Bloomberg Businessweek published a shocking and controversial report on October 4th about Supermicro, a server maker based in San Jose, California. Although its end-product servers are designed in the United States, the company makes its system motherboards in China.
China is indeed the world’s manufacturing powerhouse. Roughly 75% of mobile phones, 90% of PCs, and 100% of my goth platform shoe collection are made there. Chances are that a lot of the things you own right now were made in that country, no matter who you are or where you live.
For years American officials have claimed that internationally shipped mobile devices and networking hardware made by Huawei and ZTE, two companies with verifiable ties to the Chinese government, are being used for Chinese cyber-espionage. China denies it, and back in September 2015, Chinese President Xi Jinping and American President Barack Obama announced at a press conference that China had agreed to not support cyber attacks to acquire American intellectual property for the benefit of Chinese companies.
Bloomberg’s Jordan Robertson and Michael Riley say they have spoken to anonymous sources from both Apple and Amazon who claim that, through Supermicro’s server motherboard manufacturing, China’s People’s Liberation Army has infiltrated the supply chains of those tech giants, and probably others. Apple and Amazon have both officially denied those claims. So, what’s the truth?
Here are the details of the allegations. Very tiny microchips, roughly the size of a sharpened pencil tip or Abraham Lincoln’s nose on the American penny, are a component of the server motherboards which Supermicro makes in China, or are added afterwards, somewhere in the global supply chain. A Chinese military unit made the chips that were sent to Supermicro’s factory, and Supermicro is likely knowledgeable and cooperative with the operation.
Supermicro makes server machines with those apparently tampered-with motherboards and ships them to dozens of American companies, the most notable being Apple and Amazon. The tiny microchips only have room for a little bit of code, but that tiny bit of firmware is enough to open a hardware backdoor for Chinese cyber-espionage. When the servers are in their datacenters and turned on, the firmware can make specific alterations to the operating system kernel. The backdoors also enable the servers to communicate with a cyber attacker’s command and control servers in order to spy on American networks and receive further potentially malicious code. According to the Bloomberg report:
“This system could let the attackers alter how the device functioned, line by line, however they wanted, leaving no one the wiser. To understand the power that would give them, take this hypothetical example: Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one. An implanted chip can alter part of that code so the server won’t check for a password—and presto! A secure machine is open to any and all users. A chip can also steal encryption keys for secure communications, block security updates that would neutralize the attack, and open up new pathways to the internet. Should some anomaly be noticed, it would likely be cast as an unexplained oddity.”
Both Apple and Amazon host streaming video services, a function that a lot of the Supermicro servers were designed to fulfill.
Robertson and Riley claim that after detecting firmware problems and anomalous network behavior, Apple’s own investigation led to the discovery of the backdoor chips around May 2015. Anonymous sources who are described as senior Apple insiders say that the Cupertino-based company reported their discovery to the FBI, but only shared limited information with the agency. Apple apparently denied the FBI access to their hardware.
While the FBI tried to investigate Apple’s discovery with limited intel, Amazon found the same malicious components and activity in their Supermicro servers. Amazon not only shared their findings with the FBI, but also gave them access to their apparently sabotaged servers.
On October 4th, Apple officially denied Robertson and Riley’s claims with a press release from their newsroom:
“Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.
On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”
Also on October 4th, Amazon made an official denial with Stephen Schmidt’s post to the AWS Security blog:
“Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware (former middleman between Supermicro and Amazon, which has since been acquired by Amazon) at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region.
As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.
There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).”
Bloomberg Businessweek stands by their report in the wake of Apple and Amazon’s official denials:
“Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews. Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”
If what is written in Bloomberg Businessweek is true, then it’s shocking news and a very serious cyber-espionage conspiracy. Robertson and Riley’s piece has shocked Silicon Valley, and the potential implications for international relations are grave.