The latest instalment of the Bloomberg spy chip story was based on a misunderstanding, according to a former cybersecurity specialist at GCHQ – the UK equivalent of the NSA …
Quick recap
But a follow-up piece was published last week, in which it said that these spy chips had been found in U.S. Department of Defense servers. The details were slightly modified: instead of standalone spy chips, this time the paper said that spy code had been embedded into the design of BIOS chips.
Denials of the story were rapid and overwhelming. Apple said it had fully investigated the claims, and later provided off-the-record details of that investigation. I explained at the time the five reasons I believed Apple, with four more reasons emerging to make it abundantly clear that the Cupertino company was telling the truth.
It wasn’t just Apple denying the claim. The Department of Homeland Security did the same. One of Bloomberg’s sources told them the story made no sense. The NSA added its denial. A deep-dive analysis found the claims to be impossible. A Super Micro audit found no spy chips.
Bloomberg spy chip story based on misunderstanding
One of the suggestions at the time was that Bloomberg had misunderstood what its own sources had told it. In particular, one source said that he outlined a theoretical possibility which the paper then reported as fact. They even use an innocuous component photo he had supplied to them. He offered it purely as an example of the type of chip that might be used, but its use in the piece gave the impression that physical evidence existed.
Matt Tait, a former cybersecurity specialist at GCHQ (Government Communications HeadQuarters), has said the same is true of the revised report. Tait is now a senior cybersecurity fellow at the Robert S. Strauss Center for International Security and Law, and his CV also includes a stint in Google’s cybersecurity team, Project Zero.
He opened a Tweetstorm with a summary of his view.
He then goes on to talk through ‘why it’s BS.’
Oh man, guess we have to do supermicro chip saga again. tl;dr is a source misunderstood an FBI defensive briefing on China’s supply chain activities, leaked it to the press, and Bloomberg has again failed to do the work necessary to verify the sensational claims, because they mistake impressive credentials with domain expertise.
He says that although there are some impressive-sounding sources in the piece, absolutely none of them has any first-hand knowledge – and many of them aren’t likely to be qualified to validate the claims they have heard.
Tait acknowledges that some of the claims have a reasonable basis for reporting. Even without evidence, the fact that credible people are saying they were briefed on something is worth noting. But he goes on to outline the huge difference between what was said to have been said (sometimes said to have been said to have been said to have been said!), and any credible evidence of the claims.
He ends by challenging Bloomberg to provide actual evidence.
Photo by Vishnu Mohanan on Unsplash