Apple, Amazon server spy story is wake-up call to security pros

I'm not convinced at the 'spy-chip' claims, but the tale helps illustrate the complex security challenges enterprises face.


Apple and Amazon have strenuously denied Bloomberg’s claims of a sophisticated hardware exploit against servers belonging to them and numerous other entities, including U.S. law enforcement.

Chinese, Apple and chips

Put in very simple terms, the claim is that malicious chips were found inside servers used in data centers belonging to the tech firms.

These chips (it’s claimed) worked to exfiltrate data from those servers, which were themselves sourced from server manufacturer Super Micro. That company’s server products are/were also used by Amazon, the U.S. government, and 30 other organizations. The chips were allegedly put in place by employees bribed by Chinese government agents.

If that’s true, this constitutes a severe security incident. The reporters claim to have a number of witnesses to these events, though all parties strenuously deny the allegations.

To get up to date, read these reports:

  • Bloomberg’s assertion
  • Apple’s rebuttal.
  • Amazon’s denial.
  • Super Micro’s refutation.
  • U.K. government's National Cyber Security Centre backs Apple and Amazon's denials.
  • U.S. government Department of Homeland Security also supports Apple and Amazon's denials of these claims.

Here are some thoughts on the claims:

1. Everyone denies the claims

Apple, Amazon, and Super Micro have all issued strongly worded statements in which they refute these allegations (above). Not only will those rebuttals have gone through a rigorous legal screening process to ensure veracity, but the fact that government agencies may also have been hit means the legal side of this matter must be a high-stakes game.

Apple’s statement concedes a previously reported 2016 incident when the company found an infected driver on a single Super Micro server in one of its labs, but it said this was found to be “accidental and not a targeted attack against Apple.”

The denials are so strenuous that it seems reasonable to think that if the Bloomberg report does turn out to be true, then all three tech firms must be telling untruths. I don’t feel that’s likely.

2. The spying games

The world is full of hackers, cyber criminals, and spies. Governments spy on their own people and on each other. Security is always being tested in many different ways.

This is why strategically important entities like Apple have their own incident response teams tasked with monitoring their systems for any signs of the kind of data exfiltration mentioned in this report.

Apple is well aware of the nature of an advanced persistent threat (APT) in which an intruder has found a way to lurk surreptitiously inside a company’s systems to steal secrets and intellectual property.

The company says it works to “constantly fortify” itself against increasingly sophisticated attacks. This would also include attempts to insert malware (or fake components) inside new machines it placed inside its networks, such as Bloomberg’s claimed “spy chips.”

It would seem strange that neither Apple nor Amazon would notice the unusual network activity that a processor hack like this would generate.

3. Inside the FUD processor

The Register’s Kieren McCarthy has an interesting take on the physical capabilities of the kind of chip described by Bloomberg. It’s well worth a read.

His conclusion is that while the exploit may be possible, it is extremely complex, and the rogue chip described in the report would be a highly sophisticated piece of hardware to create.

I can’t help but think that if government spies went to the trouble and expense of creating a spy chip like the one described in the report, then they’d be likely to also attempt to install it into servers belonging to other major companies, such as Microsoft or Google. It seems more likely they would than that they wouldn’t.

4. Who watches the watchmen?

The primary source seems to come from a tech/government meeting of a few dozen people that took place in 2015. Bloomberg has taken this story and added evidence garnered from other sources to craft its claims, in which it cites anonymous insiders from Apple, Amazon, and U.S. law enforcement.

I can’t help but wonder why it has no input from other major tech companies that would be more likely to be impacted, given their cloud-based enterprise offerings. If the rogue processor exists at all, why wouldn’t similar attempts also be made against Cisco, Google, Microsoft, and Oracle? Were contacts at those companies asked about this story? To what extent have these claims emerged from competitors of the named firms who may also have attended that meeting?

The story also hinges on a report that witnesses told Bloomberg exists but the reporters do not claim to have seen. “Where did this alleged report come from? Who commissioned it? Who wrote it? Should we trust who claims to have seen it?” asks McCarthy.

5. What's in a word?

I’ve written about Apple for decades. I’ve seen claims come, and I’ve seen claims go. With that in mind, I find it difficult to understand why the company has chosen to comment on this occasion. It would not be unusual for it to decline comment on grounds of "national security." That it has commented suggests (as the company states) that it is not under any form of gagging order on this matter — which I’d imagine it would be if this story were true.

Where the puck is going

True or false, I think the report illustrates several matters that should inform any enterprise security professional’s outlook:

  1. It is highly probable that sophisticated attempts to place digital spies inside enterprise systems are already taking place. Perpetrators could be highly organized criminals or state-sponsored entities. Many enterprises may already have been penetrated by some form of APT attack.
  2. It seems likely numerous agencies are attempting to undermine hardware security by placing software-based backdoors or hardware-based vulnerabilities inside shipping systems. Enterprises should watch for and resist all such attempts.
  3. It is clear that traditional security models built around perimeter defense are no longer adequate to protect systems. It’s not enough to place a wall against external attacks; it is now important to monitor internal systems for signs of compromise. AI self-defense may help in this.
  4. Network monitoring, analysis of file and folder content in search of unauthorized data archives and investigation of overnight logins by accounts with high access rights may help identify covert invasions. If these rogue chips existed, they would have needed somewhere to store the data they were attempting to exfiltrate, as well as the network bandwidth to transmit it at an indeterminate point. Which servers do your systems talk to? Do you use whitelisting or geofencing to protect against unauthorized incursions?
  5. Modern computer security requires forensic investigation, network analysis, and incident containment skills to supplement good security practices.
  6. If it comes in a box — check it, verify it, and change its default passwords.
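Two of the checks in item 4 above, off-hours logins by accounts with high access rights and server traffic to destinations nobody approved, are simple enough to show in code. The following is an added example, not code from the article or from any of the companies it discusses. The log formats, hostnames, IP addresses, business-hours window and egress allowlist are all constructed for the illustration; a real deployment would read these from its own authentication and flow logs.

```python
"""
Added example (not from the article): two of the detections the list
above describes, run over constructed sample log lines.

  1. Interactive logins by privileged accounts outside business hours.
  2. Outbound connections from servers to destinations that are not on
     an explicit allowlist (the "which servers do your systems talk to?"
     question), optionally filtered to transfers above a size threshold.

Every log format, host, IP and account name here is invented.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List

# --- constructed sample data -------------------------------------------
# Format: "<ISO timestamp> login user=<name> host=<host> src=<ip>"
AUTH_LOG = """\
2018-10-05T09:12:03 login user=jdoe host=build-12 src=10.1.4.20
2018-10-05T02:41:55 login user=root host=db-01 src=10.1.4.77
2018-10-05T23:58:10 login user=backup-svc host=db-02 src=10.1.4.9
2018-10-05T14:05:41 login user=admin host=web-03 src=10.1.4.20
"""

# Format: "<ISO timestamp> conn host=<host> dst=<ip> port=<port> bytes=<n>"
CONN_LOG = """\
2018-10-05T03:00:12 conn host=db-01 dst=10.1.9.5 port=443 bytes=5120
2018-10-05T03:00:30 conn host=db-01 dst=203.0.113.77 port=443 bytes=8388608
2018-10-05T10:15:00 conn host=web-03 dst=198.51.100.10 port=443 bytes=2048
"""

# Accounts treated as "high access rights" (constructed).
PRIVILEGED = {"root", "admin", "backup-svc"}
# Interactive use of those accounts is expected only in this window.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# Allowlisted egress: the internal range plus one approved external /24.
EGRESS_ALLOWLIST = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _fields(line: str) -> Dict[str, object]:
    """Split one log line into its timestamp, record kind and key=value tokens."""
    ts, kind, *kv = line.split()
    out: Dict[str, object] = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for token in kv:
        key, _, value = token.partition("=")
        out[key] = value
    return out


def off_hours_privileged_logins(log: str) -> List[Finding]:
    """Flag logins by PRIVILEGED accounts that fall outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    findings = []
    for line in log.splitlines():
        f = _fields(line)
        if f["kind"] != "login" or f["user"] not in PRIVILEGED:
            continue
        if not (start <= f["ts"].time() < end):
            findings.append(Finding(
                "off-hours-privileged-login", f["host"],
                f"{f['user']} at {f['ts'].isoformat()} from {f['src']}"))
    return findings


def unapproved_egress(log: str, min_bytes: int = 0) -> List[Finding]:
    """Flag server connections to destinations outside EGRESS_ALLOWLIST.

    min_bytes lets an analyst focus on transfers large enough to matter
    when hunting for bulk exfiltration rather than single beacons.
    """
    findings = []
    for line in log.splitlines():
        f = _fields(line)
        if f["kind"] != "conn":
            continue
        dst = ip_address(f["dst"])
        if any(dst in net for net in EGRESS_ALLOWLIST):
            continue
        if int(f["bytes"]) < min_bytes:
            continue
        findings.append(Finding(
            "unapproved-egress", f["host"], f"{f['bytes']} bytes to {dst}:{f['port']}"))
    return findings


if __name__ == "__main__":
    for finding in off_hours_privileged_logins(AUTH_LOG) + unapproved_egress(CONN_LOG):
        print(f"[{finding.rule}] {finding.host}: {finding.detail}")
```

On the sample data the first check flags the 02:41 root login and the 23:58 backup-svc login, and the second flags the single 8 MB transfer from db-01 to an address outside the allowlist while leaving the internal and approved-external connections alone. The allowlist is the point: an "unknown destination" rule only works if someone has first written down which destinations a server is supposed to talk to.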

Signing-off, I’m not personally convinced Bloomberg has its story straight on this matter, but the tale helps illustrate the complex security environment of our increasingly connected yet tragically polarized age.

Updated October 7 with Department of Homeland Security rejection of Bloomberg claims.
