FBI and DHS testify on Apple spy chip story (transcript)

From C-Span’s transcript of today’s Homeland Security & Governmental Affairs Committee hearings:

Sen. Ron Johnson (R-Wisc.): Bloomberg I think has done an excellent job on an investigative report on the Supermicro the implantation of small little microchips into these boards. I know Apple is denying it. Follow-up report seems like it is pretty sound reporting. Without getting into the specifics of that, unless you want to speak to if it is true or not, what went through my mind immediately is that how come I’m finding out through Bloomberg in terms of contact from the federal government? …

FBI Director Christopher Wray: Well I would say to the newspaper article, or I mean the magazine article, I would say be careful what you read. Especially in this context…

Johnson: So by the way if this is not accurate [lifts up Bloomberg story] I would like to have the FBI or somebody come out and say it’s not. Because we also don’t want false information out there as well. Does that make sense? What prevents us from doing that?

Wray: Well I can’t speak for other agencies. On our end, we have to be very careful. We have a very specific policy that applies to us as law enforcement agencies to neither confirm nor deny the existence of an investigation. I do want to be careful that my comment not be construed as inferring or implying, I should say, that there is an investigation. We take very seriously our obligation to notify victims when they’ve been targeted.

DHS Secretary Kirstjen Nielsen: Yes, sir, and we have adopted a shine-the-light approach… With respect to the article, we at DHS do not have any evidence that supports the article. We have no reason to doubt what the companies have said. We continue to look into it. What I can tell you though is it is a very real and emerging threat that we are very concerned about. So we are working very closely with the private sector, within our federal family, and certainly to put our own house in order to make sure that we are locking down every step of that supply chain.

My take: It would have been in Nielsen and Wray’s interest to take a real cyber threat seriously. But when questioned about the Apple spy chip story, the FBI director did not endorse the Senator’s assessment that Bloomberg did an excellent job.

10 Comments

  1. David Emery said:

    Well, here’s one possible explanation:
    1. There was a problem with some boards. Apple itself reported finding a board with this on it a couple years ago.
    2. Bloomberg’s “sources” took the information from some IA experts and some weak anecdotal evidence and blew it out of proportion.
    3. Apple (and others) deny this is a chronic/widespread problem because whatever the problem that Apple found was not replicated. And one would think that Apple instituted significant detection routines after finding that problem.
    4. A similar device got into the unnamed Telecom.
    5. But the government IA people have not detected a widespread problem.

    One thing this highlights is the need for stronger reporting of any kind of vulnerabilities to the government. That doesn’t necessarily mean -public disclosure-, there might be good reasons to keep details under wraps. Still, any occurrence of this kind of problem needs to be reported and logged in CERT databases. See https://www.us-cert.gov/ncas/current-activity

    1
    October 10, 2018
  2. Fred Stein said:

    Hmm. “politics-free zone” ?

    No verified facts relevant to Apple were offered.

    0
    October 10, 2018
  3. George Row said:

    With infowars having been taken off (most of) the airwaves, are Bloomberg pitching for the gap they left in the media market?
    Meanwhile sitting in that gap we have Sen Johnson berating the guys in the suits:
    “I think this nonsense from Bloomberg is ‘pretty sound reporting’. How come you guys on the fat salaries aren’t bringing us nonsense of this here caliber?”

    Sigh …

    3
    October 10, 2018
  4. Gregg Thurman said:

    Back in the day, my firm developed 4 layer motherboards to interface between a third party computer and digital telephone systems. In order to create the interface, we had to read what was going on with the telephone system’s OS and data stream. The model we specialized in had 150 voice channels (which is fewer than the number of channels the alleged Chinese chip would have to monitor).

    That was nearly 20 years ago and the technology wasn’t anything like it is today.

    That said, I contacted a couple of the engineers that worked on the boards’ design and posed this issue to them.

    I am told that on the surface what is being stated by Bloomberg isn’t possible because of the complexity of monitoring the number of channels today’s multi-core processors utilize. Basically, you couldn’t read all of those channels from a single point. It would require multiple surreptitiously placed chips, and those chips would have a high probability of interfering with the board layout no matter how small they were.

    Essentially, monitoring the data stream isn’t the issue; it’s what the insertion of the monitoring chips would do to the board design and the unforeseen problems of operation those chips may cause, especially given the high probability of future firmware/software updates by the OEM.

    1
    October 10, 2018
  5. Ken Cheng said:

    What’s strange is the newest BB/BW article, https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom?srnd=technology-vp, about hacked Supermicro servers, uses a different vector for attack, this time it’s the ethernet port. I wonder if it’s tiny as a pencil tip? The author, Jordan Robertson, seems to use this piece as confirmation of his first piece, even though the story is quite a bit different, with only one source.

    “The discovery shows that China continues to sabotage critical technology components bound for America.” (subheader)

    “The executive said he has seen similar manipulations of different vendors’ computer hardware made by contractors in China, not just products from Supermicro.”

    One wonders if he or anyone reported these “manipulations”?

    These articles do a lot of name-dropping, which seems to give an air of seriousness and credibility, but only makes me feel more skeptical. More actual evidence and less name-dropping would work better. This story pretty much relies upon one source. I’ll be sure to watch out for metal-sided ethernet connectors from now on, as a giveaway that it’s spying on my internet traffic.

    0
    October 11, 2018