Today marks the one-year anniversary of Bloomberg’s publication of a story about Chinese intelligence intercepting the supply chain of Supermicro, a company which has built and sold servers to Amazon, Apple, the U.S. Department of Defense, and dozens of other companies. Apparently, they developed a chip that looked identical to a rice-sized standard component placed along the main power lines of a server; the implanted chip ostensibly contained a processor and networking capabilities and could, theoretically, act as a backdoor for Supermicro servers.
It sounded like the information security scoop of the decade — except there’s virtually no proof that any of it is true.
At the time of the story’s publication, representatives from the named companies denied Bloomberg’s reporting in statements that left virtually no wiggle room. Tim Cook called for the story’s retraction — a call that was soon echoed by Amazon and Supermicro. Michael Riley — who reported the story alongside Jordan Robertson — took to Twitter on October 5 to point out that the physical evidence would make it “hard to keep more [details] from emerging”.
So far, that has not happened.
On October 9, the duo published a followup story claiming that backdoor hardware was found on a Supermicro server belonging to a telecom firm. Their report relied on documents provided by Yossi Appleboum, who subsequently argued in an interview with ServeTheHome that Bloomberg’s characterization was incorrect. Appleboum claimed that the problem is broader than Supermicro and that the entire supply chain in China was compromised; however, no evidence was provided publicly to support his assertions.
And that was pretty much the last update we heard from Bloomberg’s reporters regarding this important information security scoop. Michael Riley published just one story between October 9, 2018 and August 31, 2019; Jordan Robertson reported nothing for Bloomberg until September 2, 2019. Given an entire year to dig around on this huge story, no other publication has been able to independently verify their claims.
Here’s every significant development I can find from the past year:
At the end of October last year, Erik Wemple of the Washington Post reported that the then-Director of National Intelligence — the turnover in this administration is wild — and an NSA official had no evidence to support Riley and Robertson’s story.
In November, Wemple wrote about Bloomberg’s continued reporting efforts. An investigative reporter who wasn’t part of the team behind the original “Big Hack” pieces emailed Apple employees to try to figure out what was right and what was wrong. In conversations with Wemple, Apple employees disputed everything about the story and subsequent rumours about internal Apple investigations.
In December, Supermicro announced that a third-party investigator had found “no evidence of any malicious hardware”.
In April, Wemple reported that Bloomberg submitted the story for a National Magazine Award. It was not a finalist.
In August, the story received Pwnie awards for the Most Over-Hyped Bug and the Most Epic Fail at Black Hat.
Last month, a vulnerability was discovered in Supermicro servers that would allow remote USB access. It was patched the following day.
Also last month, Michael Riley got promoted. Congratulations.
Unfortunately, a year later, we’re still no closer to understanding what happened with this story. Bloomberg still stands by it, but hasn’t published a follow-up story from its additional reporting. No other news organization has corroborated the original story in any capacity. After being annihilated in the wake of the story’s publication, Supermicro’s stock has bounced back.
Most upsetting is that we don’t know the truth here in any capacity. We don’t know how the story was sourced originally other than the vague descriptions given about their roles and knowledge. We don’t know what assumptions were made as Riley and Robertson almost never quoted their sources. We don’t know anything about the thirty additional companies — aside from Amazon and Apple — that were apparently affected, nor if any of the other nine hundred customers of Supermicro found malicious hardware. We don’t know what role, if any, Bloomberg’s financial services business played in the sourcing and publication of this story, since they were also users of Supermicro servers. We don’t know the truth of what is either the greatest information security scoop of the decade or the biggest reporting fuck-up of its type.
What does that say about Bloomberg’s integrity?