A new report claims tiny chips attached to Chinese-made motherboards have been used to spy on American companies, including the likes of Apple and Amazon. To say both companies strongly disagree would be an understatement.
The report, published by Bloomberg Businessweek, alleges that groups affiliated with the Chinese government infiltrated factories supplying startup Supermicro in order to attach the chips to the motherboards. Bloomberg's report cites multiple sources from both companies, as well as national security officials who were informed of the chips' existence.
These chips would allow potential hackers to create “a stealth doorway into any network that included the altered machines.” This level of hardware hacking would be borderline unprecedented in scope, and Bloomberg claims the FBI opened an investigation (after the incident was reported by Apple) that’s still in progress three years later.
Supermicro’s extensive list of clients in 2015 was what made them a juicy target, a former intelligence official told Bloomberg. “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.” In addition to Apple and Amazon, the servers “could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships.”
As you might expect, Apple has denied the incident. In fact, its denial is strident and sounds slightly offended. Here's the comment it gave to CNBC:
We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.
A report by The Information did claim that the reason Apple and Supermicro severed ties was “a potential security vulnerability in at least one data center server,” which may or may not have been the infected driver in question.
Amazon, for its part, was equally firm about the issue. In its response, included in the list of statements compiled by Bloomberg, it said:
It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.
Supermicro and even the Chinese government issued statements responding to the incident, with Supermicro pleading ignorance of an investigation and the Chinese government pointing to “gratuitous accusations.”
According to the report, the goal was corporate and literal espionage. No consumer data is known to have been compromised.