Apple Denies Bloomberg Chinese Hacking Story to Congress
Last week, Bloomberg published a bombshell story about a supply-chain hardware attack in which a Chinese manufacturer was alleged to have inserted hardware modifications no larger than a grain of rice onto SuperMicro motherboards, compromising the boards and allowing the servers built on them to phone home with data even when they were supposedly locked down. Security researchers have predicted this type of supply-chain attack for years. Bloomberg’s extensive report was attributed to 17 different sources, including multiple high-profile government officials and insiders at companies like Apple and Amazon, as well as one source within the Chinese government.
Since the report went live, two things have happened. First, companies like Apple and Amazon have roundly denied and dismissed the reporting, proclaiming their innocence and declaring that the events described in the Bloomberg report absolutely did not happen. Apple in particular has continued to double down on its attacks on Bloomberg’s story, going so far as to state in a letter to Congress that the Bloomberg report is a fabrication.
Here’s Apple’s VP of InfoSec’s full letter to the U.S. House and Senate refuting Bloomberg’s “Big Hack” story.
Denials don’t get any stronger than this.
(Still no word on/from the other 28 companies Bloomberg claims were compromised.) pic.twitter.com/XGQAFe6rQJ
— Rene Ritchie (@reneritchie) October 8, 2018
In a letter to Congress, Apple writes that it communicated with Bloomberg beginning in October 2017, but:
While we repeatedly asked them to share specific details about the alleged malicious chips they seemed certain existed, they were unwilling or unable to provide more than vague secondhand accounts… In the end, our internal investigations directly contradicted every single consequential assertion made in the article–some of which, we note, were made by a single anonymous source.
Apple has never found malicious chips, “hardware manipulations,” or vulnerabilities purposefully planted in any server. We never alerted the FBI to any security concerns like those described in the article nor has the FBI ever contacted us about such an investigation.
These denials are becoming increasingly ironclad, but Bloomberg isn’t backing down. In response to Apple’s letter, Bloomberg reissued its own statement, saying:
Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews. Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. … We stand by our story and are confident in our reporting and sources.
When Apple and Amazon came out with their initial denials, we were strongly on the side of Bloomberg. It would, after all, be far from the first time that companies had issued denials and carefully worded statements about the nature of a problem only to have those denials blown apart by fresh information. But Apple has stuck to its guns on this and continued issuing very clear statements denying any involvement with this issue. At the same time, Bloomberg has stuck to its own guns, despite the Department of Homeland Security issuing a statement that supports Apple’s version of events.
If Apple or other companies are lying, they could face penalties from shareholders and the SEC. At the same time, it’s incredibly unlikely that Bloomberg would stake its entire journalistic reputation on a deliberate attempt to misrepresent such critical issues. Declaring that a company has been penetrated by the espionage agents of a foreign power is not a trivial accusation. That’s likely why the investigation took over a year in the first place, and any investigation that runs for an entire year is likely to have multiple layers of editorial oversight and evaluation in play, precisely to avoid this kind of scenario.
Yet here we are, five days later, and the findings Bloomberg alleged have not been confirmed by any other outlet. The companies involved continue to strongly protest. Bloomberg continues to stand by its story just as strongly. The potential involvement of national security complicates things, because the federal government is perfectly capable of gagging a company about whether it has received a national security request. Yet companies operating under such constraints tend to err on the side of saying precisely what they are permitted to say and precious little else; it’s the surest way to stay out of trouble, and it is hard to square with a flat, categorical denial to Congress. Could the story and the strongly-worded denials still be part of a national security operation meant to sow FUD about what the United States actually knows or doesn’t know about China’s intelligence capabilities? Sure. At this point that makes as much sense as anything. But the fundamentals of this situation don’t make much sense, period.
At this point, arguing that one side or the other is lying feels rather simplistic. We’re at the point where the consequences of lying are starting to build. If Bloomberg is wrong, it is doubling down on claims that could incur significant reputational damage; if Apple is wrong, it has misled Congress and the public about some incredibly important issues. It’s possible that the people issuing these statements are ignorant of the truth rather than lying, but that only raises more questions about who knows what really happened and who doesn’t.
I may personally have been a bit too quick to dismiss Apple’s denial. At this point, I’m genuinely unsure. But only one set of stories can be right here. Either these events happened or they didn’t, and so far there’s no independent confirmation that Bloomberg’s story is true. At the same time, reporting a hardware attack like this, a long-theorized attack vector, when it didn’t happen would be astonishingly irresponsible. For all that Apple implies that Bloomberg simply got the story wrong, stories that are researched for a year shouldn’t be the kind of stories it’s possible to just “get wrong.” This isn’t a report that one person knocked together in two hours for an online article, and the larger the feature, the more eyes are typically on a story before it goes live.
People like to cynically imply that the media does everything it does for clicks, but it makes precious little sense to launch a story of this magnitude on a hoax. The damage to personal and corporate reputation and to potential future advertising income far outstrips any possible gain from a few days of increased traffic. And given that federal sources were involved in sourcing the story, it’s not clear what national security concerns might also be in play, further clouding the issue.
It’s not clear who’s lying, who’s telling the truth, and who might just be monumentally mistaken. But we haven’t reached the bottom of this story yet.