Author: Wei Hang
Bloomberg accused China of implanting spy chips in SuperMicro chips, and today that report took a hit.
On Monday, one of the few witnesses named in Bloomberg's article, hardware security expert and founder of Hardware Security Resources Joe Fitzpatrick, gave an interview to the information security podcast "Risky Business" and disclosed specific details of his conversations with Bloomberg reporter Jordan Robertson. According to his testimony, Bloomberg's report seriously misrepresented the information he provided, and the entire manuscript is “not at all untenable”.
Fitzpatrick's communication with Bloomberg reporter Robertson began last year. At first, the reporter asked Fitzpatrick about the technical problems of hardware implantation. Fitzpatrick explained the technical principles and possible operation schemes to the reporter by mail, but did not mention any practical application. In fact, these schemes have never been abandoned in the industry.
But what shocked Fitzpatrick was that the way China invaded the AMD chip described in the Bloomberg article was exactly the same as what he told reporters in the mail.
Bloomberg reported that the Chinese side had, through the supply chain, implanted a spy chip only the size of a grain of rice into motherboards produced by AMD, thereby creating a back door on the servers in which the motherboards were used and stealing information.
“This operation is not logical at all,” Fitzpatrick said. “There are many easier ways to hack into the server. It can be theoretically feasible through software, through the firmware, but it is impossible to use it in large quantities. I won't do this, no one I know will do this.”
In fact, Fitzpatrick clearly told Bloomberg reporters that this kind of program is only a theoretical possibility, lacking practical operability. He also specifically reminded reporters that the “extra parts” on the motherboard may be just a normal accessory. The reporter replied that there were multiple sources indicating that this “crazy plan” did exist, but did not give any pictures or physical evidence from beginning to end.
“If one of the techniques I described may have been realized, there are still a dozen people who testify, and I am too far-sighted,” Fitzpatrick said.
Another detail of the Bloomberg report that has been widely questioned is what the so-called spy chip looks like. Shortly after the report was released, some media pointed out that the "chip" in Bloomberg's picture is actually just a common signal coupler, which can be bought for a dollar.
Fitzpatrick said directly that the picture of this "chip" was one he had provided to the reporter.
In September, reporter Robertson told Fitzpatrick that they had targeted a "signal amplifier or coupler" and asked Fitzpatrick what such components look like, so Fitzpatrick copied a coupler picture from Mouser Electronics and gave it to him. After the report was released, Fitzpatrick was shocked to find that the picture of the spy chip in the text was the one he had sent to the reporter.
“This coupler is typically used on WiFi and LTE and is unlikely to appear on motherboards and servers,” Fitzpatrick said.
This means that Bloomberg has never seen the real so-called "spy chip".
Before the podcast aired, host Patrick Gray made a point of contacting Bloomberg reporter Jordan Robertson to ask him to respond to Fitzpatrick's accusations. The reporter quickly gave his full response: no comment.
The Bloomberg report was controversial from its release, and almost all relevant parties resolutely denied it. Amazon, Apple and Supermicro have issued fierce and clear-cut statements. Apple also said that “Bloomberg has contacted us on this matter many times in the past year. We have conducted a rigorous internal investigation every time, but never found evidence supporting any of these claims.” The US Department of Homeland Security (DHS) and the National Cyber Security Centre also issued statements on October 5 and 6, respectively, indicating that no evidence of cyberattacks was found.
The US National Security Agency has not spoken publicly about the matter, but after Joe Fitzpatrick spoke out, Rob Joyce, senior adviser to the National Security Agency’s Cyber Security Department, forwarded the podcast on Twitter and said, “Please read DHS and NCSC Announcement.”