“The approach you are describing is not scalable. It’s not logical. It’s not how I would do it. Or how anyone I know would do it.” —Joe FitzPatrick, Hardware Security Resources
I spent a lot of time [with Bloomberg’s Jordan Robertson] going back and forth explaining how hardware implants worked. And as any researcher is excited to talk about their work, I was delighted to have someone who seemed interested to actually learn about how things worked as opposed to only looking for the buzzword byline that you wanted to throw into a story…
But what really struck me is that like all the details that were even remotely technical seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at Black Hat two years ago worked…
It was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100% of what I described was confirmed by sources…
So late August was the first time Jordan disclosed to me some of the attackers in the story. I heard the story and it didn’t make sense to me. And that’s what I said. I said wow, I don’t have any more information for you, but this doesn’t make sense. I’m a hardware person. My business is teaching people how to secure hardware. Spreading hardware fear, uncertainty and doubt is entirely in my financial gain. But it doesn’t make sense because there are so many easier ways to do this. There are so many easier hardware ways, there are software, there are firmware approaches. The approach you are describing is not scalable. It’s not logical. It’s not how I would do it. Or how anyone I know would do it.
My take: I’ve seen stories that fall apart before. I’ve written stories that fell apart. Unless one of the Big Hack’s 17 anonymous sources steps forward to defend Jordan Robertson and Michael Riley’s account, this one will collapse under its own weight.
UPDATE: From a Bloomberg spokesperson.
As is typical journalistic practice, we reached out to many people who are subject matter experts to help us understand and describe technical aspects of the attack. The specific ways the implant worked were described, confirmed, and elaborated on by our primary sources who have direct knowledge of the compromised Supermicro hardware. Joe FitzPatrick was not one of these 17 individual primary sources that included company insiders and government officials, and his direct quote in the story describes a hypothetical example of how a hardware attack might play out, as the story makes clear.
Our reporters and editors thoroughly vet every story before publication, and this was no exception.