Supermicro CEO Charles Liang on Tuesday informed customers that a leading third-party investigations company found “absolutely no evidence of malicious hardware” on its motherboards.
The investigation was undertaken in response to Bloomberg’s recent claim that bad actors had inserted spy chips in the firm’s motherboards on behalf of the Chinese People’s Liberation Army, China’s armed forces.
Investigators tested a representative sampling of Supermicro’s motherboards, including the specific type of motherboard referenced in Bloomberg’s article, and motherboards purchased by “companies referenced in the article, as well as more recently manufactured motherboards,” Liang wrote.
Apple and Amazon are the referenced companies.
The findings “were no surprise to us,” Liang noted, because “our process is designed to protect the integrity and reliability of our products.”
The following requirements are established in Supermicro’s process:
- Employees must be on site with assembly contractors;
- Products go through multiple inspections, including automated optical, visual, electrical and functional tests;
- Each board is tested repeatedly against its design throughout its supply chain, to detect any aberration;
- Every layer of every board is tested;
- No single employee, team or contractor has unrestricted access to the complete board design; and
- Supermicro regularly audits contractors for process, quality and controls.
The Plot Thickens
Tainted motherboards were discovered in 2015, when Amazon enlisted a third party to scrutinize security at Elemental Technologies, a maker of software for compressing video files and formatting them for different devices, prior to purchasing the company, Bloomberg reported earlier this month.
Some troubling issues surfaced, which led Amazon to pursue an examination of some of Elemental’s video compression servers. Testers found the servers’ motherboards, which were made by Supermicro, included a microchip that was not part of the original design, according to Bloomberg’s report. The chip, designed by the Chinese military, essentially provided a backdoor allowing access to networks.
Elemental’s servers are deployed in the United States Department of Defense’s data centers, the CIA’s drone operations, and in U.S. naval warships’ onboard networks, Bloomberg said, noting that Amazon reported its findings to U.S. authorities.
Almost 30 companies — including a major bank, government contractors, and Apple — were affected by the tainted motherboards, Bloomberg said, citing unnamed U.S. officials.
Apple found malicious chips on Supermicro motherboards in the summer of 2015, according to the Bloomberg report, which cited three unnamed senior insiders at the company.
Apple, which reportedly had planned to order more than 30,000 Supermicro servers in two years for a new global network of data centers, severed ties with Supermicro in 2016 for unrelated reasons.
Bloomberg claimed to have spoken to 17 unnamed sources for the story, which it developed over a period of years.
“The number of witnesses attesting it is true is impressive, but, with a lack of actual names, the veracity of the witnesses can’t be confirmed by a third party,” remarked Rob Enderle, principal analyst at the Enderle Group.
“This now reads like some kind of orchestrated attack on China and Supermicro, suggesting Bloomberg was duped,” he told TechNewsWorld. “Not a good thing for its reputation.”
Apple, Amazon and Supermicro immediately disputed the Bloomberg report, while the Chinese government stated that supply chain safety in cyberspace was an issue of common concern, and that China was also a victim.
Apple and Amazon stated their internal investigations showed no evidence of the spy chips.
“As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue,” AWS CISO Steve Schmidt maintained in an online post. “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.”
The investigation commissioned before purchasing Elemental “did not identify any issues with modified chips or hardware,” Schmidt pointed out, adding that “Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).”
“Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple said in a statement provided to Bloomberg in advance of its publication of the report. “Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”
Over the course of the past year, Bloomberg contacted Apple “multiple times with claims, sometimes vague, and sometimes elaborate, of an alleged security incident at Apple,” the statement notes. Each time, Apple conducted “rigorous internal investigations based on those inquiries and each time we have found absolutely no evidence to support any of them.”
However, six unnamed veteran national security officials, current and former, countered the companies’ denials, Bloomberg reported. One of those officials and two unnamed people from Amazon provided extensive information on how the attack played out at Amazon and Elemental.
Further, the official and one of the Amazon insiders described Amazon’s cooperation with the government investigation, Bloomberg claimed. Four of the six U.S. officials also confirmed that Apple was a victim.
On the other hand, the U.S. Department of Homeland Security and the UK’s National Cyber Security Center both said they had no reason to doubt the veracity of Apple’s and Amazon’s statements.
“The alleged hardware-based attack wouldn’t seem to be prudent, given that servers remain in place for up to 10 years and security software is constantly changing, making it almost certain this [chip], if it existed, would eventually be discovered,” Enderle pointed out.
Apple CEO Tim Cook demanded that Bloomberg retract its story, saying there was no truth to its assertions about Apple.
Amazon later joined Apple’s call, but Bloomberg stood by its story.
If any part of the report should prove true, the consequences could be drastic.
The furious response from Supermicro, Apple and Amazon is understandable, because the story “created the specter of a serious unreported breach which could lead to massive customer exists and government fines, particularly in Amazon’s case,” Enderle observed.
Further, given that Supermicro dominates the server motherboard market, the story — if true — “should have put every single customer on alert that they need to audit their servers or be found negligent, and they’d need to take every compromised server offline to prevent a breach,” Enderle said.
“We should have seen massive slowdowns, a huge financial hit on Supermicro, who would have had to pay to swap the machines out, and the number of people aware of this effort alone would have been impossible to contain. Yet we saw zip. You’d think we’d have one or two security companies, or a different Supermicro customer, screaming bloody murder at this point.”
Supermicro shares fell 50 percent the day Bloomberg’s report was published.
“I’d say the chances this is a well orchestrated attack on Supermicro and/or Amazon and Apple,” said Enderle, “are better than 50 percent.”