Super Micro: Audit Didn't Find Chinese Spying Chip

Firm Says Audit 'Lays to Rest the Unwarranted Accusations'

Super Micro Computer says a third-party audit of its recent and older motherboards has not turned up evidence of a spying chip as alleged in an explosive report two months ago by Bloomberg BusinessWeek.

"After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards," according to a Dec. 11 letter to Super Micro customers signed by company executives, including President and CEO Charles Liang.

San Jose, California-based Super Micro Computer, which markets itself as Supermicro, further says "no government agency has ever informed us that it has found malicious hardware on our products, and we have never seen any evidence of malicious hardware on our products."

Bloomberg's Oct. 4 story, headlined "The Big Hack," struck fear across the technology industry. It claimed that agents with China's People's Liberation Army subverted Super Micro's supply chain in Asia. The result was the implantation of tiny microchips on Super Micro motherboards capable of siphoning data to remote servers.

It also put Super Micro in a tough position: trying to prove a negative as suspicion around Chinese hacking efforts swelled. Additionally, experts have long warned that the long supply chains that make up today's technology industry are vulnerable to hardware or software tampering.

Super Micro and some of its customers, including Apple and Amazon, rebuked the story, saying that its fundamental premise is false. Also, the spying chip has never been produced (see: Where Is the Secret Spying Chip Reported by Bloomberg?).

Technology experts, such as Patrick Kennedy of the server-storage-networking analysis site ServeTheHome, concluded the Bloomberg story's technical details were suspect. Nonetheless, Bloomberg has stood by the story, saying it was the result of a year's research and more than 100 interviews. Apple CEO Tim Cook called for it to be retracted.

Rice-Sized Chip

The motherboards made by Super Micro were later included in video compression servers made by Elemental Technologies. Amazon acquired Elemental in 2015.

Bloomberg alleged that the U.S. government uncovered plans by China to subvert Super Micro around 2014 and informed the White House. That information was gained, in part, through clandestine monitoring of Chinese officials and subcontractors Super Micro used, according to the report.

The story also claimed that Amazon and Apple independently discovered the chip, which was slightly bigger than a grain of rice and resembled a signal conditioning coupler. The chip had memory, a networking capability and enough processing power to mount an attack, Bloomberg reported.

Apple said it has never found malicious chips, and Amazon said it likewise had never found manipulated hardware or malicious chips. Backing the companies, the U.K.'s National Cyber Security Centre and the U.S. Department of Homeland Security said they had no reason to doubt the companies' denials (see: Super Micro Trojan: US and UK Back Apple and Amazon Denials).

Super Micro published a video describing the process it uses to guard against supply-chain tampering, including prohibiting any contractor, team or employee from having unrestricted access to the full design of a motherboard.

"We require that Super Micro employees be onsite with our assembly contractors, where we conduct multiple inspections, including automated, optical, visual, electrical and function test," it says in the letter.

Bloomberg Still Reporting

While Bloomberg has remained steadfast behind the reporting, it is apparently reviewing its conclusions. Washington Post media critic Erik Wemple reported on Nov. 27 that Bloomberg had assigned a reporter who wasn't a part of the original investigation to make further inquiries.

A Supermicro Microblade Dual BMC (Photo: ServeTheHome)

"This particular round of truth-seeking, of course, would have been better timed to precede a decision on publication of 'The Big Hack,'" Wemple writes.

The further reporting can only be interpreted as an attempt to fill in gaps that Bloomberg hasn't publicly acknowledged. For its part, Super Micro hopes that its audit will quell any doubt.

"Today's announcement lays to rest the unwarranted accusations made about Supermicro's motherboards," the company's letter reads.


About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.



