There’s an old saying, “the truth will out.”
It might take time, but the facts of a situation will eventually be discovered.
I certainly hope that’s true of the extraordinary report released by Bloomberg BusinessWeek, which claims that China has been exploiting the supply-chain, planting a tiny microchip on servers which ended up in the server rooms of almost 30 companies, including the likes of Apple and Amazon.
Those compromised servers, according to the report, were manufactured by San Jose-based SuperMicro, and could allow the People’s Liberation Army to remotely take over the computers from the other side of the planet.
The Bloomberg article is lengthy (running to almost 5000 words), and claims to have been confirmed by 17 people with knowledge of the attack – including current and former senior national security officials, and insiders at Apple and Amazon. Certainly it’s true that none of these individuals are named in the report, but Bloomberg is well-respected and it’s hard to believe they would spend months investigating a story like this without vigorous double and triple-checking of its facts.
And yet, the main companies concerned have issued vigorous denials.
Amazon described the Bloomberg BusinessWeek report as “erroneous”:
Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region.
As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.
Apple has also said that there is no truth to the claims in Bloomberg BusinessWeek:
Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
The Cupertino-based tech giant concluded by ruining many a conspiracy theorist’s day, declaring it has not been forced by the authorities to keep schtum about any security breach:
…we are not under any kind of gag order or other confidentiality obligations.
And spare a thought for SuperMicro, the manufacturer of the motherboards, whose share price reportedly fell 50% after the report was published. In a press release, they refute the article’s claims:
In an article today, it is alleged that SuperMicro motherboards sold to certain customers contained malicious chips on its motherboards in 2015. SuperMicro has never found any malicious chips, nor been informed by any customer that such chips have been found.
So, what’s the truth?
Has Bloomberg BusinessWeek got its facts wrong, and allowed an over-enthusiastic imagination to conjour up a hacking plot where none existed? Is it likely that Apple and Amazon would publish such strong denials if they knew they might be caught out? Are the technology companies gagged by agencies who don’t want China to know that their plot has been rumbled?
It’s frankly a mystery. And unless someone can come up with physical evidence of a malicious chip on a motherboard that can be analysed independently by a security expert, it’s difficult to know how the story is going to be confirmed 100%.
What is undoubtedly true, however, is that the supply-chain presents a significant threat to many organisations. When you buy computer hardware, you don’t necessarily know which companies have played a part in the manufacture of all its components, or whether there might be something nasty lurking inside. I have no doubt that the Chinese PLA would have great interest in hacking into companies through compromising the supply-chain, but that’s equally true of many other countries as well.
The major difference is that China is where so much of the world’s technology originates – the temptation to exploit that manufacturing lead most be enormous.
We’ll just have to wait to find out what has happened. Fingers crossed, the truth will (eventually) out.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.