Apple CEO Tim Cook is calling on Bloomberg Business to retract a story that said his company was the victim of a hardware-based attack carried out by the Chinese government. It’s the first time Apple has ever publicly demanded a retraction, according to BuzzFeed.
Since Bloomberg published the exclusive article 15 days ago, a gaggle of companies, well-placed government officials, and security researchers have publicly challenged its accuracy.
Apple and Amazon have said they have no knowledge of ever finding or removing servers that contained the kind of spy chips Bloomberg alleged were found in the companies’ networks. Supermicro has also denied knowing anything about malicious chips being secretly implanted into any of its motherboards during the manufacturing process, as Bloomberg reported.
Meanwhile, an official from the US Department of Homeland Security has said he has no reason to doubt the Apple and Amazon denials, and a top official with the National Security Agency has said the vast resources at his disposal have been unable to confirm the report. As Ars reported last week, hardware experts, including two who were contacted by Bloomberg when reporting the story, said the kind of chip-based backdoors alleged by Bloomberg are extremely complex, particularly when introduced in the supply chain. They said state-sponsored attackers likely would prefer to exploit the numerous firmware vulnerabilities that affect motherboards from Supermicro and other makers.
An article BuzzFeed published on Friday said Cook is now calling on Bloomberg to retract the claims, which are solely attributed to unpublished information provided by 17 unnamed people the news service says worked for US governmental agencies and the companies that discovered and removed backdoored servers from their networks. Cook went on to issue a new round of unusually direct denials.
According to BuzzFeed:
“I was involved in our response to this story from the beginning,” said Cook.
“I personally talked to the Bloomberg reporters along with Bruce Sewell, who was then our general counsel. We were very clear with them that this did not happen, and answered all their questions,” said Cook. “Each time they brought this up to us, the story changed, and each time we investigated we found nothing.”
“This did not happen. There’s no truth to this.”
In addition to disputing the report itself, Cook also took issue with the lack of evidence he said Bloomberg supplied to document its claims. Cook said the reporters never provided Apple with any specific details about the malicious chips it is alleged to have found and removed. He added that he thinks the allegations are undergirded by “vague secondhand accounts.”
“We turned the company upside down,” Cook said. “Email searches, data center records, financial records, shipment records. We really forensically whipped through the company to dig very deep and each time we came back to the same conclusion: This did not happen. There’s no truth to this.”
In an email, a Bloomberg representative wrote: “Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews. Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”
The representative didn’t answer questions asking about Bloomberg’s policy on anonymous sources or if the service had plans to offer verifiable evidence in light of the unusually vigorous and detailed denials.