Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?
Who's your money on? Bloomberg's sources? Apple? Amazon? Super Micro?
Denials starting to make sense
Both of those things happened in the right timeframe for it to be a direct result of such an investigation. But Apple claims that the decision to ditch Super Micro was over malware that had been inadvertently fetched from Super Micro's customer portal: a downloadable network interface driver had been infected with a software nasty by Chinese hackers in 2015, and accidentally installed on an internal Apple Windows-based development machine, it is claimed. Facebook also may have fetched the dodgy driver for the Super Micro boxes it had in its lab. The malware apparently attempted to spy on network traffic. There was another issue with the server motherboards' network cards: they shipped with outdated firmware that had a known security hole in it, we're told.
Amazon says its sale to Sinnet was a "transfer-of-assets agreement mandated by new China regulations for non-Chinese cloud providers to continue to operate in China," and had nothing to do with discovering any spy chips.
Up to this point, you could be forgiven for believing Bloomberg's story in its entirety and discounting Amazon, Apple and Super Micro's denials as attempts to cover their backs while refusing to acknowledge understandably confidential national security investigations.
Except the denials are far more precise and concrete than typical non-denial denials. It remains very unlikely that public companies would issue outright falsehoods, even in the current political climate, given the market and regulatory ramifications if they were found to be lying to investors. Usually, assessing whether a company is telling the truth consists of carefully parsing its statements and seeing which aspects of a story they don't address.
Typical giveaways are when such statements are over-the-top, using emotive but imprecise language, or when a denial is either overly specific – such that it walks past the main allegation – or is unnecessarily vague – so it sounds like a denial but actually isn't.
And there are examples of those in the various statements put out by the companies. For example, Amazon brings up in its response to Bloomberg the old canard "there are so many inaccuracies in this article as it relates to Amazon that they’re hard to count," which is a classic way of casting doubt without actually tackling the issues substantively.
It also calls the suggestion that it sold off its Beijing data center to step away from compromised servers as "absurd" – a strong, emotive word but such a decision would not be absurd at all if the story is true.
But Amazon also says: "It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware."
You can parse this. For example the key element in the first denial is "when acquiring Elemental." What timeframe does that encompass? And how do you define "AWS"? Did the security people making the decision work for AWS, or another arm of Amazon?
If Amazon wanted to outright deny the story, it could have said something like: "AWS and Amazon deny any knowledge of supply chain compromise, an issue with malicious chips, or hardware modifications with respect to Elemental or Super Micro beyond the assertions made to us by Bloomberg."
In a second denial, the wording gets a little stronger: "At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government."
This is a much harder denial to parse. It seems like a pretty straight-up denial. There is one possible parsing escape route – the use of "we" – as in "at no time have we ever found." Strictly speaking, it wasn't Amazon but the third-party security company that it asked to carry out the audit. But things are definitely growing a little thin at this point.
Amazon's denial goes on to detail other issues it had with Super Micro motherboards – the implication being that Bloomberg has got the wrong end of the stick. But other problems with the boards don't preclude the spy-chip explanation, and could in fact be manifestations of the fact that third parties are able to install whatever they want on the motherboards through such a chip.
Apple's denial is typical Apple. Reflecting its superiority complex, it mocks the news organization: "Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them."
It also talks about how "deeply disappointed" it is in the reporters because they were "not open to the possibility that they or their sources might be wrong or misinformed." And even suggests they may have got confused with a "previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs."
So far, so Apple. But it also makes a strong denial that deserves attention: "On this we can be very clear: Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement."
Whichever way you parse that, it remains a strong denial. If it turns out the Bloomberg report is true, it would be hard to paint that sentence as anything but a lie.
It is also worth noting that neither Amazon nor Apple went for the usual "we do not discuss any national security or law enforcement issues as a matter of policy" – which is the most common tacit way of acknowledging something happened without saying what.
As for Super Micro, it denies knowing anything about any investigations – which is likely entirely true – but does not impact the story at all. No one is suggesting that Super Micro knowingly compromised its own products. The server maker ultimately "strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems."