Tech giants may have vehemently denied Bloomberg's claims that Super Micro gave them hardware loaded with spy chips, but that isn't stopping fresh allegations. Bloomberg has obtained documents from security researcher Yossi Appleboum that reportedly show evidence of an unnamed major US telecom finding "manipulated hardware" from Super Micro in its network. According to Appleboum, there were "unusual communications" from a server that led the telecom to find an implant hidden in the server's Ethernet jack. After conducting an inspection, the researcher determined that the server had been modified at a factory in Guangzhou.
Other companies have also fallen "victim" to China modifying hardware for surveillance, the security researcher said.
If any company is affected, though, it might not be easy to get an answer. AT&T, Sprint, T-Mobile and Verizon (our parent company) have all denied being affected, with AT&T and Sprint explicitly stating that they don't use Super Micro hardware. Cable provider CenturyLink has denied being the subject of the story, and Engadget has learned that Comcast also isn't involved. We've asked Charter for comment and will let you know if it responds.
There are also questions about the nature of the overall spy chip claims. Motherboard noted that one of the security experts referenced in Bloomberg's original article, Joe Fitzpatrick, told the Risky Business podcast that he'd been referenced out of context and that the technical details of the spy chip story were "theoretical." In both stories, Bloomberg hadn't provided evidence to the companies in question or outside observers.
Bloomberg has continued to stand by its reporting and sources. However, the story might not go much further than this. On top of the adamant corporate denials, both the Department of Homeland Security and the UK's National Security Centre have backed the companies by tentatively supporting their claims. Simply put, there don't appear to be any parties who take the assertions seriously enough to launch an investigation.
Update: A Bloomberg News spokesperson has provided a statement both defending its latest story and suggesting that Fitzpatrick mischaracterized his role. You can read the full statement below.
"As is typical journalistic practice, we reached out to many people who are subject matter experts to help us understand and describe technical aspects of the attack. The specific ways the implant worked were described, confirmed, and elaborated on by our primary sources who have direct knowledge of the compromised Supermicro hardware. Joe FitzPatrick was not one of these 17 individual primary sources that included company insiders and government officials, and his direct quote in the story describes a hypothetical example of how a hardware attack might play out, as the story makes clear."
"Our reporters and editors thoroughly vet every story before publication, and this was no exception."