The story feels like something out of a novel or a movie. In October, Bloomberg Businessweek published a lengthy piece detailing how Chinese spies had, during the manufacturing process, installed chips in servers purchased by major tech companies—creating “a stealth doorway” into their respective networks. The report alleged that two of the companies were Amazon and Apple, the latter of which cut ties with the manufacturer upon discovery in May 2015.
The issue with the whole narrative is that both companies say it never happened, and Apple CEO Tim Cook is taking the unprecedented step of demanding Bloomberg retract the report.
The Bloomberg Story
According to Bloomberg, the subterfuge was uncovered by a third-party security company, hired in 2015 by Amazon Web Services (AWS) in advance of a potential acquisition of compression software company Elemental Technologies. The security company found the offending device in Elemental servers assembled by Super Micro Computer Inc. (Supermicro), then notified the appropriate US authorities.
The discovery was especially disconcerting for its sophistication. “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” experienced hardware hacker and Grand Idea Studio Inc. founder Joe Grand told Bloomberg, before describing hardware as “just so far off the radar, it’s almost treated like black magic.”
Because China makes approximately 75% of the world’s mobile phones and about 90% of its PCs, the country has virtually unlimited access to hardware. Supermicro was the “perfect conduit” for an attack of that nature and magnitude – one that Bloomberg alleges “affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple Inc.”
Bloomberg reported that three senior insiders at Apple confirmed the company found “malicious chips on Supermicro motherboards” in 2015, before ending its relationship with the manufacturer in 2016 for “unrelated reasons.”
Denials and Confusion
Amazon also disputed the story, disavowing any knowledge of a compromised supply chain in a lengthy emailed statement. Apple, too, called the “sometimes vague and sometimes elaborate” claims untrue, claiming that “rigorous internal investigations” did not turn up any evidence to validate the Bloomberg report.
Both companies expressed displeasure that Bloomberg would not acknowledge potential misinformation from their sources, positing that its reporters might be “confusing their story with a previously-reported 2016 incident in which [Apple] discovered an infected driver on a single Supermicro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.”
The vigorous denials continued in a letter to Congress signed by George Stathakopoulos, Apple’s Vice President of Information Security. BuzzFeed News reported additional confusion from high-ranking Apple officials, calling the refutations “essentially unprecedented in [their] detail.”
Apple and Amazon then took things a step further: Apple CEO Tim Cook told BuzzFeed News in a phone interview that “there is no truth in [Bloomberg’s] story about Apple,” calling for them to “do the right thing” and retract the story. BuzzFeed characterized the statement as “extraordinary,” acknowledging the company had never publicly called for a story’s retraction despite numerous instances where “the stories have had major errors or were demonstratively false.” AWS CEO, Andy Jassy, did the same in a tweet, stating that “[Bloomberg] offered no proof,” a changing story, and “showed no interest in our answers unless we could validate their theories.”
Cook characterized the story as ever-changing following each conversation with Bloomberg, asserting a dearth of evidence to support their claims as additional reasons for confusion. He called the likelihood that an incident could have taken place without him being aware of it as “virtually zero.”
What Happens Now?
Despite the backlash, Bloomberg has refused to back down on its claims. A spokesperson called the investigation “the result of more than a year of reporting…[and] more than 100 interviews,” in a statement to BuzzFeed News, confirming that “seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks,” before citing “three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs” in an assertion of confidence. The company, however, “did not answer [specific] questions about evidence supporting its allegations or the public remarks of its named sources.”
The impasse is fascinating – and confusing – to commentators, journalists, government officials, and other parties who have been following along. Bloomberg’s reputation as a highly-respected news outlet with the sources to match has given them a longer leash in the face of vehement denials from allegedly affected companies, but no other reporters have been able to confirm their claims.
An (unnamed) national security officer of note confirmed the story’s verisimilitude to BuzzFeed News but denied personal knowledge of a breach or investigation (though he admitted to a “highly classified effort in the US government to detect how adversaries implant devices like the one described in the Bloomberg story.”) Additional high-profile officials in the law enforcement and intelligence communities are on record stating that they have not seen evidence to discount the various denials from the companies involved.
No parties have indicated they want to pursue legal action, despite the back-and-forth exchanges and lack of a resolution. Each is standing their ground, and for now, the report and subsequent accusations exist in limbo – a story that hints at truth but remains unprovable.