You will have no doubt heard of the bombshell Bloomberg report, which rocked the computing and business world. However, the response from the companies at the heart of the allegations, as well as Western intelligence agencies, and third-party cybersecurity experts weighing in, has muddied the waters.
It’s a very juicy story that needs unpacking, and one that threatens to utterly sink a major vendor in the cloud-computing world – Super Micro. For all businesses, if there is substance to the story (which it seems like there is), then a need and ability to audit supplier and vendors seems imperative.
Some of the advice is pretty intuitive. Employ a sufficiently staffed and funded IT and security department that has enough authority to check the integrity of parts and software being used, at all levels of an operation. Keep an ear to the ground, and ensure that you are abreast of the latest developments. Spend enough on network monitoring tools and analytics, such that you could spot sensitive data leaving the building – the list goes on.
But if the allegations are true, this is an attack that could up-end the computing world. However, there are numerous problems with the details provided – although in testament to Bloomberg’s faith in the piece, the outlet is hosting much of its critics’ statements on its own pages. The venerable title believes in what it has published, and it is worth reading if you have not done so already.
Given the emphatic denials that the firms involved have issued, should it be found that they are lying, they have committed exchanges fraud – opening them up to be sued by shareholders. The denials themselves are much more precise than typical responses issued in light of security problems, with Apple departing from the ‘we don’t comment’ line by a country mile.
To this end, Apple, Amazon, and Super Micro, as well as the US Department of Homeland Security and the UK GCHQ, are saying that Bloomberg has majorly screwed up somewhere along the lines. While the corporate denials do leave sufficient pedantic wiggle-room, their tone suggests that the companies are trying to nail down a refutation. If they wanted to give themselves enough leeway to get out of a lawsuit, they would have been much fluffier in their wording.
The US also has a history of such supply-chain attacks, intercepting Cisco routers on their way overseas, while simultaneously warning about the threat of China doing the same. Those allegations appeared in 2014, but date back to 2010, in No Place to Hide, a book by Glenn Greenwald – based on NSA documents leaked by Edward Snowden.
Geopolitically, the allegations come at a time when tensions between the US and China are escalating, with talks of twelve-figure economic sanctions in the trade wars. Huawei and ZTE have felt the sharp end of the USA’s policies here, which have rippled out into other territories.
Similarly, consumer confidence in the press has taken a battering in the past few years, with allegations of state interference and the endemic ‘fake news’ turning the spotlight on the social networks that carry such views to the consumers themselves.
If Bloomberg were tricked by such state-sponsored actors, it could explain much of its insistence in its version of events – although it would appear that such influence would be decidedly in the US’ favor. However, there’s not a clear winner here, as it’s not like there’s a US semiconductor and/or server manufacturer with capacity to rival the China-built supply that could simply take over from the Chinese factories that have built the foundation of our digital age.
Bloomberg has a reputation for vigorous fact-checking and accuracy to defend, with an apparent series of editors and architectures to make sure that mistakes do not slip through. It is not clear if that approach was departed from for this piece, but there’s a strong possibility that the firm has placed too much trust in a few key sources. If you will allow us to adjust our tin-foil hats, it only takes one state-sponsored actor to mislead Bloomberg in such a fashion – spinning a yarn, rather than revealing a scoop.
And a couple of the sources have come out to express discomfort with the final article, including Joe Fitzpatrick – speaking in the Risky Business podcast, where he thinks he might have also been used as an anonymous source at a different point. As highlighted by The Register, some prominent names in the cybersecurity world are quite doubtful, as conveyed in Twitter threads from Dragos’ CEO Robert Lee, as well as one from Fitzpatrick that throws doubt on the validity of the additional Bloomberg piece on Ethernet port attacks – which cites a single source. The Ethernet allegation is entirely removed from the alleged implanted chip.
So far, there has been no proof that an attack using the alleged vector has taken place, but that does not mean that it has not been exploited. As with antivirus software, you need to know what pattern to look for when identifying an attack, so when the likes of Apple say they have not spotted any malicious traffic, that does not categorically mean that the exploit was not used.
Similarly, the role that this supposedly implanted chip was meant to perform isn’t clear. If the photo used in the article is accurate, the chip is smaller than the nib of a pencil, and seems to have six pins – not enough to do much of anything sophisticated.
Third-party speculation seems to have reached consensus in that the chip might have been able to sit on the Serial Peripheral Interface (SPI) or System Management Bus (SMBus) interfaces, and then intercept and rewrite firmware – perhaps allowing an attacker to take control of the server via hijacking the Baseboard Management Controller (BMC).
However, the evidence of such attacks should be easy enough to detect, and given that none of the companies have spotted suspicious network traffic related to this, then the credibility of the attack is again tarnished. In addition, that chip has to contain enough code to rewrite such firmware, injecting the required vulnerabilities and exception, in such a fashion that it couldn’t be detected. This seems like an extremely difficult feat to pull off.
Bloomberg alleges that the chip “was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow.” This then begs the question of why the attackers would not simply try to corrupt a more powerful chip that is already in the motherboard’s design, making it that much more difficult to spot physical evidence of tampering.
Amazon and Apple have taken small dents to their share price, of less than 2%. However, Supermicro has been utterly pummeled, down from $21.40 before the story to a low of $9.56. It briefly climbed to $14.75, but has since fallen to $12.50, in the wake of the Ethernet piece. It said it was dismayed that Bloomberg would give it so little time to investigate the new Ethernet allegations.