11.10.2018

The past few days have been quite intense in the world of IT, for all the wrong reasons. Bloomberg BusinessWeek published a lengthy article claiming that 30 US companies, including Amazon and Apple, were compromised by malicious chips installed in Super Micro Computer servers. The reason? Cyber espionage by Chinese agents. It doesn’t get much more James Bond-ish than that.

The article carries no on-the-record confirmation of these allegations. Instead it bases its account on a series of conversations with government officials, company officials and various experts, and on unpublished documents. It claims this has been going on since at least 2015 and that both Amazon Web Services and Apple have found and removed such malicious chips from their servers, something both companies strongly denied afterwards.

So, what happened?

Bloomberg BusinessWeek calls the whole affair “The Big Hack”. It says “Chinese spies” ran the attack by placing chips in some servers made by Super Micro Computer (better known as Supermicro), one of the biggest suppliers of server motherboards. “Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design”, wrote Bloomberg.

It claims that “The chips had been inserted during the manufacturing process by operatives from a unit of the People’s Liberation Army”. According to the article, the chips were added to the motherboards at the contract factories that manufacture them, before the boards were supplied to Supermicro.

Those chips allegedly give the spies a “God mode” level of access to the server. “When a server was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code”, Bloomberg writes.

The reactions

As noted, all the parties mentioned strongly disputed the entire article. Apple published an open letter in which it said it had been in constant contact with Bloomberg reporters and editors over the past 12 months and had always said there were no such malicious chips in its servers.

“Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.”

Apple further adds: “We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.”

Earlier this week the company also sent a letter to the US Congress in which it once again reiterated its position. The company wanted to be clear that there had never been any such incident. It also denied being under any gag order that would prevent it from discussing the topic.

Amazon also had a similar response: “As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government. There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count.”

Amazon also adds: “Amazon employs stringent security standards across our supply chain – investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners. We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment.”

Supermicro also denied the story. The company said it “strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems… Supermicro has never been contacted by any government agencies either domestic or foreign regarding the alleged claims.”

“Supermicro takes all security claims very seriously and makes continuous investments in the security capabilities of their products. The manufacture of motherboards in China is not unique to Supermicro and is a standard industry practice. Nearly all systems providers use the same contract manufacturers. Supermicro qualifies and certifies every contract manufacturer and routinely inspects their facilities and processes closely.”

Later, government agencies also said they had no knowledge of any such incidents and that there were no ongoing investigations into them.

New developments

This wasn’t the end, though. On Tuesday, Bloomberg issued another report, claiming that “a major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August”. This time it added that a “security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery”.

Appleboum says his company was hired by the telecom to investigate an issue with one of its servers. “Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.” He is bound by a non-disclosure agreement with the telecom, so no further details are available. All six major US telecoms, though, have denied having had any such issue.

How is all of this happening

According to Appleboum, there are many points in the supply chain at which such modules can be added, and Supermicro itself need not be involved at any of them. He adds that he has seen such “manipulations of different vendors’ computer hardware made by contractors in China, not just products from Supermicro”. “Supermicro is a victim — so is everyone else,” he said. He also adds that it could be “impossible” to identify every point in the supply chain where an implant might be introduced.

Appleboum also describes the “implants”: “One key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer.” “The module looks really innocent, high quality and ‘original’ but it was added as part of a supply chain attack,” he said.

China’s Ministry of Foreign Affairs also disputed the claims. It says that the security of the supply chain is “an issue of common concern, and China is also a victim.”

As we can see, this is far from over. It will be very difficult ever to establish exactly what has or hasn’t happened. One thing is certain: companies shouldn’t leave anything to chance. They should get used to the idea that they have to examine their equipment thoroughly for everything, including “bad” chips.
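In the telecom case described above, the implant was reportedly noticed because of unusual communications from a server, and only then confirmed by physical inspection; the closing advice to examine equipment thoroughly starts from the same place. The following is an added example, not code from the article, from Bloomberg or from Appleboum’s firm: a minimal egress-baseline check that learns which (destination, port) pairs each server talked to during a known-good window and then flags live flows to destinations that never appeared, with extra attention to repeated, same-sized flows to one new external host. The flow records, the internal address ranges and the record format are all constructed for illustration.

```python
"""Egress-baseline check over flow records (added example, not from the article).

Record format (assumed): "timestamp src_ip dst_ip dst_port bytes".
Flows below are constructed sample data, not real captures.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed known-good window: what the two servers normally talk to.
BASELINE_FLOWS = """\
2018-08-01T00:00:05Z 10.1.20.11 10.1.5.2 53 312
2018-08-01T00:00:09Z 10.1.20.11 10.1.7.20 443 40211
2018-08-01T00:01:02Z 10.1.20.12 10.1.5.2 53 280
2018-08-01T00:01:40Z 10.1.20.12 10.1.7.20 443 38802
2018-08-01T00:02:13Z 10.1.20.11 10.1.9.40 8080 1200
"""

# Constructed live window: 10.1.20.11 starts calling an outside host hourly.
LIVE_FLOWS = """\
2018-08-14T03:12:05Z 10.1.20.11 10.1.5.2 53 300
2018-08-14T03:12:06Z 10.1.20.11 203.0.113.45 443 1460
2018-08-14T03:13:08Z 10.1.20.12 10.1.7.20 443 41000
2018-08-14T04:12:06Z 10.1.20.11 203.0.113.45 443 1460
2018-08-14T05:12:05Z 10.1.20.11 203.0.113.45 443 1460
2018-08-14T05:30:00Z 10.1.20.12 10.1.5.2 53 290
"""

# Assumed internal ranges; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, port, bytes)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append((ts, src, dst, int(port), int(nbytes)))
    return records


def build_baseline(records):
    """Map each source host to the set of (dst, port) pairs seen in the baseline."""
    seen = defaultdict(set)
    for _, src, dst, port, _ in records:
        seen[src].add((dst, port))
    return seen


def is_external(ip):
    """True if the address falls outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_anomalies(baseline, records):
    """Return live flows whose (src, dst, port) never appeared in the baseline."""
    anomalies = []
    for ts, src, dst, port, nbytes in records:
        if (dst, port) in baseline.get(src, set()):
            continue
        anomalies.append({"time": ts, "src": src, "dst": dst, "port": port,
                          "bytes": nbytes, "external": is_external(dst)})
    return anomalies


def beacon_candidates(anomalies, min_count=3):
    """Group anomalies by (src, dst, port); repeated, identically sized flows to
    one new destination are the pattern that justifies pulling the box for
    physical inspection."""
    groups = defaultdict(list)
    for a in anomalies:
        groups[(a["src"], a["dst"], a["port"])].append(a["bytes"])
    return {key: sizes for key, sizes in groups.items()
            if len(sizes) >= min_count and len(set(sizes)) == 1}


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_FLOWS))
    found = find_anomalies(base, parse_flows(LIVE_FLOWS))
    for a in found:
        print("new flow:", a)
    for key, sizes in beacon_candidates(found).items():
        print("beacon candidate:", key, "sizes:", sizes)
```

One caveat that follows directly from where the implant was reported to sit: if the malicious part lives in the Ethernet connector or elsewhere on the network path, flow logs generated on the host itself cannot be trusted to show its traffic. The records fed to a check like this should come from an upstream switch, tap or firewall, and a host that shows up as a beacon candidate is a reason to inspect the hardware, not a conclusion on its own.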
