UK's GCHQ, U.S. officials cast doubt on iCloud server spy chip report

GCHQ Cheltenham, via GCHQ

In the report published on Thursday, Bloomberg Businessweek alleged hardware used by a number of organizations, including Apple, Amazon, and the military, had been doctored at the point of manufacture in China. It is claimed the addition of a small chip onto each device destined for use as servers would have provided Chinese hackers unfettered access to corporate networks, allowing them to spy on and acquire sensitive internal data.

While many of the companies involved have spoken out against the report, individuals and government agencies are also commenting on the story, with the general consensus being that it is unlikely to be true.

A rare statement received by Reuters from the National Cyber Security Center, part of the UK's GCHQ (Government Communications Headquarters) security agency, advises "We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS (Amazon Web Services) and Apple."

The GCHQ arm adds "The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us."

The statement from GCHQ, the UK equivalent of the U.S. National Security Agency, is unusual as the organization typically does not tend to issue statements unless pressed. Comments from the agency do get released, but typically after heavy pressure from the media or the government, and not usually over a single report containing accusations of potential international espionage.

A number of U.S. officials contacted by the Washington Post advised they were uncertain about how accurate the report truly is. One of the officials, speaking under the condition of anonymity, previously suggested the "thrust of the article" was true, but later admitted to being uncertain about that assertion.

The comments join a chorus of statements from other organizations claiming the story is inaccurate. Shortly after its publication, Apple was among the first companies to issue a strong denial of the article.

In a statement provided to AppleInsider on Thursday, Apple insisted it "has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server," that it had never contacted the FBI or agency about such an incident, and was not aware of any FBI investigation into the matter.

"We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed," the statement continued. "Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."

Internal sources not authorized to speak to on behalf of the company told AppleInsider the allegations were "laughable" and "really, really wrong." Apple later advised it was "not under any kind of gag order or other confidentiality obligations" relating to the supposed investigation.

Amazon's statement noted "there are so many inaccuracies in this article as it relates to Amazon that they're hard to count." After explaining its security assessment of Elemental, a startup Amazon was considering acquiring and whose servers were alleged to be bugged, Amazon called the alleged network-wide audit of motherboards in a Beijing data center as untrue, and the sale of hardware and Chinese datacenter to partner Sinnet as an attempt to get rid of its affected servers as "absurd."