One of the only named sources in Bloomberg’s explosive story exposing a Beijing hacking campaign that infiltrated Apple and Amazon, as well as the U.S. government, said Monday the report “doesn’t make any sense.”
Speaking on the Risky Business podcast, Joe Fitzpatrick, a hardware security expert, said he told the reporters prior to publication of his doubts, and said he felt uncomfortable when he read the final article last week.
Entitled “The Big Hack,” the bombshell report claimed that Chinese spies had infiltrated global supply chains to install tiny chips the size of a grain of rice onto motherboards manufactured by U.S. company Supermicro.
Fitzpatrick said a theoretical scenario he described to Jordan Robertson, one of the reporters, more than a year ago turned out to be exactly what Bloomberg’s anonymous sources said had happened.
“It was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100 percent of what I described was confirmed by sources,” Fitzpatrick told podcast host Patrick Gray.
He went on to say that while the hack laid out in Bloomberg's reporting was theoretically possible, it was simply not practical.
“Spreading hardware fear, uncertainty and doubt is entirely in my financial [interest], but it doesn't make sense because there are so many easier ways to do this,” Fitzpatrick said. “There are so many easier hardware ways, there are software, there are firmware approaches. The approach you are describing is not scalable. It's not logical. It's not how I would do it. Or how anyone I know would do it.”
Fitzpatrick also revealed that no fact-checkers from Bloomberg contacted him during the editorial process.
According to the report, the secret chips acted as a “stealth doorway onto any network” and offered “long-term stealth access” to compromised systems.
The report claimed the campaign allowed the spies to infiltrate up to 30 companies — including Apple and Amazon — as well as multiple areas of the U.S. government, including the Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships.
The report was based on 17 anonymous sources, including multiple high-profile government officials, insiders at Apple and Amazon, as well as one source within the Chinese government.
However, security experts and officials almost immediately questioned the report’s veracity.
This was partly based on the strength of the denials from the companies involved, including Apple, Amazon and Supermicro. Apple took the unprecedented step Monday of writing to Congress to hammer home its denial.
“Apple has never found malicious chips, ‘hardware manipulations,’ or vulnerabilities purposefully planted in any server,” Apple’s vice president of information security, George Stathakopoulos, said in the letter. “We never alerted the FBI to any security concerns like those described in the article nor has the FBI ever contacted us about such an investigation.”
Apple’s version of events was backed up by the Department of Homeland Security and the U.K.’s National Cyber Security Centre, both of whom said they had no reason to doubt the company’s claims.
Bloomberg said Monday it was standing by its story and it remains “confident in our reporting and sources.”
Cover image: Circuitry and chips are seen inside an Apple Inc. MacBook Pro laptop computer in an arranged photograph in Bangkok, Thailand on Friday, July. 28, 2017. (Brent Lewin/Bloomberg via Getty Images)