Ap­ple strongly de­nies Bloomberg’s Chi­nese hack­ing re­port

Bloomberg says Ap­ple was one of many com­pa­nies sub­ject to an un­prece­dented state-spon­sored hack, but Ap­ple says its re­port­ing is in­ac­cu­rate.


In early Oc­to­ber, Bloomberg pub­lished a bomb­shell ar­ti­cle un­cov­er­ing an ex­tra­or­di­nary hard­ware hack­ing ef­fort by state-spon­sored Chi­nese agents. “The Big Hack: How China Used a Tiny Chip to In­fil­trate U.S. Com­pa­nies” de­tails suc­cess­ful ef­forts by the Peo­ple’s Lib­er­a­tion Army (PLA) to im­plant tiny chips into the moth­er­boards of servers made by Su­per Mi­cro, to com­pro­mise those sys­tems and give them ac­cess. It’s an ex­ten­sive piece of re­port­ing, too com­plex

to fully sum­ma­rize here. To re­ally un­der­stand all the de­tails, you should read the orig­i­nal ar­ti­cle ( go.mac­world.com/tnch).

Cit­ing many sources both in­side af­fected com­pa­nies and the U.S. govern­ment, the ar­ti­cle ex­plains that the PLA in­fil­trated Su­per Mi­cro or its sup­pli­ers to sneak tiny hard­ware chips—as small as the tip of a sharp­ened pen­cil—into server moth­er­boards. Su­per Mi­cro is one of the world’s largest pro­duc­ers of such hard­ware, sup­ply­ing hard­ware used by the De­part­ment of De­fense, De­part­ment of Home­land Se­cu­rity, NASA, Congress, and of many of the world’s largest com­pa­nies. The at­tack ul­ti­mately reached al­most 30 com­pa­nies, Bloomberg claims.


In a Buz­zfeed ar­ti­cle ( go.mac­world.com/blrt) posted on Oc­to­ber 19, Ap­ple CEO Tim Cook told Buz­zfeed that, “There is no truth in [Bloomberg’s] story about Ap­ple,” and called for Bloomberg to re­tract its story. Cook made the call for ac­tion af­ter the com­pany per­formed its own in­ves­ti­ga­tion. Cook told Buz­zfeed:

“We turned the com­pany up­side down,” Cook said. “Email searches, data cen­ter records, fi­nan­cial records, ship­ment records. We re­ally foren­si­cally whipped through the com­pany to dig very deep and each time we came back to the same con­clu­sion: This did not hap­pen. There’s no truth to this.”


The Bloomberg piece al­leges that Ap­ple was one of the vic­tims of the hard­ware hack­ing scheme.

Ap­ple, for its part, has used Su­per­mi­cro hard­ware in its data cen­ters spo­rad­i­cally for years, but the re­la­tion­ship in­ten­si­fied af­ter 2013, when Ap­ple ac­quired a startup called Topsy Labs, which cre­ated su­per­fast tech­nol­ogy for in­dex­ing and search­ing vast troves of in­ter­net con­tent. By 2014, the startup was put to work build­ing small data cen­ters in or near ma­jor global cities. This project, known in­ter­nally as Led­belly, was de­signed to make the search func­tion for Ap­ple’s voice as­sis­tant, Siri, faster, ac­cord­ing to the three se­nior Ap­ple in­sid­ers.

Doc­u­ments seen by Busi­ness­week show that in 2014, Ap­ple planned to or­der more than 6,000 Su­per­mi­cro servers for in­stal­la­tion in 17 lo­ca­tions, in­clud­ing Am­s­ter­dam, Chicago, Hong Kong, Los An­ge­les, New York, San Jose, Sin­ga­pore, and Tokyo, plus 4,000 servers for its ex­ist­ing North Carolina and Ore­gon data cen­ters. Those or­ders were sup­posed to dou­ble, to 20,000, by

2015. Led­belly made Ap­ple an im­por­tant Su­per­mi­cro cus­tomer at the ex­act same time the PLA was found to be ma­nip­u­lat­ing the ven­dor’s hard­ware.

Ul­ti­mately, Bloomberg says, Ap­ple had de­ployed about 7,000 Su­per Mi­cro servers when the com­pany’s se­cu­rity team found the tiny hid­den added chips. It claims Ap­ple dis­cov­ered the com­pro­mised servers in 2015 and re­ported the is­sue to the FBI, but “kept de­tails about what it had de­tected tightly held, even in­ter­nally.” The ar­ti­cle cites an un­named U.S. of­fi­cial who says that Ap­ple didn’t al­low govern­ment in­ves­ti­ga­tors to ac­cess its fa­cil­ity or the hard­ware in ques­tion.


Bloomberg pub­lished re­sponses ( go. mac­world.com/bghk) to its story from Ap­ple, Ama­zon, Su­per Mi­cro, and the Chi­nese Min­istry of For­eign Af­fairs. Ap­ple’s re­sponse is de­tailed and force­ful in its de­nial:

Over the course of the past year, Bloomberg has con­tacted us mul­ti­ple times with claims, some­times vague and some­times elab­o­rate, of an al­leged se­cu­rity in­ci­dent at Ap­ple. Each time, we have con­ducted rig­or­ous in­ter­nal in­ves­ti­ga­tions based on their in­quiries and each time we have found ab­so­lutely no ev­i­dence to sup­port any of them. We have re­peat­edly and con­sis­tently of­fered fac­tual re­sponses, on the record, re­fut­ing vir­tu­ally ev­ery as­pect of Bloomberg’s story re­lat­ing to Ap­ple.

On this we can be very clear: Ap­ple has never found ma­li­cious chips, “hard­ware ma­nip­u­la­tions” or vul­ner­a­bil­i­ties pur­posely planted in any server. Ap­ple never had any con­tact with the FBI or any other agency about such an in­ci­dent. We are not aware of any in­ves­ti­ga­tion by the FBI, nor are our con­tacts in law en­force­ment.

In re­sponse to Bloomberg’s lat­est ver­sion of the nar­ra­tive, we present the fol­low­ing facts: Siri and Topsy never shared servers; Siri has never been de­ployed on servers sold to us by Su­per Mi­cro; and Topsy data was lim­ited to ap­prox­i­mately 2,000 Su­per Mi­cro servers, not 7,000. None of those servers has ever been found to hold ma­li­cious chips.

As a mat­ter of prac­tice, be­fore servers are put into pro­duc­tion at Ap­ple they are in­spected for se­cu­rity vul­ner­a­bil­i­ties and we up­date all firmware and soft­ware with the lat­est pro­tec­tions. We did not un­cover any un­usual vul­ner­a­bil­i­ties in the servers we pur­chased from Su­per Mi­cro when we up­dated the firmware and soft­ware ac­cord­ing to our stan­dard pro­ce­dures.

We are deeply dis­ap­pointed that in their deal­ings with us, Bloomberg’s re­porters have not been open to the pos­si­bil­ity that they or their sources might be wrong or mis­in­formed. Our best guess is that they are con­fus­ing their story with a pre­vi­ously-re­ported 2016 in­ci­dent in which we dis­cov­ered an in­fected driver on a sin­gle Su­per Mi­cro server in one of our labs. That one-time event was de­ter­mined to be ac­ci­den­tal and not a tar­geted at­tack against Ap­ple.

While there has been no claim that cus­tomer data was in­volved, we take these al­le­ga­tions se­ri­ously and we want users to know that we do ev­ery­thing pos­si­ble to safe­guard the per­sonal in­for­ma­tion they en­trust to us. We also want them to know that what Bloomberg is re­port­ing about Ap­ple is in­ac­cu­rate.

Ap­ple has al­ways be­lieved in be­ing trans­par­ent about the ways we han­dle and pro­tect data. If there were ever such an event as Bloomberg News has claimed, we would be forth­com­ing about it and we would work closely with law en­force­ment. Ap­ple engi­neers con­duct reg­u­lar and rig­or­ous se­cu­rity screen­ings to en­sure that our sys­tems are safe. We know that se­cu­rity is an end­less race and that’s why we con­stantly for­tify our sys­tems against in­creas­ingly so­phis­ti­cated hack­ers and cy­ber­crim­i­nals who want to steal our data.


As a com­pany that has made pri­vacy and se­cu­rity a core part of its iden­tity, Ap­ple has a lot to lose from a big hack­ing scan­dal, even if one of its server sup­pli­ers de­serves most of the blame. It’s also the world’s most valu­able pub­licly traded com­pany, and could suf­fer se­ri­ous penal­ties from mis­rep­re­sent­ing the facts of se­ri­ous se­cu­rity is­sues like this.

Ap­ple’s state­ment leaves lit­tle room for in­ter­pre­ta­tion. The com­pany claim­ing that it “has never found ma­li­cious chips, hard­ware ma­nip­u­la­tions, or vul­ner­a­bil­i­ties pur­posely planted in any server” is to­tally un­am­bigu­ous, as is the as­ser­tion that the com­pany never had con­tact with the FBI or any other agency about it.

Bloomberg, for its part, says that it has de­tailed ac­counts from three Ap­ple in­sid­ers and four of six U.S. of­fi­cials that con­firm Ap­ple was a vic­tim.

Given the se­ri­ous­ness of the re­port, and the po­ten­tial fi­nan­cial, le­gal, and diplo­matic fall­out from it, it is likely we’ll hear a lot more about it in the com­ing weeks. ■

Ap­ple has pub­lished a strongly-worded re­sponse to Bloomberg’s ar­ti­cle.

Ap­ple de­nies that its servers have been com­pro­mised.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.