Beyond Fabricated Spyware Tales

by Jean-Louis Gassée
Without offering hard evidence, Bloomberg claims Apple, Amazon, and other large US companies have been the victims of hardware spyware installed on some servers. The “victims” and others adamantly disagree. This will not end well for Bloomberg.
Let’s start with a quick and, by necessity, fragmentary summary.
On October 4th, Bloomberg publishes a 5,000-word story ominously titled The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies. The article contends that almost 30 US businesses, including Apple and Amazon, have been the victims of a sophisticated Chinese hardware hack. A tiny chip, discreetly inserted on server motherboards manufactured by Taiwanese-American Supermicro, “allowed the attackers to create a stealth doorway into any network that included the altered machines”.
Breathless prose follows.
“…the discovery [sent] a shudder through the intelligence community…”
“…a major bank, government contractors, and the world’s most valuable company, Apple Inc….”
“…Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships…”
“…China’s goal was long-term access to high-value corporate secrets and sensitive government networks…”
“…operatives from a unit of the People’s Liberation Army…”
“…black magic…”
Terrifying…if true.
Apple immediately issues a rebuttal:
“The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found ‘malicious chips’ in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims.”
Apple’s strongly-worded, detailed statement is worth reading in its entirety for it leaves no loophole, none of the customary non-denial denials. Uncharacteristic for the normally tight-lipped company, Apple goes even further in the communiqué’s final pointed denial:
“…in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.”
In other words, let’s not hear any conspiracy theories about complicity between Apple and US (and foreign, while we are at it) government security agencies. (To no avail, of course: “Apple has a new chief counsel. Hmm the plot thickens”.)
Amazon also rebutted Bloomberg’s story, as did US and UK security agencies. After a second Bloomberg story alleging more spyware had been found on US telecom companies’ servers, so did AT&T and Verizon.
Since the very beginning, I’ve felt queasy about the Bloomberg allegations.
First, there is Bloomberg’s history of publishing clickbait Apple stories, energetically recounted by Daniel Eran Dilger. Such rumor-mongering probably dates back to Bloomberg’s hiring of prolific 9to5Mac “scoop machine” Mark Gurman, and we can be sure it paid off in traffic, if not in reputation.
With these past lapses in mind, let’s compare risks.
What does Bloomberg risk if its tale, told and later defended in an authoritative tone, proves to be nothing more than salacious rumors woven together for their advertising value?
Not much. Readers shrug, the media washer-dryer quickly moves to a new load, the kommentariat tut-tuts, but not too loudly for fear of fingers pointed back.
But if there’s a hint of truth in the story? Apple took a strong stance in its PR communiqué; more recently, Tim Cook himself has asked Bloomberg to retract its spyware story. It’s difficult to believe that Apple and Tim Cook would be reckless enough to risk severe and lasting damage to their generally clean corporate and personal reputations.
That should be the end of Bloomberg’s story…but there’s more, or less: The Missing Chip.
Supermicro sold tens of thousands of server motherboards to the US companies mentioned in the story. Were they all infected with the offending spyware chip? Probably not, but there must have been thousands of motherboards released into the wild with the purported mission of penetrating US infrastructures. Yet, despite “more than a year of reporting” and “more than 100 interviews…including government officials and insiders at the companies” (from Bloomberg’s reply to Tim Cook), Bloomberg and its (anonymous) sources were unable to come up with a single infected motherboard.
A missing weapon doesn’t mean the crime didn’t happen. But not finding any weapons after thousands of crimes should have troubled the authors — or, more important, their hierarchy of editors.
The fracas dredged up old musings on large scale spyware operations. How would one go about compromising a microprocessor?
What if someone managed to hide a “mole” inside an Intel or Apple microprocessor? By mole I mean a logic module hidden in the processor’s immense forest of gates. With billions of transistors, a modern CPU chip layout is beyond the comprehension of any single individual, not unlike the incomprehensible logic maze of an operating system. In theory, a well-resourced pirate could bribe or compromise one of the designers and get a well-crafted bug inserted into the processor’s logic, lying in wait for a signal to wake up.
This is theoretically possible and definitely alarming: Imagine our computers, tablets, and phones ready to be enslaved, spilling our data with a single call from a pirate or even a state. But, as a knowledgeable friend remarked, CPU designers at Intel and Apple (and others of similar size) work in teams; everyone’s work is checked and rechecked by others.
The “compromised individual” tale may be a fable, but what if the “compromise” is intentional? Many believe that large CPU features such as Intel’s Management Engine (a tiny computer and system software inside the CPU) are proof that processor backdoors exist, that the NSA might have had — or still has — its own way inside our machines. What if someone discovers or steals the NSA’s backdoor key and puts it to their own use? Food for somber meditations.
Thoughts don’t get more joyous when moving to smaller CPU chips. Modern chip design software allows a very small team, down to one individual perhaps, to design a small ARM CPU for the smaller connected devices in our homes and offices, for the controllers inside street cameras, and for computer peripherals such as a hard-disk controller destined to live inside a server. The “compromised individual” tale may not be so fantastic after all. With a little bit of luck, we might catch peculiar network traffic…but who among us knows how to monitor and make sense of network packet streams?
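The closing question above is answerable in practice: the usual first step in catching a hidden implant that phones home is not to read raw packets but to compare a device's outbound connections against what it is documented to do, and to look for the suspiciously regular timing of a beacon. The script below is an added example, not code from the original post or from any company it mentions. The host addresses, the per-host baseline, and the flow records are all constructed for illustration (198.51.100.7 is from a documentation-only address range), and the two checks it implements, an egress allow-list comparison and a simple interval-regularity test, are generic defender techniques rather than anything the article describes.

```python
"""Egress-baseline and beacon-regularity check over constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since start of capture
    src: str       # source host
    dst: str       # destination host
    dport: int     # destination port
    nbytes: int    # bytes sent


# Constructed sample flow log for one hypothetical server (10.0.1.20).
# Its documented job: talk to a database (10.0.1.5:5432) and an update mirror
# (10.0.2.10:443). The small flows to 198.51.100.7 (a documentation-only
# address range) every 600 s are the planted anomaly this example surfaces.
SAMPLE_FLOWS = [
    Flow(37, "10.0.1.20", "10.0.1.5", 5432, 4120),
    Flow(142, "10.0.1.20", "10.0.1.5", 5432, 8800),
    Flow(300, "10.0.1.20", "198.51.100.7", 8443, 312),
    Flow(380, "10.0.1.20", "10.0.1.5", 5432, 1500),
    Flow(401, "10.0.1.20", "10.0.2.10", 443, 51200),
    Flow(900, "10.0.1.20", "198.51.100.7", 8443, 305),
    Flow(999, "10.0.1.20", "10.0.1.5", 5432, 2210),
    Flow(1500, "10.0.1.20", "198.51.100.7", 8443, 318),
    Flow(1733, "10.0.1.20", "10.0.2.10", 443, 47000),
    Flow(2100, "10.0.1.20", "198.51.100.7", 8443, 309),
    Flow(2700, "10.0.1.20", "198.51.100.7", 8443, 311),
]

# Per-host baseline (constructed): the (destination, port) pairs each host
# is expected to contact. Anything else from that host is worth a look.
EXPECTED_EGRESS = {
    "10.0.1.20": {("10.0.1.5", 5432), ("10.0.2.10", 443)},
}


def unexpected_flows(flows, expected):
    """Flows from a baselined host to a destination/port outside its allow-list."""
    return [f for f in flows
            if f.src in expected and (f.dst, f.dport) not in expected[f.src]]


def beacon_candidates(flows, min_count=4, max_jitter=0.1):
    """(src, dst, dport) peers contacted at near-constant intervals.

    Implants commonly phone home on a timer; legitimate traffic is rarely
    that regular. A peer qualifies when it has at least min_count flows and
    the spread of the gaps between them is within max_jitter of the mean gap.
    Returns a dict keyed by the peer tuple with flow count and mean period.
    """
    by_peer = defaultdict(list)
    for f in flows:
        by_peer[(f.src, f.dst, f.dport)].append(f.ts)
    found = {}
    for key, stamps in by_peer.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            found[key] = {"count": len(stamps), "period": period}
    return found


def report(flows=SAMPLE_FLOWS, expected=EXPECTED_EGRESS):
    """Combine both checks into a list of human-readable findings."""
    lines = []
    for f in unexpected_flows(flows, expected):
        lines.append(f"t={f.ts}: {f.src} -> {f.dst}:{f.dport} not in baseline")
    for (src, dst, dport), info in beacon_candidates(flows).items():
        lines.append(f"{src} -> {dst}:{dport} looks periodic: "
                     f"{info['count']} flows every ~{info['period']:.0f}s")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

On the constructed log the allow-list check flags the five flows to 198.51.100.7 and the regularity check independently reports the same peer as periodic (five flows, 600 s apart), while the irregularly timed database queries and the two mirror downloads pass both tests. Real deployments feed this kind of logic from NetFlow or IPFIX exports rather than a hand-written list, and the baseline is the hard part: it has to come from what each device is actually supposed to do, which is exactly the question the article says few people are equipped to answer.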
Just as we are waking up to a panopticon reality of cameras watching (and recognizing) us with ever greater accuracy, we might want to think about how much trust we’re willing to grant the growing number of connected objects in our lives. Beyond the device maker’s avowed goals, which are problematic enough, what should we think of the potential for unauthorized use by unknown masters of the moles living inside our devices?
These are interesting topics for genuine investigative reporting with sources, theses, and rebuttals, hard evidence and fact-checking. Real journalism.
— JLG@mondaynote.com