Super Micro will be reviewing its products for any signs of chips or other malicious hardware added during its production, in a bid to clear itself following a report claiming Chinese spies had implanted the components to perform espionage on Apple and other western companies.
"Despite the lack of proof that a malicious hardware chip exists, we are undertaking a complicated and time-consuming review to further address the article," Super Micro advised its customers in a letter. Included as part of a U.S. Securities and Exchange Commission filing, the letter claims "We are confident that a recent article, alleging a malicious hardware chip was implanted during the manufacturing process of our motherboards, is wrong."
"We trust you appreciate the difficulty of proving that something did not happen, even though the reporters have produced no affected motherboard or any such malicious hardware chip," asserts Super Micro. "As we have said firmly, no one has shown us a motherboard containing any unauthorized hardware chip, we are not aware of any such unauthorized chip, and no government agency has alerted us to the existence of any unauthorized chip."
It is claimed to be "virtually impossible" for a third party to install such a component capable of communicating with a baseboard management controller during the manufacturing process, as they would lack the "pin-to-pin knowledge" of the design. Super Micro also notes the system is designed "so that no single Super Micro employee, single team, or contractor has unrestricted access to the complete motherboard design," including hardware, software, and firmware.
On October 4, a Bloomberg report based on a multi-year investigation claimed that Apple, Amazon, and 30 other companies had been the victims of an espionage campaign in which rice-sized chips had been planted on motherboards made by Super Micro. Once delivered, the motherboards supposedly created a backdoor into infrastructure like Apple's iCloud.
Apple was quick to deny the allegations, insisting that it had conducted a "massive, granular, and siloed investigation."
Amazon's denial of the attack was a bit more outspoken.
"There are so many inaccuracies in this article as it relates to Amazon that they're hard to count," Amazon said in its statement, refuting several specific claims, and specifically citing that there was no modified hardware found.
Several subsequent accounts have cast further doubt, such as one from the senior advisor for Cybersecurity Strategy to the director of the U.S. National Security Agency. Additionally, the U.S. Department of Homeland Security commented that it had "no reason to doubt" the positions of Apple and Amazon.
On Friday, Tim Cook also spoke candidly about the attack, putting his own name on very specific denials, and also talking about how Bloomberg interacted with Apple during the investigation.
"There is no truth in their story about Apple," Cook said on Friday. "They need to do the right thing and retract it."
"I was involved in our response to this story from the beginning," said Cook. "I personally talked to the Bloomberg reporters along with Bruce Sewell who was then our general counsel. We were very clear with them that this did not happen, and answered all their questions. Each time they brought this up to us, the story changed and each time we investigated we found nothing."
"We turned the company upside down. Email searches, datacenter records, financial records, shipment records," Cook added. "We really forensically whipped through the company to dig very deep and each time we came back to the same conclusion: This did not happen. There's no truth to this."
Bloomberg hasn't backed down from its claims, and U.S. senators have asked Super Micro for answers.
14 Comments
And still Bloomberg stays silent.
With their credibility on the line, surely now is the time to produce the evidence. National security is at stake here. Just holding back the evidence like this is criminal.
So the case wasn't so clear-cut after all?
With the stark denials, this should have been up and settled already, yeah?
At one time, Bloomberg was a respected media outlet. Now I’m viewing them as a rag.
SM does not have to find the part on any boards; all they need to do is go get the CAD and Gerber files for the PCB manufacturer that were used to build their products during the so-called time period and do a hash compare on the files in their own archives, and if the hashes do not match then they know files were modified. There is no way to put a chip on a board without modifying the PCB drawing and file. If they tried adding the part after the fact, that means there would be wires and such, which anyone would have easily known.