Is Supermicro innocent? 3rd party test finds no malicious hardware

13 Dec 18

Earlier this year, one of the larger scandals within IT circles took place when Bloomberg fired shots at Supermicro.

The media company claimed Supermicro had sold motherboards containing malicious chips to around 30 US customers, including the likes of Apple and Amazon, which would give Chinese spies the ability to create backdoor access to all the private networks those systems were involved with.

Supermicro rubbished these claims, but it wasn’t enough to help its share price, which according to Reuters fell by 50 percent (although it has since risen). The company promised to conduct an internal investigation to prove its innocence, and now, in a letter sent to customers worldwide, it has the results.

“Recent reports in the media wrongly alleged that bad actors had inserted a malicious chip or other hardware on our products during our manufacturing process,” states the letter, which is signed by Supermicro president & CEO Charles Liang, SVP & chief compliance officer David Weigand, and SVP and chief product officer Raju Penumatcha.

“Because the security and integrity of our products is our highest priority, we undertook a thorough investigation with the assistance of a leading, third-party investigations firm.”

According to Supermicro, a representative sample of motherboards was tested, including the specific type of motherboard detailed in the article as well as motherboards that were sold to the referenced companies and more recently manufactured hardware.

“Today, we want to share with you the results of this testing: After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards,” the letter states.

“These findings were no surprise to us. As we have stated repeatedly, our process is designed to protect the integrity and reliability of our products.”

After listing all the procedures the company takes to ensure something like this can’t happen, Supermicro fires further shots back at Bloomberg.

“As we have stated repeatedly since these allegations were reported, no government agency has ever informed us that it has found malicious hardware on our products; no customer has ever informed us that it found malicious hardware on our products; and we have never seen any evidence of malicious hardware on our products,” the letter states.

“Today’s announcement should lay to rest the unwarranted accusations made about Supermicro’s motherboards.”

Of course, this report from Bloomberg ruffled a lot of feathers. Aside from Supermicro’s reaction, Apple sent a public letter to the US Congress, signed by Apple Information Security vice president George Stathakopoulos, who effectively rubbished the claims.

“Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation,” says Stathakopoulos.

Following this, Apple CEO Tim Cook gave an interview to BuzzFeed News in which he demanded the article be retracted, the first time Apple has ever publicly requested an article to be withdrawn.

However, despite the denials from Supermicro and the pressure from the tech superpowers, Bloomberg remained steadfast.

“Bloomberg Businessweek's investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews,” a Bloomberg spokesperson said.

“Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”

Bloomberg has yet to comment since the results of Supermicro’s internal investigation emerged.
