National security experts have “no reason to doubt” Apple over Chinese spy chip claims
Apple, Amazon and 30 other US tech companies may have been compromised by a Chinese-made spy chip inserted into their server hardware. That’s according to a Bloomberg report on the matter that went public last week. Since the report, Apple and Amazon have refuted such claims and now the US Department of Homeland Security and the UK’s National Cyber Security Centre have come out in support of both companies.
As far as both organisations are concerned, neither Apple nor Amazon knew about or were victim to infiltration by Chinese surveillance chips.
“The Department of Homeland Security is aware of the media reports of a technology supply chain compromise,” reads a DHS statement. “Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story.
“Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely”.
Speaking to Reuters, the UK’s National Cyber Security Centre explained that they have “no reason to doubt the detailed assessments made by AWS and Apple”. This doesn’t mean it’s just resting on its laurels though. “The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us”.
That does not categorically rule out the chance of Chinese spying chips infiltrating the motherboards of server parts supplier Supermicro. But it would suggest that both Apple and Amazon had not fallen foul of China’s alleged attempts to infiltrate a significant technology supply chain in the US.
The statements from the DHS and NCSC also suggest that there has been no official investigation into China’s alleged hardware surveillance. Though it is worth noting that if an ongoing investigation is in effect it may be kept under wraps by the investigating agencies so as not to tip off the potential infiltrators, state-sponsored or otherwise.
“Nothing was ever found”
Apple also issued a letter to Congress, reiterating that it had found no evidence of tampering in its servers. Apple’s VP for IT Security, George Stathakopoulos wrote that “Apple’s proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found”.
Bloomberg has thus far stood by its report, which cites multiple unnamed sources, whose anonymity is likely due to their whistleblowing as opposed to questionable legitimacy.
But without any official backing, the publication’s investigation has been called into question, and further evidence will likely be needed if the report is going to prompt any major cyber security investigations by official bodies.
Original Story (from 5/10/2018)
Apple, Amazon and other US tech companies may have had their cloud systems compromised in a hack that could go down as one of the largest in history, despite their staunch denial of being compromised.
Their entire businesses could have been affected due to a tiny microchip covertly installed onto Supermicro server motherboards, without the manufacturer’s knowledge. The news comes from a Bloomberg report that blew the case wide open, alleging that Chinese operatives used the chips to conduct clandestine snooping on major US companies.
Supermicro, once heralded as one of the fastest-growing IT infrastructure companies in America, supplies the likes of Amazon and Apple with its server motherboard technologies. Apple claims it severed its ties with the component supplier in 2016, but it’s unclear how or why it decided to do so.
According to the in-depth report, three “senior insiders at Apple” said that in summer 2015, the company found the spying chips on the Supermicro motherboards it uses. However, Apple has since denied this in a statement to Bloomberg: “On this, we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
In summer 2015, Apple began removing all Supermicro servers from its data centres. To most observers, this would suggest that there was indeed a malicious chip in them, though Apple also denies this.
In Amazon’s case, the report claims the spying chips found their way into servers used for Amazon Web Services (AWS) through the acquisition of server assembler Elemental, which used Supermicro motherboards and provided servers to US national security. In a due diligence process ahead of completing the acquisition, testing of Elemental’s servers revealed the existence of a microchip around the size of a grain of rice that was not part of the server’s motherboard design.
Amazon told Bloomberg that, despite the comments of the sources, it had no knowledge of the spying chips on Elemental’s servers. “It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental,” said Amazon.
However, Amazon had reportedly alerted US authorities to the presence of the malicious chip, given Elemental’s servers could be found in the Department of Defense data centres and on the networks of US Navy warships.
This then prompted a top-secret probe which noted that the chips allowed a clandestine backdoor to be created into any network that used servers with the tiny spying chip onboard. That investigation revealed that nearly 30 US companies had fallen foul of infected servers.
According to multiple Bloomberg sources, these chips wound up in Supermicro motherboards due to use of Chinese subcontractors.
Two US officials, according to Bloomberg, noted that after a lengthy investigation it was concluded that this infection of a major US computer supply chain was orchestrated by China’s People’s Liberation Army, with the ultimate goal to spy on US government activity.
Somewhat unsurprisingly, China has denied this is the case and noted it too was a victim of such snooping.
Despite retorts to the report, Bloomberg noted that “six current and former senior national security officials” described the discovery of the spying chips through a government investigation. “Two people inside AWS” also provided “extensive information on how the attack played out at Elemental and Amazon”, and, alongside the three Apple insiders, four of the six US officials confirmed Apple was indeed a victim of China’s alleged spying activity.
Clandestine chip claims refuted
Despite Bloomberg presenting what appears to be solid and detailed evidence, Apple and Amazon both published lengthy statements denying the presence of the malicious chip and describing Bloomberg’s report as incorrect.
“Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple,” Apple said in a statement refuting Bloomberg’s claims. “Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them.
“We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple. We did not uncover any unusual vulnerabilities in the servers we purchased from Super Micro when we updated the firmware and software according to our standard procedures,” Cupertino added.
“We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed,” the statement explained. “Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.”
Amazon also refuted Bloomberg’s report, highlighting what it claims to be major inaccuracies in an “erroneous” article.
“As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue,” said Steve Schmidt, chief information security officer at Amazon, in a statement on the matter. “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government”.
Meanwhile, Supermicro denied any knowledge of the issue or investigation: “While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard.
“We are not aware of any customer dropping Supermicro as a supplier for this type of issue.”
In previous cases, the responses companies normally tout at the beginning of such security revelations are vague and lack detail. But in this example all three, Apple in particular, have been detailed and assertive in their responses, which raises questions about the validity of Bloomberg’s report and whether some misinformation led it to such a conclusion.
Supply chain infiltration
Despite the denials of the major companies, it would appear there is still considerable evidence to suggest that servers belonging to Amazon and Apple were infected with the spying chips. If the report does stand up to scrutiny, the compromising of Supermicro would be one of the largest attacks ever against the US server supply chain.
The malicious chips themselves were not found to be extracting any data from infected servers, but appear to be contacting an external source for check-in communications. This indicates that they were either waiting to be used in a backdoor related cyber attack or that the snooping had already begun before the chips were detected.
Infecting a supply chain on a hardware level is an extremely complex process and one that requires a deep knowledge of the target nation’s supply chain, not to mention considerable resources in order to pull such an infiltration off. As such, it would likely take a nation-state sponsored group to carry out such an operation, particularly as Bloomberg’s report noted that Chinese subcontractors were subject to bribes, pressure and threats from middlemen allegedly working for the People’s Liberation Army.
But detecting the presence of the breaches in supply chains is equally challenging, as Bloomberg reported that experts have said there is no commercially viable way to detect malicious chips.
Companies could use fewer servers and check each one in detail, but that’s time-consuming and could leave them short on resources. Alternatively, they could get in the needed resources but knowingly take on the risks of not carrying out granular investigations into each bit of hardware they acquire. In short, there’s no straightforward solution to the problem – particularly when a lot of technology firms and their enterprise customers rely on parts created in China.
“In this case, the adversary would be tampering with a component that plays a troubleshooter role within systems and data centres,” explained Steve Grobman, chief technology officer at McAfee in a statement to Alphr. “This means that this small component among dozens has high levels of access to any number of other components and processes across dozens of systems.
“If an adversary was to break the design chain of trust here, it enables him to implant logic or instructions that could enable him to spy on us undetected. He could access tremendous amounts of data from those other links and gain tremendous insights about organizations and people reliant upon them.”
Grobman noted there needs to be a degree of caution and to a certain extent paranoia when assessing the potential of breaches in supply chain cyber security.
“In cyber security, we already face the challenge of vulnerabilities that were accidentally introduced into products. We must never forget to question what an adversary might do to tamper with supply or design chains, even in areas such as open source software, where an adversary could introduce defects that practically an entire industry might use for many years,” he said.
“We need greater levels of transparency around technology design. We need greater visibility into what different components do, and how. We need greater visibility into what they should and shouldn’t be doing. There needs to be a greater understanding and effort to secure the most sensitive components of every technology upon which we rely every day.”
How exactly that could be achieved isn’t clear, but in this case, it highlights that cyber security and advanced hacking techniques are very much the future of clandestine activity and, potentially, warfare.