Apple, Amazon server spy story is wake-up call to security pros

Credit to Author: Jonny Evans| Date: Fri, 05 Oct 2018 04:29:00 -0700

Apple and Amazon have strenuously deniedBloomberg’s claims of a sophisticated hardware exploit against servers belonging to themselves and numerous other entities, including U.S. law enforcement  

Put in very simple terms, the claim is that malicious chips were found inside servers used in data centers belonging to the tech firms.

These chips (it’s claimed) worked to exfiltrate data from those servers, which were themselves sourced from server manufacturer, Super Micro. That company’s server products are/were also used by Amazon, the U.S. government and 30 other organizations. The chips were (it is alleged) put in place by employees bribed by Chinese government agents.

If that’s true this constitutes a severe security incident. The reporters claim to have a number of witnesses to these events, though all parties strenuously deny the allegations.

To get up to date, read these reports:

Here are some thoughts on the claims:

Apple, Amazon, Super Micro have all issued strongly-worded statements in which they refute these allegations (above). Not only will those rebuttals have gone through a rigorous legal screening process to ensure veracity, but the fact that government agencies may also have been hit means the legal side of this matter must be a high-stakes game.

Apple’s statement concedes a previously-reported 2016 incident when the company found an infected driver on a single Super Micro server in one of its labs, but says this was found to be “accidental and not a targeted attack against Apple”.

The denials are so strenuous that it seems reasonable to think that if the Bloombergreport does turn out to be true, then all three tech firms must be telling untruths. I don’t feel that’s likely.

The world is full of hackers, cybercriminals and spies. Governments spy on their own people and on each other. Security is always being tested in a multitude of different ways.

This is why strategically-important entities like Apple have their own incident response teams tasked with monitoring their systems for any signs of the kind of data exfiltration mentioned in this report.

Apple is well aware of the nature of an Advanced Persistent Threat (APT) in which an intruder has found a way to lurk surreptitiously inside a company’s systems to steal secrets and intellectual property.

The company says it works to “constantly fortify” itself against increasingly sophisticated attacks. This would also include attempts to insert malware (or fake components) inside new machines it placed inside its networks, such as Bloomberg’s claimed “spy chips”.

It would seems strange the neither Apple nor Amazon would notice the unusual network activity that would be generated by a processor hack like this.

The Register’sKieren McCarthy has an interesting takeon the physical capabilities of the kind of chip described by Bloomberg. It’s well worth a read.

His conclusion is that while the exploit may be possible, it is extremely complex and the rogue chip described in the report would be a technically highly complex piece of hardware to create.

I can’t help but think that if government spies went to the trouble and expense of creating a spy-chip like the one described in the report then they’d be likely to also attempt to install it into servers belonging to other major companies, such as Microsoft or Google. It seems more likely they would than that they wouldn’t.

The primary source seems to come from a tech/government meeting of a few dozen people that took place in 2015. Bloomberghas taken this story and added evidence garnered from other sources to craft its claims, in which it cites anonymous insiders from Apple, Amazon, and U.S. law enforcement.

I can’t help but wonder why it has no input from other major tech companies who would be more likely to be impacted, given their cloud-based enterprise offerings – if the rogue processor exists at all, why wouldn’t similar attempts also be made against Cisco, Google, Microsoft, Oracle? Were contacts at those companies asked about this story? To what extent have these claims emerged from competitors of the named firms who may also have attended that meeting?

The story also hinges on a report witnesses told Bloomberg exists but the reporters do not claim to have seen: “Where did this alleged report come from? Who commissioned it? Who wrote it? Should we trust who claims to have seen it?” asks McCarthy.

I’ve written about Apple for decades. I’ve seen claims come and I’ve seen claims go. With that in mind I find it difficult to understand why the company has chosen to comment on this occasion. It would not be unusual for it to decline comment on grounds of ‘national security’. That is has commented suggests (as the company states) that it is not under any form of gagging order on this matter – which I’d imagine it would be if this story were true.

True or false, I think the report illustrates several matters that should inform any enterprise security professional’s outlook:

Signing-off, I’m not personally convinced Bloomberg has its story straight on this matter, but the tale helps illustrate the complex security environment of our increasingly connected yet tragically polarized age.

Google+? If you use social media and happen to be a Google+ user, why not join AppleHolic’s Kool Aid Corner community and get involved with the conversation as we pursue the spirit of the New Model Apple?

Got a story? Please drop me a line via Twitter and let me know. I’d like it if you chose to follow me on Twitter so I can let you know about new articles I publish and reports I find.

http://www.computerworld.com/category/security/index.rss