I’ve seen a “reputable” company use it.

    I expect to see lawsuits any day now.  Don’t be surprised if this company doesn’t exist in 6 months.

    Companies that are worth more than some countries can’t take a joke.  Bloomberg will be fine... except for their reputation.

  • Reply 9 of 51
    StrangeDaysStrangeDays Posts: 12,844member
    Still doesn’t add any new evidence to their previous claim regarding Apple. 
    chasmmacgui
  • Reply 10 of 51
    gatorguygatorguy Posts: 24,176member
    gatorguy said:
    https://www.sepio.systems/

    They do appear to be both qualified and reputable. Of course they might have a business reason for pushing a story of tampered hardware so not 100%.
    The domain is .systems

    I’ve heard of it, but that’s the first time I’ve seen a “reputable” company use it.

    I expect to see lawsuits any day now.  Don’t be surprised if this company doesn’t exist in 6 months.

    Companies that are worth more than some countries can’t take a joke.  Bloomberg will be fine... except for their reputation.

    Impressive connections if nothing else, and they have been established a couple of years now. Your dismissal of them because they use" .systems " seems a bit silly considering there's new master domains too numerous to count anymore. Using .systems in their case makes perfect sense. It's part of their name. 

    I'm not saying at all that this changes anything other than Bloomberg perhaps starting to roll out sources that support some of the storyline, at least roughly, so it may not be entirely fabricated. 
    edited October 2018
  • Reply 11 of 51
    The reality is that it is plausible that components from China were compromised and PLA planned it, but they could also have been purged. One the other hand if you have expience within China you also know that the “chaos factor” of central planning and political purges makes a lot of things less effective-vast numbers of non working cameras supposedly watching for example. China is not a monolithic well oiled machine and political rivalries and political purges take their toll!
    dysamoria
  • Reply 12 of 51
    gatorguy said:
    gatorguy said:
    https://www.sepio.systems/

    They do appear to be both qualified and reputable. Of course they might have a business reason for pushing a story of tampered hardware so not 100%.
    The domain is .systems

    I’ve heard of it, but that’s the first time I’ve seen a “reputable” company use it.

    I expect to see lawsuits any day now.  Don’t be surprised if this company doesn’t exist in 6 months.

    Companies that are worth more than some countries can’t take a joke.  Bloomberg will be fine... except for their reputation.

    Impressive connections if nothing else, and they have been established a couple of years now. Your dismissal of them because they use" .systems " seems a bit silly considering there's new master domains too numerous to count anymore. Using .systems in their case makes perfect sense. It's part of their name. 

    I'm not saying at all that this changes anything other than Bloomberg perhaps starting to roll out sources that support some of the storyline, at least roughly, so it may not be entirely fabricated. 
    That website is very thin.  All they do is splash some intelligence community names.

    Who are their customers? Success stories? Products? Security Scanner software? Jobs opportunities?

    What we have is a tiny number of “consultants” who happen to be their executives... protected by a supposedly legit ‘non disclosure’ agreement.

    I have no doubt Bloomberg papered their ass, but if this is the best they got then they’ve got very little.  

    Just wait.  Everyone involved is going to come out saying “we’ve never heard of Sepio Systems, let alone used their services”.
    StrangeDays
  • Reply 13 of 51
    Has anyone considered that the US government may have asked Apple to conceal the events?
  • Reply 14 of 51
    gatorguygatorguy Posts: 24,176member
    gatorguy said:
    gatorguy said:
    https://www.sepio.systems/

    They do appear to be both qualified and reputable. Of course they might have a business reason for pushing a story of tampered hardware so not 100%.
    The domain is .systems

    I’ve heard of it, but that’s the first time I’ve seen a “reputable” company use it.

    I expect to see lawsuits any day now.  Don’t be surprised if this company doesn’t exist in 6 months.

    Companies that are worth more than some countries can’t take a joke.  Bloomberg will be fine... except for their reputation.

    Impressive connections if nothing else, and they have been established a couple of years now. Your dismissal of them because they use" .systems " seems a bit silly considering there's new master domains too numerous to count anymore. Using .systems in their case makes perfect sense. It's part of their name. 

    I'm not saying at all that this changes anything other than Bloomberg perhaps starting to roll out sources that support some of the storyline, at least roughly, so it may not be entirely fabricated. 
    That website is very thin.  All they do is splash some intelligence community names.

    Who are their customers? Success stories? Products? Security Scanner software? Jobs opportunities?

    What we have is a tiny number of “consultants” who happen to be their executives... protected by a supposedly legit ‘non disclosure’ agreement.

    I have no doubt Bloomberg papered their ass, but if this is the best they got then they’ve got very little.  

    Just wait.  Everyone involved is going to come out saying “we’ve never heard of Sepio Systems, let alone used their services”.
    Ah, so you consider a security-focused company headed by former intelligence folks including former high level Mossad and CIA officials but not having a Walmart style product page, announcement of a job fair, or a list of all their clients posted publicly to be suspicious?
    edited October 2018 GeorgeBMac
  • Reply 15 of 51
    The fact remains there have been real exploits in hardware from hidden cameras in cell phones to other hardware compromises found in a few “Chinese off brand” consumer devices. This “hacks” were more for consumer data purposes, but demonstrate some willingness to push the boundaries of acceptability.

    The Bloomberg article and following demonstrate a recklessness that a central planned economy has, risking a major portion of the country’s revenue. It is more likely than not that at least some of this is true, but we don’t know if the Chinese receiving end agents of the planned hack are still even in power given recent political purges. This could even be used by Xi to purge the PLA further now that he’s head of the military too, claiming he’s cleaning up China for business!
  • Reply 16 of 51
    gatorguy said:
    gatorguy said:
    https://www.sepio.systems/

    They do appear to be both qualified and reputable. Of course they might have a business reason for pushing a story of tampered hardware so not 100%.
    The domain is .systems

    I’ve heard of it, but that’s the first time I’ve seen a “reputable” company use it.

    I expect to see lawsuits any day now.  Don’t be surprised if this company doesn’t exist in 6 months.

    Companies that are worth more than some countries can’t take a joke.  Bloomberg will be fine... except for their reputation.

    Impressive connections if nothing else, and they have been established a couple of years now. Your dismissal of them because they use" .systems " seems a bit silly considering there's new master domains too numerous to count anymore. Using .systems in their case makes perfect sense. It's part of their name. 

    I'm not saying at all that this changes anything other than Bloomberg perhaps starting to roll out sources that support some of the storyline, at least roughly, so it may not be entirely fabricated. 
    You also notice Bloomberg report is nothing like what this company described?  Something attached to the “network port” is not the spy chip described.  One is a far reaching/sophisticated attack that could only have been perpetrated by the Chinese government.  And the other is what... a network packet sniffer/protocol analyzer? 

    This doesn’t pass the smell test...
    aylktmayStrangeDaysdysamoria
  • Reply 17 of 51
    Rayz2016Rayz2016 Posts: 6,957member
    Still doesn’t add any new evidence to their previous claim regarding Apple. 
    It doesn’t add anything new regarding any of the unnamed companies either. This report differs from Bloomberg’s original claim. It sounds very much like the approach I predicted they would take: sew enough uncertainty to get them off the hook. I suspect they’re scouring their “sources” for any data center security investigation they can find. 


    tmayradarthekatdysamoria
  • Reply 18 of 51
    tzeshantzeshan Posts: 2,351member
    maestro64 said:
    This is a different claim, this Appleboum guy is claiming the enet connecter was compromised. Now this sounds more plausible than putting a chip on the logic board. The logic board hack would take a lot more work to pull off and risk of failure is very high.

    This guy claiming he can not tell you the company but tell everything else is not a violation of his NDA, he has anything coming, a lawsuit, most NDA do not even allow you to say what you were hired to do.
    You are trying to cover his lies? What NDA? If he is telling the truth, won't he get immunity because this is a national security issue. I think you are trying to cover up him so he will not be discovered by his fabrication. 
  • Reply 19 of 51
    eightzeroeightzero Posts: 3,056member
    Has anyone considered that the US government may have asked Apple to conceal the events?
    Ohhhh! I like it. A first class conspiracy theory.

    But then again, two words: Glomar Explorer. 

    dewme
  • Reply 20 of 51
    lkrupplkrupp Posts: 10,557member
    Has anyone considered that the US government may have asked Apple to conceal the events?
    Did George Bush order the demolition of Building 7? Did Americans really land on the Moon in 1969?
    StrangeDaysdysamoriatokyojimu
Sign In or Register to comment.