A technician plugs in a CPU microprocessor to a motherboard socket.
Getty Images/iStockphoto
By Robert Hackett
October 14, 2018

In last weekend’s column we discussed Bloomberg Businessweek’s recent, explosive report alleging that Chinese spies had planted surveillance chips on the motherboards of computer servers that ended up inside more than two dozen companies, including Amazon and Apple. Just about all of the parties named in the piece issued strong denials. I urged readers to approach the story with skepticism. “It’s likely there is truth in the piece, but in which parts remains an open question,” I wrote.

A week later, I remain deeply troubled by this story—not because of its substance, but because of its lack of substantiation. It seems a little odd that no one has reported identifying a single one of these spy chips in the wild since Bloomberg’s report appeared, no? Wouldn’t it have been easy for any companies using servers containing components from Supermicro, the company whose products were allegedly backdoored, to send an engineer into a data center, pry open a server, pluck out an offending implant, and reveal China’s alleged subterfuge to the world? Instead, we hear cricket chirps.

While this absence of evidence is not enough to debunk the report, it does raise doubts. Besides, wouldn’t it be easier for spies simply to meddle with Supermicro’s notoriously buggy firmware? This approach would achieve the same results and be far less complicated to pull off logistically. Plus, it would leave no trace.

Further developments related to the report’s publication give me pause. Joe Fitzpatrick, a hardware hacking expert and one of the only named sources in the piece, said he finds the story implausible. The authors have published erroneous cybersecurity reports before. (No one is perfect, but these prior offenses do raise an eyebrow.) Even Rob Joyce, a top National Security Agency official, said he has not found “any ties to the claims that are in the article.” He added: “I worry that we’re chasing shadows right now.”

While we await even the faintest whiff of corroboration, one must acknowledge that this story does not as yet pass the sniff test. For now, I recommend filing the piece under cloak, not dagger.

Have a great weekend.

Robert Hackett



Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.


You May Like