“The approach you are describing is not scalable. It’s not logical. It’s not how I would do it. Or how anyone I know would do it.” —Joe Fitzpatrick, Hardware Security Resources
Fitzpatrick, interviewed by Patrick Gray Monday for his Risky Biz podcast (transcribed by 9to5Mac):
I spent a lot of time [with Bloomberg’s Jordan Robertson] going back and forth explaining how hardware implants worked. And as any researcher is excited to talk about their work, I was delighted to have someone who seemed interested to actually learn about how things worked as opposed to only looking for the buzzword byline that you wanted to throw into a story…
But what really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at black hat two years ago worked…
It was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100% of what I described was confirmed by sources…
So late August was the first time Jordan disclosed to me some of the attackers in the story. I heard the story and It didn’t make sense to me. And that’s what I said. I said wow I don’t have any more information for you, but this doesn’t make sense. I’m a hardware person. My business is teaching people how to secure hardware. Spreading hardware fear, uncertainty and doubt is entirely in my financial gain. But it doesn’t make sense because there are so many easier ways to do this. There are so many easier hardware ways, there are software, there are firmware approaches. There approach you are describing is not scalable. It’s not logical. It’s not how I would do it. Or how anyone I know would do it.
My take: I’ve seen stories that fall apart before. I’ve written stories that fell apart. Unless one of the Big Hack’s 17 anonymous sources steps forward to defend Jordan Robertson and Michael Riley’s account, this one will collapse under its own weight.
UPDATE: From a Bloomberg spokesperson.
As is typical journalistic practice, we reached out to many people who are subject matter experts to help us understand and describe technical aspects of the attack. The specific ways the implant worked were described, confirmed, and elaborated on by our primary sources who have direct knowledge of the compromised Supermicro hardware. Joe FitzPatrick was not one of these 17 individual primary sources that included company insiders and government officials, and his direct quote in the story describes a hypothetical example of how a hardware attack might play out, as the story makes clear.
Our reporters and editors thoroughly vet every story before publication, and this was no exception.
See also:
“I have a list of 17 secret sources!” Hmmm, seems we’ve heard that approach before…
Click bait journalism. Bloomberg should be forced to forfeit its ad revenue for the month.
You wonder what the “journalist” was thinking? If it’s false, he was setting himself up for failure. Or maybe he was counting on none of the companies to actually defend themselves?
And yet, the damage has been done. What were the BB/BW editors thinking? Did they even vet this article before publishing?
Here’s another good article, questioning the details of the Bloomberg story, right from the get-go:
https://www.servethehome.com/bloomberg-reports-china-infiltrated-the-supermicro-supply-chain-we-investigate/
Responses from the parties involved and people who work in the IT security industry seem to paint the Bloomberg article a complete falsehood.
There should be some consequence to such shoddy “reporting”.
I wouldn’t be surprised if Apple and others brought suit against Bloomberg for this, if only to force them to divulge-to-defend. This article impugns Apple’s security, something the company has invested heavily in and something that directly affects their public image.
Jordan Robertson just doubled down with a new article about chip manipulation at 4p ET. One named source.
Link?
Sorry was reading on my phone earlier:
https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom?srnd=premium
A bit unusual since the story says the chip was in the Ethernet connector?!?
“Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.”
The timing of this story — right when businesses are being told to avoid China and [insert some apolitical comment about trade policy and the importance of hurting China here] — this seems like an odd coincidence.
But like the Killian documents that sank Dan Rather, it could be a case of fake details being used to describe a larger truth. China is no doubt engaged in espionage that seeks to do the sorts of things (and more) that the Bloomberg story claims they did.
If Apple is lying in every denial, then we have truly gone down the rabbit hole where there is no such thing as truth (a very bad place for investors, since investment strives in a garden of predictability). What’s much more likely is that the story is wrong. But even if someone got duped into printing a news story that advanced some group’s agenda, it doesn’t mean that the fears the story evokes are not well founded.
In the end these kinds of stories tend to backfire by making folks skeptical of real risks closely linked to the debunked story. What would be really cool is if that was the goal of the original story’s promoter, but the world probably doesn’t work so neatly.
But why now?
I wonder if somebody(s) at Super Micro purposely fed the reporter a false story. The company isn’t exactly ethical. It hasn’t released financials for over a year because it got caught channel stuffing. Other sources could have appeared to corroborate the story with knowledge of the malware driver that was downloaded in Apple’s Dev lab. So he has all this evidence of an incident at Apple – security related, but the specific details are provided by others who are either mistaken or lying. All the prices seem to line up and fit…. except the most CRUCIAL parts are inaccurate.