As the cybersecurity world is grappling to digest the facts surrounding Bloomberg’s Chinese microchip story last week, the news giant on Tuesday released new evidence to back the troubling claim. The fresh evidence reports that a major US telecommunications company in August found data-sniffing chips inside its network, comprised of hardware supplied by Super Micro Computer Inc.
The previous Bloomberg’s report, which is yet to be verified, alleged that China is sabotaging critical technology components bound for America and had secretly implanted malicious chips into the motherboards of servers used by dozens of US telecom companies, including Apple and Amazon. The report didn’t name any company but cited a classified agreement between the anonymous company and the security firm it hired to perform the scan of its data centers.
T-Mobile, Sprint and AT&T have all denied they were not the company Bloomberg is referring to, according to Ars, while Motherboard has also reported that Verizon, Comcast, Cox Communications and CenturyLink have all confirmed the microchip story is not talking about them.
Security expert Yossi Appleboum, the cofounder of security firm Sepio Systems, Maryland, provided the documents, analysis and other evidence backing Bloomberg’s Tuesday claims. According to the report, through physical inspections, Sepio Systems found an implant built into an Ethernet connector of a server designed by Supermicro after detecting unusual communications from the server while performing a scan. Bloomberg in last week’s report alleged that the motherboards designed by Supermicro were particularly those modified to include a microchip by operatives of People’s Liberation Army China to enable attackers to control the attached servers.
The spy-bearing Ethernet connector has metal sides and not the usual plastic ones; this helps the hidden chip acting as a mini computer to dissipate heat. “The module looks really innocent, high quality and ‘original’ but it was added as part of a supply chain attack,” Bloomberg quotes Appleboum.
Critics say the reports lack enough information
Amazon and Apple have made firm denials to Bloomberg’s reporting claims. In a letter to Congress, Apple clearly stated that none of its officials were aware of ever having a malicious hardware in the company’s networks. Aside from the denials, many have criticized the claims based on the fact that the released information does not support any direct investigation since all sources have remained anonymous.
Critics are also saying that the report doesn’t include technical details aside from not being able to buttress why the Chinese spies would prefer to use the ambiguous route of manipulating hardware bound for America when there are easier ways of achieving the same capabilities.
The bottom line
It would not be surprising that all telecom companies have denied ever finding a mole in their network if Bloomberg reporting is accurate. The only company mentioned on the negative side of the story is suffering a free fall of its shares. Supermicro stock had fallen by over 50% since last week and more pain could be underway as the investigation drags down the road. While extraordinary claims may require extraordinary proof, Bloomberg is only providing the amount of information it has, whereas the critics lack firm basis to dismiss the huge claim.
Bloomberg would not slide what could arguably represent the biggest hack of all time under the carpet if the published claims are true, until its end. For some years now, Cybersecurity experts have been raising alarms about the possibility of supply chain attacks, and China supplies most of all electronics used in the United States.