A tech consultant and journalist specializing in server hardware says that some of the Bloomberg spy chip claims are completely implausible, while others are simply impossible.
We’ve commented before on the complete lack of technical detail in the Bloomberg report about how the supposed hack actually worked. Writing on STH, Patrick Kennedy opens his piece by referencing what he calls the ‘astounding plausibility and feasibility gaps in Bloomberg’s description of how the hack worked.’
But Kennedy says that even the principle of the Bloomberg spy chip claims is nonsensical. The magazine claimed that the Baseboard Management Controller (BMC) was key to the hack. This so-called ‘superchip’ is operational even when a server has crashed or turned off, and the story claims that the BMC was able to download code via the Internet. This would be extremely unlikely even in a small company, writes Kennedy, but impossible at one the size of Apple or Amazon.
If you have an unsophisticated network or a lack of understanding about the topic, you may think that this is how BMCs are networked [diagram showing a BMC with direct access to the Internet bar a firewall]. Standard industry practice guards against this attack vector.
Even smaller organizations with a handful of servers generally have segregated BMC networks. That basic starting point, from where large companies take further steps, looks something like this:
So the BMC in a server used by even a small company wouldn’t have unrestricted access to the Internet – and sophisticated tech companies like Apple and Amazon layer on additional protections.
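To make the segregation point concrete, here is an added example (not code from the STH piece or from this article) of the kind of check an operator runs against their own inventory: every BMC address must sit in a dedicated RFC 1918 management subnet, and the egress policy for that subnet must default to drop so a BMC cannot reach the Internet. The inventory, the subnet `10.250.0.0/16`, the rule list and the probe address are all constructed for illustration.

```python
"""Audit BMC/IPMI placement against the segregated-management-network pattern.

Added illustrative example; not code from STH or the article. The inventory,
management subnet, firewall rules and probe address are constructed.
"""
import ipaddress

# Constructed inventory: hostname, BMC address, and the VLAN the BMC port lands on.
INVENTORY = [
    {"host": "db01", "bmc_ip": "10.250.1.11", "vlan": "mgmt"},     # correctly placed
    {"host": "web03", "bmc_ip": "203.0.113.45", "vlan": "dmz"},    # non-RFC1918 address
    {"host": "app07", "bmc_ip": "10.10.5.7", "vlan": "prod"},      # shares the production VLAN
]

# Constructed management subnet that BMC ports are supposed to live on.
MGMT_NET = ipaddress.ip_network("10.250.0.0/16")

# RFC 1918 ranges; a BMC on anything else is treated as publicly routable.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed first-match egress policy for traffic leaving the management subnet.
# The last rule is the important one: no default path from BMCs to the Internet.
EGRESS_RULES = [
    {"src": "10.250.0.0/16", "dst": "10.250.200.0/24", "action": "allow"},  # jump hosts / monitoring
    {"src": "10.250.0.0/16", "dst": "0.0.0.0/0", "action": "drop"},         # everything else
]


def bmc_findings(inventory, mgmt_net=MGMT_NET):
    """Return (host, finding) pairs for BMCs that break the segregation pattern."""
    findings = []
    for server in inventory:
        addr = ipaddress.ip_address(server["bmc_ip"])
        if not any(addr in net for net in RFC1918):
            findings.append((server["host"], "bmc_publicly_routable"))
        elif addr not in mgmt_net or server["vlan"] != "mgmt":
            findings.append((server["host"], "bmc_outside_mgmt_network"))
    return findings


def egress_allowed(rules, src_ip, dst_ip):
    """First-match evaluation of the constructed ruleset; implicit default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in ipaddress.ip_network(rule["src"]) and dst in ipaddress.ip_network(rule["dst"]):
            return rule["action"] == "allow"
    return False


def mgmt_net_leaks(rules, mgmt_net=MGMT_NET, probe="198.51.100.10"):
    """True if a host on the management subnet could reach the (constructed) probe address."""
    sample_bmc = next(mgmt_net.hosts())
    return egress_allowed(rules, str(sample_bmc), probe)


if __name__ == "__main__":
    for host, finding in bmc_findings(INVENTORY):
        print(f"{host}: {finding}")
    print("management subnet can reach Internet:", mgmt_net_leaks(EGRESS_RULES))
```

Run against the constructed inventory, `db01` passes, `web03` is flagged for a publicly routable BMC address, `app07` is flagged for sitting on the production VLAN, and the egress check reports that the management subnet has no path to the Internet; replacing the trailing drop rule with an allow would flip that last result.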
Bloomberg’s report describes an attack that is not possible at the companies listed in the article.
Further, he says, the Bloomberg spy chip piece says that the BMC has access to code running on the servers even when they are turned off. This, writes Kennedy, is ‘patently false.’
That is not how this technology works […] When the BMC is powered on, hard drives, solid state drives, the server’s CPU (for decrypting data) and memory are not turned on […] When a server is powered off it is not possible to access a server’s “most sensitive code.” OS boot devices are powered off. Local storage is powered off for the main server. Further encrypted sensitive code pushed from network storage is not accessible, and a BMC would not authenticate.
Even if that were somehow possible, the idea of a BMC injecting code into the CPU is contradicted by simple physics.
The hardware implanted does not have the pin count nor the processing power to perform this interception […] Note that RAM to CPU communication happens over thousands of pins. Each CPU has 2011 pins for communicating with the rest of the server. RAM pins take up several thousand of these channels […]
This communication also happens at relatively high clock speeds, so keeping up with the bandwidth is a challenge for even CPU designers. There is no way for a small chip to attack the “temporary memory” (RAM) to CPU communication.
The piece goes on to list the ten separate tasks the chip would need to carry out were the Bloomberg spy chip claim correct. Even were we to allow for this being technically possible, Kennedy says that it would require such cutting-edge small-process fabrication that there are only a handful of foundries in the world that could have created such a chip. Only four of them seem realistic candidates:
- GlobalFoundries
The idea that one of these tech giants would risk their reputations and business by creating a spy chip for China stretches credibility way beyond breaking point. If it were revealed that one had done so, they would quite simply go out of business as no-one would trust their chips ever again.
There’s more – including why it would make way more sense to mount this type of attack through firmware rather than a hardware chip; examining the sources claimed in the Bloomberg spy chip story; and looking at the track-record of the team behind the piece.
I do not know the editorial team at Bloomberg, but here is a New York Times assessment of this team’s track record in the space:
“Something is wrong. Blanket denials from companies, NCSC and DHS are v. unusual. The only precedent for this is a 2014 Bloomberg article, by the same author, which claimed NSA exploited Heartbleed, and was vigorously knocked down with zero follow up by Bloomberg or correction.”
Kennedy closes by adding his voice to those calling for a retraction.
There is now enough evidence pointing to systematic discrepancies that the stories cannot stand. If Bloomberg cannot present credible information to show how the hack presented is possible, plausible, and did happen, Bloomberg needs to retract the story and investigate how this passed editorial muster and was published.
Amazon is now among them. Andy Jassy, CEO of Amazon Web Services, tweeted:
@tim_cook is right. Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract. https://t.co/RZzuUt9fBM
— Andy Jassy (@ajassy) October 22, 2018
It follows Super Micro joining Apple in calling for a retraction.
Follow all our coverage of the Bloomberg spy chip claims.