11 Oct A Big Hack or Big Hack Job?
Explosive news accounts based on anonymous sources are easy targets in this era of “fake news.” Usually reserved for partisan political debate, it’s unusual for such a charge to be leveled at a legitimate news organization for coverage of the technology industry. But Bloomberg Businessweek finds itself in the crosshairs and in this case, the critics may be right.
On October 4th, Bloomberg published “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” claiming Chinese spies had successfully placed a tiny microchip on manufactured motherboards that had been shipped to 30 of the largest companies in America (Amazon and Apple included). According to anonymous government and corporate sources, the article claimed hackers could use the 5mm device to gain network access through the servers on which the motherboards were installed. The investigation into how the microchips got there centered on Super Micro Computer, a California-based manufacturer with ties to China. Needless to say, the article set off a tech firestorm and by the end of the day Super Micro’s stock had plummeted by 41%.
Bloomberg steadfastly stood by its anonymous sources for days. It was, as its headline proclaimed, a compromise to America’s technology supply chain and “the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.”
Then the story fell apart.
Both Apple and Amazon released statements denying their servers had been affected. The Department of Homeland Security agreed. And then the tech community got involved, and to date, no affected motherboards, no servers, and no networks have been found to have been compromised. It appears there’s “no there, there,” so we asked VertitechIT Vice President of Engineering Gerry Gosselin to weigh in.
Stories like this have the potential to set off worldwide panic within the tech world, but even more so among less technically-savvy consumers. What was your reaction when you first read the Bloomberg story?
Gosselin: My first reaction was to assume it was true and it seemed like a stunning revelation. We didn’t say anything to our clients since there was very little initial validation. I assumed the security industry would start verifying or refuting the results within a few days. And we were right. However, I can see how less tech-savvy consumers would simply consume the headline and not probe further or wait for confirmation. This is especially problematic with stories like this that seem to fit a cultural narrative in the US of state-sponsored actors trying to infiltrate sensitive US systems.
It would seem that an imbedded chip would be easy to prove simply by taking apart an affected PC. Wouldn’t this have been the easiest way to either prove or disprove the story?
Gosselin: It certainly would make sense. I believe the story began falling apart when the days ticked on and the community wasn’t vocal about finding any equipment with the modifications in question.
What is the likelihood that something like this could actually happen? Are there enough supply chain safeguards in place? Are we too reliant on China for this type of technology?
Gosselin: The supply chain is a huge risk right now. Modifying hardware is harder, costlier, and more obvious than modifying software. I believe the likelihood of something like this happening in hardware is relatively low but in software it’s very high and in fact there are many recent examples of it. Manufacturers may put in safeguards but one has to question whether the manufacturer itself was compromised or forced to incorporate these technologies. A manufacturing safeguard may not be enough. I don’t believe the country of origin even matters. China is particularly suspect now because it’s believed that the laws allow the state to perform this type of manipulation whereas in western countries this would be less likely to occur. Still, we shouldn’t believe that the US shouldn’t or wouldn’t covertly modify a product for surveillance purposes if it needed to.
From your research, does this sound like misinformation at best or just shoddy journalism at its worst?
Gosselin: The original article quotes 17 anonymous sources so it’s very hard to truly know if the journalists were fed misinformation. However, an interview with the one named source would give you the impression that the piece used his theoretical examples as proof, which to me looks like shoddy journalism.
This isn’t the first time Bloomberg has mis-reported tech stories resulting in viral headlines. A 2014 article charged that a Turkish oil pipeline explosion was the result of Russian hackers. Another story claimed the National Security Agency used the Heartbleed Bug to gather intelligence about consumers.
So who do you believe and how do you get to the truth of an explosive headline? “I believe Bloomberg and other news outlets do provide valuable tech stories however the aftermath of an article is useful in determining its validity,” says Gosselin. “Twitter and LinkedIn can provide valuable crowd-sourced validation of stories. Here at VertitechIT, we recommend independent tech news podcasts like Risky Business and Packet Pushers Network Break.”
We may never know where Bloomberg received its information but in this case, The Big Hack appears to a bunch of big hooey.