Published: Thu, October 11, 2018
Tech | By

Bloomberg claims new evidence of Supermicro server sabotage

Bloomberg claims new evidence of Supermicro server sabotage

One possibility is that someone is lying: either the USA government - after all, the damage to Chinese technology reputation is done, and in that sense, it won't matter if the story is true or not - or the companies.

"It would be incredible for China if it could integrate internal storage, a CPU and wireless communications in such a tiny chip", Zhang Baichuan, a Chinese cybersecurity expert, told SCMP, adding, "The fact is, China's chip technology is still at a primary stage".

'Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server's Ethernet connector, a component that's used to attach network cables to the computer, ' the paper reports Appleboum as confirming, citing 'documents, analysis and other evidence of the discovery' provided by Appleboum to its reporters in support of the claim.

Speaking on the Risky Business security podcast, Fitzpatrick voiced his skepticism at the fact that a theoretical proof-of-concept hack he demonstrated at the Black Hat 2016 conference would be exactly the approach reported by the Bloomberg story - despite the fact that there are plenty of other, more straightforward ways of carrying out a hack. "Supermicro is a victim - so is everyone else", he said.

Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible.

On Monday, Apple sent a letter to Congress reiterating its denial of Bloomberg's report, saying it "has never found malicious chips, "hardware manipulations" or vulnerabilities purposely planted in any server". Neither adage proves nor disproves the claims of a highly sophisticated supply-chain attack infiltrating the world's most powerful organizations. Said factory appears to be one in Guangzhou, China, which Supermicro uses as a subcontractor. "With respect to the recent media reports, we have seen no evidence of any unauthorized components in our products, no government agency has informed us that they have found unauthorized components on our boards, and no customer has reported finding any such unauthorized components". "We are dismayed that Bloomberg would give us only limited information, no documentation, and half a day to respond to these new allegations".


CNET reached out to major USA telecommunications companies for comment on the report.

"It would be incredible for China if it could integrate internal storage, a CPU and wireless communications in such a tiny chip", said Zhang Baichuan, founder of cybersecurity website youxia.org.

Tapping into a private server via the hardware would be a complicated process that also requires a degree of luck, said Li Aijun, chipset head at Intellifusion, a Shenzhen-based provider of artificial intelligence technology created to help police catch traffic violators. "The motherboard only works as it was originally designed and implanting a hacking chip would always result in failure as it was not originally [part of the circuit design]", said Li. But they're reminders that we have a long way to go until this troubling reporting should be taken as fact.

Apple has, however, issued a very strong denial, which has been backed up by reports from the Federal Bureau of Investigation, casting doubt on Bloomberg's claims.

Bloomberg News has received information from security research firm, Sepio Systems, that a prominent USA telecom has also fallen to the Chinese supply chain attack, adding another notch to the People Liberation Army's (PLA) belt.

Like this: