Following an explosive Bloomberg Businessweek report alleging Chinese spies tampered with U.S. technology products made by Amazon, Apple and other prominent firms, the impacted companies have denied any involvement in the debacle.
Another Bloomberg article published Tuesday continues to fan the flames, suggesting that the story is not only real but pervasive. The microchip manufacturer Super Micro is again at the story’s crux. Per last week’s article, the company is alleged to have had its motherboards infiltrated by Chinese malware during the manufacturing process before their export to U.S. markets.
Bloomberg’s source, who is named, unlike the anonymous sources of the previous report, is security expert Yossi Appleboum, who was hired to scan “several large data centers” made by Super Micro and operated by an unnamed telecoms company. Appleboum claims he found additional evidence of the clandestine microchips implanted on the company’s motherboards: surveillance instruments meant to intercept data and spy on America’s biggest tech companies.
The malicious hardware was discovered in August, according to various forms of documentation Appleboum supplied to Bloomberg.
Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.
Appleboum offered a grim assessment of the Chinese supply chain, which dominates the manufacturing sector of the technology industry. “Supermicro is a victim—so is everyone else,” he told Bloomberg. “That’s the problem with the Chinese supply chain.”
Echoing the lines of Apple and Amazon, which each issued stern denials (the former even sent a rebuke of the story to Congress), Super Micro expressed misgivings about Bloomberg’s reporting in a statement:
“We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry… We are dismayed that Bloomberg would give us only limited information, no documentation, and half a day to respond to these new allegations.”
It’s worth noting that while the implications of both reports could be calamitous from a cybersecurity perspective, Appleboum is only one source. Motherboard interviewed several security and international supply chain experts to get a better perspective on the story, and there’s a lot of uncertainty.
Omer Shvartz, a security researcher at Israel’s Ben Gurion University, told Motherboard: “I think a lot of information is missing.”
Similarly, Joe Fitzpatrick, a hardware expert quoted in the original Bloomberg Businessweek story, has cast his own doubts: “I see a lot of details that I gave out of context, so I’m not an expert judge on quality of journalism, but I definitely have my doubts on this one,” he said on the podcast Risky Business.
Originally posted on Popular Mechanics