US Senators demand answers from Supermicro over spy chip allegations
A pair of senators have written to Supermicro requesting more information about the events described in the recent Bloomberg investigation, which alleged that the company's servers had been compromised, in an attempt to establish whether the alleged tampering poses a risk to the national security of the United States.
The letter from Senator Marco Rubio and Senator Richard Blumenthal expresses concern about the potential tampering of computer hardware produced by Supermicro, reports Business Insider, allegedly as part of a sophisticated espionage scheme by the Chinese government.
The Bloomberg report from which the allegations stem claimed that tiny chips had been planted on Supermicro motherboards to give Chinese operatives a backdoor into the affected systems, granting persistent access to data without the need for a more traditional, short-lived software intrusion.
"If this news report is accurate, the potential infiltration of Chinese backdoors could provide a foothold for adversaries and competitors to engage in commercial espionage and launch destructive cyber attacks," the letter states. "As Members of Congress, we are alarmed by any potential threats to national security and have a responsibility to ensure our nation's sensitive networks are kept safe."
The letter sets out eight areas of questioning to which the senators ask Supermicro to respond by October 17.
The list begins by asking when Supermicro first became aware of reports of malicious hardware and firmware, and whether the company has ever found tampering with components in its products. The senators also ask whether an investigation of the supply chain has been conducted to identify any tampering, and whether Supermicro has severed ties with any firms found to have performed such actions.
Referring to a February 2017 report by The Information that Apple had discovered compromised firmware, the letter asks whether Supermicro investigated its supply chain at that time and, if so, what was discovered. Supermicro's cooperation with U.S. law enforcement over the reports is also questioned, along with whether screening measures and supply chain audits have since been put in place.
More directly, the senators also ask whether the Chinese government has "ever requested access to Supermicro's confidential security information or sought to restrict information regarding the security of Supermicro's products?"
The Bloomberg report's allegations have come under considerable scrutiny over their accuracy. Shortly after its publication, companies named in the report, including Apple and Amazon, issued strong denials of its content, with Apple characterizing the story as "wrong and misinformed."
Apple has also performed a "massive, granular, and siloed investigation" into the claims raised in the report, but did not discover any evidence of hardware tampering, nor any unrelated incident that could have given rise to the report's claims. Apple has already written to the U.S. Congress, insisting there is no evidence to support the story.
Security agencies including the UK's National Cyber Security Centre and the U.S. Department of Homeland Security have both cast doubt on the report. Other U.S. officials are also uncertain of its accuracy, with one official retreating from an initial assertion that the "thrust of the article" was true.
One of the few named sources in the original report has also expressed doubts about the veracity of the story, including over his dealings with journalist Jordan Robertson, one of the Bloomberg report's authors. Security researcher Joe Fitzpatrick said on Monday that he had discussed proof-of-concept devices he had demonstrated at Black Hat 2016, but found it strange that the hypothetical ideas he mentioned were later confirmed to the publication by other sources.
Bloomberg has since doubled down on its reporting, citing comments from a security researcher who said similar tampering had been found on Supermicro hardware at a data center belonging to a major U.S. telecommunications company.
Comments
Can't they be compelled to hand over the information in the interest of national security?
SuperMicro will say "nope" either way, so the only really "credible" source is Bloomberg.
I think Congress examining this is a great idea as "truthiness" is of a little more importance. If a person is found to have lied to them during the course of an investigation, and this qualifies as one, actual jail time is possible.
Why not go straight to the source, Supermicro? If they lie they chance prosecution and the CEO serving jail time since he's the one the questions are being put to. Think they'll risk it?
SuperMicro can just say they don't know anything about it, and they might not. If Bloomberg thinks that this is happening then they can hand over the info and we can start from there. If they have what they say they have then the feds can start asking specific questions, rather than senators fishing about in vague areas they don't really understand.
Just because they say "no, we don't know anything about it," that doesn't mean they're lying. That could mean exactly that: they don't know anything about it.
And of course, they could lie, especially if they think they could get away with it.
You may not know this, but there are cases of people saying they're innocent, when in fact, they're guilty. 😱
According to Bloomberg, national security is on the line here; so let's not waste time dealing with possible untruths. The truth lies with Bloomberg, apparently, so let's start there.
...and on the one hand you say Amazon and Apple should be taken at face value because if they were lying they'd be sued and fined and all kinds of horrid things and therefore would never risk it. Then today you say something like
"And of course, they could lie, especially if they think they could get away with it.
You may not know this, but there are cases of people saying they're innocent, when in fact, they're guilty."
Ummm.... yeah.
Gotcha.
Talking about painting yourself into a corner...
Ignorant assholes like you are the problem, and being one like you are is not limited to a certain race. Heck, I'm Hispanic and I find your comment disgusting. Take your racist attitude elsewhere.
The entire article is premised on the "fact" that the FBI has been investigating this for years. Ask the FBI to share what they know. This will instantly show the Bloomberg report as the lie that it is.
Sounds like the only named security source in the story would be happy to chat as well.