Both Apple and Amazon have denounced a report by Bloomberg claiming Chinese intelligence managed to compromise them via a tiny malicious microchip fixed to server motherboards. The report was published today, citing both “government and corporate sources,” followed by statements from both companies. The chips were allegedly implanted on the server hardware at factories in China where the products were manufactured.
Simply put, Bloomberg‘s report claims Chinese spies were able to implant microchips about the size of a grain of rice onto motherboards ultimately used in Elemental servers assembled by Super Micro Computer. The illicit addition was allegedly discovered during a security audit in Canada.
A compromise of this nature, if true, would be severe and unprecedented. Elemental’s servers were in use by both American companies and government agencies, including the Department of Defense and CIA. The discovery of this alleged vulnerability is said to have triggered a top secret investigation in 2015 that remains ongoing to this day.
The report cites a pair of officials claiming the chips were implanted by the People’s Liberation Army as a way to introduce a backdoor into networks utilizing the servers. Yet another official is cited as claiming that nearly 30 companies, among them being Apple and Amazon, were impacted by this alleged security breach.
Both Amazon and Apple have separately published statements today countering Bloomberg‘s report, claiming it is inaccurate and that neither company has found evidence of these alleged hardware breaches.
“There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count,” the Seattle-based company said in its own statement.
Amazon employs stringent security standards across our supply chain – investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners. We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment.
Apple has similarly strong things to say, revealing that it had spoken with Bloomberg editors and reporters multiple times over the past 12 months about this alleged incident. The company explains that it conducted “rigorous internal investigations” each time it was contacted by the publication, and that it never found anything substantiating the claims.
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
Apple also challenges some of the statements presented in the “latest version of the narrative,” denouncing class that Siri and Topsy shared servers, for example. The company explains that it inspects servers for potential vulnerabilities, as well as updating firmware and software, being putting them into production.
The company speculates as to what may have prompted aspects of the report, saying:
We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.