Bloomberg said that its sources were key to its decision to run the Chinese spy chip story, the site writing that ‘17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks.’
However, one of the named sources – a security researcher who seemingly backed the claims – has said that his comment was taken out of context, and he actually told the site that what it was describing to him “didn’t make sense” …
Hardware security expert Joe Fitzpatrick was quoted in the piece saying “the hardware opens whatever door it wants.” But speaking on the podcast Risky Business, he painted a very different picture.
Fitzpatrick says that he spent a lot of time explaining to Bloomberg how such attacks could, in principle, be carried out. When the piece was published, he was expecting to read about how this specific hack was achieved. Instead, he said, Bloomberg appeared to be parroting the precise theory he had outlined.
I spent a lot of time going back and forth explaining how hardware implants worked. And as any researcher is excited to talk about their work, I was delighted to have someone who seemed interested to actually learn about how things worked as opposed to only looking for the buzzword byline that you wanted to throw into a story […]
But what really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at Black Hat two years ago worked […]
It was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100% of what I described was confirmed by sources.
He said the same was true of the image Bloomberg provided of the supposed spy chip.
In September when he asked me like, “Okay, hey, we think it looks like a signal amplifier or a coupler. What’s a coupler? What does it look like?” […] I sent him a link to Mouser, a catalog where you can buy a 0.006 x 0.003 inch coupler. Turns out that’s the exact coupler in all the images in the story.
When reporter Jordan Robertson outlined more of the story he planned to run, Fitzpatrick told him it didn’t make sense.
So late August was the first time Jordan disclosed to me some of the attackers in the story. I heard the story and it didn’t make sense to me. And that’s what I said. I said, wow, I don’t have any more information for you, but this doesn’t make sense. I’m a hardware person. My business is teaching people how to secure hardware. Spreading hardware fear, uncertainty and doubt is entirely in my financial gain. But it doesn’t make sense because there are so many easier ways to do this. There are so many easier hardware ways, there are software, there are firmware approaches. The approach you are describing is not scalable. It’s not logical. It’s not how I would do it. Or how anyone I know would do it.
[He wrote to Robertson] Are you sure there is actually an additional hardware component […] It’s trivial to modify the firmware of most BMCs and many of them are trivial to exploit remotely because of the poor quality outdated software they run. The attack you describe could easily be implemented in BMC firmware. It would be just as stealthy and far less costly to design and implement. If they were really implants, are you sure they were malicious?
Fitzpatrick gave Robertson several more likely explanations for what Bloomberg’s sources claimed to have seen, all of them perfectly ordinary.
For example putting two pieces of silicon in a single package makes sense when one of them is flash storage and the other is a microcontroller. But an experienced observer could easily jump to the conclusion that it’s a hardware implant. Likewise, lots of small components are actually several components manufactured into a single package for ease of use.
He also explained the context of the one-line quote Bloomberg used.
You put hardware in a device to help you persist the software, the malware. You don’t put hardware in a device to do the whole attack, you put hardware in the device to unlock the keys, to elevate the privileges on the shell, to open the network port and then you take a software or remote approach to do the rest of the work. And I think that’s the context of that quote.
His overall take on the piece is that the technical details are ‘jumbled’ and ‘they’re not outright wrong, but they are theoretical […] I definitely have my doubts on this one.’