Story image

Supermicro to test for spy chips, Apple & AWS call for retraction

23 Oct 2018

Following the bombshell allegations released earlier this month, Supermicro has announced it will be conducting a review to prove its innocence.

The allegations in question came from Bloomberg in a comprehensive report that claimed Chinese spies had been infecting Supermicro motherboards destined for some of the world’s biggest companies with malicious chips that were feeding information back to China.

These firms included the likes of Apple and Amazon, both of which immediately jumped on Supermicro’s side of the fence and rubbished the claims.

Apple in particular has been vehemently opposed to the findings within the Bloomberg report. Last week the tech giant sent a public letter to US Congress signed off by Apple Information Security vice president George Stathakopoulos detailing the Bloomberg claims and why they’re nonsense.

“Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation,” says Stathakopoulos.

And then in an interview with Buzzfeed News, Tim Cook demanded that the article should be taken down – the first time Apple has ever publically requested a news article to be withdrawn.

“There is no truth in their story about Apple,” Cook says. "They need to do the right thing and retract it."

AWS CEO Andy Jassy later posted a tweet throwing the company’s weight behind Cook and Apple – “Tim Cook is right. Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract.”

And now despite dismissing the allegations as false, in a letter to customers from Supermicro CEO Charles Liang the company has pledged to conduct a review to prove that its motherboards aren’t infected.

“We are confident that a recent article, alleging a malicious hardware chip was implanted during the manufacturing process of our motherboards, is wrong,” says Liang.

“Despite the lack of any proof that a malicious hardware chip exists, we are undertaking a complicated and time-consuming review to further address the article.”

One of the key points in Liang’s letter was that Bloomberg reporters have failed to produce any kind of hard evidence like a compromised motherboard or a malicious chip to prove their allegations.

Supermicro carries out manufacturing operations via subcontractors in China – where Bloomberg says the motherboards have been infected – and Liang says the company studiously checks every layer of each motherboard as well as its functionality throughout the whole process.

“Specifically our process requires the inspection of the layout and components of every product at the beginning and end of each stage of manufacturing and assembly. Our employees are on site with our assembly contractors throughout the process. These inspections include several automated optical inspections, visual inspections, and other functional inspections,” says Liang.

“We also periodically employ spot checks and x-ray scans of our motherboards along with regular auditors of our contract manufacturers. Our test processes at every step are not only designed to check functionality, but also to check for the integrity and composition of our designs and to alert us to any discrepancies in the base design.”

Liang also asserted the motherboard designs are very complex, making it “practically impossible for anyone to insert a functional, unauthorised component into a motherboard without it being caught by any one, or all, of the checks in our manufacturing and assembly process.”

However, Bloomberg is still standing steadfastly by its report and refuses to back down.

“Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews. Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks,” the company reported in a statement.

“We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”

So the question still remains, just who is lying or at the very least misinformed? The standoff continues.

Ping Identity offerings accelerates cloud MFA and SSO adoption
90% of respondents trust MFA as an effective security control to protect identity data in public clouds, yet only 60% of organisations have formally adopted it.
Trend Micro introduces cloud and container workload security offering
Container security capabilities added to Trend Micro Deep Security have elevated protection across the DevOps lifecycle and runtime stack.
Veeam joins the ranks of $1bil-revenue software companies
It’s also marked a milestone of 350,000 customers and outlined how it will begin the next stage of its growth.
Veeam enables secondary storage solutions with technology partner program
Veeam has worked with its strategic technology alliance partners to provide flexible deployment options for customers that have continually led to tighter levels of integration.
Veeam Availability Orchestrator update aims to democratise DR
The ability to automatically test, document and reliably recover entire sites, as well as individual workloads from backups in a completely orchestrated way lowers the total cost of ownership (TCO) of DR.
Nuix eyes legal sector as eDiscovery demand skyrockets
eDiscovery must encompass so much more than email and documents. If you haven’t looked at text messages and online chats, digital images, mobile devices, data in the cloud and social media, you’re not getting the whole story.
EXCLUSIVE: Forcepoint global channel chief talks strategy
As a solution sold 100% via the channel, cybersecurity solutions company Forcepoint places a strong emphasis on its partner relationships.
Salesforce continues to stumble after critical outage
“To all of our Salesforce customers, please be aware that we are experiencing a major issue with our service and apologise for the impact it is having on you."