"The approach you are describing is not scalable. It’s not logical. It’s not how I would do it. Or how anyone I know would do it." —Joe FitzPatrick, Hardware Security Resources
FitzPatrick, interviewed by Patrick Gray Monday for his Risky Biz podcast (transcribed by 9to5Mac):
I spent a lot of time [with Bloomberg's Jordan Robertson] going back and forth explaining how hardware implants worked. And as any researcher is excited to talk about their work, I was delighted to have someone who seemed interested to actually learn about how things worked as opposed to only looking for the buzzword byline that you wanted to throw into a story…
But what really struck me is that like all the details that were even remotely technical seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at Black Hat two years ago worked…
It was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100% of what I described was confirmed by sources...
So late August was the first time Jordan disclosed to me some of the attackers in the story. I heard the story and it didn’t make sense to me. And that’s what I said. I said wow, I don’t have any more information for you, but this doesn’t make sense. I’m a hardware person. My business is teaching people how to secure hardware. Spreading hardware fear, uncertainty and doubt is entirely in my financial gain. But it doesn’t make sense because there are so many easier ways to do this. There are so many easier hardware ways, there are software, there are firmware approaches. The approach you are describing is not scalable. It’s not logical. It’s not how I would do it. Or how anyone I know would do it.
My take: I've seen stories that fall apart before. I've written stories that fell apart. Unless one of the Big Hack's 17 anonymous sources steps forward to defend Jordan Robertson and Michael Riley's account, this one will collapse under its own weight.
UPDATE: From a Bloomberg spokesperson.
As is typical journalistic practice, we reached out to many people who are subject matter experts to help us understand and describe technical aspects of the attack. The specific ways the implant worked were described, confirmed, and elaborated on by our primary sources who have direct knowledge of the compromised Supermicro hardware. Joe FitzPatrick was not one of these 17 individual primary sources that included company insiders and government officials, and his direct quote in the story describes a hypothetical example of how a hardware attack might play out, as the story makes clear.
Our reporters and editors thoroughly vet every story before publication, and this was no exception.
See also:
And yet, the damage has been done. What were the BB/BW editors thinking? Did they even vet this article before publishing?
https://www.servethehome.com/bloomberg-reports-china-infiltrated-the-supermicro-supply-chain-we-investigate/
There should be some consequence to such shoddy “reporting”.
https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom?srnd=premium
A bit unusual since the story says the chip was in the Ethernet connector?!?
“Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.”
But like the Killian documents that sank Dan Rather, it could be a case of fake details being used to describe a larger truth. China is no doubt engaged in espionage that seeks to do the sorts of things (and more) that the Bloomberg story claims they did.
If Apple is lying in every denial, then we have truly gone down the rabbit hole where there is no such thing as truth (a very bad place for investors, since investment thrives in a garden of predictability). What’s much more likely is that the story is wrong. But even if someone got duped into printing a news story that advanced some group’s agenda, it doesn’t mean that the fears the story evokes are not well founded.
In the end these kinds of stories tend to backfire by making folks skeptical of real risks closely linked to the debunked story. What would be really cool is if that was the goal of the original story’s promoter, but the world probably doesn’t work so neatly.
But why now?