On Thursday morning, Bloomberg published a bombshell story claiming that the Chinese government had used tiny microchips to infiltrate the data centers of Apple and Amazon. Apple and Amazon, for their part, responded with unusually specific and categorical denials. It’s clear that someone is making a big mistake, but 24 hours later, it’s still not clear whether it’s Bloomberg or the technology companies.
On Thursday afternoon, Apple laid out its case against the story in a lengthy post on its website. The post specifically disputed a number of Bloomberg’s claims. For example, Bloomberg says that after discovering a mysterious chip in one of its servers, Apple “reported the incident to the FBI,” leading to an investigation. Apple flatly denies that this occurred.
“No one from Apple ever reached out to the FBI about anything like this,” Apple writes. “We have never heard from the FBI about an investigation of this kind.”
Amazon’s response has been equally emphatic and detailed. “There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count,” Amazon wrote on Thursday. “We never found modified hardware or malicious chips in servers in any of our data centers.”
Yet Bloomberg reporter Jordan Robertson, one of the article’s co-authors, has stood by his story. In a Thursday afternoon appearance on Bloomberg TV, Robertson said that he talked to 17 anonymous sources—both in US intelligence agencies and at affected companies—who confirmed the story.
So what’s going on? It’s clear that someone isn’t telling the truth, but it’s hard to tell what the real story is.
Apple ruled out one possible theory in its statement, saying that “we are not under any kind of gag order or other confidentiality obligations.” US law does allow the government to bar companies from disclosing information that would jeopardize national security. But as far as we know, the feds can’t force a company to say something that’s not true. The specificity of Apple’s denials, combined with its clear statement that it’s not subject to any kind of gag order, makes this seem like an unlikely explanation.
A blog post by computer security expert Nicholas Weaver argues that the situation Bloomberg describes is at least plausible. He points out that last year, The Information reported that in 2016 Apple had pulled servers manufactured by Super Micro from its data centers after an unspecified security incident.
Luckily, we’re likely to know the answer one way or the other in the coming days. If the Bloomberg story is true, there are thousands of compromised motherboards out there, and companies will be scouring their data centers for them. People have already identified the specific circuit board featured in the graphic at the top of the Bloomberg article, though it’s not clear if this is a real photograph or a Bloomberg-made mockup. If the story is accurate, sooner or later someone will produce a compromised board and do a public teardown.