Super Micro Computer says it is conducting an investigation into the claims made in a Bloomberg Businessweek story about its motherboards being compromised while also maintaining its claim that the story is false.
In a letter sent to customers last week, executives said the company, also known as Supermicro, is undergoing a “complicated and time-consuming review” to address the claims made in the article. In a cover story published earlier this month, Bloomberg asserts that motherboards made by Supermicro contain malicious microchips that have been inserted during production by agents of the Chinese government.
“We trust you appreciate the difficulty of proving that something did not happen, even though the reporters have produced no affected motherboard or any such malicious hardware chip,” the letter, which was part of a Securities and Exchange Commission filing, reads. “I want to assure you that Supermicro’s design, manufacturing and quality processes are designed to ensure we provide high-performing, safe, reliable, and secure hardware to all our customers.”
The Bloomberg story claimed that the malicious chip allegedly implanted in Supermicro hardware was in use at 30 companies, including Amazon Web Services and Apple. Executives for both companies have not only issued denials, but have called for Bloomberg to retract its story.
“I feel they should retract their story,” Apple CEO Tim Cook told BuzzFeed News. There is no truth in their story about Apple. They need to do the right thing.”
Amazon Web Services CEO Andy Jassy echoed Cook’s call for retraction.
@tim_cook is right. Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract. https://t.co/RZzuUt9fBM
— Andy Jassy (@ajassy) October 22, 2018
The Bloomberg story claims that the malicious chip manipulates the baseboard management controller, a processor that connects and passes communications between the software and hardware sides of a server. In the letter, Supermicro says that particular manipulation is impossible because full motherboard designs are kept from individual employees.
“Our motherboard technology involves multiple layers of circuitry,” the letter reads. “It would be virtually impossible for a third party, during the manufacturing process, to install and power a hardware device that could communicate effectively with our Baseboard Management Controller because such a third party would lack complete knowledge (known as “pin-to-pin knowledge”) of the design. These designs are trade secrets protected by Supermicro.”
The company also says that its supply chain is so compartmentalized that any additions would show up in further parts of the assembly process.
“If any single contractor attempts to modify the designs, the manufacturing process is structured so that those alterations would not match the other design elements in the manufacturing process,” the letter reads.
In addition to company denials, government officials from the United States and United Kingdom have cast doubt on the Bloomberg story.
Director of National Intelligence Dan Coats told CyberScoop that he’s seen no evidence of Chinese actors tampering with Supermicro motherboards.
“We’ve seen no evidence of that, but we’re not taking anything for granted,” Coats told CyberScoop on Oct. 18. “We haven’t seen anything, but we’re always watching.”
Earlier this month, NSA Senior Adviser Rob Joyce expressed concern that the story was a “distraction” and that the hunt for evidence to support it could be a waste of resources. The U.S. Department of Homeland Security and the United Kingdom’s National Cyber Security Centre also said it had no evidence to dispute Apple’s and Amazon Web Service’s denials.
You can read the full Supermicro letter here.