Bloomberg's 'The Big Hack'

Bloomberg Businessweek today published an absolutely incredible story claiming that Chinese intelligence compromised thousands of data center servers by infiltrating the supply chain to insert hard-to-detect rogue chips on motherboards from a company named Supermicro. The whole report, by Jordan Robertson and Michael Riley, is worth reading.

Bloomberg says Apple and Amazon were among the companies that installed the compromised hardware. Apple and Amazon both strongly deny the report. Somebody is wrong or lying; this cannot all be true.

From Bloomberg's report, regarding Amazon:

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

Regarding Apple:

Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.

Regarding the two companies' denials:

The companies’ denials are countered by six current and former senior national security officials, who — in conversations that began during the Obama administration and continued under the Trump administration — detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim.

The companies' denials, however, appear unequivocal. Apple's statement to Bloomberg:

Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

The statement is attributed only to “Apple”, so presumably it was written by Apple PR. Amazon gave Bloomberg a similar statement, but later published a full response, signed by the company's chief information security officer, Steve Schmidt. Schmidt is firm and unequivocal:

There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).

The article also claims that after learning of hardware modifications and malicious chips in Elemental servers, we conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data center. This claim is similarly untrue. The first and most obvious reason is that we never found modified hardware or malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers in any of our data centers.

I don't see any way around this: either Bloomberg's report is flatly wrong, at least as it pertains to Amazon and Apple, or Apple and Amazon have issued blatantly false denials. Perhaps you could argue that Apple's denial is just a statement from Apple PR. I don't think this happens, but hypothetically the matter could be considered so sensitive, both within the company and as a national security issue, that the people at Apple who know about the situation have kept it from Apple PR. But in my experience, Apple PR does not lie. Do they spin the truth in ways that favor the company? Of course. That's their job. But they don't lie, because they understand that one of Apple's key assets is its credibility. They'd say nothing before they'd lie.

It is even more telling that Schmidt signed his name to Amazon's response. Presumably no one at Amazon is more familiar with the details of any such breach than Schmidt.

Either way, there is more to this story, and the credibility of either Bloomberg or of Apple and Amazon is going to take a major hit. The latter two are currently the most valuable publicly traded companies in the world.

A few other tidbits worth noting from Bloomberg's report:

One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen.

And this, from Amazon's response:

Because Elemental appliances are not designed to be exposed to the public internet, our customers are protected against the vulnerability by default.

I don't understand how, if these servers weren't exposed to the public internet, they could “phone home” to Chinese servers outside the data center.

Technical details aside, the story's whole central premise is correct: China cannot be trusted as a state actor, yet the entire tech industry relies on Chinese supply chains. It is entirely plausible that managers at Chinese factories are susceptible to bribes and to the threat of “inspections” that would shut their factories down. From Bloomberg's report:
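The question raised above, whether an appliance that is not meant to be reachable from the public internet could still report out to a server beyond the data center, is, from the defender's side, an egress-monitoring question: a host that by policy should only talk to internal addresses should never appear as the source of a flow to an external address, and a rogue component on the board would have to produce exactly such a flow to be of any use. The following is an added example, not code from the original post, from Bloomberg, or from Amazon. It assumes a constructed five-field flow-log format (timestamp, source IP, destination IP, destination port, bytes), a constructed appliance subnet 10.20.0.0/24, and an explicit allowlist of internal address ranges; the sample flow lines are constructed.

```python
"""Flag direct egress from appliance hosts that, by policy, have no internet path.

Added example, not from the original post or from Bloomberg/Amazon. Assumes a
constructed flow-log line format: "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes>".
"""
import ipaddress
from collections import Counter

# Constructed policy: these hosts may only talk to internal addresses.
APPLIANCE_SUBNET = ipaddress.ip_network("10.20.0.0/24")

# "Internal" is an explicit allowlist (RFC 1918 plus loopback and link-local),
# not Python's IPv4Address.is_private, which also counts documentation ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def is_internal(addr):
    """True if addr falls inside one of the allowlisted internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one constructed flow line into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, nbytes = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"ts": ts, "src": src, "dst": dst,
                "port": int(port), "bytes": int(nbytes)}
    except ValueError:
        return None


def find_unexpected_egress(lines, appliance_subnet=APPLIANCE_SUBNET):
    """Return flows whose source is an appliance host and whose destination is external."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if ipaddress.ip_address(flow["src"]) in appliance_subnet and not is_internal(flow["dst"]):
            hits.append(flow)
    return hits


def summarize_by_peer(flows):
    """Count flows per (src, dst, port) so repeated small check-ins stand out."""
    return Counter((f["src"], f["dst"], f["port"]) for f in flows)


# Constructed sample flows: one appliance host repeatedly reaches an external
# address on port 443 with small payloads; other lines are normal or malformed.
SAMPLE_FLOWS = [
    "2018-10-04T10:00:01Z 10.20.0.15 10.20.1.5 443 5120",
    "2018-10-04T10:00:07Z 10.20.0.15 203.0.113.9 443 312",
    "2018-10-04T10:05:07Z 10.20.0.15 203.0.113.9 443 298",
    "2018-10-04T10:06:00Z 10.20.0.22 10.0.0.53 53 140",
    "2018-10-04T10:10:07Z 10.20.0.15 203.0.113.9 443 305",
    "2018-10-04T10:11:00Z 10.30.0.8 198.51.100.4 443 40960",  # not an appliance host
    "malformed line",
]

if __name__ == "__main__":
    hits = find_unexpected_egress(SAMPLE_FLOWS)
    for (src, dst, port), n in summarize_by_peer(hits).items():
        print(f"appliance {src} -> {dst}:{port} seen {n} times")
```

The check only catches the direct case, an appliance opening its own connection to an external address; traffic relayed through an allowed internal host (a proxy, a DNS resolver) would pass this filter and needs the same question asked of that host's egress.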

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

Lastly, regardless of the report's accuracy, Bloomberg should be proud of this sentence:

Two of Elemental’s biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not.

Update: Apple has issued an even stronger denial of Bloomberg's report.