Apple and Amazon deny their servers were compromised by a tiny chip
After last week's shocking reveal about a chip no larger than a grain of rice on Supermicro motherboards compromising the security of servers in almost every organization, the involved companies have stepped forward to deny all of Bloomberg's claims.
A very extensive report published on Bloomberg Businessweek set off waves of fear and panic about the state of security and privacy in today's connected world, especially since Supermicro's motherboards are featured heavily in plenty of datacenters, including Amazon's and Apple's.
Amazon and Apple both denied any knowledge of any hardware vulnerability on the Supermicro servers they own. Here’s what they have to say about the article:
There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).
The article also claims that after learning of hardware modifications and malicious chips in Elemental servers, we conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data center. This claim is similarly untrue. The first and most obvious reason is that we never found modified hardware or malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers in any of our data centers. And, this notion that we sold off the hardware and datacenter in China to our partner Sinnet because we wanted to rid ourselves of SuperMicro servers is absurd. Sinnet had been running these data centers since we launched in China, they owned these data centers from the start, and the hardware we “sold” to them was a transfer-of-assets agreement mandated by new China regulations for non-Chinese cloud providers to continue to operate in China.
You can read the full statement from Amazon here.
We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.
While there has been no claim that customer data was involved, we take these allegations seriously and we want users to know that we do everything possible to safeguard the personal information they entrust to us. We also want them to know that what Bloomberg is reporting about Apple is inaccurate.
While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue.
Every major corporation in today’s security climate is constantly responding to threats and evolving their security posture. As part of that effort we are in regular contact with a variety of vendors, industry partners and government agencies sharing information on threats, best practices and new tools. This is standard practice in the industry today. However, we have not been in contact with any government agency regarding the issues you raised.
Apple and Supermicro’s emailed statement to Bloomberg Businessweek can be read in full here.
As you can see from the tone of all the statements, Supermicro was definitely blowing things out of proportion, and probably reporting unethically too. All this raises the question of whether it was a targeted attack on Supermicro, considering that the company's stock price has dropped drastically since the report was published.
We won’t deny that it’s very possible that these chips exist, but whether it’s true is now up for further scrutiny. We will update this article further if we get any more information regarding this matter.
Pokdepinion: The one on the losing end seems to be Supermicro. Such an allegation has definitely tarnished their reputation.