Wild story from Bloomberg Businessweek’s Jordan Robertson and Michael Riley about backdoor chips surreptitiously installed in server motherboards during assembly, probably by the Chinese government:
Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.
A few things about this story. First, it’s all too plausible. The manufacturing supply chain for most consumer technology has been strongly enmeshed in China for a couple decades now, which does potentially give the country unprecedented access to those components before they are shipped across the world. Secondly, nobody should doubt the skills of China’s information and cyber warfare teams—I certainly have no doubt that they are capable of carrying out such an exploit.
Meanwhile, Apple, which Bloomberg says was a major victim of the attack, has pushed back with an unusually detailed and stridently worded statement, utterly denying much of the information in Bloomberg’s report. Here’s just a small part of their rebuttal:
Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
Apple does acknowledge it located a vulnerability in a software driver on a single Supermicro server back in 2016, but denies that it was a targeted attack against the company. Moreover, the company stresses that even Bloomberg’s report does not allege any compromise of customer data.
Amazon, also implicated in the Bloomberg story, has issued a similar statement (also at the link above) saying that a security audit of servers had located issues with a web application, but not with hardware itself. Supermicro, unsurprisingly, denies knowledge of any investigation, but its reply seems more carefully worded.
The Bloomberg story does seem remarkably detailed, but it does have a distinct lack of named sources from any of the companies allegedly affected or from any of the U.S. government law enforcement or intelligence agencies reportedly investigating the hack. That makes it hard to judge their motives or biases, even though the sheer number of unnamed sources quoted by Bloomberg would seem to lend the story some credence.
Obviously, this issue—if true and as widespread as suggested—could have major security implications across the industry. Large companies have vested interests in retaining public trust over data security, and the intelligence community would surely like to keep such an investigation under wraps as well. We’ll have to see how it develops in light of the story’s publication.