Can We Trust Bloomberg’s Report?
Now, here’s the rub. The companies involved in the case all issued strongly worded responses when Bloomberg asked them for comment. Supermicro, Apple and Amazon all stated that they had no knowledge of the affected devices. Even China’s Ministry of Foreign Affairs responded to the business publication, claiming that it is as much a victim of supply chain safety issues as anyone else. You can read all of their statements here.
Apple and Amazon also issued separate press releases following the publication of Bloomberg’s article. Apple’s is titled ‘What Businessweek Got Wrong About Apple’ and states:
“The published Businessweek story also claims that Apple “reported the incident to the FBI but kept details about what it had detected tightly held, even internally.”
In November 2017, after we had first been presented with this allegation, we provided the following information to Bloomberg as part of a lengthy and detailed, on-the-record response. It first addresses their reporters’ unsubstantiated claims about a supposed internal investigation:
“Despite numerous discussions across multiple teams and organizations, no one at Apple has ever heard of this investigation. Businessweek has refused to provide us with any information to track down the supposed proceedings or findings. Nor have they demonstrated any understanding of the standard procedures which were supposedly circumvented. No one from Apple ever reached out to the FBI about anything like this, and we have never heard from the FBI about an investigation of this kind — much less tried to restrict it.”
Amazon’s statement is titled “Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article”:
“As we shared with Bloomberg BusinessWeek multiple times over the last couple of months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.
There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count.”
If these responses from Apple and Amazon are true, they would throw the entire Bloomberg article into question. For its part, Bloomberg has defended its reporting:
“Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks… We stand by our story and are confident in our reporting and sources.”
Clearly, the reliance on anonymous sources is far from ideal, but Bloomberg said in its original article that this was to protect their safety and privacy. But even if half of the story is true, it’s still a big, big deal.
Update: 5 October 2018
The National Cyber Security Centre, a unit of Britain's digital intelligence agency, GCHQ, made a statement supporting Apple and Amazon:
“We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS [Amazon Web Services] and Apple… The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us.”
Update: 8 October 2018 AM
The Department of Homeland Security in the US issued a statement on the Bloomberg report on 6 October, again supporting Apple and Amazon:
“The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story.”
Update: 8 October 2018 PM
Apple issued another strongly worded rejection of Bloomberg's claims in a letter to four US Congressmen. You can read the letter here.
“We want to assure you that a recent report in Bloomberg Businessweek alleging the compromise of our servers is not true. You should know that Bloomberg provided us with no evidence to substantiate their claims and our internal investigations concluded their claims were simply wrong… Ever since we were first contacted by Bloomberg's reporters in October 2017, we have worked diligently to get to the bottom of their allegations.
While the story was being reported, we spoke with Bloomberg's reporters and editors and answered any and all of their questions. We methodically dispelled the often-shifting nature of their claims. While we repeatedly asked them to share specific details about the alleged malicious chips that they seemed certain existed, they were unwilling or unable to provide anything more specific than vague secondhand accounts.”