Security researcher source in Supermicro chip hack report casts doubt on story

Updated: The explosive report "doesn't make sense," according to the expert who described how hardware implants are used in theoretical attacks.
Written by Charlie Osborne, Contributing Writer

A security researcher cited in a recent Bloomberg report on the alleged compromise of Supermicro hardware for the purposes of cyberespionage has cast doubt on the validity of the story.

Last Thursday, Bloomberg reported that Supermicro server hardware, used in supply chains worldwide, had been compromised through hardware implants designed to create backdoors into enterprise systems.

The publication said that 30 companies in total may have been affected, including Amazon, Apple, and a major bank.

The news sent Supermicro shares plummeting and was quickly followed with denials from the named companies.

AWS rejected the report outright, and Steve Schmidt, its Chief Information Security Officer, added that "there are so many inaccuracies in this article as it relates to Amazon that they're hard to count."

Apple said the company has "never found malicious chips, hardware manipulations or vulnerabilities purposely planted in any server."

Supermicro also denied the claims of the investigation, saying, "we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard."


The enterprise players were followed by the US Department of Homeland Security (DHS) and the UK's National Cyber Security Centre (NCSC), part of the Government Communications Headquarters (GCHQ), in denying the findings of the investigation.

Now, a named source has also cast doubt on the validity of the report, which otherwise relies on 17 anonymous sources.

Joe FitzPatrick, the founder of Hardware Security Resources LLC, is one of the few named sources in the story and was asked to contribute because of his expertise in hardware security.

However, in a podcast with Risky Business, the hardware security expert said the hardware backdoor described in the article "didn't make sense."

When asked about how such hardware implants work, FitzPatrick is quoted as saying, "the hardware opens whatever door it wants."

As for his own attributed quote, the researcher said it was "factually accurate in some contexts," adding:

"Hardware is a stepping stone. You put hardware in a device to help you persist the software, the malware.
You don't put hardware in a device to do the whole attack, you put hardware in the device to unlock the keys, to elevate the privileges on the shell, to open the network port and then you take a software or network/remote approach to do the rest of the work."

Speaking on the podcast, FitzPatrick said he had been in contact with Bloomberg since last year but was not given any concrete details of the story until last month.


"What really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at Black Hat two years ago worked," the researcher said.

FitzPatrick said he felt "uneasy" reading the report, commenting:

"I am just Joe. I do this stuff solo, I am building hardware implants for fun to show off at conferences, I'm not a professional at building hardware implants. [...]
I feel like I have a good grasp of what is possible, what's available, and how to do it, just from my practice -- but it was surprising to me that in a scenario in which I would describe these things, and then he [Bloomberg] would go and confirm these things, 100 percent of what I described was confirmed by his sources.
Either I have excellent foresight or something else is going on."


There are easier ways to conduct such attacks on a supply chain, including various hardware, software, and firmware approaches.

For example, FitzPatrick told a Bloomberg journalist in an email exchange that targeting baseboard management controllers (BMCs) running outdated firmware could be "just as stealthy and could be far less costly to design and implement."
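The practical takeaway from that point, for a defender, is that BMC firmware currency is something to inventory and audit rather than assume. The script below is an added example, not code from the article or from FitzPatrick: it parses the text that `ipmitool mc info` prints for each host, extracts the "Firmware Revision" line and flags hosts below a baseline. The sample output, the host names and the baseline version are constructed for the example; the baseline should come from the vendor's own advisory for the board in question.

```python
"""Flag BMCs whose reported firmware revision is below a known-good baseline.

Added example. Input is the text printed by `ipmitool mc info` (the
"Firmware Revision" line is what we care about). Everything below that
looks like inventory data is constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `ipmitool mc info` output for two hosts.
# Real output has more lines; only the firmware line is parsed.
SAMPLE_MC_INFO: Dict[str, str] = {
    "node-a": (
        "Device ID                 : 32\n"
        "Device Revision           : 1\n"
        "Firmware Revision         : 3.68\n"
        "IPMI Version              : 2.0\n"
    ),
    "node-b": (
        "Device ID                 : 32\n"
        "Device Revision           : 1\n"
        "Firmware Revision         : 1.22\n"
        "IPMI Version              : 2.0\n"
    ),
    # A host whose BMC did not answer: no firmware line at all.
    "node-c": "Error: Unable to establish IPMI v2 / RMCP+ session\n",
}

# Placeholder baseline (assumption): the minimum revision your vendor
# advisory lists as current for this board. Not taken from the article.
MIN_FIRMWARE: Tuple[int, int] = (3, 60)

# Both fields are treated as decimal integers; this is a simplification
# of how some BMCs encode the minor revision.
FW_RE = re.compile(r"^Firmware Revision\s*:\s*(\d+)\.(\d+)\s*$", re.M)


def parse_firmware_revision(mc_info: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an `ipmitool mc info` dump, or None if
    the firmware line is missing (unreachable BMC, garbled output)."""
    match = FW_RE.search(mc_info)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def is_outdated(version: Optional[Tuple[int, int]],
                minimum: Tuple[int, int] = MIN_FIRMWARE) -> bool:
    """A missing version counts as outdated: an unknown BMC is a finding,
    not a pass."""
    return version is None or version < minimum


def audit(inventory: Dict[str, str],
          minimum: Tuple[int, int] = MIN_FIRMWARE) -> List[str]:
    """Return the sorted host names whose BMC firmware is missing or
    below the baseline, so the result can be fed to a ticketing step."""
    return sorted(
        host for host, text in inventory.items()
        if is_outdated(parse_firmware_revision(text), minimum)
    )


if __name__ == "__main__":
    for host in audit(SAMPLE_MC_INFO):
        print(f"{host}: BMC firmware missing or below {MIN_FIRMWARE}")
```

The point of treating an unparseable result as a finding is that a BMC that cannot be queried is exactly the one whose firmware state you know least about; silently skipping it would hide the hosts most worth a closer look.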

The theoretical approach discussed with Bloomberg is not "scalable or logical," according to the hardware expert. When FitzPatrick queried the possibility and accuracy of an attack of such scale, in an emailed response, the journalist confirmed that it sounded "crazy," but pointed out that "lots of sources" had corroborated the findings.

"I couldn't rationalize in my head that this is the approach that anyone could take," the researcher added.

FitzPatrick remains skeptical, saying that overall the publication's technical details are "jumbled": "not outright wrong, but they are theoretical."

"I have my doubts on this one," the researcher added.

At the time of writing, the Supermicro share price appears to be stabilizing and has climbed 19 percent to $14.75 since yesterday's market close.

Update 19.49 BST: A Bloomberg News spokesperson told ZDNet:

"As is typical journalistic practice, we reached out to many people who are subject matter experts to help us understand and describe technical aspects of the attack.
The specific ways the implant worked were described, confirmed, and elaborated on by our primary sources who have direct knowledge of the compromised Supermicro hardware. Joe FitzPatrick was not one of these 17 individual primary sources that included company insiders and government officials, and his direct quote in the story describes a hypothetical example of how a hardware attack might play out, as the story makes clear.
Our reporters and editors thoroughly vet every story before publication, and this was no exception."
