2018/10/04: The story, which has been a year in the making and covers events it says happened three years ago, had a huge impact on the markets: the company at the center of the story, San Jose-based Super Micro, saw its share price drop by nearly 50 per cent; likewise Apple's share price dropped by just under two per cent, and Amazon's dropped by more than two per cent.
But the article has been strongly denied by the three main companies involved: Apple, Amazon, and Super Micro. Each has issued strong and seemingly unambiguous statements denying the existence and discovery of such chips or any investigation by the US intelligence services into the surveillance implants.
These statements will have gone through layers of lawyers to make sure they do not open these publicly traded corporations to lawsuits and securities fraud claims down the line. Similarly, Bloomberg employs veteran reporters and layers of editors, who check and refine stories, and has a zero tolerance for inaccuracies.
So which is true: did the Chinese government succeed in infiltrating the hardware supply chain and install spy chips in highly sensitive US systems; or did Bloomberg's journalists go too far in their assertions?
2018/10/08: That Businessweek decided to run a story accusing the country of espionage may be a reaction to those accusations, or it may speak to how solid its editors felt about the reporting.
admission of guilt here about failing to either detect the hack or proactively tell the public about it would be pretty damaging to the reputations of all the victims. It has since emerged that Businessweek’s report had some questionable elements, including a chart that took pretty broad artistic license with how the hack would have worked, but Bloomberg stands by its reporting. Who is right?
Maybe the most important thing to remember here is not the strict truth of what happened, but that the story resonates because — not to be a conspiracy theorist — it is eminently plausible.
It already appears from the story that these companies may have done significant work to quietly settle the issue with the government directly.
All that said, it also seems plausible that Businessweek’s sources (the people working for the respective companies and government divisions at the time the story was reported) have no fucking idea what they are talking about (security authorities are divided on whether this hack would work, why anyone would even do it this way, and whether Businessweek is fully, accurately describing it).
it’s not hard to imagine someone “with knowledge of the situation” overhearing a conversation about a malfunctioning chip, which is how both Apple and Amazon explained the story away, and misunderstanding it to mean willful surveillance by whatever political interest might have supplied it.
2018/10/04: Bloomberg accuses the PLA of hardware tampering supply chain attacks. If this is at all true, it is a pretty big deal. If it is completely false, it is still a pretty big deal (but thats between Bloomberg’s lawyers and SuperMicro, the company allegedly shipping the hacked server boards.) Supply chain attacks are a scary vulnerability because the root of trust has to start somewhere, and if it starts in a no-name Chinese subcontractor factory…it’s maybe not the ideal foundation. I’ve attempted to collect as much info actual information as I can based on the Bloomberg statement:
The illicit chips … were connected to the baseboard management controller
Before the wild speculation though, it must be mentioned that the story is short on evidence and high on flat out denials.
Update: more evidence from an earlier Ars Technica article seems to support the Bloomberg report.
Update: Amazon is pretty emphatic that everything Bloomberg said about them and Supermicro is wrong.