Super Micro reviewing its hardware in search for alleged Chinese spy chips
Super Micro will be reviewing its products for any signs of chips or other malicious hardware added during its production, in a bid to clear itself following a report claiming Chinese spies had implanted the components to perform espionage on Apple and other western companies.
"Despite the lack of proof that a malicious hardware chip exists, we are undertaking a complicated and time-consuming review to further address the article," Super Micro advised to its customers in a letter. Included as part of a U.S. Securities and Exchange Commission filing, the letter claims "We are confident that a recent article, alleging a malicious hardware chip was implanted during the manufacturing process of our motherboards, is wrong."
"We trust you appreciate the difficulty of proving that something did not happen, even though the reporters have produced no affected motherboard or any such malicious hardware chip," asserts Super Micro. "As we have said firmly, no one has shown us a mtherboard containing any unauthorized hardware chip, we are not aware of any such unauthorized chip, and no government agency has alerted us to the existence of any unauthorized chip."
It is claimed to be "virtually impossible" for a third-party to install such a component capable of communicating with a baseboard management controller during the manufacturing process, as they would lack the "pin-to-pin knowledge" of the design. Super Micro also notes the system is designed "so that no single Super Micro employee, single team, or contractor has unrestricted access to the complete motherboard design," including hardware, software, and firmware.
On October 4, a Bloomberg report based on a multi-year investigation claimed that Apple, Amazon, and 30 other companies had been the victim of an espionage campaign in which rice-sized chips had been planted on motherboards made by Super Micro. Once delivered, the motherboards supposedly created a backdoor into infrastructure like Apple's iCloud.
Apple was quick to deny allegations, insisting that it had conducted a "massive, granular, and siloed investigation."
Amazon's denial of the attack was a bit more outspoken.
"There are so many inaccuracies in this article as it relates to Amazon that they're hard to count," Amazon said in its statement, refuting several specific claims, and specifically citing that there was no modified hardware found.
Several subsequent accounts have cast further doubt, such as one from the senior advisor for Cybersecurity Strategy to the director of the U.S. National Security Agency. Additionally, The U.S. Department of Homeland Security commented that it had "no reason to doubt" the positions of Apple and Amazon.
On Friday, Tim Cook also spoke candidly about the attack, putting his own name on very specific denials, and also talking about how Bloomberg interacted with Apple during the investigation.
"There is no truth in their story about Apple," Cook said on Friday. "They need to do that right thing and retract it."
"I was involved in our response to this story from the beginning," said Cook. "I personally talked to the Bloomberg reporters along with Bruce Sewell who was then our general counsel. We were very clear with them that this did not happen, and answered all their questions. Each time they brought this up to us, the story changed and each time we investigated we found nothing."
"We turned the company upside down. Email searches, datacenter records, financial records, shipment records," Cook added. "We really forensically whipped through the company to dig very deep and each time we came back to the same conclusion: This did not happen. There's no truth to this."
Bloomberg hasn't backed down from its claims, and U.S. senators have asked Super Micro for answers.
"Despite the lack of proof that a malicious hardware chip exists, we are undertaking a complicated and time-consuming review to further address the article," Super Micro advised to its customers in a letter. Included as part of a U.S. Securities and Exchange Commission filing, the letter claims "We are confident that a recent article, alleging a malicious hardware chip was implanted during the manufacturing process of our motherboards, is wrong."
"We trust you appreciate the difficulty of proving that something did not happen, even though the reporters have produced no affected motherboard or any such malicious hardware chip," asserts Super Micro. "As we have said firmly, no one has shown us a mtherboard containing any unauthorized hardware chip, we are not aware of any such unauthorized chip, and no government agency has alerted us to the existence of any unauthorized chip."
It is claimed to be "virtually impossible" for a third-party to install such a component capable of communicating with a baseboard management controller during the manufacturing process, as they would lack the "pin-to-pin knowledge" of the design. Super Micro also notes the system is designed "so that no single Super Micro employee, single team, or contractor has unrestricted access to the complete motherboard design," including hardware, software, and firmware.
On October 4, a Bloomberg report based on a multi-year investigation claimed that Apple, Amazon, and 30 other companies had been the victim of an espionage campaign in which rice-sized chips had been planted on motherboards made by Super Micro. Once delivered, the motherboards supposedly created a backdoor into infrastructure like Apple's iCloud.
Apple was quick to deny allegations, insisting that it had conducted a "massive, granular, and siloed investigation."
Amazon's denial of the attack was a bit more outspoken.
"There are so many inaccuracies in this article as it relates to Amazon that they're hard to count," Amazon said in its statement, refuting several specific claims, and specifically citing that there was no modified hardware found.
Several subsequent accounts have cast further doubt, such as one from the senior advisor for Cybersecurity Strategy to the director of the U.S. National Security Agency. Additionally, The U.S. Department of Homeland Security commented that it had "no reason to doubt" the positions of Apple and Amazon.
On Friday, Tim Cook also spoke candidly about the attack, putting his own name on very specific denials, and also talking about how Bloomberg interacted with Apple during the investigation.
"There is no truth in their story about Apple," Cook said on Friday. "They need to do that right thing and retract it."
"I was involved in our response to this story from the beginning," said Cook. "I personally talked to the Bloomberg reporters along with Bruce Sewell who was then our general counsel. We were very clear with them that this did not happen, and answered all their questions. Each time they brought this up to us, the story changed and each time we investigated we found nothing."
"We turned the company upside down. Email searches, datacenter records, financial records, shipment records," Cook added. "We really forensically whipped through the company to dig very deep and each time we came back to the same conclusion: This did not happen. There's no truth to this."
Bloomberg hasn't backed down from its claims, and U.S. senators have asked Super Micro for answers.
Comments
With their credibility on the line, surely now is the time to produce the evidence. National security is at stake here. Just holding back the evidence like this is criminal.
With the stark denials, this should have been up and settled already, yeah?
This is incredible. After over two thousands years learning how to find truths, the western civilization still is doing it wrong.
Is it any surprise insurance companies ended up rolling in the $$$ while the average Joe got bilked...
For the record, I’m very security conscious and I wouldn’t hesitate to buy a Super Micro motherboard. Bloomberg bought a lie, and needs to own up to their mistake. Bloomberg is better than most, so no boycott from me...
I wonder if the companies and the government can ever recover those costs after they prove Bloomberg wrong.
The media today is too interested in telling a story then reporting the fact. I was in the meeting with my boss and higher level exec and we were dealing with a major issue and my boss said to everyone "they would not care about the facts once they hear the story." This is what the media is doing, they hope we do not care about the facts once we hear their story.
The problem, most of US media just report on each other stories. Instead of reporting on what they know as fact they just repeat what other news outlets have reported. There is very little original reporting going on. They are all assuming what Bloomberg is reporting is factual instead of doing their own work, these people probably think it was okay to copy other people's work in high school and college.
They can wait till SuperMicro conducts their investigation and then claim that SuperMicro removed all traces of the malicious chips!