Bloomberg Businessweek published a shocking and controversial report on October 4th. Supermicro is based in San Jose, California. Although their end product servers are designed in the United States, they make their system motherboards in China.
China is indeed the world’s manufacturing powerhouse. Roughly 75% of mobile phones, 90% of PCs, and 100% of my goth platform shoe collection is made there. Chances are that a lot of the things you own right now were made in that country, no matter who you are or where you live.
For years American officials have claimed that internationally shipped mobile devices and networking hardware made by Huawei and ZTE, two companies with verifiable ties to the Chinese government, are being used for Chinese cyber-espionage. China denies it, and back in September 2015, Chinese President Xi Jinping and American President Barack Obama announced at a press conference that China had agreed to not support cyber attacks to acquire American intellectual property for the benefit of Chinese companies.
Bloomberg’s Jordan Robertson and Michael Riley say they have spoken to anonymous sources from both Apple and Amazon who claim that, through Supermicro’s server motherboard manufacturing, China’s People’s Liberation Army have infiltrated the supply chains of those tech giants, and probably others. Apple and Amazon have both officially denied those claims. So, what’s the truth?
Here are the details of the allegations. Very tiny microchips, roughly the size of a sharpened pencil tip or Abraham Lincoln’s nose on the American penny, are a component of the server motherboards which Supermicro makes in China, or are added afterwards, somewhere in the global supply chain. A Chinese military unit made the chips that were sent to Supermicro’s factory, and Supermicro is likely knowledgeable and cooperative with the operation.
Supermicro makes server machines with those apparently tampered motherboards and ships them to dozens of American companies, the most notable being Apple and Amazon. The tiny microchips only have room for a little bit of code, but that tiny bit of firmware is enough to open a hardware backdoor for Chinese cyber-espionage. When the servers are in their datacenters and turned on, the firmware can make changes to the operating system kernel for specific alterations. The backdoors also enable the servers to communicate with a cyber attacker’s command and control servers in order to spy on American networks and receive further potentially malicious code. According to the Bloomberg report:
“This system could let the attackers alter how the device functioned, line by line, however they wanted, leaving no one the wiser. To understand the power that would give them, take this hypothetical example: Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one. An implanted chip can alter part of that code so the server won’t check for a password—and presto! A secure machine is open to any and all users. A chip can also steal encryption keys for secure communications, block security updates that would neutralize the attack, and open up new pathways to the internet. Should some anomaly be noticed, it would likely be cast as an unexplained oddity.”
Both Apple and Amazon host streaming video services, a function that a lot of the Supermicro servers were designed to fulfill.
Robertson and Riley claim that after detecting firmware problems and anomalous network behavior, Apple’s own investigation lead to the discovery of the backdoor chips around May 2015. Anonymous sources who are described as senior Apple insiders say that the Cupertino-based company reported their discovery to the FBI, but only shared limited information with the agency. Apple apparently denied the FBI access to their hardware.
While the FBI tried to investigate Apple’s discovery with limited intel, Amazon found the same malicious components and activity in their Supermicro servers. Amazon not only shared their findings with the FBI, but also gave them access to their apparently sabotaged servers.
On October 4th, Apple officially denied Robertson and Riley’s claims with a press release from their newsroom:
“Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.
On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”
Also on October 4th, Amazon made an official denial with Stephen Schmidt’s post to the AWS Security blog:
“Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware (former middleman between Supermicro and Amazon, which has since been acquired by Amazon) at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region.
As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.
There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).”
Bloomberg Businessweek stands by their report in the wake of Apple and Amazon’s official denials:
“Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews. Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”
If what is written in Bloomberg Businessweek is true, then it’s shocking news and a very serious cyber-espionage conspiracy. Robertson and Riley’s piece has shocked the Silicon Valley and the potential international relations implications are grave.