Apple Calls on Bloomberg to Retract Story That Claimed China Snuck Spy Chips on Apple Servers

Glenn Fleishman
Updated

Apple CEO Tim Cook said Bloomberg Businessweek should retract an investigative article it published Oct. 4 that claimed servers bought by Apple, Amazon, and over two dozen other unidentified companies contained spy circuitry installed by China.

In an interview with Buzzfeed News, Cook said: “There is no truth in their story about Apple. They need to do that right thing and retract it.” Cook, who said he was involved in discussions with Bloomberg reporters from the beginning, stated that the news organization never presented Apple with specific details, and believes the story relied on “vague secondhand accounts.” Apple previously denied it had contacted or been contacted by the FBI or other government agencies, also claimed in the story.

Apple didn’t immediately reply to Fortune‘s request for comment.

Buzzfeed noted that Apple has never previously asked publicly for an article’s retraction, even when the company has denied its accuracy. A search of newspaper archives appears to confirm that. The radio program This American Life chose to retract a 2012 episode about Apple’s major Chinese manufacturing partner, Foxconn, after it says it discovered the story’s primary contributor had invented details and changed facts.

Bloomberg’s investigation said that the Chinese government had infiltrated the supply chain for Super Micro, a major manufacturer of motherboards used in servers. Motherboards contain the primary processor, memory, and other circuitry for a computer to operate.

Through secret design changes in the factory, the Chinese military was able to insert a small custom chip it had designed into motherboards for the video-compression server maker Elemental, which relied on Super Micro for manufacturing. These circuits could subvert the operating system and communicate over the Internet to control servers operated by China to siphon information of any kind, including sensitive data—such as private encryption keys—transmitted within a server, and launch attacks from a privileged position inside the corporate and government networks on which Elemental servers were installed.

The blockbuster account has roiled information security experts as well as journalists who have extensively covered the field, as no one has yet been able to confirm the story. The Bloomberg article relied on 17 anonymous sources in the U.S. government and associated with Apple and other companies.

While no party involved has argued that Bloomberg fabricated information, Cook’s call for a retraction comes closest to alleging that the news outlet failed to verify accounts provided by its sources.

One expert quoted in the story by name, Joe Fitzpatrick, spoke to Bloomberg during the reporting process about the general form of an attack as described in the article. Later, in a podcast, he told Bloomberg that the scenario described by Bloomberg “didn’t make sense.” He also said that Bloomberg’s account matched his hypothetical scenario so closely that it “seemed like they had been lifted from the conversations I had about theoretically how hardware implants work.”

Bloomberg continues to stand by its reporting, according to a statement provided to Fortune by a company spokesperson. “Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews. Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”

A number of companies, government agencies, independent security analysts, and government officials have released detailed rebuttals or made explicit statements rejecting most of the article’s account about the discovery of malicious hardware.

Apple released a statement on Oct. 4, “What Businessweek got wrong about Apple,” and sent a letter on Oct. 8 to Congress denying both general and specific claims. Amazon acquired Elemental in 2015. It denied the details of the story as relates to that firm and its use of Elemental servers.

Super Micro told Reuters that it had never sold servers with malicious chips, never found any in hardware it had manufactured, were never told by a customer they had discovered any, and that no government agency had ever contacted the firm.

The Department of Homeland Security also released a statement, saying on Oct. 6 “we have no reason to doubt the statements from the companies named in the story.” The British national cyber security agency also backed Apple and Amazon’s statement.