Story image

Is Supermicro innocent? 3rd party test finds no malicious hardware

13 Dec 2018

Earlier this year one of the larger scandals within IT circles took place with Bloomberg firing shots at Supermicro.

The media company claimed Supermicro had sold motherboards containing malicious chips to around 30 US customers – of which included the likes of Apple and Amazon – which would give Chinese spies the ability to create backdoor access to all the private networks the mother systems were involved with.

Supermicro rubbished these claims but it wasn’t enough to help its share price which according to Reuters fell by 50 percent (although it has since risen). The company promised to conduct an internal investigation to prove its innocence, and now in a letter sent to customers worldwide, it has the results.

“Recent reports in the media wrongly alleged that bad actors had inserted a malicious chip or other hardware on our products during our manufacturing process,” the letter states, signed by Supermicro president & CEO Charles Liang, SVP & chief compliance officer David Weigand, and SVP and chief product officer Raju Penumatcha.

“Because the security and integrity of our products is our highest priority, we undertook a thorough investigation with the assistance of a leading, third-party investigations firm.”

According to Supermicro, a representative sample of motherboards was tested, including the specific type of motherboard detailed in the article as well as motherboards that were sold to the referenced companies and more recently manufactured hardware.

“Today, we want to share with you the results of this testing: After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards,” the letter states.

“These findings were no surprise to us. As we have stated repeatedly, our process is designed to protect the integrity and reliability of our products.”

After listing all the procedures the company takes to ensure something like this can’t happen, Supermicro fires further shots back at Bloomberg.

“As we have stated repeatedly since these allegations were reported, no government agency has ever informed us that it has found malicious hardware on our products; no customer has ever informed us that it found malicious hardware on our products; and we have never seen any evidence of malicious hardware on our products,” the letter states.

“Today’s announcement should lay to rest the unwarranted accusations made about Supermicro’s motherboards.”

Of course, this report from Bloomberg ruffled a lot of feathers. Aside from Supermicro’s reaction, Apple sent a public letter to US Congress signed off by Apple Information Security vice president George Stathakopoulos, who effectively rubbished the claims.

“Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation,” says Stathakopoulos.

Following this, Apple CEO Tim Cook attended an interview with Buzzfeed News where he demanded the article be retracted – the first time Apple has ever publically requested an article to be withdrawn.

However despite the denials from Supermicro and the pressure from the tech superpowers, Bloomberg remained steadfast.

“Bloomberg Businessweek's investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews,” a Bloomberg spokesperson said.

"Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”

Bloomberg has yet to comment since the results of Supermicro’s internal investigation emerged.

Five things MSPs need to keep in mind in 2019
A Datto APAC channel exec outlines the most important factors for MSP to being paying attention to in the coming year.
Survey: IT pros nostalgic over on-prem data centre visibility
There are significant security and monitoring challenges faced by IT staff responsible for managing public and private cloud deployments.
61% of CIOs believe employees leak data maliciously
Egress conducted a survey to examine the root causes of employee-driven data breaches, their frequency, and impact.
Opinion: BYOD can be secure with the right measures
Companies that embrace BYOD are giving employees more freedom to work remotely, resulting in increased productivity, cost savings, and talent retention.
Sonatype and HackerOne partner on open source vulnerability reporting
Without a standard for responsible disclosure, even those who want to disclose vulnerabilities responsibly can get frustrated with the process.
OutSystems and Boncode team up for better code analysis
The Boncode and OutSystems alliance aims to help organisations to build fast and feel comfortable that the work they're delivering is at peak quality levels.
Security top priority for Filipinos when choosing a bank - Unisys
Filipinos have greatest appetite in Asia Pacific to use biometrics to access banking services
Nuance biometrics fight back against fraud
Nuance Communications has crunched the numbers and discovered that it has prevented more than US$1 billion worth of fraud from being passed on to users of its Nuance Security Suite.