Story image

Supermicro to test for spy chips, Apple & AWS call for retraction

23 Oct 2018

Following the bombshell allegations released earlier this month, Supermicro has announced it will be conducting a review to prove its innocence.

The allegations in question came from Bloomberg in a comprehensive report that claimed Chinese spies had been infecting Supermicro motherboards destined for some of the world’s biggest companies with malicious chips that were feeding information back to China.

These firms included the likes of Apple and Amazon, both of which immediately jumped on Supermicro’s side of the fence and rubbished the claims.

Apple in particular has been vehemently opposed to the findings within the Bloomberg report. Last week the tech giant sent a public letter to US Congress signed off by Apple Information Security vice president George Stathakopoulos detailing the Bloomberg claims and why they’re nonsense.

“Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation,” says Stathakopoulos.

And then in an interview with Buzzfeed News, Tim Cook demanded that the article should be taken down – the first time Apple has ever publically requested a news article to be withdrawn.

“There is no truth in their story about Apple,” Cook says. "They need to do the right thing and retract it."

AWS CEO Andy Jassy later posted a tweet throwing the company’s weight behind Cook and Apple – “Tim Cook is right. Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract.”

And now despite dismissing the allegations as false, in a letter to customers from Supermicro CEO Charles Liang the company has pledged to conduct a review to prove that its motherboards aren’t infected.

“We are confident that a recent article, alleging a malicious hardware chip was implanted during the manufacturing process of our motherboards, is wrong,” says Liang.

“Despite the lack of any proof that a malicious hardware chip exists, we are undertaking a complicated and time-consuming review to further address the article.”

One of the key points in Liang’s letter was that Bloomberg reporters have failed to produce any kind of hard evidence like a compromised motherboard or a malicious chip to prove their allegations.

Supermicro carries out manufacturing operations via subcontractors in China – where Bloomberg says the motherboards have been infected – and Liang says the company studiously checks every layer of each motherboard as well as its functionality throughout the whole process.

“Specifically our process requires the inspection of the layout and components of every product at the beginning and end of each stage of manufacturing and assembly. Our employees are on site with our assembly contractors throughout the process. These inspections include several automated optical inspections, visual inspections, and other functional inspections,” says Liang.

“We also periodically employ spot checks and x-ray scans of our motherboards along with regular auditors of our contract manufacturers. Our test processes at every step are not only designed to check functionality, but also to check for the integrity and composition of our designs and to alert us to any discrepancies in the base design.”

Liang also asserted the motherboard designs are very complex, making it “practically impossible for anyone to insert a functional, unauthorised component into a motherboard without it being caught by any one, or all, of the checks in our manufacturing and assembly process.”

However, Bloomberg is still standing steadfastly by its report and refuses to back down.

“Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews. Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks,” the company reported in a statement.

“We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”

So the question still remains, just who is lying or at the very least misinformed? The standoff continues.

Avi Networks: Using visibility to build trust
Visibility, also referred to as observability, is a core tenet of modern application architectures for basic operation, not just for security.
Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Myth-busting assumptions about identity governance - SailPoint
The identity governance space has evolved and matured over the past 10 years, changing with the world around it.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.