sb-nz logo
Story image

Supermicro, Apple, & Amazon vs crippling scandal – who’s lying?

06 Oct 2018

How much damage a little report can do!

It’s unlikely that there was very much sleep going on at some of the data centre titans last night, as a new report has dug up a potentially gigantic scandal.

Bloomberg released its findings in an article that was published yesterday, claiming that Supermicro had sold motherboards containing malicious chips to almost 30 US customers, including Apple and Amazon. The article says the chips were planted by Chinese spies to enable backdoor access to all private networks the mother systems were involved with.

In the wake of this report Supermicro’s stocks have collapsed more than 40 percent, while Amazon and Apple each saw their stocks decline around two percent – despite all three aforementioned companies purporting the claims to be false.

Now then, to the report. Bloomberg News says the report is rock solid and based on more than a year of investigations and more than 100 interviews. On top of this, it is claimed to have inputs from multiple former and current Apple and Amazon employees, in addition to current and former US national security officials.

According to the report, Amazon first discovered the malicious chips three years ago in 2015 as a result of an overhaul following its acquisition of Elemental. The company then reported this to the relevant authorities which prompted an investigation by US intelligence agencies that is still ongoing today.

Similarly, Apple (already a big Supermicro customer) was on the verge of buying a further 30,000 servers from Supermicro in 2015 when it also discovered the chip.

Of course these are all allegations, but if true, they could blow the industry apart far beyond this trio of companies. For example, other big players like IBM and Intel are both known Supermicro customers.

In terms of how the motherboards became affected, Bloomberg claims Supermicro’s systems and components are manufactured in China with some of that work then subcontracted to other companies. The Chinese military then took advantage of these subcontractors to secretly plant the illicit chips.

Since the article painted headlines around the world, Supermicro has released a statement with input from both Apple and Amazon.

“In an article today, it is alleged that Supermicro motherboards sold to certain customers contained malicious chips on its motherboards in 2015. Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found,” the statement reads.

Amazon Web Services chief information security officer Steve Schmidt was also steadfast in his commentary.

"As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems,” says Schmidt.

Similarly, a statement from Apple attempted to rubbish Bloomberg’s claims.

"We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Supermicro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."

To put it all in perspective, a recent IDC report states Supermicro to have shipped 175,000 servers in the second quarter of this year, making it the fifth largest vendor in terms of units shipped, shared with Huawei.

So the question remains, just who is lying? We will keep you updated as this case evolves.

Story image
Acronis announces new security endpoint solution
The solution is an integration of data protection and cybersecurity which provides customers with effective endpoint protection in a landscape where the pointlessness of perimeter security is becoming more pronounced.More
Story image
ConnectWise launches bug bounty program to bolster cybersecurity strategy
“Crowdsourcing in this way represents a solid additional layer of security, and we clearly value the community's expertise and participation in helping us keep our products secure."More
Link image
Webinar: Best practices for managing disparate security solutions
As budgets get more constrained, the emphasis shifts from merely finding threats to increased efficiency in managing security operations. Learn how to juggle a crowded field of solutions.More
Story image
Fortinet’s ‘zero trust’ approach redefining security
Cornelius Mare, Fortinet A/NZ Director, Security Solutions, explains why taking a ‘zero trust network access’ approach to cybersecurity requires fully-integrated and comprehensive security services and policies.More
Story image
Fortinet SOARs to new heights of protection on the wings of AI & automation
Jon McGettigan, Fortinet A/NZ Regional Director, talks about SOAR (security orchestration, automation and response) and explains that effective SOAR starts with your security policy.More
Story image
Gartner: By 2023, 65% of the world will have personal data covered under modern privacy regulations
“Security and risk management (SRM) leaders need to help their organisation adapt their personal data handling practices without exposing the business to loss."More