{"id":13535,"date":"2018-10-07T06:30:07","date_gmt":"2018-10-07T14:30:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/10\/07\/news-7302\/"},"modified":"2018-10-07T06:30:07","modified_gmt":"2018-10-07T14:30:07","slug":"news-7302","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/10\/07\/news-7302\/","title":{"rendered":"Apple, Amazon server spy story is wake-up call to security pros (u)"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/08\/server_virtualization_virtual_data_center_storage_by_henrik5000_gettyimages-175015817_1200x800-100768153-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Jonny Evans| Date: Fri, 05 Oct 2018 04:29:00 -0700<\/strong><\/p>\n<p>Apple and Amazon have strenuously denied\u00a0Bloomberg\u2019s claims of a sophisticated hardware exploit against servers belonging to them and numerous other entities, including U.S. law enforcement \u00a0<\/p>\n<p>Put in very simple terms, the claim is that malicious chips were found inside servers used in data centers belonging to the tech firms.<\/p>\n<p>These chips (it\u2019s claimed) worked to exfiltrate data from those servers, which were themselves sourced from server manufacturer Super Micro. That company\u2019s server products are\/were also used by Amazon, the U.S. government, and 30 other organizations. The chips were allegedly put in place by employees bribed by Chinese government agents.<\/p>\n<p>If that\u2019s true, this constitutes a severe security incident. The reporters claim to have a number of witnesses to these events, though all parties strenuously deny the allegations.<\/p>\n<p>To get up to date, read these reports:<\/p>\n<p>Here are some thoughts on the claims:<\/p>\n<p>Apple, Amazon, and Super Micro have all issued strongly worded statements in which they refute these allegations (above). 
Not only will those rebuttals have gone through a rigorous legal screening process to ensure veracity, but the fact that government agencies may also have been hit means the legal side of this matter must be a high-stakes game.<\/p>\n<p>Apple\u2019s statement concedes a previously reported 2016 incident when the company found an infected driver on a single Super Micro server in one of its labs, but it said this was found to be \u201caccidental and not a targeted attack against Apple.\u201d<\/p>\n<p>The denials are so strenuous that it seems reasonable to think that if the Bloomberg report does turn out to be true, then all three tech firms must be telling untruths. I don\u2019t feel that\u2019s likely.<\/p>\n<p>The world is full of hackers, cyber criminals, and spies. Governments spy on their own people and on each other. Security is always being tested in many different ways.<\/p>\n<p>This is why strategically important entities like Apple have their own incident response teams tasked with monitoring their systems for any signs of the kind of data exfiltration mentioned in this report.<\/p>\n<p>Apple is well aware of the nature of an advanced persistent threat (APT) in which an intruder has found a way to lurk surreptitiously inside a company\u2019s systems to steal secrets and intellectual property.<\/p>\n<p>The company says it works to \u201cconstantly fortify\u201d itself against increasingly sophisticated attacks. 
This would also include attempts to insert malware (or fake components) inside new machines it placed inside its networks, such as Bloomberg\u2019s claimed \u201cspy chips.\u201d<\/p>\n<p>It would seem strange that neither Apple nor Amazon would notice the unusual network activity that would be generated by a processor hack like this.<\/p>\n<p>The Register\u2019s Kieren McCarthy has an <a href=\"https:\/\/www.theregister.co.uk\/2018\/10\/04\/supermicro_bloomberg\/?page=1\" rel=\"nofollow\">interesting take<\/a> on the physical capabilities of the kind of chip described by Bloomberg. It\u2019s well worth a read.<\/p>\n<p>His conclusion is that while the exploit may be possible, it is extremely complex, and the rogue chip described in the report would be a technically demanding piece of hardware to create.<\/p>\n<p>I can\u2019t help but think that if government spies went to the trouble and expense of creating a spy chip like the one described in the report, then they\u2019d be likely to also attempt to install it into servers belonging to other major companies, such as Microsoft or Google. It seems more likely they would than that they wouldn\u2019t.<\/p>\n<p>The primary source seems to come from a tech\/government meeting of a few dozen people that took place in 2015. Bloomberg has taken this story and added evidence garnered from other sources to craft its claims, in which it cites anonymous insiders from Apple, Amazon, and U.S. law enforcement.<\/p>\n<p>I can\u2019t help but wonder why it has no input from other major tech companies that would be more likely to be impacted, given their cloud-based enterprise offerings. If the rogue processor exists at all, why wouldn\u2019t similar attempts also be made against Cisco, Google, Microsoft, and Oracle? Were contacts at those companies asked about this story? 
To what extent have these claims emerged from <a href=\"https:\/\/blogs.computerworld.com\/article\/3308677\/apple-is-the-future-of-enterprise-it-salesforce-deal-confirms.html\" rel=\"nofollow\">competitors of the named firms<\/a> who may also have attended that meeting?<\/p>\n<p>The story also hinges on a report that witnesses told Bloomberg\u00a0exists but the reporters do not claim to have seen. \u201cWhere did this alleged report come from? Who commissioned it? Who wrote it? Should we trust who claims to have seen it?\u201d asks McCarthy.<\/p>\n<p>I\u2019ve written about Apple for decades. I\u2019ve seen claims come, and I\u2019ve seen claims go. With that in mind, I find it difficult to understand why the company has chosen to comment on this occasion. It would not be unusual for it to decline comment on grounds of &#8220;national security.&#8221; That it has commented suggests (as the company <a href=\"https:\/\/www.apple.com\/newsroom\/2018\/10\/what-businessweek-got-wrong-about-apple\/\" rel=\"nofollow\">states<\/a>) that it is not under any form of gagging order on this matter \u2014 which I\u2019d imagine it would be if this story were true.<\/p>\n<p>True or false, I think the report illustrates several matters that should inform any enterprise security professional\u2019s outlook:<\/p>\n<p>Signing-off, I\u2019m not personally convinced Bloomberg has its story straight on this matter, but the tale helps illustrate the complex security environment of our increasingly connected yet tragically polarized age.<\/p>\n<p><em>Updated October 7 with Department of Homeland Security rejection of Bloomberg claims.<\/em><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3311560\/security\/apple-amazon-server-spy-story-is-wake-up-call-to-security-pros-u.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/08\/server_virtualization_virtual_data_center_storage_by_henrik5000_gettyimages-175015817_1200x800-100768153-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Jonny Evans| Date: Fri, 05 Oct 2018 04:29:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>Apple and Amazon have strenuously denied\u00a0Bloomberg\u2019s claims of a sophisticated hardware exploit against servers belonging to them and numerous other entities, including U.S. law enforcement \u00a0<\/p>\n<h2><strong>Chinese, Apple and chips<\/strong><\/h2>\n<p>Put in very simple terms, the claim is that malicious chips were found inside servers used in data centers belonging to the tech firms.<\/p>\n<p>These chips (it\u2019s claimed) worked to exfiltrate data from those servers, which were themselves sourced from server manufacturer Super Micro. That company\u2019s server products are\/were also used by Amazon, the U.S. government, and 30 other organizations. 
The chips were allegedly put in place by employees bribed by Chinese government agents.<\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11078,12391,714],"class_list":["post-13535","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-apple-mac","tag-data-center","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13535","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13535"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13535\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13535"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13535"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13535"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}