The latest instalment of the Bloomberg spy chip story was based on a misunderstanding, according to a former cybersecurity specialist at GCHQ – the UK equivalent of the NSA …
Bloomberg originally published a sensational story back in 2018 which claimed that Chinese spy chips had been found by Apple in its iCloud servers, and in Amazon servers too. Apple and Amazon both said that the story was untrue, and – as we noted yesterday – they were not alone.
Denials of the story were rapid and overwhelming. Apple said it had fully investigated the claims, and later provided off-the-record details of that investigation. I explained at the time the five reasons I believed Apple, with four more reasons emerging to make it abundantly clear that the Cupertino company was telling the truth.
It wasn’t just Apple denying the claim. The Department of Homeland Security did the same. One of Bloomberg’s sources told them the story made no sense. The NSA added its denial. A deep-dive analysis found the claims to be impossible. A Super Micro audit found no spy chips.
But a follow-up piece was published last week, in which it said that these spy chips had been found in U.S. Department of Defence servers. The details were slightly modified: instead of standalone spy chips, this time the paper said that spy code had been embedded into the design of BIOS chips.
Bloomberg spy chip story based on misunderstanding
One of the suggestions at the time was that Bloomberg had misunderstood what its own sources had told it. In particular, one source said that he outlined a theoretical possibility which the paper then reported as fact. They even use an innocuous component photo he had supplied to them. He offered it purely as an example of the type of chip that might be used, but its use in the piece gave the impression that physical evidence existed.
Matt Tait, a former cybersecurity specialist at GCHQ (Government Communications HeadQuarters), has said the same is true of the revised report. Tait is now a senior cybersecurity fellow at the Robert S. Strauss Center for International Security and Law, and his CV also includes a stint in Google’s cybersecurity team, Project Zero.
He opened a Tweetstorm with a summary of his view.
Oh man, guess we have to do supermicro chip saga again. tl;dr is a source misunderstood an FBI defensive briefing on China’s supply chain activities, leaked it to the press, and Bloomberg has again failed to do the work necessary to verify the sensational claims, because they mistake impressive credentials with domain expertise.
He then goes on to talk through ‘why it’s BS.’
He says that although there are some impressive-sounding sources in the piece, absolutely none of them has any first-hand knowledge – and many of them aren’t likely to be qualified to validate the claims they have heard.
Tait acknowledges that some of the claims have a reasonable basis for reporting. Even without evidence, the fact that credible people are saying they were briefed on something is worth noting. But he goes on to outline the huge difference between what was said to have been said (sometimes said to have been said to have been said to have been said!), and any credible evidence of the claims.
He ends by challenging Bloomberg to provide actual evidence.
This story is too big, and the refutations too blunt and too numerous to support on this level of third- and fourth-hand sourcing. If they have documents: go for it. Make fools of Apple, Amazon, FBI, NSA, DHS and ODNI by publishing them. Otherwise, this story should not have run.
Photo by Vishnu Mohanan on Unsplash