A potentially damning report published by Bloomberg Thursday morning claims that more than 30 U.S. companies including Amazon and Apple may have had their products compromised by a Chinese chip. The culprit, according to internal corporate and government sources, is Silicon Valley company Super Micro, a major supplier of computer motherboards. Multiple parties including Amazon, Apple, and Super Micro deny the allegations.
According to the report, during the supply chain process, San Jose-based Super Micro secretly embedded a tiny microchip, roughly the size of a grain of rice, on motherboards found in a huge variety of products used by the U.S. military, American companies, and financial institutions. Amazon initially discovered the chip as it evaluated a startup called Elemental for acquisition. A third-party Canadian company analyzed Elemental’s server products and discovered the tiny microchip.
Amazon then reported the finding to authorities, kicking off a multi-year investigation.
“During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines,” Bloomberg writes. “Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”
The goal of this subterfuge, according to a government official, was to gain access to valuable corporate secrets and government networks. These chips could subtly alter how a device functioned and could open backdoors through which other hackers could eventually make attacks. Consumer data was not a primary target, and there’s no evidence that consumer data was breached.
The FBI traced the chips’ source to four Super Micro subcontractors overseas, where middlemen posing as company representatives requested changes to motherboards, unbeknownst to actual Super Micro officials. Super Micro is the leader in the $1 billion motherboard space, with more than 900 customers in 2015.
Apple denies the allegations; it says that the company has “never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
“We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed,” Apple told CNBC. “Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.”
Amazon also refutes the report. “We’ve found no evidence to support claims of malicious chips or hardware modifications,” Amazon says. In a statement in Amazon’s report, it said, “It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental.”
Super Micro denies the report, and the Chinese foreign ministry told CNBC that “China is a resolute defender of cybersecurity.”
However, Bloomberg says six senior national security officials confirm the discovery of these chips and the ensuing probe. Including internal sources at Amazon, Apple, and other companies, the tally of individuals confirming Bloomberg’s findings comes to 17.
H/T Brian Krebs