Super Micro to Customers: Chinese Spy Chips Story Is Wrong
24.10.2018 securityweek BigBrothers
A Bloomberg article claiming that tiny chips were inserted in Super Micro Computer Inc. equipment “is wrong,” the California-based server manufacturer says.
The article, which Bloomberg ran in early October, claimed that Chinese spies, likely state-sponsored, were able to infiltrate production processes and include chips the size of a grain of rice on equipment used by tech giants such as Amazon and Apple.
The chips, the story claimed, would create a stealthy, hardware-based doorway into computer equipment. Attackers could then reportedly leverage these chips to compromise systems in an effort to spy on more than 30 organizations in the United States.
Super Micro has refuted the claims right from the start, saying that it never found any such malicious chips in its equipment, nor has it been informed by a customer of the discovery of such chips.
The U.S. Department of Homeland Security (DHS) and the U.K. National Cyber Security Centre (NCSC) have denied any investigations supposedly launched as a result of the discovery of spy chips.
Amazon said it never found evidence of malicious hardware in Super Micro equipment, while Apple told the U.S. Congress the Bloomberg story was “simply wrong.”
In a letter sent to its customers and also forwarded to the U.S. Securities and Exchange Commission, Super Micro too calls the Bloomberg story wrong. The company also notes that it does not know of, and has not seen, any malicious hardware chips implanted during the manufacturing of its motherboards.
“We trust you appreciate the difficulty of proving that something did not happen, even though the reporters have produced no affected motherboard or any such malicious hardware chip. As we have said firmly, no one has shown us a motherboard containing any unauthorized hardware chip, we are not aware of any such unauthorized chip, and no government agency has alerted us to the existence of any unauthorized chip,” the letter reads.
The company also reveals that, despite the lack of proof, it has decided to undertake “a complicated and time-consuming review to further address the article.” Furthermore, Super Micro notes, it is testing every board, both visually and functionally, throughout the entire manufacturing process.
The letter is meant to reassure customers about the complex testing process the company employs for its products, which includes “several automated optical inspections, visual inspections, and other functional inspections.” These tests, the company says, are also meant to check the integrity and composition of designs, so as to discover any discrepancies.
“Our motherboard designs are extremely complex. This complexity makes it practically impossible to insert a functional, unauthorized component onto a motherboard without it being caught by any one, or all, of the checks in our manufacturing and assembly process. The complex design of the underlying layers of the board also makes it highly unlikely that an unauthorized hardware component, or an altered board, would function properly,” the company points out.
“Our motherboard technology involves multiple layers of circuitry. It would be virtually impossible for a third party, during the manufacturing process, to install and power a hardware device that could communicate effectively with our Baseboard Management Controller because such a third party would lack complete knowledge (known as ‘pin-to-pin knowledge’) of the design,” Super Micro also notes.
Others too have investigated Bloomberg’s claims and note that the manner in which the article says the spy chips would be activated is technically implausible.
In an interview with BuzzFeed News, Apple CEO Tim Cook denied the allegations, and even said that Bloomberg should retract their story. Andy Jassy of Amazon Web Services (AWS) too says Bloomberg should retract.
Immediately after the original article was published, the stocks of Chinese companies Lenovo Group and ZTE Corporation took a hit. Super Micro’s stock dropped more than 40% and only recovered slightly.