Amazon, Apple, and Supermicro all vigorously deny yesterday’s Bloomberg report about Chinese spies pulling off a complicated hardware hack that resulted in Supermicro motherboards equipped with malicious chips being used by both tech giants, as well as other major companies and the U.S. government.
And by now the story and resulting controversy is as much about media credibility as it is about cyber — and national — security.
Bloomberg is a trusted media outlet with everything to lose by publishing a massively fabricated story. It said the article came about after a year-long investigation, and it cites 17 sources (albeit anonymous) that confirmed the hack. This includes six former and current senior national security officials and Apple and AWS insiders. A story like this undoubtedly went through layers upon layers of editing, fact-checking, and legal review. In other words, Bloomberg reporters don’t just make this stuff up.
It’s not unusual for companies to deny allegations that could hurt their reputation and bottom line. As analyst Jack E. Gold told SDxCentral yesterday “a denial is in their own self-interest.” However, the depth and detail of the companies’ denials is very unusual — and could land them in legal trouble if they prove false.
“At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems,” Steve Schmidt, Amazon Web Services’ chief information security officer, wrote in a blog post. “Nor have we engaged in an investigation with the government.” Schmidt then went on to detail “so many inaccuracies” in the Bloomberg article for almost 400 more words.
Apple’s denial is twice as long. “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations or vulnerabilities purposely planted in any server,” it said. “Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”
It goes on to say that “in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.”
And finally, Supermicro wrote: “Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found… Supermicro has never been contacted by any government agencies either domestic or foreign regarding the alleged claims.”
As The Register’s Kieren McCarthy wrote, “It remains very unlikely that public companies would issue outright falsehoods, even in the current political climate, due to the market and regulatory ramifications if they were found to be outright lying to investors.” (Side note: McCarthy’s analysis also delves deep into a very good technical analysis of the Bloomberg story that’s well worth the read.)
So, who to believe? Did Bloomberg get it horribly wrong? Or did China pull off a massive hardware hack? As Zack Whittaker, TechCrunch’s security editor tweeted in his coverage of the controversy, “It’s possible that the story and the affected companies can both be right and wrong at the same time.”
He later added, “The real problem is that some of the smartest, brilliant minded, rational people who are experts in this field have no idea who to believe on this story. I’m an idiot — and I have no clue, either.”