The Department of Homeland Security released a statement this weekend supporting Apple and Amazon’s denial of an explosive Bloomberg Businessweek report claiming that a Chinese military unit inserted microchips into Super Micro Computer Inc (Supermicro) server motherboards in widespread use at U.S. companies, saying “at this time we have no reason to doubt the statements from the companies named in the story.”
The Bloomberg report claimed that the chips, which were the size of a pencil tip and allegedly ended up in server boards used by almost 30 companies as well as government agencies, compromised entire data centres operated by Amazon and Apple. It said that U.S. investigators had found that Chinese agents operating on behalf of the People’s Liberation Army had used a combination of subterfuge, bribery, and threats to insert the compromising chips during various stages of Supermicro’s supply chain, after which point they would have been nearly impossible to detect and given backdoor access to the systems they were implanted in.
— Bloomberg (@business) October 5, 2018
“I think based on the methodology in which these parts are designed and manufactured, whether it’s a nation-state actor or even just someone else, I don’t actually think it’s hard to inject stuff that the brand or design team didn’t intentionally ask for,” high-tech manufacturing expert Anna-Katrina Shedletsky told Business Insider. “I don’t know what to believe, but at the same time it doesn’t really matter, because it’s possible, and we have to act like it is true to solve the problem.”
Bloomberg’s story further alleged that Amazon sold off its entire data infrastructure in Beijing to Chinese partners, which a source familiar with the move described as akin to “[hacking] off the diseased limb,” and that Apple replaced all 7,000 or so Supermicro servers in its data centres. The ramifications of the story if confirmed would be huge—it would give Chinese intelligence services access to sensitive computer systems across both the private and defence sectors—but the tech giants both denied it, per the Verge:
Both Amazon and Apple strongly refute the story. Amazon says it is “untrue” that it knew of “servers containing malicious chips or modifications in data centres based in China,” or that it “worked with the FBI to investigate or provide data about malicious hardware.” Apple is equally definitive, telling Bloomberg: “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
Apple staff separately told BuzzFeed News the company had conducted a detailed investigation into the Bloomberg report and found absolutely no corroborating evidence:
“We tried to figure out if there was anything, anything, that transpired that’s even remotely close to this,” a senior Apple security executive told BuzzFeed News. “We found nothing.”
A senior security engineer directly involved in Apple’s internal investigation described it as “endoscopic,” noting they had never seen a chip like the one described in the story, let alone found one. “I don’t know if something like this even exists,” this person said, noting that Apple was not provided with a malicious chip or motherboard to examine. “We were given nothing. No hardware. No chips. No emails.”
DHS is backing them up. In their statement, the agency wrote, “The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story.” Of course, that leaves open the possibility that there is some weasel wording going on, and the statement continues to state that DHS recently launched “several government-industry initiatives to develop near- and long-term solutions to manage risk posed by the complex challenges of increasingly global supply chains.”
According to Reuters, Apple’s recently retired chief counsel Bruce Sewell said that after he had learned of Bloomberg’s investigation last year, he had been reassured by the FBI’s then-general counsel James Baker there was no substance to the report.
“I got on the phone with him personally and said, ‘Do you know anything about this?,” Sewell told Reuters. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and said ‘Nobody here knows what this story is about.’”
The strong denials from companies involved, as well as government agencies, has led to speculation whether the original Bloomberg report was planted or otherwise inaccurate, or if it was quietly covered up in some manner on national security grounds. As the Register wrote, Apple and Amazon’s denials were unusually firm, and it’s possible that government sources overplayed the threat—though the site also found it “inconceivable that [Bloomberg] would publish a story this huge that wasn’t watertight.” A DHS denial certainly adds another twist to this story, though it remains to be seen whether under all the smoke, there was an actual fire.