Story image

Supermicro, Apple, & Amazon vs crippling scandal – who’s lying?

06 Oct 2018

How much damage a little report can do!

It’s unlikely that there was very much sleep going on at some of the data centre titans last night, as a new report has dug up a potentially gigantic scandal.

Bloomberg released its findings in an article that was published yesterday, claiming that Supermicro had sold motherboards containing malicious chips to almost 30 US customers, including Apple and Amazon. The article says the chips were planted by Chinese spies to enable backdoor access to all private networks the mother systems were involved with.

In the wake of this report Supermicro’s stocks have collapsed more than 40 percent, while Amazon and Apple each saw their stocks decline around two percent – despite all three aforementioned companies purporting the claims to be false.

Now then, to the report. Bloomberg News says the report is rock solid and based on more than a year of investigations and more than 100 interviews. On top of this, it is claimed to have inputs from multiple former and current Apple and Amazon employees, in addition to current and former US national security officials.

According to the report, Amazon first discovered the malicious chips three years ago in 2015 as a result of an overhaul following its acquisition of Elemental. The company then reported this to the relevant authorities which prompted an investigation by US intelligence agencies that is still ongoing today.

Similarly, Apple (already a big Supermicro customer) was on the verge of buying a further 30,000 servers from Supermicro in 2015 when it also discovered the chip.

Of course these are all allegations, but if true, they could blow the industry apart far beyond this trio of companies. For example, other big players like IBM and Intel are both known Supermicro customers.

In terms of how the motherboards became affected, Bloomberg claims Supermicro’s systems and components are manufactured in China with some of that work then subcontracted to other companies. The Chinese military then took advantage of these subcontractors to secretly plant the illicit chips.

Since the article painted headlines around the world, Supermicro has released a statement with input from both Apple and Amazon.

“In an article today, it is alleged that Supermicro motherboards sold to certain customers contained malicious chips on its motherboards in 2015. Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found,” the statement reads.

Amazon Web Services chief information security officer Steve Schmidt was also steadfast in his commentary.

"As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems,” says Schmidt.

Similarly, a statement from Apple attempted to rubbish Bloomberg’s claims.

"We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Supermicro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."

To put it all in perspective, a recent IDC report states Supermicro to have shipped 175,000 servers in the second quarter of this year, making it the fifth largest vendor in terms of units shipped, shared with Huawei.

So the question remains, just who is lying? We will keep you updated as this case evolves.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.