A new twist in Bloomberg’s ‘spy chip’ report implicates U.S. telecom

There’s a new wrinkle in the Bloomberg’s ongoing but controversial series on alleged hardware hacks affecting U.S. tech giants — despite heavy skepticism after the named companies rebuffed the allegations and critics poked holes in the reporting.

Bloomberg’s new report out Tuesday said that a U.S. telecom discovered that hardware it used in its datacenters was “manipulated” by an implant designed to conduct covert surveillance and exfiltrate corporate or government secrets.

The implant was found on an Ethernet connector — used to hard-wire device to a network — on a motherboard developed by Supermicro, a major computer manufacturer that was named in the first Bloomberg story.

It was that first report that claimed China had infiltrated a Supermicro factory to install chips on motherboards that went on to go into servers in datacenters operated by Apple and Amazon. Apple, Amazon and Supermicro denied the claims in a series of strong rebuttals. Supermicro’s said on Tuesday that it “still [has] no knowledge of any unauthorized components” and said it hadn’t been informed by any customer of the alleged security breach.

Although the report claims “fresh evidence of tampering” by China, it does not explicitly link the tampering to similar attacks on Apple and Amazon, or others.

What lends more credence to this second Bloomberg story than the first is that a security researcher said he inspected the implant first-hand, rather than the reporters having to rely on descriptions from several sources who allegedly had knowledge of the implants.

Yossi Appleboum, co-founder of Sepio Systems and former Israeli intelligence officer, provided Bloomberg with evidence and documentation — which wasn’t published alongside the story — that the alleged implant was introduced at the factory where the telecom’s equipment was built. He also said there are many ways that China’s supply chain is compromised and implants could be introduced.

Plot twist: Bloomberg didn’t name the telecom because of a non-disclosure agreement between Appleboum and the company.

We asked Appleboum several questions by email — including if the telecom company informed the FBI of the discovery — but he did not immediately respond to a request for comment. If that changes, we’ll update.

This new story certainly adds more to the mix on Bloomberg’s continuing reporting streak on hardware hacks, but doesn’t negate the apparent failings — or the lack of evidence — in its first report.

For its part, Bloomberg said as of Monday that it stood by its reporting.

But it’s difficult not to be skeptical, given the criticism on Bloomberg’s earlier reporting. Apple’s watertight statement to lawmakers explicitly denying the reporters’ claims shifted the onus onto Bloomberg to provide further evidence for its assertions in its original report, which the publication has yet to do.

Until then, it’s fair to take the reports with a healthy dose of salt.