Super Micro hack audit finds no Chinese spy chips

Super Micro has released an independent testing report finding no signs of malicious hardware in its computer parts, after a widely-circulated report claimed servers using the hardware had been compromised by Chinese spies. The claims have been vocally challenged by Amazon, Apple, and more, while independent security researchers have also been critical of the accusations.

The controversy began back in October 2018, when a Bloomberg report alleged that Chinese intelligence services had managed to compromise servers used by a number of high-profile American companies. These spies, so the accusations suggested, had been able to install microchips for surveillance on Super Micro motherboards. These 'boards went on to be used by Amazon for its AWS hosting, Apple for its cloud servers, and more.

Bloomberg quoted "government and corporate sources" for the information, suggesting that the server hardware was tampered with during the production process in China. The 'boards went on to be installed in Super Micro Elemental servers. Those are not only used by commercial businesses, but also by US government agencies.

The response was swift. Apple and Amazon demanded that the report be retracted, arguing that there was no evidence to be found of any tampering for surveillance. Super Micro followed up in a letter to its customers – published by the SEC – pointing out that not a single modified motherboard had been found. It also explained some of the manufacturing processes involved.

"It would be virtually impossible for a third party, during the manufacturing process, to install and power a hardware device that could communicate effectively with our Baseboard Management Controller because such a third party would lack complete knowledge (known as "pin-to-pin knowledge") of the design," the company explained. "These designs are trade secrets protected by Supermicro. The system is designed so that no single Supermicro employee, single team, or contractor has unrestricted access to the complete motherboard design (including hardware, software, and firmware)."

However it did go on to undertake an investigation with a third-party specialist, just to underscore its own safety and manufacturing practices. The findings of that report were published today – indeed, Super Micro is buying AdWords adverts that flag the letter from President and CEO Charles Liang when you search for the company's name – along with a video explaining how production is managed.

"A representative sample of our motherboards was tested," Liang writes, "including the specific type of motherboard depicted in the article and motherboards purchased by companies referenced in the article, as well as more recently manufactured motherboards."

"After thorough examination and a range of functional tests," he continues, "the investigations firm found absolutely no evidence of malicious hardware on our motherboards."

Liang also outlines some of the safeguards the company undertakes. That includes having Super Micro employees onsite their assembly contractors, responsible for undertaking inspections and tests, while "no single employee, team, or contractor has unrestricted access to our complete board design." Each board is tested through each stage of the supply chain, too, to spot any "aberration" to what's expected.

What remains to be seen is whether Bloomberg opts to retract its report, something it has stubbornly avoided doing until now.