Apple strongly denies Bloomberg's Chinese hacking report




On Thursday, Bloomberg published a bombshell article uncovering an extraordinary hardware hacking effort by state-sponsored Chinese agents. "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies" details successful efforts by the People's Liberation Army (PLA) to implant tiny chips into the motherboards of servers made by Super Micro, to compromise those systems and give them access. It's an extensive piece of reporting, too complex to fully summarize here. To really understand all the details, you should read the original article.

Citing many sources both inside and outside of the US government, the article explains that the PLA infiltrated Super Micro and its suppliers to sneak tiny hardware chips, as small as the tip of a sharpened pencil, into server motherboards. Super Micro is one of the world's largest producers of such hardware, supplying hardware used by the Department of Defense, Homeland Security Department, NASA, Congress, and many of the world's largest companies. Nearly 30 companies were affected, Bloomberg claims.

The Apple connection

The Bloomberg piece alleges that Apple was one of the victims of the hardware hacking scheme.

Apple, for its part, has used Super Micro hardware in its data centers sporadically for years, but the relationship intensified after 2013, when Apple acquired a startup called Topsy Labs, which created superfast technology for indexing and searching vast troves of internet content. By 2014, the start-up was in the world. This project, known internally as Ledbelly, was designed to make Apple's voice assistant, Siri, faster, according to the senior Apple insiders.

Documents seen by Businessweek show more than 6,000 Super Micro servers for installation in 17 locations, including Amsterdam, Chicago, Los Angeles, Hong Kong, New York, San Jose, Singapore, and Tokyo, plus 4,000 servers for its existing North Carolina and Oregon data centers. These orders were made to double, to 20,000, by 2015. Ledbelly made Apple an important Super Micro customer at the exact same time the PLA was found to be manipulating the vendor's hardware.

Ultimately, Bloomberg says, Apple had deployed about 7,000 Super Micro servers when the company's security team found the tiny hidden added chips. It claims to be discovered in the United States and the issue to the FBI, but "internally." The article quotes an unnamed US official who says that Apple did not allow government investigators to access its facility or the hardware in question.

Apple's response

Bloomberg published responses to their story from Amazon, Apple, Super Micro, and the Chinese Ministry of Foreign Affairs. Apple's response is detailed and forceful in its denial:

Over the course of the past year, Bloomberg has contacted us several times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted a rigorous internal investigation based on their inquiries and each time we found absolutely no evidence to support any of them. We have repeatedly offered factual responses, on the record, on virtually every aspect of Bloomberg's story relating to Apple.

Apple has never found malicious chips, "hardware manipulations" or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

In response to Bloomberg's latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers has ever been found to hold malicious chips.

As a matter of practice, they are inspected for security vulnerabilities and we update their firmware and software with the latest protections. We did not uncover any unusual vulnerabilities in the servers we acquired from Super Micro when we updated the firmware and software according to our standard procedures.

We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver. That one-time event was determined to be accidental and not targeted against Apple.

While there is no doubt that we have been involved, we take these allegations seriously and we want them to know everything we can. What Bloomberg is reporting about Apple is inaccurate.

Apple has always believed in being safe and secure. If there were ever such an event, we would like to have it, we would be coming soon and we would be working with law enforcement. Apple engineers conduct regular and rigorous security screenings to ensure that our systems are safe. We know that security is an endless race and that's why we constantly fortify our systems against sophisticated hackers and cybercriminals who want to steal our data.

This is probably only the beginning

As a part of its identity, Apple has a lot to lose from a big hacking scandal, even if one of its server suppliers bears most of the blame. It is also the world's largest publicly traded company, and could face serious penalties for misrepresenting the facts of serious security issues.

Apple's statement leaves little room for interpretation. The company's claim that it "has never found malicious chips, hardware manipulations, or vulnerabilities" is totally unambiguous, as is the assertion that the company never had contact with the FBI or any other agency about such an incident.

Bloomberg, for its part, says that it has been compiled by Apple and the United States.

Given the seriousness of the report, and the potential financial, legal, and diplomatic consequences, it is likely we'll hear a lot more about it in the coming days and weeks.
