Source for Bloomberg’s China Stealth Hacking Report Casts Doubt on Story’s Validity
A security researcher cited in a recent Bloomberg report on the alleged compromise of Supermicro hardware for the purposes of cyberespionage has cast doubt on the validity of the story.
Last Thursday Bloomberg reported that authorities were investigating Supermicro, which manufactures server motherboards, for shipping equipment implanted with chips that China could use to spy on users. The piece was incredibly controversial, and a raft of vehement denials from everyone involved — including Apple and Amazon, which Bloomberg claimed discovered the secret chips in their own servers — have since made the story increasingly hard to believe.
Joe FitzPatrick, a hardware security expert — and one of the only named sources in Bloomberg’s explosive story — said Monday the report “doesn’t make any sense.” On a recent episode of the Risky Business podcast, FitzPatrick said he had told the Bloomberg reporters of his doubts prior to publication, and said he felt uncomfortable when he read the final article last week.
I spent a lot of time [with Bloomberg’s Jordan Robertson] going back and forth explaining how hardware implants worked. And as any researcher is excited to talk about their work, I was delighted to have someone who seemed interested to actually learn about how things worked as opposed to only looking for the buzzword byline that you wanted to throw into a story…
But what really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at Black Hat two years ago worked…
It was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100% of what I described was confirmed by sources…
So late August was the first time Jordan disclosed to me some of the attackers in the story. I heard the story and it didn’t make sense to me. And that’s what I said. I said wow I don’t have any more information for you, but this doesn’t make sense. I’m a hardware person. My business is teaching people how to secure hardware. Spreading hardware fear, uncertainty and doubt is entirely in my financial gain. But it doesn’t make sense because there are so many easier ways to do this. There are so many easier hardware ways, there are software, there are firmware approaches. The approach you are describing is not scalable. It’s not logical. It’s not how I would do it. Or how anyone I know would do it.
All this being said, FitzPatrick isn’t completely refuting the report. He notes that its technical details are “jumbled,” but also that the scenario Bloomberg describes is largely theoretical in nature and that his doubts are his own.
Ever since the story was published, Amazon has claimed that it’s full of inaccuracies, while Apple has also denied it being true, even writing a letter to Congress to say as much. Both have been backed up by British and U.S. intelligence, who say they have no reason to doubt the denials being made.