Supermicro iCloud spy chip report bolstered by US telecom network hardware hack
Bloomberg is doubling down on its investigative report claiming servers belonging to Apple, Amazon, and other major organizations were tampered with by China, citing documents and analysis from a security expert working for a major telecommunications firm.
The latest allegations stem from Sepio Systems chief Yossi Appleboum, whose firm was hired to scan several large data centers belonging to an unidentified customer. The company in question is not revealed, under claims it would break Appleboum's nondisclosure agreement with the customer.
According to Bloomberg's latest report, "unusual communications from a Supermicro server" prompted a physical inspection, which in turn revealed an implant in the Ethernet connector. Appleboum claims he had seen similar things happen to a variety of computer hardware produced under contract in China, and not just Supermicro products.
"Supermicro is a victim - so is everyone else," Appleboum claims, adding concern that there are many points in the supply chain in China where such alterations to products could be made, and that finding where it took place is practically impossible. "That's the problem with the Chinese supply chain," the executive stressed.
According to Appleboum, the telecom company's server was modified in the factory where it was produced, with Western intelligence contacts advising it was made at a Supermicro subcontractor in Guangzhou, southeastern China. The telecoms facility allegedly housed a large number of Supermicro servers, and technicians could not say what kind of data was moving through the infected server. It is also unknown if the FBI was informed by the client.
AT&T spokesman Fletcher Cook told the report's authors, "These devices are not part of our network, and we are not affected." A similar "not affected" statement was received from Verizon, while T-Mobile and Sprint did not respond to requests for comment.
This report is the first with a named source. The report also notes that this vector of attack differs from Bloomberg's account.
"The security of our customers and the integrity of our products are core to our business and our company values," said Supermicro in a statement to the report. "We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry."
"We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found," the statement continued, before claiming to be "dismayed" by Bloomberg providing "only limited information, no documentation, and half a day to respond" to the new allegations.
Supposedly designed by the Chinese military, the chip is claimed to act as a "stealth doorway onto any network," and offered "long-term stealth access" to attached computer systems. The original Bloomberg report has since been denied by many of the companies identified in the article, including a strong denial from Apple characterizing the report as "wrong and misinformed."
Apple has also reportedly performed a "massive, granular, and siloed investigation" into claims leveled in the report, but failed to find any evidence of hardware tampering or to identify unrelated incidents that could have contributed to the claims. Apple has since written to the U.S. Congress on the matter, insisting there is a lack of evidence.
The Department of Homeland Security has chimed in, alongside the UK's National Cyber Security Centre, with both casting doubt on the report. Other U.S. officials are also uncertain of the report's accuracy, with one official changing their stance from their original suggestion the "thrust of the article" was true.
One of the few named sources in the original report has also revealed doubts over the veracity of the story, including dealings with journalist Jordan Robertson, one of the Bloomberg report's authors. Security researcher Joe Fitzpatrick advised on Monday he had discussed proof-of-concept devices he had demonstrated at Black Hat 2016, but found it strange that ideas he mentioned were confirmed to the publication by other sources.
Comments
Also, where’s the evidence for these claims? Is there any we can examine? So far, this looks like an unsubstantiated myth that’s getting repeated by the media.
(PS: Appleboum? I couldn't stop laughing...)
You have a Super Secret Chinese Spy Chip (SSCSC) in the device you are using to view this website.
Please send $20 to: 1234 Gullible Schmuck Str. and I’ll disable the device remotely.
Sincerely,
Dr. Not’a Scammer
PhD. Trump University
They do appear to be both qualified and reputable. Of course they might have a business reason for pushing a story of tampered hardware so not 100%.
This guy claiming he cannot tell you the company but tell everything else is not a violation of his NDA, he has anything coming, a lawsuit, most NDAs do not even allow you to say what you were hired to do.
I think.
I've not ever read "most NDA's", limited to only three in my entire business life that I can remember, so I'll take your word for it.
I’ve heard of it, but that’s the first time I’ve seen a “reputable” company use it.
I expect to see lawsuits any day now. Don’t be surprised if this company doesn’t exist in 6 months.
Companies that are worth more than some countries can’t take a joke. Bloomberg will be fine... except for their reputation.
I'm not saying at all that this changes anything other than Bloomberg perhaps starting to roll out sources that support some of the storyline, at least roughly, so it may not be entirely fabricated.
Who are their customers? Success stories? Products? Security scanner software? Job opportunities?
What we have is a tiny number of “consultants” who happen to be their executives... protected by a supposedly legit ‘non disclosure’ agreement.
I have no doubt Bloomberg papered their ass, but if this is the best they got then they’ve got very little.
Just wait. Everyone involved is going to come out saying “we’ve never heard of Sepio Systems, let alone used their services”.
The Bloomberg article and following demonstrate a recklessness that a central planned economy has, risking a major portion of the country’s revenue. It is more likely than not that at least some of this is true, but we don’t know if the Chinese receiving end agents of the planned hack are still even in power given recent political purges. This could even be used by Xi to purge the PLA further now that he’s head of the military too, claiming he’s cleaning up China for business!
This doesn’t pass the smell test...
But then again, two words: Glomar Explorer.