Following up on its controversial story accusing China of implanting chips into Supermicro server motherboards to spy on companies, Bloomberg now reports that a researcher found a different implant in an unnamed company's Supermicro system.
The details: Yossi Appleboum, co-CEO of Sepio Systems, claims to have found a hardware implant in the "ethernet connector" of a telecom company's Supermicro motherboard in August. He could not reveal to Bloomberg what company he found the implant in due to a non-disclosure agreement.
The backdrop: Bloomberg's first story took flak after Homeland Security, the British cybersecurity agency NCSC, and the companies it named — Supermicro, Apple and Amazon — all denied the story.
What the new story means: The latest story provides a new data point that Supermicro systems were involved in espionage. That provides some general support for the first story.
- It does not show evidence that the implant in the first story existed, or that any of the narratives around Apple and Amazon discovering that implant were true.
- The new story is based on the experiences of a single person, and the secrecy around the target makes it hard for a third party to verify. "This would make more sense in firmware than hardware," tweeted former NSA hacker Jake Williams, the founder of Rendition Infosec.
- It matters whether the spying tool is hardware or firmware. Firmware, the code embedded in physical devices, is easier to replace than hardware. And it's more likely that spies could tamper with firmware without the cooperation of a company like Supermicro than that they could slip a chip into the assembly of a motherboard.