It is past time for Bloomberg to retract or unequivocally prove the iCloud spy chip story
Bloomberg had a stunningly important — and apparently stunningly wrong — news story about an alleged iCloud spy chip and it's still hoping we'll forget about it. The company has a responsibility to either prove or retract it, and it's a responsibility the publication is still avoiding, now eight months after publication.
Editor's note, July 23,2019: It has now been eight months since Bloomberg published its iCloud spy chip story. It is important that it not be forgotten, like it appears that the publication wants as there has still yet been no update from the people that Bloomberg allegedly assigned to review details of the story. We have again updated the story with the minor developments since its original publication in the end of November 2018.
Bloomberg continues to ignore emails from AppleInsider regarding the original report, and has yet to say anything about the follow-up actions that the publication is taking in the wake of all the denials from the companies and governmental agencies involved.
Apple, Amazon, the government, national security advisors, and independent technology experts alike have all said Bloomberg Businessweek is wrong about Chinese-made spy chips in iCloud servers. They haven't just said it, they've issued extensively detailed and documented evidence to say this didn't happen and could not happen. Even so, we were willing to give Bloomberg time to prove its story — but that's over.
The reason we would be willing to believe them is that we do remember Watergate, we do know the saying that there's no smoke without fire. Plus we're pragmatic — we know that such a security breach is so incalculably damaging to America that these firms would of course deny it all.
Equally, we also know that Bloomberg has a record for publishing incorrect stories about Apple. Those stories included predictions of poor sales of iPads, iPhones, Apple TV and HomePods based on incomplete reporting or ignoring facts that contradicted the idea.
While most of the inaccurate reporting has been financial, it has also questioned business strategy. So the scope of its questionable reporting about Apple is quite broad, yet this spy chip allegation is on another scale altogether.
It's hard to fully comprehend the implications of this allegation. Thirty companies including Apple and Amazon were alleged to have had their hardware infiltrated. They were servers that reportedly used motherboards built by Supermicro and which, according to Bloomberg, had an extra chip, "not much bigger than a grain of rice, that wasn't part of the boards' original design."
This is supposedly a spy chip which gets access to sensitive code which it then either manipulates or transmits. And, Bloomberg alleges that this chip is embedded secretly in machines in data centers owned by Apple and others. The company has yet to present one, and the picture it uses to illustrate the size of the alleged chip appears to be a mundane directional gate.
To be clear, Apple, Amazon and all other firms even tangentially mentioned in the piece have refuted the allegations and done so vehemently. Unusually vehemently in the case of Apple, which more often refuses to comment on stories.
Bloomberg Businessweek has responded to the tsunami of criticism by saying that it stands by the story. It hasn't published that on its own site, only a spokesperson has said it to Buzzfeed.
Apart from that comment, all Bloomberg has done publicly since then is follow up the October 4 story with one a few days later claiming further evidence. Otherwise, the publication that brought us this gigantic story has irresponsibly gone silent on it.
The story's writers, Jordan Robertson and Michael Riley are conspicuously silent. Neither has written for Bloomberg since October 9, 2018, about a week after the original piece. Robertson does not appear to have presented Bloomberg's Digital Defense video since then either, but although billed as being a live weekly stream, that show has only aired sporadically.
One source claims that Robertson was due to be a speaker at Bloomberg's "CIO Exchange New York" event on October 30, 2018, but he's not on the show's site or event agenda.
He's also not tweeted at all since October 9.
Michael Riley stopped tweeting on October 5 but his last tweets are revealing. "That's the unique thing about this attack," he says in one. "Although details have been very tightly held, there is physical evidence out there in the world. Now that details are out, it will be hard to keep more from emerging."
@J_J_E_ @karaswisher— Michael Riley (@MichaelRileyDC) October 5, 2018
That's the unique thing about this attack. Although details have been very tightly held, there is physical evidence out there in the world. Now that details are out, it will be hard to keep more from emerging.
He continues that: "In other words, we're still very early in this process."
However, he also said: "Worth noting that Patrick Gray @riskybusiness now has independent confirmation of the China chips." He links to a tweet that mentioned a new "data point", a new confirming detail, but that tweet was then rapidly removed.
About six hours after Riley retweeted it, Patrick Gray deleted the original tweet and instead posted: "The data point I refer to here was b*******. The source (half) walked it back this morning and I'm f****** furious. I'll be posting a full correction to the site. I was actually actively misled on this one by someone I've known for a long time."
Gray did post a correction to his podcast, then ran a follow-up episode featuring a security expert criticizing Bloomberg. And then a third episode about how "Bloomberg has previously published false, made-up security stories about imaginary things that didn't happen."
Michael Riley did not retweet any of these episodes and Bloomberg has not responded to them. However, Bloomberg's news site did report on December 11, 2018 that Supermicro said an independent test found "absolutely no evidence of malicious hardware on our motherboards".
Writer Nour Al Ali concluded that piece by saying: "Bloomberg Businessweek has previously said that it stands by its story."
Shortly before that piece, though, the Washington Post reported that behind the scenes, Bloomberg journalists were digging into the story further. "In emails to employees at Apple," says the Post, "Bloomberg's Ben Elgin has requested 'discreet' input on the alleged hack."
The Post is owned by Amazon's Jeff Bezos and this reporting is in an Opinion blog by writer Erik Wemple rather than on the news pages. Nonetheless, Wemple claims to have been told that Elgin has said that if hears enough sources refuting Bloomberg's claim, he will "send that message up his chain of command." What that command does, is apparently not up to him.
We can give them one source that's under his nose and that's Bloomberg itself. At the very end of its original October 4 piece, Bloomberg Businessweek wrote that "Bloomberg LP has been a Supermicro customer. According to a Bloomberg LP spokesperson, the company has found no evidence to suggest that it has been affected by the hardware issues raised in the article."
The whole story is based on the word of 17 unnamed people but you'd have thought Bloomberg's own spokesperson could go public. So Bloomberg is being silent while apparently continuing to investigate privately. There's nothing wrong with that — except that this research should've been done before the first story was published. Huge news stories require time to investigate but if Elgin is still working on this one, he's been fact-checking for four months.
All this time on from its original earthshaking claim, Bloomberg is staying quiet and hoping we'll forget about it. That doesn't sound like a news organization with a fantastic story and it doesn't sound like a responsible news organization either. It's making Bloomberg sound much more like a news organization whose desire for attention overrode its journalism.
There is no smoke without fire but right now it doesn't look like there's any smoke. Bloomberg needs to prove it or do what Tim Cook insists and retract it.
Doing neither is damaging. It's obviously damaging for the firms mentioned in the report but it also further dents Bloomberg itself. If it will publish gigantic stories that it can't back up, you cannot trust it on even the smaller stuff.