The story is a horrific scenario for U.S. companies and government interests.
Bloomberg’s Businessweek reported that Chinese hackers have infiltrated the manufacturing process of servers used by the U.S. government and major companies including Amazon and Apple, inserting microchips the size of a pencil nub, and stealing data.
There are two ways for spies to alter the guts of computer equipment. One, known as interdiction, consists of manipulating devices as they’re in transit from manufacturer to customer. This approach is favored by U.S. spy agencies, according to documents leaked by former National Security Agency contractor Edward Snowden. The other method involves seeding changes from the very beginning.
One country in particular has an advantage executing this kind of attack: China, which by some estimates makes 75 percent of the world’s mobile phones and 90 percent of its PCs. Still, to actually accomplish a seeding attack would mean developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location—a feat akin to throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle. “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” says Joe Grand, a hardware hacker and the founder of Grand Idea Studio Inc. “Hardware is just so far off the radar, it’s almost treated like black magic.”
But that’s just what U.S. investigators found: The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.
The report cites 17 unnamed sources from the U.S. government and the U.S. companies that have corroborated its story. However, Apple and Amazon dispute the entire narrative.
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers have ever been found to hold malicious chips.
As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections. We did not uncover any unusual vulnerabilities in the servers we purchased from Super Micro when we updated the firmware and software according to our standard procedures
Bloomberg published Apple’s and Amazon’s rebuttals. Amazon just pushed back on the assertions in the story.
It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.
We’ve re-reviewed our records relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit that we conducted in 2015 as part of our due diligence prior to the acquisition. We’ve found no evidence to support claims of malicious chips or hardware modifications.
Additionally, in June 2018, researchers made public reports of vulnerabilities in SuperMicro firmware. As part of our standard operating procedure, we notified affected customers promptly, and recommended they upgrade the firmware in their appliances.
Apple criticized the news outlet and its reporting.
We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.
While there has been no claim that customer data was involved, we take these allegations seriously and we want users to know that we do everything possible to safeguard the personal information they entrust to us. We also want them to know that what Bloomberg is reporting about Apple is inaccurate.
The companies have much to lose if readers believe the Bloomberg article. Shares of Super Micro, the motherboard manufacturing company implicated in the story, dropped 40 percent, and Apple and Amazon both saw a dip in stock value.
The rebuttals from tech companies have some questioning the report:
I have to say, this is all really bizarre. The Bloomberg story is very detailed, citing documents and inside sources. But the company denials are also detailed and emphatic. You don’t often see the latter when a company is trying to hide something or be coy. https://t.co/qjA1TFKzZ3
— Kim Zetter (@KimZetter) October 4, 2018
The Amazon AWS denial is also very strong.
I am filing this story as unconfirmed until we have an authoritative third party confirming the big picture outline as well as some of the details. pic.twitter.com/sHw4g190Iy
— Thomas Rid (@RidT) October 4, 2018
High variance prediction: especially given the rather categorical denials from Apple and Amazon, there is either much more to this story or much less.
— matt blaze (@mattblaze) October 4, 2018
Not all the Bloomberg assertions are new revelations.
Parts of Bloomberg‘s story have been previously reported. Apple did sever its relationship with Supermicro in 2016, but the iPhone-maker claimed this was due to an unrelated and minor security incident. Amazon reportedly distanced itself from Supermicro’s compromised servers by selling its Chinese infrastructure to a rival, for unknown reasons at the time. In a statement to Bloomberg, Amazon admitted finding “vulnerabilities” in Supermicro’s products, but said they were software, not hardware, related. Facebook, another potential customer, also found problems with Supermicro’s products, identifying malware in the company’s software and removing the servers from its datacenters.
It seems likely that more information will come to light—either supporting or countering this report. Meanwhile, consumers are left wondering who is telling the truth.
What do you think of the companies’ response, PR Daily readers?