Denials, skepticism and calls for a retraction are piling up in response to a Bloomberg article that said Chinese microchips had ended up in the computers of at least 30 major U.S. companies in a major cybersecurity breach. Bloomberg stands by the article.
Amazon is the latest company to deny claims in the Bloomberg Businessweek article on Oct. 4 that said China had hid small chips, the size of a pencil tip, in motherboards that ended up in servers used by 30 companies. The boards were made by the hardware manufacturer Super Micro.
Andy Jassy, chief executive of Amazon Web Services, tweeted Monday in solidarity with Apple CEO Tim Cook, who has also called for a retraction. Amazon and Apple are two of the companies named by Businessweek as having found the chips in their servers.
“@tim_cook is right,” Jassy stated. “Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract.”
Cook called for a retraction on Friday, telling BuzzFeed that Bloomberg had “no truth in their story about Apple” and urging Bloomberg to “do the right thing and retract it.”
Super Micro publicly refuted the accusations in a letter on Oct. 18.
“We are confident that a recent article, alleging a malicious hardware chip was implanted during the manufacturing process of our motherboards, is wrong,” Charles Liang, chief executive of Super Micro, said in the letter.
The U.S. Department of Homeland Security and Britain’s National Cyber Security Agency have also released statements doubting the validity of Bloomberg’s reporting.
Skepticism of the story among tech journalists and cybersecurity analysts has grown since it was published.
“The Bloomberg story is at the point where everyone we have talked to believes the story has significant holes or was outright fabricated,” tweeted Jason Koebler, editor-in-chief of Motherboard, Vice’s technology publication. “Bloomberg has to say or do something.”
Dan Kaminsky, a security researcher, tweeted, “I am 100% confident the Bloomberg story is specious, and the only question is which of many possible monsters from the Natsec universe got us here.”
Despite rising speculation about the anonymity of the majority of sources in the article and the lack of physical evidence regarding the affected motherboards, Bloomberg has remained publicly confident in its reporting. In a statement, Bloomberg Businessweek said the article was supported by “over 100 interviews” and was corroborated by 17 individual sources, “including government officials and insiders at the companies” who spoke to the publication anonymously.
John Micklethwait, the editor-in-chief of Bloomberg News, told a group of editors last week that the article is “an example of what we can do well when we put our resources on an enterprise project and we will continue to do so,” according to The Washington Post.
Some sources who have spoken on the record with Bloomberg have come forward to question the framing of what they said.
Joe Fitzpatrick, a hardware security expert quoted in Bloomberg’s Oct. 4 article said five days later in a podcast on Risky.Biz, which deals with the information security industry, that his statements had been “taken out of context.”
Yossi Appleboum, chief executive of cybersecurity company Sepio Systems, was quoted in a follow-up article by Bloomberg that claimed a major U.S. telecom company had been affected by a compromised ethernet connector produced by Super Micro.
“I am angry and I am nervous and I hate what happened to the story,” Appleboum stated in an interview, adding that he sees hardware security as a broad problem.