A couple of months ago Bloomberg made big waves with an article that claimed China had inserted hardware bugs into the server architecture of many major American companies, including Amazon and Apple. Doubts were immediately raised by a few people because the Bloomberg reporters weren’t reporting on a bugged board that they had seen, they merely cited claims made by anonymous sources (always a red flag in a news article). But the hack described, although complicated in nature, wasn’t outside of the realm of possibility. Moreover, Bloomberg isn’t a tabloid, the organization has some journalistic readability, so the threat was treated seriously.
Since the threat was being taken seriously, actual investigations were being performed by the companies named in the article. This is where the credibility of the article started to falter. Apple and Amazon both announced that after investigating the matter they no evidence that their systems were compromised. Finally the company specifically named as the manufacturer of the compromised servers announced that an independent audit found no evidence to support Bloomberg’s claims:
SAN FRANCISCO (Reuters) – Computer hardware maker Super Micro Computer Inc told customers on Tuesday that an outside investigations firm had found no evidence of any malicious hardware in its current or older-model motherboards.
In a letter to customers, the San Jose, California, company said it was not surprised by the result of the review it commissioned in October after a Bloomberg article reported that spies for the Chinese government had tainted Super Micro equipment to eavesdrop on its clients.
Could Apple, Amazon, and Super Micro all be lying about the findings of their investigations as some have insinuated? They certainly could be. But I subscribe to the idea that great claims require great evidence. Bloomberg has failed to produce any evidence to back its claims. If the hack described in its article was as pervasive as the article claimed, it should have been easy for the journalists to acquire or at least see one of these compromised boards. There is also the question of motivation.
Most reports indicated that China has had great success hacking systems the old fashioned way. One of the advantages to remote software hacks is that they leave behind little in the way of hard evidence. The evidence that is left behind can usually be plausibly denied by the Chinese government (it can claim that Chinese hackers unaffiliated with the government performed a hack for example). Why would China risk leaving behind physical evidence that is much harder to deny when it is having success with methods that are much easier to deny?
Unless Bloomberg can provide some evidence to support its claims, I think it’s fair to call bullshit on the article at this point.