While there appears to have been no breach of Apple's security, the company terminated its relationship with hardware vendor Super Micro over concerns about the security of firmware updates, including an update that may have compromised a Siri server bank and the App Store's search server development environment. [Updated]
In a report published by The Information on Thursday, Super Micro Senior Vice President of Technology Tau Leng claims that Apple not only discontinued future business as a result of a compromised internal development environment in the middle of 2016, but also returned equipment it had ordered. According to the anonymous sources cited, app search functionality and some Siri queries were handled by Super Micro-provided hardware that was compromised by a bogus firmware update.
An Apple spokesman reached for comment by The Information denied that Apple had found infected firmware from the vendor. Apple also denied that any customer information was taken as a result of any incident involving data center security.
"Apple is deeply committed to protecting the privacy and security of our customers and the data we store," said an Apple spokesman. "We are constantly monitoring for any attacks on our systems, working closely with vendors and regularly checking equipment for malware."
Leng claims that after he was informed of the compromised firmware, Super Micro asked Apple for the version number of the firmware that was installed. According to the executive, Apple provided an invalid version number and refused to disclose any additional information to Super Micro.
Leng also claims that the bad firmware was for a networking chip used in the servers, and "thousands of customers" utilize the same equipment.
"Only Apple had this complaint?" asked Leng. "That's the most puzzling portion."
AppleInsider was not able to reach Leng, nor has Apple returned our queries about the reported firmware incident. However, Super Micro reported that it had lost business from two long-term, significant data center equipment customers at the tail end of 2016, causing a drop in sales and profits year-over-year.
Additionally, in August of 2016, Apple was reportedly turning to new server providers, a move said at the time to be aimed at cutting costs. Given the new information and the timing, it may instead have been done to cut Super Micro out of its data centers entirely.
Update: An Ars Technica source claims that the firmware in question impacted servers in Apple's design lab, and not any active Siri servers. The person added that it was downloaded from Super Micro's support site, where it is allegedly still hosted.
32 Comments
If Apple are being targeted with compromised firmware, then Super Micro would likely have been complicit in the development of such firmware on some level.
True or not, it's another justification for Apple to get back into the server market so they can control everything.
So Apple says there is no evidence that it has been compromised by SuperMicro devices, but it is cutting off all use of SuperMicro devices for fear that it could be compromised by SuperMicro devices. With no evidence that Apple has been injured, why would they take jobs and salaries away from SuperMicro workers without cause? I find this very discriminatory against SuperMicro on Apple's part, and Tim Cook should be let go immediately!
I worked for a company that used SuperMicro as a supplier for rack-mount devices; it was nearly half the price of other vendors. But in the end you pay: unreliable junk that kept failing, and customers flipped out. Typical Chinese business model: sell cheap 'stuff' that looks like the 'real thing'.