One of the sources in the Bloomberg material about Chinese bugs in server boards stated that the publication had distorted his words.

He claims that he was talking about how such an attack could be implemented.

Joe Fitzpatrick (right) at the Defcon hacker conference

Security expert Joe Fitzpatrick said that Bloomberg had taken his words out of context and distorted their meaning. He gave reporters comments only about the hypothetical possibility of an attack “with hardware implants” and was surprised to learn that his theory was given for the truth. Fitzpatrick spoke about the situation during an interview with the Risky Business podcast; his words are quoted in the 9to5Mac edition.

Fitzpatrick was one of the few non-anonymous sources, referred to by Bloomberg in the material on the implementation of spy chips in server motherboards. The publication stressed that the main reason for the publication of the investigation were immediately 17 independent interlocutors.

Journalists claimed that at Chinese factories of one of the largest suppliers of server hardware Super Micro, intelligence agencies had been inserting spy-chips into motherboards for several years. After that, servers with bugs are allegedly sent to large American companies, and Chinese authorities can access and listen to them.

However, Fitzpatrick has a different version. He claims that he spent a lot of time explaining to Bloomberg how to implement the “hardware implant” attack in practice. He also described in detail how the devices that he made for display at the Black Hat hacker conference two years ago work.

He liked to talk to journalists, because they wanted to know how things work. Fitzpatrick expected that the publication is preparing material only about the possible methods of such hacking. However, as the expert noted, as a result, journalists simply reprinted his theory, presenting it as reality.

It struck me that everything even remotely technical details were taken from my comments. I was surprised that I just described these things to them, and they went and confirmed 100% of everything I told them from sources.

Joe Fitzpatrick
information security researcher and expert

According to Fitzpatrick, his claims also relate to the image that Bloomberg issued as a snapshot of a spy chip. The expert said that in September, journalists asked him what a connector or antenna amplifier might look like and he sent them a link to the Mouser online store. In the material he saw images from this site.

Microchip (right), which Bloomberg issued for a spy bug. Image of bloomberg

When Bloomberg reporter Jordan Robertson told Fitzpatrick exactly what history he was doing and revealed some of the defendants in the investigation, the expert said that for him it “does not make sense”.

My job is to teach people how to secure their hardware. Spreading fear about hardware vulnerabilities, uncertainty, and doubts will only increase my financial gain. But in fact, this [the introduction of spy chips] does not make sense – there are many more simple ways to do this.

Joe Fitzpatrick

According to Fitzpatrick, there are many vulnerabilities in hardware, software, and firmware. He doubted that someone really could have implemented the Bloomberg article.

The approach they described cannot be scaled. It is illogical and this is not how I would do it. Or as someone I know, did it.

Joe Fitzpatrick

After that, the researcher asked the journalists if they were sure that the boards had additional hardware. Fitzpatrick noted that to achieve the same result, it would be much easier to modify the firmware of the motherboard control controller, which is in each board.

The expert separately explained that inserting an additional chip could easily lead to its detection. Therefore, it is more logical to use vulnerabilities in already existing components, many of which are responsible for several functions at once.

Fitzpatrick concluded that the technical details in the article are “confused.” He noted that although journalists are not completely mistaken, they refer to theoretical possibilities, and not facts.

Bloomberg published an investigation into the introduction of chips at Super Micro plants on October 4, before the opening of the exchange. A few hours later, the company ‘s shares fell by 60%.

In the material of the publication, “victims” of the attack called several large companies with reference to their employees, including Apple and Amazon. Both corporations almost immediately began to deny the detection of bugs, and Apple released a massive analysis of the situation on the site. In it, the company told how, throughout the year, it communicated with journalists and explained that it did not know anything about Chinese spyware chips.

Back to top button