Bloomberg said that its sources were key to its decision to run the Chinese spy chip story, the site writing that ’17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks.’

However, one of the named sources – a security researcher who seemingly backed the claims – has said that his comment was taken out of context, and he actually told the site that what it was describing to him “didn’t make sense” …

Hardware security expert Joe Fitzpatrick was quoted in the piece saying “the hardware opens whatever door it wants.” But speaking on the podcast Risky Business, he painted a very different picture.

Fitzpatrick says that he spent a lot of time explaining to Bloomberg how such attacks could, in principle, be carried out. When the piece was published, he was expecting to read about how this specific hack was achieved. Instead, he said, Bloomberg appeared to be parroting the precise theory he had outlined.

He said the same was true of the image Bloomberg provided of the supposed spy chip.

But what really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at Black Hat two years ago worked […]

It was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100% of what I described was confirmed by sources.

When reporter Jordan Robertson outlined more of the story he planned to run, Fitzpatrick told him it didn’t make sense.

Fitzpatrick explained to Robertson several more likely theories for what the site’s sources were claiming to have seen, all of them perfectly normal.

[He wrote to Robertson] Are you sure there is actually an additional hardware component […] It’s trivial to modify the firmware of most BMC and many of them are trivial to exploit remotely because of the poor quality outdated software they run. The attack you describe could easily be implemented in BMC firmware. Would be just as stealthy and far less costly to design and implement. If they were really implants, are you sure they were malicious?

So let’s make that not five or nine reasons to doubt the story, but ten …

Update: A Bloomberg News spokesperson told us “As is typical journalistic practice, we reached out to many people who are subject matter experts to help us understand and describe technical aspects of the attack. The specific ways the implant worked were described, confirmed, and elaborated on by our primary sources who have direct knowledge of the compromised Supermicro hardware. Joe FitzPatrick was not one of these 17 individual primary sources that included company insiders and government officials, and his direct quote in the story describes a hypothetical example of how a hardware attack might play out, as the story makes clear. Our reporters and editors thoroughly vet every story before publication, and this was no exception.”

No response was received when asked for comment on the coincidence of the claimed facts so precisely matching the theoretical risk described by Fitzpatrick and on the use of a catalog photo supplied by him.

Related stories:

  • Comment: Four more reasons it’s now inconceivable Apple lied about Chinese spy chips
  • Department of Homeland Security says ‘no reason to doubt’ Apple’s denial of spy chip story
  • GCHQ, the UK’s equivalent of the NSA, says it believes Apple’s denial of spy chip claim
  • Apple strongly refutes report that it found Chinese ‘spy’ chips in iCloud servers
  • Apple continues denial of Chinese server spy infiltration with new statement
  • Senior Apple execs deny allegations of iCloud server Chinese ‘spy’ chips in new report
  • Opinion: The five reasons I believe Apple, not Bloomberg, about the Chinese spy chip claim
