U.S. and British security agencies have backed statements by Apple and Amazon Web Services disputing an explosive news report claiming that Chinese intelligence agents planted malicious computer chips in equipment used by the tech giants.
“[A]t this time we have no reason to doubt the statements from the companies named in the story,” the Department of Homeland Security said on Saturday. That echoed a Friday statement from Britain’s National Cyber Security Centre, which said the agency had “no reason to doubt the detailed assessments made by AWS and Apple.”
The blockbuster story from Bloomberg Businessweek claims that Chinese spies placed the tiny chips on server motherboards supplied by Super Micro Computing Inc., setting up a backdoor to some 30 companies, including Apple and AWS. Such a compromise would represent an espionage operation of staggering proportions.
Apple, AWS, and Supermicro all responded with vigorous, detailed denials of key elements of the story.
“At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems,” AWS Chief Information Security Officer Steve Schmidt wrote in a blog post.
Apple said it had “repeatedly explained to Bloomberg reporters and editors over the past 12 months” that “there is no truth” to claims that Apple found malicious chips in servers on its network in 2015. In a letter to Congress, VP of Information Security George Stathakopoulos said Apple had not found any indication of outbound traffic from its networks or other evidence of a supply-chain compromise as alleged in the Bloomberg story.
Bloomberg also reported that Apple and Amazon officials notified U.S. officials of the compromises as part of an ongoing investigation. Both companies said they had never taken part in any such investigation.
“Apple never had any contact with the FBI or any other agency about such an incident,” Apple said. “We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”
In its own statement, Supermicro said it has “never found any malicious chips” on its motherboards, “nor been informed by any customer that such chips have been found.”
Bloomberg says it stands by its reporting, which draws on 17 anonymous corporate and government sources.
A ‘plausible’ attack
The Bloomberg story took the cybersecurity community by storm, leading to speculation on how the attack outlined in the story could have played out.
“[T]he attack described in the article is actually plausible,” wrote Nicholas Weaver, a researcher at the International Computer Science Institute in Berkeley, Calif.
The baseboard management controller (BMC) that was the fulcrum of the reported attack “loads at least some data from such a [malicious] chip,” Weaver wrote in Lawfare. That chip only needs two wires to communicate, he added, “so it would only take two connections for a rogue chip to mask the contents of a SEEPROM or SPI FLASH, replacing the contents and thereby corrupting the BMC by installing the backdoor code.”
The claims made in the Bloomberg story aside, there is no doubt among cybersecurity experts that the supply chain represents a logical vector for nation-state hackers to compromise critical infrastructure. Combing the mountains of computer code used by U.S. defense companies for vulnerabilities, for example, is a daunting task. And U.S. officials have publicly warned of the vulnerability of corporate supply chains to hacking. America’s counterintelligence agency has said 2017 was a “watershed” year in public reporting of big software supply-chain breaches, with seven incidents reported compared to just four between 2014 and 2016.
In responding to the Bloomberg story, DHS and NCSC took the opportunity to publicize their work to secure the supply chain. NCSC urged “anybody with credible intelligence about these reports to contact us,” while DHS touted its recent efforts with critical infrastructure companies to get a clearer picture of supply-chain risk.