Last Thursday Bloomberg reported that authorities were investigating server motherboard manufacturer Supermicro for shipping equipment implanted with chips that China could use to spy on users.
The piece was a bombshell, but a raft of vehement denials from everyone involved — including Apple and Amazon, which Bloomberg claimed discovered the secret chips in their own servers — has made the story increasingly hard to believe.
Why it matters: If the piece is a mistake, it is not a small one. Supermicro shares dropped more than 50% after the story, wiping away nearly $600 million in market cap. But this isn’t just about one firm’s fortunes. The kind of sabotage described in the story, if real, could compromise major institutions.
- Supermicro products — and the web and cloud services fueled by them — are used by defense, banks, hospitals and other groups.
- A state election official who spoke to Codebook was concerned that state accounts might have been made vulnerable to attack.
It's hard to believe that Amazon, Apple and Supermicro are all fabricating their emphatic denials of the Bloomberg story.
- Lawyers who spoke to Codebook said the detailed denials would be more than a public relations problem if they turned out to be false.
- “The companies [would] risk enforcement by the FTC for engaging in a deceptive act that is likely to harm consumers,” emailed David Vladeck, Georgetown law professor and former head of the FTC’s Bureau of Consumer Protection, adding, “I am strongly disinclined to think they are lying.”
- If its denial were false, Apple would only have compounded its exposure Monday by repeating the same claims in a letter to two congressional committees.
- The Department of Homeland Security and the British cybersecurity office, the National Cyber Security Centre, said they had no reason to doubt the companies' denials.
The big question: Flustered cybersecurity pros have been left wondering how much of the story is accurate. The expert consensus is that it's more likely that Bloomberg is wrong than the companies and government agencies are lying.
- One key skeptic of the piece is hardware security researcher Joe FitzPatrick, who is quoted in the story. According to the Risky Business podcast, FitzPatrick says he told Bloomberg by email, before the article was published, that the story "didn't make sense."
Around Washington: Early Friday, one lawmaker’s office hinted to Codebook that Bloomberg's article might be accurate — but backtracked later in the day. Also on Friday, Sen. Gary Peters (D-Mich.) sent a letter to Secretary of Defense Jim Mattis asking about armed forces’ knowledge and exposure.
Bloomberg stands by its story, per this statement: "Bloomberg Businessweek's investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews.
- "Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. ... We stand by our story and are confident in our reporting and sources."
Our thought bubble: It’s possible that well-meaning sources confused malware Apple reportedly found in Supermicro firmware with a hardware-based espionage campaign. The two are not equivalent: compromised firmware can be wiped out by reflashing the affected boards, whereas a malicious chip soldered onto a motherboard can only be removed by replacing the hardware. The firmware problem was quickly dealt with.
Glass houses disclaimer: Reporters make mistakes. Codebook makes mistakes. Sources are sometimes wrong. And good journalism often requires anonymous sources.