Server firmware security incident in 2016 forced Apple to sever ties with vendor Super Micro
While there appears to have been no breach of Apple's security, the company terminated its relationship with hardware vendor Super Micro because of concerns about firmware update security, and an update that potentially compromised a Siri server bank, plus the App Store's search server development environment. [Updated]
In a report published by The Information on Thursday, Super Micro Senior Vice President of Technology Tau Leng claims that Apple not only discontinued future business as a result of a compromised internal development environment in the middle of 2016, but also returned equipment it had ordered. According to the anonymous sources cited, app search functionality and some Siri queries were handled by Super Micro-provided hardware that was compromised by a bogus firmware update.
An Apple spokesman reached for comment by The Information denied that Apple found infected firmware from the vendor. Apple also denied that any customer information was pilfered as a result of any incident involving data center security.
"Apple is deeply committed to protecting the privacy and security of our customers and the data we store," said an Apple spokesman. "We are constantly monitoring for any attacks on our systems, working closely with vendors and regularly checking equipment for malware."
Leng claims that after he was informed of the compromised firmware, Super Micro asked for the version number that was installed. According to the executive, Apple provided an invalid number and refused to disclose any additional information to Super Micro.
Leng also claims that the bad firmware was for a networking chip used in the servers, and "thousands of customers" utilize the same equipment.
"Only Apple had this complaint?" asked Leng. "That's the most puzzling portion."
AppleInsider was not able to reach Leng, nor has Apple returned our queries about the reported firmware incident. However, Super Micro reported that it had lost business from two long-term significant data center equipment customers in the tail-end of 2016, causing a drop in sales and profits year-over-year.
Additionally, in August of 2016, Apple was reportedly turning to new server providers, said at the time to be a move to "cut costs" — but given the new information and the timing, it may have actually been done to completely cut Super Micro out of its data centers.
Update: An Ars Technica source claims that the firmware in question impacted servers in Apple's design lab, and not any active Siri servers. The person added that it was downloaded from Super Micro's support site, where it's allegedly still hosted.