The piece was either a massive scoop about something of vital importance to everyone, or an embarrassing misunderstanding since debunked by the companies involved.
Deciding which applies isn’t entirely straightforward, but there are five reasons I come down on the side of believing Apple …
It’s difficult to assess the veracity of a claim when we don’t know the exact nature of it.
Bloomberg didn’t provide specific details as to precisely what the alleged Chinese spy chip actually did. It outlined the principle of how it says the spy chip worked, but without describing exactly how the feat was achieved.
What is described would be an amazing feat. Indeed, The Verge quoted Berkeley’s International Computer Science Institute professor Nicholas Weaver saying that it would amount to a ‘god mode’ exploit. It would be the holy grail of hacks.
#1: Bloomberg’s claim appears to be a ‘friend of a friend’ story
Given the dramatic nature of the claim, you’d expect Bloomberg to lay out exactly how it was achieved – but it doesn’t. One possibility is that the site wanted to keep the story accessible to a mixed audience by avoiding too deep a dive into the technicalities. But as this was a claim that was going to shake the tech world, it was obvious those who were capable of understanding the detail would want to do so.
That raises a second possibility: that Bloomberg can’t explain how the Chinese spy chip works because it – or its sources – don’t know. That would shift the story from a ‘here is what we know has been happening’ to ‘some people told us that something along these lines was happening.’ That’s a far weaker claim.
The Register’s Kieren McCarthy did an excellent deep dive into how the chip might have worked, if the claim were true.
One infosec expert cited says that this is not only plausible, but the way he would do it.
The BMC is a crucial component on a server motherboard. It allows administrators to remotely monitor and repair machines, typically over a network, without having to find the box in a data center, physically pull it out of the rack, fix it, and re-rack it. The BMC and its firmware can be told to power-cycle the server, reinstall or modify the host operating system, mount additional storage containing malicious code and data, access a virtual keyboard and terminal connected to the computer, and so on. If you can reach the BMC and its software, you have total control over the box.
With the BMC compromised, it is possible the alleged spies modified the controller’s firmware and/or the host operating system and software to allow attackers to connect in or allow data to flow out. We’ve been covering BMC security issues for a while.
But if this is the case, why didn’t Bloomberg tell us? The only plausible answer here is that it wasn’t privy to the details and only knows what some people said about it, which effectively turns this into a ‘friend of a friend’ story.
#2: The technical case against the claim seems strong
McCarthy lays out some objections to the specific claims about the Chinese spy chip. Three of them seem particularly persuasive to me.
So the technical case against the claim seems strong. Which, as McCarthy also notes, brings us to Apple’s denial.
[And] The chip allegedly fits on a pencil tip. That it can intercept and rewrite data on the fly from SPI flash or a serial EEPROM is not impossible. However, it has to contain enough data to replace the fetched BMC firmware code, that then alters the running operating system or otherwise implements a viable backdoor. Either the chip pictured in Bloomberg’s article is incorrect and just an illustration, and the actual device is larger, or there is state-of-the-art custom semiconductor fabrication involved here.
The ‘Apple is lying’ theory
I’ve written in the past about an occasion on which Apple issued a suspiciously worded denial: when the PRISM story broke and it was alleged that Apple gave the NSA access to its servers.
My interpretation of this is that all three companies were required to push data to the NSA, and were subjected to a government gag order. The government provided wording which would allow the companies to be seen to be denying it without actually lying.
The fact that the exact same phrase has been used seems unlikely to be a coincidence. One security researcher I spoke to said the wording only eliminated the NSA pulling data from the servers; it did not mean the companies were not pushing the data to the NSA. If the NSA obtained a secret court order requiring the companies to hand over the data, then of course statements that they only provide data when required to do so by law would also be true.
Apple: “We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.”
Facebook: “Facebook is not and has never been part of any program to give the US or any other government direct access to our servers.”
#3, #4 & #5: The three problems with the ‘Apple is lying’ theory
But there are three problems with the ‘non-denial denial’ theory.
First, Apple’s denial does not appear to use carefully selected wording. It doesn’t skirt around the claims: it tackles them head on.
Apple doesn’t just deny the specific claim, it says that nothing like it has ever happened. The bold here is my emphasis:
Now, one could observe that Apple is still being specific about ‘the FBI’ in this particular section of the statement. Perhaps it went to the NSA instead – using contacts it had from the PRISM project. But this leads us to problem two.
Second, then, Apple has specifically stated that it is not under a gag order.
Any company that is subject to a gag order is under strict instructions to say nothing about it. So if there’s no gag order, we are being asked to believe that Apple voluntarily chose to lie about the spy chip, and is now lying about having lied.
No matter how cynical you may be about big corporations, that idea stretches credibility.
So those, then, are the five reasons I believe Apple. It’s a friend-of-a-friend story. The technical arguments suggest it didn’t happen in the way Bloomberg says it did. Apple’s denial appears unequivocal. The company has ruled out the gag order theory. And, if it were true, there would be no reason now not to come clean about it.
That’s my view – what about yours? Please take our poll to let us know who you believe, and share your thoughts in the comments.