from the our-fortune-looks-bleak dept.
Following up on our story from Thursday — Chinese Spy Chips Allegedly Inserted Into Amazon, Apple, etc. Datacenters by Super Micro — there is a report from Ars Technica Bloomberg stands by Chinese chip story as Apple, Amazon ratchet up denials:
On Thursday morning, Bloomberg published a bombshell story claiming that the Chinese government had used tiny microchips to infiltrate the data centers of Apple and Amazon. Apple and Amazon, for their part, responded with unusually specific and categorical denials. It's clear that someone is making a big mistake, but 24 hours later, it's still not clear whether it's Bloomberg or the technology companies.
On Thursday afternoon, Apple laid out its case against the story in a lengthy post on its website. The post specifically disputed a number of Bloomberg's claims. For example, Bloomberg says that after discovering a mysterious chip in one of its servers, Apple "reported the incident to the FBI," leading to an investigation. Apple flatly denies that this occurred.
"No one from Apple ever reached out to the FBI about anything like this," Apple writes. "We have never heard from the FBI about an investigation of this kind."
Amazon's response has been equally emphatic and detailed. "There are so many inaccuracies in this article as it relates to Amazon that they're hard to count," Amazon wrote on Thursday. "We never found modified hardware or malicious chips in servers in any of our data centers."
Yet Bloomberg reporter Jordan Robertson, one of the article's co-authors, has stood by his story. In a Thursday afternoon appearance on Bloomberg TV, Robertson said that he talked to 17 anonymous sources—both in US intelligence agencies and at affected companies—who confirmed the story.
So what's going on? It's clear that someone isn't telling the truth, but it's hard to tell what the real story is.
A comment to that story on Ars noted:
The (alleged) chip is associated with the BMC (baseboard management controller). It has indirect access to everything that the BMC can touch, which is pretty much everything in the system.
See, also, coverage on Hackaday where a comment identifies the particular board in question as being a MicroBlade MBI-6128R-T2. A link to a tweet reveals a picture of the board in question and a followup picture showing where the extra device would be located.
Related Stories
Chinese spy chips are found in hardware used by Apple, Amazon, Bloomberg says; Apple, AWS say no way
The chips, which Bloomberg said have been the subject of a top secret U.S. government investigation starting in 2015, were used for gathering intellectual property and trade secrets from American companies and may have been introduced by a Chinese server company called Super Micro that assembled machines used in the centers.
[...] China has long been suspected — but rarely directly implicated — in en masse spy campaigns based on hardware made there. The majority of electronic components used in U.S. technology are manufactured in China. Companies including component manufacturers Huawei and ZTE, as well as surveillance camera maker Hikvision, have all fallen under intense suspicion and scrutiny from the U.S. government in the past year.
I'd think that the big guys would be designing their own boards. Maybe we should only buy PCBs from South Korea.
Also at Bloomberg and The Guardian.
(Score: 0) by Anonymous Coward on Sunday October 07, @08:48AM (3 children)
So in effect, it may not even be a Chinese factory thing. But simply a weakness in the IPMI of that particular model.
And IPMI is basically a remote console that is supposed to be accessible via a different path than the main network traffic, so that in the event of network issues on the main path (say a badly configured network card or firewall) an admin can make changes without being physically present.
This is the same kind of thing that in recent years have created such hoopla on desktops because the big names have taken to adding similar systems to their CPU packages.
(Score: 2) by Runaway1956 on Sunday October 07, @09:29AM (2 children)
The IPMI idea is a little worrisome. Except - I just unplugged my IPMI, so it has no dedicated network path. If you're not actually using IPMI, just turn it off, unplug it, or whatever. If you USE IPMI, then obviously, you have a potential problem.
Keep all chemicals out of the reach of meth heads.
(Score: 2) by driverless on Sunday October 07, @10:01AM
Does whatever you unplugged have any other network interface? If it does, IPMI will take over that and respond to a secret-knock handshake on it.
No, I'm not making that up. You don't need any sikrit Chineeze backdoors in your servers when you've got IPMI already built in by the vendor.
Which is also what makes the whole Bloomberg story astoundingly unlikely. Why add an easily-detected back door when the vendor has already left the front door wide open.
(Score: 2) by RandomFactor on Sunday October 07, @10:02AM
i can see legions of servers having their IPMI interface unplugged and going back to the days of Insight and DRAC boards being plugged into expansion slots again.
.
Not that this couldn't be done on those as well. And to top things off
(Score: 2) by riT-k0MA on Sunday October 07, @09:35AM (1 child)
The companies doth protest too much, methinks.
(Score: 0) by Anonymous Coward on Sunday October 07, @10:18AM
Yeah, right, there's no winning with your kind: if they don't protest, they accept they are guilty; if they protest, then they doth protest too much, so they are guilty.