sb-au logo
Story image

Is Supermicro innocent? 3rd party test finds no malicious hardware

13 Dec 2018

Earlier this year one of the larger scandals within IT circles took place with Bloomberg firing shots at Supermicro.

The media company claimed Supermicro had sold motherboards containing malicious chips to around 30 US customers – of which included the likes of Apple and Amazon – which would give Chinese spies the ability to create backdoor access to all the private networks the mother systems were involved with.

Supermicro rubbished these claims but it wasn’t enough to help its share price which according to Reuters fell by 50 percent (although it has since risen). The company promised to conduct an internal investigation to prove its innocence, and now in a letter sent to customers worldwide, it has the results.

“Recent reports in the media wrongly alleged that bad actors had inserted a malicious chip or other hardware on our products during our manufacturing process,” the letter states, signed by Supermicro president & CEO Charles Liang, SVP & chief compliance officer David Weigand, and SVP and chief product officer Raju Penumatcha.

“Because the security and integrity of our products is our highest priority, we undertook a thorough investigation with the assistance of a leading, third-party investigations firm.”

According to Supermicro, a representative sample of motherboards was tested, including the specific type of motherboard detailed in the article as well as motherboards that were sold to the referenced companies and more recently manufactured hardware.

“Today, we want to share with you the results of this testing: After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards,” the letter states.

“These findings were no surprise to us. As we have stated repeatedly, our process is designed to protect the integrity and reliability of our products.”

After listing all the procedures the company takes to ensure something like this can’t happen, Supermicro fires further shots back at Bloomberg.

“As we have stated repeatedly since these allegations were reported, no government agency has ever informed us that it has found malicious hardware on our products; no customer has ever informed us that it found malicious hardware on our products; and we have never seen any evidence of malicious hardware on our products,” the letter states.

“Today’s announcement should lay to rest the unwarranted accusations made about Supermicro’s motherboards.”

Of course, this report from Bloomberg ruffled a lot of feathers. Aside from Supermicro’s reaction, Apple sent a public letter to US Congress signed off by Apple Information Security vice president George Stathakopoulos, who effectively rubbished the claims.

“Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation,” says Stathakopoulos.

Following this, Apple CEO Tim Cook attended an interview with Buzzfeed News where he demanded the article be retracted – the first time Apple has ever publically requested an article to be withdrawn.

However despite the denials from Supermicro and the pressure from the tech superpowers, Bloomberg remained steadfast.

“Bloomberg Businessweek's investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews,” a Bloomberg spokesperson said.

"Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”

Bloomberg has yet to comment since the results of Supermicro’s internal investigation emerged.

Story image
Businesses move to cloud-based security solutions in a bid to support remote working
Cloud-based security tools are becoming increasingly popular following the rise in remote working during COVID-19, including a marked increase in businesses using such tools to protect of corporate financial information.More
Link image
Keep $1.6 million in your pocket with stronger network visibility
You actually can run your network at full throttle without running risks. If you don’t believe it, this guide will empower your network IT choices.More
Story image
Banks failing customers when it comes to mobile app security
"Through these vulnerabilities, hackers can obtain usernames, account balances, transfer confirmations, card limits, and the phone number associated with a victim's card.”More
Link image
Employee distraction, remote work & cyber risk - a recipe for disaster?
Moving your workforce out of the corporate office can bring big changes and potential risks in how they save their data. It is important that your IT team plan these changes with your employees.More
Story image
Claroty and Deloitte partner up to deliver cybersecurity for industrial tech
“Industrial organisations are keen to transform themselves into digital utilities, but often security can be an obstacle rather than an enabler of digital transformation.”More
Story image
Research: Rapid growth of embedded security market inevitable
With the rise of IoT, as cybercriminals find new ways to gain access to devices, new secure embedded hardware can block their points of entry.More