Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?
Who's your money on? Bloomberg's sources? Apple? Amazon? Super Micro?
Hm, an invite-only cybersecurity powwow?
So let's briefly take a different tack: where did the story come from, who are Bloomberg's sources, and where could it have got things wrong?
Reading into the story, it seems that the most likely start point for the entire investigation stems from a meeting in late 2015 that was organized by the Pentagon. The story describes it as "a small, invite-only meeting in McLean, Virginia" with "several dozen tech executives and investors."
The fact it was a meeting in McLean, near the CIA headquarters, rather than a more formal location, suggests it was an informal confab. And the number of people present makes it easy for someone who was there to pass on the details to reporters without being identified.
The meeting happened shortly after a cybersecurity agreement between President Barack Obama and Chinese President Xi Jinping in which China said it would no longer turn a blind eye to intellectual property theft from American companies. According to Bloomberg's sources, some in the intelligence community were concerned that China had developed more advanced ways to hack servers – and the story notes that a next-generation spy chip may be thin enough to be embedded between the layers of fiberglass to which the other components are attached.
The core details of the story – that US intelligence agencies carried out an investigation after being informed by the private sector about a possible spy chip on server motherboards – can be traced to that meeting.
Bloomberg's version of the meeting says that "attendees weren’t told the name of the hardware maker involved, but it was clear to at least some in the room that it was Super Micro."
Given that tip-off, Bloomberg's reporters have been chasing the story and, as far as we can tell, hit on two other key sources – someone who claims to have seen a confidential internal report from Amazon and its third-party contractor that dug into the issue and a second person who "saw digital photos and X-ray images of the chips."
The crucial report
Bloomberg says that third-party contractor was based in Ontario, Canada. Amazon went out of its way to say that it "commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware." It repeats that point later, saying, "this was the sole external security report commissioned" and notes that Bloomberg has "refused to share any details of any purported other report with us."
Which makes you wonder: where did this alleged report come from? Who commissioned it? Who wrote it? Should we trust who claims to have seen it? The entire story may hinge on that report that Bloomberg claims exists and Amazon denies.
From that point, Bloomberg's story is built on another 14 people – whom it has chosen to keep anonymous – confirming various aspects of the story. There are "six current and former senior national security officials" that it says have confirmed the "discovery of the chips and the government’s investigation."
It claims to have two people inside Amazon (AWS) who "provided extensive information on how the attack played out at Elemental" and three people inside Apple, two of whom confirmed to Bloomberg that "the company reported the incident to the FBI but kept details about what it had detected tightly held, even internally."
So we have:
- Two Amazon employees
- Three Apple employees
- Six current and former senior national security officials
- Six other people who, Bloomberg says, confirmed various other aspects of the story
That is clearly enough to run a story. But is it possible it was all a big misunderstanding somewhere down the line?
The McLean, Virginia briefing could easily be Pentagon officials over-playing their fears about Chinese involvement because it benefits them – the assembled tech leaders would no doubt raise their concerns privately and that would get back to the White House and intelligence services and create a sense that, despite the new agreement with China, it was essential to still keep an eye on them.
If your entire job is tracking China's espionage efforts in the tech industry, and the Obama-Xi agreement could see your budget slashed, then giving an off-the-record briefing that warned about secret chips could well ensure the funds keep flowing.
As to the reports – from both Amazon and Apple – that Bloomberg says its sources have seen: it is worth noting that Bloomberg does not claim to have seen those reports itself. How closely were its sources able to scrutinize those reports? Could they have been mistaken?
From that point, it is very possible that the other sources that Bloomberg felt were confirming its story were confirming something else: that China is trying to get into the hardware supply chain. Which is no doubt true, as US intelligence agencies have repeatedly warned in the past year, particularly with respect to mobile phones.
So it is possible that the reporters did an excellent job but ended up in the wrong place: with half a story, heading down the wrong path. It is equally possible that they have got 90 per cent of the way there and Apple and Amazon are carefully using the last 10 per cent to issue careful denials.
It's worth asking one more question: what would everyone gain from misstating the truth?
Well, Bloomberg's reporters clearly have the story of a lifetime, and were driven to publish it, to the extent that it is very possible that they disregarded company denials, convinced that they were closing ranks on them over a very sensitive story.
Bloomberg reporters receive bonuses based indirectly on how much they shift markets with their reporting. This story undoubtedly did that. The publisher employs roughly 2,000 journalists, who are encouraged to work together and share information through their Bloomberg Terminals, with many layers of editing and fact checking, and it has a zero tolerance on errors: it is inconceivable that it would publish a story this huge that wasn't watertight.
Apple and Amazon may be driven to deny the story even if it is true. The yarn threatens to cause billions of dollars of potential damage to their business. It would push countless companies to look at their own hardware solutions rather than rely on them as third parties. You can see the impact of that in their two per cent share falls today. Apple and Amazon are also extremely tricky with the press, carefully spinning their way out of sticky situations with caveats in a way that makes us naturally distrust their statements.
Plus, of course, both companies would want to keep any highly confidential information and contacts with intelligence services as quiet as possible. Even if the story is true, they may be ordered to deny it as vigorously as possible by the Feds on national security grounds. But it is striking quite how vigorous those denials have been on this story. Again, whatever happened to the tried and tested PR response, "We do not comment on rumor or speculation, especially with regards to national security"?
Already out there
Plus of course the impact has already been felt.
Infosec companies are already advising companies what to do, talking about the situation as if it is already a done deal. "First of all, you are unlikely going to spot the additional component on your own. Amazon apparently was able to do so after comparing drawings of a motherboard to what was actually built," notes one post matter-of-factly, adding: "Should you stop buying Supermicro motherboards? The real question is: What are the alternatives?"
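The "compare the drawings to what was built" approach the post mentions is, at its core, a diff between the design's bill of materials and an inventory of what inspection actually found on a sample board. The script below is an added illustration of that check (editor's example, not code from the article or from the post it quotes); the golden BOM, the as-built inventory and the part names in it are constructed for the example, and a real inventory would come from an AOI or X-ray pass.

```python
"""Compare a board's golden BOM with an as-built component inventory and
report anything that should not be there.

Added example; not code from the article or from the post it quotes. Both
inputs are constructed: a real BOM would come from the design export and the
inventory from an AOI/X-ray pass over a sample board.
"""
import csv
import io
import math

# Constructed golden BOM: what the drawings say should be fitted.
GOLDEN_BOM = """\
refdes,part,package,populated
U1,BMC-SOC,BGA-624,yes
U7,SPI-FLASH-32M,SOIC-8,yes
U9,TPM-2.0,TSSOP-28,yes
R12,10K,0402,yes
R13,10K,0402,no
J4,DEBUG-HDR,HDR-1x6,no
"""

# Constructed as-built inventory: what inspection actually found, with part centres in mm.
AS_BUILT = """\
refdes,package,x_mm,y_mm
U1,BGA-624,40.0,55.0
U7,SOIC-8,62.5,58.1
U9,QFN-32,70.0,44.0
R12,0402,61.0,57.4
R13,0402,61.0,56.2
X1,0402,63.3,58.9
"""


def parse_rows(text):
    """Index CSV rows by reference designator."""
    return {row["refdes"]: row for row in csv.DictReader(io.StringIO(text))}


def compare_board(bom_text=GOLDEN_BOM, built_text=AS_BUILT):
    """Return reference designators grouped by finding type."""
    bom, built = parse_rows(bom_text), parse_rows(built_text)
    findings = {"unexpected": [], "dnp_populated": [], "package_mismatch": [], "missing": []}
    for ref, placed in built.items():
        spec = bom.get(ref)
        if spec is None:
            findings["unexpected"].append(ref)          # not on the drawings at all
        elif spec["populated"] != "yes":
            findings["dnp_populated"].append(ref)       # a do-not-populate slot that was fitted
        elif spec["package"] != placed["package"]:
            findings["package_mismatch"].append(ref)    # right slot, wrong footprint
    for ref, spec in bom.items():
        if spec["populated"] == "yes" and ref not in built:
            findings["missing"].append(ref)             # expected part absent
    return findings


def nearest_neighbour(ref, built_text=AS_BUILT):
    """Closest other placed part to `ref`, to show what an unexpected component sits beside."""
    built = parse_rows(built_text)
    x, y = float(built[ref]["x_mm"]), float(built[ref]["y_mm"])
    best = None
    for other, row in built.items():
        if other == ref:
            continue
        d = math.hypot(float(row["x_mm"]) - x, float(row["y_mm"]) - y)
        if best is None or d < best[1]:
            best = (other, round(d, 2))
    return best


if __name__ == "__main__":
    findings = compare_board()
    for kind, refs in findings.items():
        for ref in refs:
            print(f"{kind}: {ref}")
    for ref in findings["unexpected"]:
        print(f"{ref} sits nearest to {nearest_neighbour(ref)}")
```

The useful output is not just "an extra part exists" but where it is and what it neighbours: an unlisted 0402 package next to the SPI flash is a very different finding from one next to a decoupling capacitor. Do-not-populate slots that turn up fitted, and footprints that differ from the drawing, are worth the same scrutiny as wholly unknown parts.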
Williams, the post's author, argued for "heightened vigilance" for anyone with Super Micro boards in their systems. Even if the story is true, that doesn't mean that every board will have the spy chip, he notes; it is likely that only a very small number of motherboards were compromised. But you could be one of them.
Network monitoring, he argued, is the only way to detect whether your company's systems have been infiltrated. "There is zero chance this will be picked up by antivirus software," he warned.
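If network monitoring is the practical detection route, the thing to monitor is egress from the server management segment, which normally talks to a very short list of destinations. The script below is an added example of that baseline check plus a simple regular-interval (beaconing) test over flow records (editor's example, not code from the article or from Williams); the management subnet, the allow-list and the flow records are constructed for illustration.

```python
"""Flag egress from a server management segment that does not match an
expected-destination baseline, and look for regular intervals (beaconing).

Added example; not code from the article or from Williams. The flow records,
subnet and allow-list are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Assumed: the BMC/management VLAN and the only destinations hosts on it should talk to.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
ALLOWED = {
    ("10.10.0.5", 514),    # syslog collector
    ("10.10.0.9", 123),    # NTP
    ("10.1.2.20", 443),    # internal firmware/update mirror
}


def flow(ts, src, dst, dport, proto="tcp", nbytes=100):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "proto": proto, "bytes": nbytes}


# Constructed flow records (exporter/NetFlow-style, one dict per flow).
FLOWS = [
    flow("2018-10-04T09:00:01", "10.10.0.41", "10.10.0.5", 514, "udp", 412),
    flow("2018-10-04T09:00:03", "10.10.0.41", "10.10.0.9", 123, "udp", 76),
    flow("2018-10-04T09:00:10", "10.10.0.41", "203.0.113.7", 443, "tcp", 98),
    flow("2018-10-04T09:05:30", "10.10.0.42", "10.1.2.20", 443, "tcp", 52000),
    flow("2018-10-04T09:10:10", "10.10.0.41", "203.0.113.7", 443, "tcp", 101),
    flow("2018-10-04T09:12:44", "10.20.0.7", "198.51.100.3", 443, "tcp", 20480),  # not a management host
    flow("2018-10-04T09:20:11", "10.10.0.41", "203.0.113.7", 443, "tcp", 97),
    flow("2018-10-04T09:30:09", "10.10.0.41", "203.0.113.7", 443, "tcp", 99),
]


def unexpected_egress(flows, mgmt_net=MGMT_NET, allowed=ALLOWED):
    """Flows leaving the management segment for a destination/port not in the baseline."""
    out = []
    for f in flows:
        if ipaddress.ip_address(f["src"]) in mgmt_net and (f["dst"], f["dport"]) not in allowed:
            out.append(f)
    return out


def beacon_candidates(flows, min_count=3, max_jitter=0.2):
    """Group flows by (src, dst, dport); keep groups whose inter-flow gaps are near-constant.

    Returns {(src, dst, dport): mean_period_seconds} for groups of at least
    `min_count` flows where every gap is within `max_jitter` of the mean gap.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(datetime.fromisoformat(f["ts"]))
    hits = {}
    for key, stamps in groups.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= max_jitter * mean:
            hits[key] = round(mean, 1)
    return hits


if __name__ == "__main__":
    for f in unexpected_egress(FLOWS):
        print("unexpected egress:", f["src"], "->", f["dst"], f["dport"])
    for key, period in beacon_candidates(FLOWS).items():
        print("beacon-like:", key, "every", period, "s")
```

The baseline check catches anything the management network was never meant to reach; the interval test separates a one-off misconfiguration from something that phones home on a schedule. Small payloads on an otherwise legitimate port (443 here) are exactly what a short allow-list plus timing analysis is meant to surface, since neither a firewall rule on the port nor antivirus on the host would see it.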
Alan Paller, director of the SANS Institute, told The Register:
Two reasons why I'm confident that Bloomberg’s report is accurate. First, I have known both Jordan and Michael [Jordan Robertson and Michael Riley, the Bloomberg story's authors] for more than a decade and their due diligence is world class. Second, the objective that this “grain of rice” chip accomplishes is the single highest priority cybersecurity objective for intelligence agencies of all major countries participating in this arena.
At the Cloudflare Internet Summit, in response to a question from The Register about Bloomberg’s report, Jeff Immelt, chairman of Athenahealth and former chairman and CEO of General Electric, said he hadn’t yet seen the claims but observed that supply chain concerns represent a huge threat to enterprises.
Immelt said he believes the government should be working with industry to present a united front in terms of cyber security. “We need I think a collective transparent review as it applies to security capabilities. And that just hasn’t happened yet,” he said.
Of course the bigger question is not really about tiny secret spy chips but overall security. There is no reason why the same ability to hack into a motherboard couldn't be built into a chip that is supposed to be on the board – and so be physically undetectable. And, of course, the majority of the world's chips are manufactured, you guessed it, in China and Taiwan. You know: the country that makes everyone's iPhones. ®
Additional reporting by Thomas Claburn and Chris Williams.