Bloomberg's Spy Chip Story Reveals the Murky World of National Security Reporting (techcrunch.com) 67
TechCrunch's security editor, Zack Whittaker, analyzes Bloomberg's recent report that China infiltrated Apple, Amazon and others via a tiny microchip inserted into servers at the data centers associated with these companies. With Apple and Amazon refuting Bloomberg's claims, Whittaker talks about the "murky world of national security reporting" and the difficulties of reporting stories of this magnitude with anonymous sources. An anonymous reader shares an excerpt from his report: Today's bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary or it's not, and a lot of people screwed up. Welcome to the murky world of national security reporting. I've covered cybersecurity and national security for about five years, most recently at CBS, where I reported exclusively on several stories -- including the U.S. government's covert efforts to force tech companies to hand over their source code in an effort to find vulnerabilities and conduct surveillance. And last year I revealed that the National Security Agency had its fifth data breach in as many years, and classified documents showed that a government data collection program was far wider than first thought and was collecting data on U.S. citizens. Even with this story, my gut is mixed.
Naturally, people are skeptical of this "spy chip" story. On one side you have Bloomberg's decades-long stellar reputation and reporting acumen, a thoroughly researched story citing more than a dozen sources -- some inside the government and out -- and presenting enough evidence to present a convincing case. On the other, the sources are anonymous -- likely because the information they shared wasn't theirs to share or it was classified, putting sources in risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say "a source familiar with the matter" because it weakens the story. It's the reason reporters will tag names to spokespeople or officials so that it holds the powers accountable for their words. And, the denials from the companies themselves -- though transparently published in full by Bloomberg -- are not bulletproof in outright rejection of the story's claims. These statements go through legal counsel and are subject to government regulation. These statements become a counterbalance -- turning the story from an evidence-based report into a "he said, she said" situation. That puts the onus on the reader to judge Bloomberg's reporting. Reporters can publish the truth all they want, but ultimately it's down to the reader to believe it or not. Whittaker ends by saying "Bloomberg's delivery could have been better," and that they "missed an opportunity to be more open and transparent in how it came to the conclusions that it did."
"Journalism isn't proprietary," Whittaker writes. "It should be open to as many people as possible. If you're not transparent in how you report things, you lose readers' trust. That's where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you -- and I -- have to put a lot of trust and faith in Bloomberg and its reporters."
Easy to prove... (Score:2, Insightful)
Re: Easy to prove... (Score:4, Funny)
A subset of them were modified, you buffoon. Good luck finding one now.
So what you are saying is that enough were modified to present a real threat - but not enough for any to be found.
Paranoid, much?
Re: (Score:3)
A subset of them were modified, you buffoon. Good luck finding one now.
And by the way, adding gratuitous personal insults to your comment weakens it. It cries aloud that you have no facts or logical arguments.
Re: (Score:3)
Exactly. They should have been able to lay their hands on at least one of the hacked servers.
Personally, I grew suspicious when Bloomberg started talking about "signal conditioning couplers," a part which does not actually exist on server motherboards. Maybe they meant the little capacitors marked 103 which condition the power on the advanced electronics boards so they don't have localized voltage sags and surges as the chips change activity and draw more or less power? I don't know but if their sources don
Re:Easy to prove... (Score:4, Funny)
Re: (Score:2)
Exactly. Well spotted.
Re: (Score:2)
"Eventually, that person says, ..."
A person isn't a source, especially when that seems to be the best they can find ...
"all the sub-sub-subcontracting that tends to happen with manufacturing, is it really that improbable that only particular subset of server were affected?"
Even so, there's still no evidence and Amazon and Apple say it didn't happen.
Re: (Score:1)
Re: (Score:2)
"Hello, this is Bloomberg, we need to go through your server farm to systematically search for hidden microchips which could be in any of your server motherboards."
Sounds like you're saying Bloomberg wrote the story without finding any evidence that "hidden microchips" existed.
Re:Easy to prove... (Score:4, Insightful)
Given Bloomberg's reputation...
Given the New York Times' reputation, the Washington Post's reputation, The Times' reputation, The Guardian's reputation, the BBC's reputation...
We have entered an era in which the reputations of yesteryear mean absolutely nothing. All that matters is who owns the corporation.
Re: (Score:3)
The one and only way to ensure your country's secrets are secure is to make 100% of your components inside your country's borders, by companies run only by your country's citizens that employ only your country's citizens, and even they are subject to stringent testing and oversight.
Citizens, moreover, who have no secret ideological sympathies and who are absolutely not tempted by the offer of enormous sums of money.
In your own words, good luck with that.
Re: (Score:2)
"A well hidden piece of spy software will not be that easily detected."
He's talking about the hardware which Bloomberg isn't claiming is hidden.
Doesn't pass a sniff test (Score:2, Interesting)
How exactly do you hide the wires? I get that the chip is supposed to be super small, but it must be wired in somehow. A chip to intercept a gigabit ethernet and you're 8 wires in, 8 wires out, and power and ground, so we're looking at 18 unexplained traces on the circuit board. If it's sniffing the processor, we're looking at hundreds (128 bit data path/64 bit address etc.). Perhaps it's a USB chip, but then how does it get network access?
How exactly do you hide the heat? This thing is supposedly running
He's probably a Judge... (Score:2)
n/t
Re: (Score:1)
Re: (Score:2, Insightful)
Annn Rand was a stupid insipid cunt who had serious problems; if you're basing your ethos on her, you are a truly lost soul.
Maybe Religion will help; call a Priest, at least he'll give you a reacharound, unlike Teh Donald.
Re: (Score:2)
Re:SV better pray it's clickbait fearmongering (Score:4, Insightful)
Rand's Atlas Shrugged was first and foremost a work of science fiction. Spoiler alert: the book's mystery-man hero is the inventor of a free energy reactor. To see the book as something else you really have to start with an agenda.
Not only that, it was a work of science fiction with an unusually clever premise: What if the Elon Musks, Larry Pages, Warren Buffets and Jeff Bezos' of the world all got pissed off and decided to go on strike, just like union blue collar workers do?
You don't have to buy in to Rand's political philosophies. I certainly don't. But she wrote an intriguing book.
Spy chips that send data on the internet? (Score:5, Insightful)
Advanced AV and firewalls along with really skilled staff selected on merit are going to notice that "extra" data moving out from deep in their secure networks.
That's why most advanced nations have resorted to different methods to collect their data.
1. Short distance data transmission that's not on the internet.
2. Staff/visitors/friends/a person with split loyalty on the inside to collect data later in a way that's never detected as an outgoing internet connection.
3. The use of a PRISM-like big brand understanding to move the data out.
What could have happened?
1. NSA and GCHQ found the chips early and often and then created vast amounts of junk information to see how the networks and chips sent the junk data out.
2. The clandestine services found the chip and have been using it for their own missions but did not stop it as it was a free spying tool.
3. Very different and unexpected nations found the chips and have been using it as a free spy tool.
4. Criminals, faith groups, cults, ex and former clandestine services staff and groups doing industrial espionage have found the chip and used it for their own data collection?
5. National police forces found the chips and wanted to try a way to get around crypto.
The real fail with this is having to use the internet and never get detected.
Smart people with real skills will notice extra data on their secure networks.
Re: (Score:2)
Smart people with real skills will notice extra data on their secure networks.
Yeah, but the extra data is just George's on-line porn addiction, no big deal. But MAN does he really like Chinese women!
Easy to exfiltrate data slowly. Nano differences (Score:5, Interesting)
It's fairly trivial to exfiltrate data *slowly* from a server.
For example, TCP sequence numbers are supposed to be random, as are ephemeral ports. Nobody is expecting those to follow certain rules. Stick your data in the third bit of any of those random numbers and nobody will ever know. You can exfiltrate one bit per connection. On a busy server, that's like having a dial up ssh connection with root access to the machine.
You may have heard about the network-based Spectre variant that was recently released. Like all Spectre variants, it's based on detecting tiny changes in the average time something takes - the average response time to a network request, in that case.
With server grade gigabit and ten gigabit Ethernet cards having TCP offload on board, an attacker with BMC access can manipulate the existing TCP traffic in ways that the machine's own kernel can't even see.
You don't want to download gigabytes of data this way (unless you can hide it in thousands of gigabytes of legitimate traffic), but you only need 2048 bits to exfiltrate the private key that gives you everything.
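A defender-side check for the scenario in the comment above, as an added example that is not part of the original thread: it looks for a periodic pattern in one bit position of ephemeral source ports, taken in connection order, which appears when that bit carries structured data such as text. The port lists, the sample text, the thresholds and all function names are constructed for illustration.

```python
import math
import random

def bit_stream(ports, bit):
    """Extract one bit position from each port, in connection order."""
    return [(p >> bit) & 1 for p in ports]

def lag_z(bits, lag):
    """z-score of how often bits[i] == bits[i+lag]; ~N(0,1) for random bits."""
    n = len(bits) - lag
    agree = sum(1 for i in range(n) if bits[i] == bits[i + lag])
    return (agree - n / 2) / math.sqrt(n / 4)

def suspicious_bits(ports, low_bits=8, max_lag=16, threshold=5.0):
    """Return {bit: (lag, z)} for bit positions showing a strong periodic pattern."""
    hits = {}
    for bit in range(low_bits):
        bits = bit_stream(ports, bit)
        # Keep the lag with the largest deviation from chance agreement.
        lag, z = max(((k, lag_z(bits, k)) for k in range(1, max_lag + 1)),
                     key=lambda t: abs(t[1]))
        if abs(z) >= threshold:
            hits[bit] = (lag, round(z, 1))
    return hits

# --- constructed sample data (not captured traffic) ---
def sample_ports(n, seed):
    """Ports as a randomizing stack would pick them (assumed range 32768-60999)."""
    rng = random.Random(seed)
    return [rng.randrange(32768, 61000) for _ in range(n)]

def carry_text(ports, text, bit=2):
    """Model the comment's scenario: the third bit of each port holds one text bit."""
    payload = [(b >> (7 - i)) & 1 for b in text.encode() for i in range(8)]
    return [(p & ~(1 << bit)) | (payload[k % len(payload)] << bit)
            for k, p in enumerate(ports)]

CLEAN = sample_ports(4000, seed=1)
TAINTED = carry_text(sample_ports(4000, seed=2),
                     "constructed sample text standing in for structured data ")

if __name__ == "__main__":
    print("clean:  ", suspicious_bits(CLEAN))    # no bit position flagged
    print("tainted:", suspicious_bits(TAINTED))  # bit 2 flagged at a byte-aligned lag
```

The byte-aligned lag (8 or 16) is the giveaway: every eighth bit of ASCII text is the always-zero top bit of a character, so the stream agrees with itself one byte later far more often than chance.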
Re: (Score:2)
Apple did detect it. If you read the article the extra connections are exactly how they discovered that they had an issue.
I'm waiting (Score:2)
.. for an expert to analyze and understand the chip in question
I haven't read a detailed technical analysis yet
Re: (Score:2)
Same here. The article contained pictures of the supposed chips (that looked like line conditioners ie ferrite beads). Surely it must be possible for some reputable third-party analysis firm here in the U.S. to get its hands on one and do a tear-down?
The Story Is Probably Accurate (Score:3)
the rogue chip itself innovative (Score:1)
or the U.S. has done the same and China has copied it?
Re: The Story Is Probably Accurate (Score:5, Informative)
I'm inclined to believe the story. I was able to enter factories in China where supposedly companies wanted to protect their "Intellectual Property" (I'm not going to name who, but big known brands), take photos and do whatever I wanted, all because the landlord (who is my friend) also has government connections. No one is going to report it and no one is going to say anything. I was treated like a king visiting his kingdom. This seems to be pretty typical in China. I've also witnessed machines being copied right next to the Germans installing theirs.
So I can see the Chinese government easily pulling this off. Employees are easily bribed, threatened and/or coerced into doing things. Most don't want any problems with the government. Anyone can believe what they want, I've seen it first hand and anyone telling you otherwise is lying through their teeth. They could easily build another production and R&D line to secretly add whatever they want in the same damn factory, the corporate management would never know what it's for nor would they dare ask. The only revealing factor would be Chinese gossip, because they like to talk and show off.
It is enough that the story could be accurate (Score:2)
Nobody can know what is really inside the chips on a board. That China could do something like this, and get away with it domestically, means we need to be very careful in dealing with them.
The main thing that stops this happening too much in the west is internal leaks. But there will not be any leaks from China.
Smell test (Score:4, Interesting)
I like the analysis going on over here: https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/ [lightbluetouchpaper.org]
As a hardware designer, it's an interesting idea to think of attack vectors through "NO STUFF" parts of the BOM. Most PCBs have "NO STUFF" parts of some sort - either for legacy or prototyping reasons.
The idea of some nefarious third party reverse engineering a "NO STUFF" and forming an attack vector with that is well, news to me. I can easily understand a thing like this slipping through a QC check
It would certainly be a difficult attack to construct. But many of today's "software" attacks are quite complicated. Certainly not outside the scope of a state-entity IMHO.
Interesting times in any event, and something to think about.
Re: (Score:2)
There were supposedly password-bypassing tweaks and other inside goodies. Never heard a follow-up of what the results were.
Irony ... (Score:2)
... the difficulties of reporting stories of this magnitude with anonymous sources. An anonymous reader shares an excerpt from his report:
Re: (Score:1)
When you don't know bullshit from wild honey, go looking for a cattle rancher or a beekeeper. ~ CaptainDork
definitely don't quote yourself like that ever tho
Re: (Score:2)
I'm a cattle rancher AND a beekeeper.
Jesus H Christ, you fucking illiterate idiots. (Score:1)
It's "disputing", or "contradicting", not "refuting".
"To refute" means "to prove something incorrect", not "to claim something is incorrect".
If you say "Apple refuted Bloomberg's claims", that means that Apple presented such clear evidence that you personally are convinced that Bloomberg is wrong.
FUCKING STOP IT.
Re: (Score:2)
Diversion (Score:1)
I guess I'm a little confused (Score:3)
Having not read the Bloomberg article, because I've been busy this week, is Bloomberg just reporting on what sources have said?
That isn't investigative journalism. That's just reporting gossip.
Can't Bloomberg just grab a device, open it up, and pay someone reputable to actually have a look and then confirm this whole thing? Why am I left needing to trust anonymous-source reporting? Go make it nonymous! Any nonymous will do.
Inherent problem of secret service and backdoors (Score:2)