
Bloomberg's Supermicro Follow-Up: Still No Chip

New Story Is Scant on Proof That China Implanted Chips on Motherboards

It was portrayed as a sensational supply chain hack: China subverted motherboards made by San Jose, California-based Supermicro, installing spying chips the size of rice grains and opening a door to remote espionage.


But Bloomberg Businessweek's story, which ran on Oct. 4, 2018, generated immediate skepticism. Technical experts said the story didn't ring true. Apple and Amazon issued unusually stern rebuttals after Bloomberg said the companies independently found the spying chips. And the U.S. National Security Agency, in a truly uncharacteristic response, said it was "befuddled" by the Bloomberg Businessweek report (see: Report: Chinese Spy Chip Backdoored US Defense, Tech Firms).

In a follow-up report published Friday, Bloomberg stands by its original report and attempts to bolster its foundation. The follow-up report repeats Bloomberg's unconvincing assertion, adds mushy new sourcing and recounts peripheral incidents in an attempt to shift the focus from its unproven contention.

Bloomberg acknowledges the fierce pushback against the first story. Amazon, Apple and Supermicro called for a retraction.

Then, the follow-up report very passively hints at fault in the first report, saying that "with additional reporting, it's now clear that the [Bloomberg] Businessweek report only captured part of a larger chain of events in which U.S. officials first suspected, then investigated, monitored and tried to manage China's repeated manipulation of Supermicro's products." Bloomberg made an error of omission, then, rather than an error.

Reputational Disaster

In its latest report, Bloomberg shifts the focus away from the chip and attempts to demonstrate through other events that U.S. officials have long been worried and have been investigating possible tampering at Supermicro.

That may indeed be true. But the follow-up is an inadequate and insincere way to deal with what has been a reputational disaster for Bloomberg. It might have made things worse.

Bloomberg uses various peripheral incidents to round out its new theme. It reports that in 2014, Intel pinned a minor security incident - which was related to a firmware update that came from Supermicro's website - on China.

Another part of the story addresses a 2010 situation in which the Pentagon allegedly noticed Supermicro servers mapping network information about unclassified networks and sending it to China.

An illustration that accompanied Bloomberg Businessweek's original report depicted a small chip - but it wasn't the actual spying chip. (Source: Bloomberg Businessweek)

Bloomberg reports that U.S. officials let those servers continue to run while developing countermeasures. The rogue code was contained in the machines' BIOS. The government continued to procure Supermicro equipment, but apparently only for unclassified networks, the news service reports.

The BIOS finding allegedly inspired investigators to try to find other examples of possible manipulation of Supermicro's products. The FBI gained FISA warrants in 2012 to monitor people connected to Supermicro, which led to the alleged discovery of the much-contested malicious chips, Bloomberg reports.

The new Bloomberg report provides a load of unnamed sources and three named sources who say they were briefed on this development between 2014 and 2017. Crucially, however, Bloomberg writes that "no customer has acknowledged finding malicious chips on Supermicro motherboards," with executives apparently complaining that they were not provided with enough details on how to find the chips.

So what's going on here? Bloomberg has rightly triangulated on something related to Supermicro's supply chain integrity. But none of the new reporting adds strength to the chip allegation - nor is it particularly relevant.

Squishy Sourcing

The three named sources who specifically address the rogue chips are Mukul Kumar, formerly CSO for chip designer Altera; Mike Janke, a former Navy SEAL who co-founded a venture capital firm called DataTribe; and Mike Quinn, formerly of Cisco and Microsoft.

Kumar says he was briefed about the chips. Janke says he knows of two companies who were briefed and were later involved in an FBI investigation. And Quinn says officials with the U.S. Air Force briefed him when he worked for a supplier.

There's no reason to believe these people would stick their necks out if they believed what they are saying isn't true. But their information could be inaccurate, based on speculation or a ham-fisted interpretation of unclear intercepts obtained through those old FISA warrants. We just don't know.

These sources are not insiders but passive recipients of the same information, or possibly misinformation, that may have been floating around at the time.

But it's too big of a story for questionable sourcing, tweets Matt Tait, a senior cybersecurity fellow at the Robert S. Strauss Center for International Security and Law at the University of Texas at Austin.

In a spirited rebuttal, Supermicro says the latest story "is a mishmash of disparate and inaccurate allegations that date back many years. It draws farfetched conclusions that once again don’t withstand scrutiny.

"We have never found any malicious chips, even after engaging a third-party security firm to conduct an independent investigation on our products. Nor have we been informed by any customer or government agency that such chips have ever been found."

Risky to Double Down

More than two years on, it's dangerous for Bloomberg to stick with its story without having the actual chip.

Also, if Supermicro's products posed such a persistent threat from an information theft perspective, why hasn't the U.S. government banned the company in a manner similar to how it dealt with Kaspersky and Huawei?

And if this was an uber-secret hack, it surely would have become a talking point in President Donald Trump's contentious trade talks with China over the past four years.

Bloomberg reporter Michael Riley is a co-author of the first report and the follow-up. He tweeted this on Oct. 6, 2018, two days after the first report appeared.

Perhaps tellingly, Riley hasn't tweeted since then. After more than two years, Bloomberg apparently hasn't been able to find the physical evidence.



About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.



