Server firmware security incident in 2016 forced Apple to sever ties with vendor Super Mic...

Posted in General Discussion, edited February 2017
While there appears to have been no breach of Apple's security, the company terminated its relationship with hardware vendor Super Micro over concerns about firmware update security, specifically an update that potentially compromised a bank of Siri servers and the App Store's search server development environment. [Updated]

In a report published by The Information on Thursday, Super Micro Senior Vice President of Technology Tau Leng claims that Apple not only discontinued future business after a compromise of an internal development environment in mid-2016, but also returned equipment it had already ordered. According to the anonymous sources cited, App Store search functionality and some Siri queries were handled on Super Micro-supplied hardware that was compromised by a bogus firmware update.

An Apple spokesman reached for comment by The Information denied that Apple found infected firmware from the vendor. Apple also denies that any customer information was taken as a result of any incident involving data center security.

"Apple is deeply committed to protecting the privacy and security of our customers and the data we store," said an Apple spokesman. "We are constantly monitoring for any attacks on our systems, working closely with vendors and regularly checking equipment for malware."

Leng claims that after he was informed of the compromised firmware, Super Micro asked Apple for the version number that had been installed. According to the executive, Apple provided an invalid number and refused to disclose any additional information to Super Micro.

Leng also claims that the bad firmware was for a networking chip used in the servers, and that "thousands of customers" use the same equipment.

"Only Apple had this complaint?" asked Leng. "That's the most puzzling portion."

AppleInsider was not able to reach Leng, nor has Apple returned our queries about the reported firmware incident. However, Super Micro reported that it lost business from two significant long-term data center equipment customers at the tail end of 2016, causing a year-over-year drop in sales and profits.

Additionally, in August 2016, Apple was reportedly turning to new server providers, a move said at the time to be intended to "cut costs." Given the new information and the timing, it may actually have been done to cut Super Micro out of its data centers entirely.

Update: An Ars Technica source claims that the firmware in question affected servers in Apple's design lab, not any production Siri servers. The person added that it was downloaded from Super Micro's support site, where it is allegedly still hosted.

Comments

  • Reply 1 of 32
    If Apple are being targeted with compromised firmware, then Super Micro would likely have been complicit in the development of such firmware on some level.
  • Reply 2 of 32
    rob53 Posts: 2,011 member
    True or not it's another justification for Apple to get back into the server market so they can control everything. 
  • Reply 3 of 32
    environmentalidiot Posts: 2 unconfirmed, member
    So Apple says there is no evidence that it has been compromised by SuperMicro devices, but it is cutting off all use of SuperMicro devices for fear that it could be compromised by SuperMicro devices. With no evidence that Apple has been injured, why would they take jobs and salaries away from SuperMicro workers without cause? I find this very discriminatory against SuperMicro on Apple's part and Tim Cook should be let go immediately!
    edited February 2017
  • Reply 4 of 32
    rob53 Posts: 2,011 member
    environmentalidiot said:
    So Apple says there is no evidence that it has been compromised by SuperMicro devices, but it is cutting off all use of SuperMicro devices for fear that it could be compromised by SuperMicro devices. With no evidence that Apple has been injured, why would they take jobs and salaries away from SuperMicro workers without cause? I find this very discriminatory against SuperMicro on Apple's part and Tim Cook should be let go immediately!
    Not sure if this is a vague attempt at a political statement or sarcasm, but AppleInsider hasn't been able to make contact with Apple, so they are simply using rumored comments from The Information. It would have been better journalism if they had first-person contact with Apple instead of continuing to re-print garbage from other publications. Will we ever hear the actual truth? Probably not.
    edited February 2017
  • Reply 5 of 32
    Fatman Posts: 286 member
    I worked for a company that used SuperMicro as a supplier for rack mount devices - it was nearly half the price of other vendors. But in the end you pay - unreliable junk that kept failing, customers flipped out. Typical Chinese business model - sell cheap 'stuff' that looks like the 'real thing'.
  • Reply 6 of 32
    Soli Posts: 8,748 member
    rob53 said:
    True or not it's another justification for Apple to get back into the server market so they can control everything. 
    I neither agree nor disagree that Apple should go back to selling rack servers, but I would like to see Apple develop and use their own servers and networking equipment in-house.
    edited February 2017
  • Reply 7 of 32
    Soli said:
    rob53 said:
    True or not it's another justification for Apple to get back into the server market so they can control everything. 
    I neither agree nor disagree that Apple should go back to selling rack servers, but I would like to see Apple develop and use their own servers and networking equipment in-house.
    A big YES! I agree. Let's see Apple technology at its best.
  • Reply 8 of 32
    I'm sure no one will ever know what the issues were. After the Snowden revelations, Apple has to be very concerned with any vendor's networking equipment that is brought in. Apple has the right to purchase equipment from whomever they choose without having to justify or explain their choices. Just like you and I do.
  • Reply 9 of 32
    To me it sounds like internal compliance found a problem with firmware updates. i.e.: the 'malicious' firmware update was created by Apple, and successfully installed on a Super Micro device, proving therefore that it's possible to install 'untrusted' firmware. i.e.: the complaint isn't about malicious firmware, it's about Super Micro devices accepting untrusted firmware.
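The distinction drawn in Reply 9, a device that flashes any image that parses versus one that verifies the image before accepting it, is shown below as an added example in Go. This is not code from the article, from Super Micro or from Apple, and the image layout (a "FWIM" header, a version field, and an Ed25519 signature under a key pinned in the device), the key handling and the version numbers are all assumptions made for the example. It also adds a downgrade check, since the article notes that the installed version number was the one detail the parties argued over.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout for this example (not any real vendor's format):
//   magic    4 bytes   "FWIM"
//   version  4 bytes   big-endian uint32
//   length   4 bytes   big-endian payload length
//   payload  N bytes
//   sig     64 bytes   Ed25519 signature over magic||version||length||payload
const (
	magic     = "FWIM"
	headerLen = 12
	sigLen    = ed25519.SignatureSize
)

var (
	ErrFormat    = errors.New("firmware: malformed image")
	ErrSignature = errors.New("firmware: signature does not verify under pinned vendor key")
	ErrRollback  = errors.New("firmware: version is older than the installed one")
)

func putU32(buf []byte, v uint32) []byte {
	var tmp [4]byte
	binary.BigEndian.PutUint32(tmp[:], v)
	return append(buf, tmp[:]...)
}

// BuildImage assembles and signs an image with the vendor's private key. It is
// here only so the example can construct inputs offline; a device never has it.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := make([]byte, 0, headerLen+len(payload)+sigLen)
	buf = append(buf, magic...)
	buf = putU32(buf, version)
	buf = putU32(buf, uint32(len(payload)))
	buf = append(buf, payload...)
	return append(buf, ed25519.Sign(priv, buf)...)
}

// parse checks only that the bytes look like an image: magic and sizes.
func parse(image []byte) (version uint32, payload []byte, err error) {
	if len(image) < headerLen+sigLen || string(image[:4]) != magic {
		return 0, nil, ErrFormat
	}
	version = binary.BigEndian.Uint32(image[4:8])
	n := int(binary.BigEndian.Uint32(image[8:12]))
	if n != len(image)-headerLen-sigLen {
		return 0, nil, ErrFormat
	}
	return version, image[headerLen : headerLen+n], nil
}

// AcceptUnchecked models the failure mode from the comment: a device that
// flashes anything that parses, so a re-hosted, modified build is "valid".
func AcceptUnchecked(image []byte) (uint32, []byte, error) {
	return parse(image)
}

// VerifyAndAccept is the hardened path: the signature is checked under a key
// pinned in the device (never one carried inside the image), over every byte
// that decides what gets flashed, and a downgrade to an older version is refused.
func VerifyAndAccept(pub ed25519.PublicKey, installed uint32, image []byte) (uint32, []byte, error) {
	version, payload, err := parse(image)
	if err != nil {
		return 0, nil, err
	}
	signed, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrSignature
	}
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, payload, nil
}

func main() {
	// Constructed vendor key pair and payload; nothing here is real firmware.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := BuildImage(priv, 2, []byte("NIC firmware v2 (constructed payload)"))
	// A tampered copy: same header and original signature, one payload byte changed.
	bad := append([]byte(nil), good...)
	bad[headerLen] ^= 0xff

	for _, img := range [][]byte{good, bad} {
		_, _, uncheckedErr := AcceptUnchecked(img)
		_, _, verifiedErr := VerifyAndAccept(pub, 1, img)
		fmt.Printf("unchecked: %v | verified: %v\n", uncheckedErr, verifiedErr)
	}
}
```

The tampered image passes AcceptUnchecked and fails VerifyAndAccept with ErrSignature; an image signed under a different key fails the same way, and a correctly signed but older image fails with ErrRollback. The point of signing the header together with the payload is that neither the version field nor the length can be edited independently of the signature.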
  • Reply 10 of 32
    sflocal Posts: 4,547 member
    Fatman said:
    I worked for a company that used SuperMicro as a supplier for rack mount devices - it was nearly half the price of other vendors. But in the end you pay - unreliable junk that kept failing, customers flipped out. Typical Chinese business model - sell cheap 'stuff' that looks like the 'real thing'.
    A shop I work at uses SuperMicro servers. Junk. It just boggles the mind why companies would use such cheap crap from SuperMicro when their system infrastructures are so incredibly dependent on servers. I'd spend more money for quality hardware than go on the cheap and cross my fingers. Damn cheapskates!
  • Reply 11 of 32
    mpantone Posts: 1,375 member
    arthurba said:
    To me it sounds like internal compliance found a problem with firmware updates. i.e.: the 'malicious' firmware update was created by Apple, and successfully installed on a Super Micro device, proving therefore that it's possible to install 'untrusted' firmware. i.e.: the complaint isn't about malicious firmware, it's about Super Micro devices accepting untrusted firmware.
    I don't think anything can be ascertained from this article. SuperMicro and Apple gave contradictory statements. All of the "details" came from the fired vendor; there is no way one could assume that everything they state is truthful.

    Frankly, we will probably never know the exact reasons why Apple sacked SuperMicro. The only thing we reliably know is that SuperMicro is no longer a vendor for Apple Inc. Nothing else should be inferred.

    As a matter of fact, my guess is that Mr. Leng is violating a confidentiality clause by discussing this with the media. If that is the case, it is likely that SuperMicro will never do business with Apple Inc. again as long as Tim Cook is in charge.

    SuperMicro just burnt a bridge.
    edited February 2017
  • Reply 12 of 32
    Soli said:
    rob53 said:
    True or not it's another justification for Apple to get back into the server market so they can control everything. 
    I neither agree nor disagree that Apple should go back to selling rack servers, but I would like to see Apple develop and use their own servers and networking equipment in-house.
    They more or less do by sourcing servers and network switches from the same contract manufacturers that build their own stuff. I doubt they will ever get back into the market of selling 'commodity' servers for zero or negative margin. 

    There is definitely more to this story. 
  • Reply 13 of 32
    Soli Posts: 8,748 member
    karmadave said:
    Soli said:
    rob53 said:
    True or not it's another justification for Apple to get back into the server market so they can control everything. 
    I neither agree nor disagree that Apple should go back to selling rack servers, but I would like to see Apple develop and use their own servers and networking equipment in-house.
    They more or less do by sourcing servers and network switches from the same contract manufacturers that build their own stuff. I doubt they will ever get back into the market of selling 'commodity' servers for zero or negative margin. 

    There is definitely more to this story. 
    Sure, but I mean build nearly all their own electronics. It's not unthinkable that they could leverage their ARM and other expertise into creating the most efficient, bespoke servers in the world.
    edited February 2017
  • Reply 14 of 32
    Soli said:
    rob53 said:
    True or not it's another justification for Apple to get back into the server market so they can control everything. 
    I neither agree nor disagree that Apple should go back to selling rack servers, but I would like to see Apple develop and use their own servers and networking equipment in-house.
    Maybe after they are done being distracted by Apple Park.
  • Reply 15 of 32
    Soli Posts: 8,748 member
    Soli said:
    rob53 said:
    True or not it's another justification for Apple to get back into the server market so they can control everything. 
    I neither agree nor disagree that Apple should go back to selling rack servers, but I would like to see Apple develop and use their own servers and networking equipment in-house.
    Maybe after they are done being distracted by Apple Park.
    Yeah, because the same people working on designing processors are also the same ones installing the irrigation system at Apple Park¡ :rolleyes:
    edited February 2017
  • Reply 16 of 32
    Good! SuperMicro reportedly had a massive security vulnerability with IPMI as well. I hope IBM is reading this, as they bet the company on BlueMix and BlueMix is based on those SuperMicro servers from the SoftLayer days. That said, SuperMicro hardware is pretty economical and is probably no worse than their #1 competitor (DELL).
  • Reply 17 of 32
    macseeker said:
    Soli said:
    rob53 said:
    True or not it's another justification for Apple to get back into the server market so they can control everything. 
    I neither agree nor disagree that Apple should go back to selling rack servers, but I would like to see Apple develop and use their own servers and networking equipment in-house.
    A big YES! I agree. Let's see Apple technology at its best.
    Apple exited the server hardware business because they knew that they could not compete on a global scale, and it's more cost-effective to use established technologies, hence why they work with numerous vendors.
  • Reply 18 of 32
    If Apple are being targeted with compromised firmware, then Super Micro would likely have been complicit in the development of such firmware on some level.
    What about the possibility that some government agency (not saying which government) intercepted the shipments and installed the bad software somewhere between Supermicro and Apple? I would not put it past one or two governments in the world to do, or at least try, this sort of thing.
  • Reply 19 of 32
    avon b7 Posts: 3,656 member
    If Apple are being targeted with compromised firmware, then Super Micro would likely have been complicit in the development of such firmware on some level.
    What about the possibility that some government agency (not saying which government) intercepted the shipments and installed the bad software somewhere between Supermicro and Apple? I would not put it past one or two governments in the world to do, or at least try, this sort of thing.
    That happened to Cisco. Can't remember if it was government though.
  • Reply 20 of 32
    I am surprised that a company like Apple, with all the money they have, relies on 3rd party hardware to build their server farms. Facebook builds and develops their own hardware solutions. Well, clearly making one's own servers doesn't bring in as much money as an iPhone does, does it?