Apple Tells Congress 'Nothing Was Ever Found' to Suggest Alleged Supply Chain-Based Hack

[MacRumors]

Apple's top security chief told the U.S. Congress on Sunday that it had found no indication of suspicious transmissions or other evidence that its China supply chain was ever compromised (via Reuters).

In a letter to the Senate and House commerce committees, Apple Vice President for Information Security George Stathakopoulos wrote that the company had repeatedly investigated and found no evidence to support Bloomberg Businessweek's bombshell report that alleged tiny chips were discovered inside Apple servers which allowed for backdoor transmissions to Chinese spies.

"Apple's proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found," he wrote in the letter provided to Reuters.

Stathakopoulos repeated Apple's statements to the press that it had never found any such planted chips or been contacted by the FBI over the alleged matter. The letter follows a statement issued on Saturday by the U.S. Department of Homeland Security saying it had no reason to doubt the companies who denied that they had ever discovered the tiny chips.

Apple, Amazon, and Supermicro all strongly rebutted the report, which alleged that Chinese intelligence planted microchips in Supermicro servers, which Apple and Amazon previously used in their data centers.

Despite the denials, which are also backed by the UK's national cyber security agency, retired Apple general counsel Bruce Sewell, and other unnamed Apple senior executives, Bloomberg said it stood by its report as of Friday, but didn't immeditately respond to requests for comment on Sunday.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Article Link: Apple Tells Congress 'Nothing Was Ever Found' to Suggest Alleged Supply Chain-Based Hack

 

[PotatoLeekSoup]

Bloomberg joining #fakenews now? Sad!

 

[Markoth]

There are many ways to mask communications. I'm not surprised they found nothing.

 

[sjinsjca]

Outbound communications would be easy to detect. I'm suspecting the chips, if they exist, are not for surveillance but for a kill-switch purpose.

 

[Markoth]

Outbound communications would be easy to detect. I'm suspecting the chips, if they exist, are not for surveillance but for a kill-switch purpose.

They would be easy to detect only if they're not sophisticated. A couple protocols I'm aware of (and I'm sure many I'm not very familiar with) have either unused sections, or allow for extra data to be included, intended for custom extensions to the protocol, but if properly supported at both ends, can be used for almost anything else. The LZ4 compression's frame format, for example, allows for what are called "skippable frames", which are exactly that: user data which can contain anything, and are not parsed by the algorithm. I know of some other algorithms with similar concepts as well. It would take someone at the other end to receive the transmission, but I have no doubt that Apple communicates with third parties, some of which may be compromised, so the risk exists.

 

[BaltimoreMediaBlog]

This is a Dog & Pony Show. If there's an ongoing investigation, #1, they rarely will even tell you. #2 Apple and others might not even know about it. It's even possible no one will ever know if its a vulnerability that is still existing and could be done again. The government never confirms stuff like this and strongly warns companies to do the same while secretly working behind the scenes. Everyone would be told to DENY ANYTHING. If we do find out anything, it will only be AFTER any possible issue is resolved, not during. Could be years!

 

[DanBig]

There are many ways to mask communications. I'm not surprised they found nothing.

How these servers are setup with load balancer & sprayers let alone the TCP/IP streams ports and ID’s would make that close to impossible without being seen by the security tools Apple and other use. There is no exposed back doors via the management ports and access to the systems firmware must be done directly thru the management port.

Bloomberg’s report is fiction!

 

[Scottsoapbox]

There are many ways to mask communications. I'm not surprised they found nothing.

Name one undetectable by common practices.

Fortune 500 companies employ teams of IT security experts. So please enlighten us armchair hacker.

 

[Markoth]

How these servers are setup with load balancer & sprayers let alone the TCP/IP streams ports and ID’s would make that close to impossible without being seen by the security tools Apple and other use. There is no exposed back doors via the management ports and access to the systems firmware must be done directly not thru the management port.

Bloomberg’s report is fiction!

No serious hacker enters through the front door. Thinking outside the box is all the fun. I mentioned the LZ4 frame format above, but even SSH, generally considered secure, also has the potential for abuse (although admittedly it is more difficult). The initial key exchange initialization (called a kexinit packet) contains some fields that are, in my experience, usually ignored, and also happens to be transmitted in cleartext (has to be). The potential is there for abuse as well. Generally, communication originating internally is a much more difficult thing to contain, but it certainly isn't impossible.

Name one.

Fortune 500 companies employ teams of IT security experts. So please enlighten us armchair hacker.

I'm actually Security+ certified, so maybe I know a little more than you do.

 

[Sasparilla]

This is bizarre, Bloomberg had 13 sources I think. The U.S. intelligence community saying one thing or the other (based on past examples) doesn't fill me with confidence one way or another (since they have lied to the public and politicians to suit their purposes in the recent past).

This is also a story that is violently being put down by the powers that be.

At this point Bloomberg needs to have its sources come forward and examples of the compromise (or documents proving this happened etc.) be shown. Is it possible the intelligence community's (five eyes) and these companies don't want this to have happened? (each for their own reasons)

In the article Apple was a minor part, with Amazon the real player where most of the action supposedly took place.

 

[Scottsoapbox]

No serious hacker enters through the front door. Thinking outside the box is all the fun. I mentioned the LZ4 frame format above, but even SSH, generally considered secure, also has the potential for abuse (although admittedly it is more difficult). The initial key exchange initialization (called a kexinit packet) contains some fields that are, in my experience, usually ignored. The potential is there for abuse as well. Generally, communication originating internally is a much more difficult thing to contain, but it certainly isn't impossible.

I'm actually Security+ certified, so maybe I know a little more than you do.

Wow a certification! How many *weeks* was the class for that? I mean the exam has 90 whole questions.

You know some people get whole degrees from accredited universities in this stuff.

Again you didn't list an undetectable way to communicate massive data with China. You listed areas that "abuse" could occur. Malware doing something is one thing. Malware on thousands of servers transmitting back to the motherland without any notice of the outbound traffic is something completely different.

 

[Markoth]

Wow a certification! How many *weeks* was the class for that? I mean the exam has 90 whole questions.

You know some people get whole degrees from accredited universities in this stuff.

Again you didn't list an undetectable way to communicate massive data with China. You listed areas that "abuse" could occur. Malware doing something is one thing. Malware on thousands of servers transmitting back to the motherland without any notice of the outbound traffic is something completely different.

I have a degree from an accredited university, and I also have multiple certifications. I can send you the certs in an email if you're curious.

Insulting the Security+ makes you look foolish, so please continue.

 

[cmaier]

There are many ways to mask communications. I'm not surprised they found nothing.

Exactly!! In fact, the evidence of nothingness is proof of the opposite!

Oh, wait....

 

[jtara]

They would be easy to detect only if they're not sophisticated. A couple protocols I'm aware of (and I'm sure many I'm not very familiar with) have either unused sections, or allow for extra data to be included, intended for custom extensions to the protocol, but if properly supported at both ends, can be used for almost anything else. The LZ4 compression's frame format, for example, allows for what are called "skippable frames", which are exactly that: user data which can contain anything, and are not parsed by the algorithm. I know of some other algorithms with similar concepts as well. It would take someone at the other end to receive the transmission, but I have no doubt that Apple communicates with third parties, some of which may be compromised, so the risk exists.

Unlikely, in this case.

As I understand it, this modification involves the management processor. The management processor normally does NOT share the Ethernet interface with the CPU. Management processors have their own physically separate Ethernet connection. It would not be practical to use this to piggyback data out on the main Ethernet interface(s) connected to the CPU, where one might find traffic suitable for piggybacking.

I agree with Markoth. "kill switch", if taken in the most literal sense, would be super easy, since the management processor typically has control over the server power.

IMO, it wasn't intended to exfiltrate data - not through "the chip", at least. But that doesn't rule out that some code INJECTED by the device might exfiltrate through the CPU network interface(s).

Getting commands in is a toughie. Unexpected traffic on the management Ethernet port could be easily detected by an upstream switch (if looking for it). And ought to be configured with tight control over sources. For one, would probably be on a management VLAN locally.

There may be no need to command it. Just a timer. At some time when it is likely the server is installed and passed any installation security checks, it injects what it needs to inject, and it's job is done.

 

[Menopause]

Bloomberg just wanna pull a CNN / Washington Post

 

[mmomega]

That diagram and entire article looks like something out of a 1993 Popular Mechanics magazine.

 

[Markoth]

Exactly!! In fact, the evidence of nothingness is proof of the opposite!

Oh, wait....

I never said there was proof of anything, but my point is that proof of nothing, proves nothing...

 

[jtara]

To repeat the speculation I made in the other post about this, based on the size of the chip described, the physical depiction (which I assume is not the ACTUAL chip), and the description of it as disguised as a "signal conditioning" component, it could be disguised as a small choke (inline coil, simple as that) which are commonly found on lines entering/existing circuit boards. It could also be disguised (as I speculated in the other post, actually) as a distributed filter capacitor. With a circuit board mod with clever routing of traces, inductive coupling from a signal line from the management chip might be possible. So, you have a two-terminal device that acts like a three-terminal device, and is perhaps capable of either "listening" or "injecting" signals from/onto the serial management bus.

Arguments agains expecting that this needs to be a large chip or have a large number of pins are off base, IMO. It's not a chip expected to do a lot of crunching or tapping large data flows.

 

[Markoth]

Unlikely, in this case.

As I understand it, this modification involves the management processor. The management processor normally does NOT share the Ethernet interface with the CPU. Management processors have their own physically separate Ethernet connection. It would not be practical to use this to piggyback data out on the main Ethernet interface(s) connected to the CPU, where one might find traffic suitable for piggybacking.

I agree with Markoth. "kill switch", if taken in the most literal sense, would be super easy, since the management processor typically has control over the server power.

IMO, it wasn't intended to exfiltrate data - not through "the chip", at least. But that doesn't rule out that some code INJECTED by the device might exfiltrate through the CPU network interface(s).

Getting commands in is a toughie. Unexpected traffic on the management Ethernet port could be easily detected by an upstream switch (if looking for it). And ought to be configured with tight control over sources. For one, would probably be on a management VLAN locally.

There may be no need to command it. Just a timer. At some time when it is likely the server is installed and passed any installation security checks, it injects what it needs to inject, and it's job is done.

It's the mere possibility that should be concerning to Apple. There are all sorts of even more sophisticated methods that may be used. It's really just a matter of resources and motivation. Apple's a large enough player in the world economy, that the motivation definitely exists to pull off a major breach, and China has definitely proven itself to have the resources. It wouldn't surprise me, that's all.

 

[jtara]

There is no exposed back doors via the management ports and access to the systems firmware must be done directly not thru the management port.

One of the PURPOSES of the management port is for updating system firmware. Nobody takes a cart down the row updating firmware on thousands of servers. It's done remotely. The management port has "out of band" communication. e.g. it has it's own, separate, physical Ethernet port.

 

[AngerDanger]

That diagram and entire article looks like something out of a 1993 Popular Mechanics magazine.

And from a quick glance, it looks like the illustrations depict china hacking our pencils!

 

[jtara]

That diagram and entire article looks like something out of a 1993 Popular Mechanics magazine.

And you have a problem with an illustration that evokes one of the masters of mechanical/scientific illustration?!
[doublepost=1538947906][/doublepost]

And from a quick glance, it looks like the illustrations depict a chip wrapped up inside of a pencil.

Where do you get that?

I see a chip, suspended in mid-air, above a pencil, in order to provide a comparison with the size of a pencil tip. What you see "wrapped up inside of a pencil" is the pencil "lead" (which probably isn't made of lead...). I guess it's true, people don't use pencils any more.

Maybe you haven't seen enough "chips" of different kinds.

It looks like many types of small surface-mount components, such as a capacitor, resistor, choke, diode, transistor, etc. They still use those, you know. Not every "chip" has fifteen-gazillion legs or pads.

 

[Markoth]

One of the PURPOSES of the management port is for updating system firmware. Nobody takes a cart down the row updating firmware on thousands of servers. It's done remotely. The management port has "out of band" communication. e.g. it has it's own, separate, physical Ethernet port.

Would be a great way to infect firmware, though. I've used iDRAC on a few Dell servers in the past, and the power it gives you is somewhat concerning, if it were ever to be compromised.

 

[jtara]

The U.S. intelligence community saying one thing or the other (based on past examples) doesn't fill me with confidence one way or another

The US intelligence community hasn't commented. Homeland Security has. Homeland Security is, for all intents and purposes, an extension of the White House.

 

[djcerla]

The SEC should check very carefully the short selling activity on that supplier’s stock.