Forgotten that Chinese spy chip story? We haven't – it's still wrong, Super Micro tells SEC
Server maker drags Bloomberg in note to customers, watchdog, still checking its motherboards
The computer server maker at the center of a dramatic secret Chinese spy-chip story has again insisted the yarn is wrong, and called the whole thing "technically implausible."
US-headquartered Super Micro sent a note to its customers late last week denying all claims in a recent Bloomberg BusinessWeek article that the Chinese government had slipped tiny surveillance chips into selected Super Micro's server motherboards during their manufacture in the Middle Kingdom.
These bugged boards were supposedly shipped to some 30 organizations – from a major bank and US government contractors to Apple and Amazon – and the chips were allegedly designed to open backdoors, allowing data to be extracted by Chinese state spies. Apple and Amazon, like Super Micro, state none of this ever happened.
Crucially, Super Micro also forwarded a copy of its customer advisory to the America's financial watchdog, the Securities and Exchange Commission, which has published it online.
Chinese Super Micro 'spy chip' story gets even more strange as everyone doubles downREAD MORE
"From everything we know and have seen, no malicious hardware chip has been implanted during the manufacturing of our motherboards," they wrote.
They also complain about the difficulty of dealing with a false negative: "We trust you appreciate the difficulty of proving that something did not happen, even though the reporters have produced no affected motherboard or any such malicious hardware chip. As we have said firmly, no one has shown us a motherboard containing any unauthorized hardware chip, we are not aware of any such unauthorized chip, and no government agency has alerted us to the existence of any unauthorized chip."
Regardless, the biz is "undertaking a complicated and time-consuming review" of its supply chain "despite the lack of any proof that a malicious hardware chip exists."
Big price to pay
The Bloomberg article – published on October 3 – wiped more than 40 per cent off Super Micro's share price within a matter of hours. But, despite all the three main companies included in the report – Apple, Amazon and Super Micro – all strenuously denying the story was true, Super Micro's share price has not recovered.
It hit a low of $12.46 following the story, a gut-wrenching plunge from $21.40, but as of the time of writing, the share price is $14.74. That represents a recovery of 9 per cent but it is still down 31 per cent from before the story was published.
Super Micro stresses that no one has come to the support of Bloomberg's article, and that numerous officials, including FBI director Christopher Wray, NSA Senior Cybersecurity Advisor Rob Joyce, Director of National Intelligence Dan Coats, the US Department of Homeland Security, and the UK’s GCHQ have all questioned the story.
Due to the nature of the allegations however – a highly confidential state-sponsored hacking effort – everyone, and particularly the stock market, remains wary. A long history of the intelligence services issuing misleading and at times downright false statements does not make them the most reliable sources of information.
Apple and Amazon have also demonstrated a strong tendency to spin their way out of embarrassing situations with carefully constructed denials. Plus, of course, it is very strongly in Super Micro's interests to deny the story.
Congrats on keeping out the hackers. Now, you've taken care of rogue insiders, right? Hello?READ MORE
That said, the denials have been unusually specific and categorical. As time has passed, the growing consensus appears to be that Bloomberg got the story wrong. Although a better explanation may be that it accurately reported a misinformation campaign put together by some part of the intelligence services.
As far as El Reg is concerned, while Bloomberg is generally a gold standard in journalism, there are numerous problems with the original piece. For one thing, it would be near impossible to exfiltrate data from a bugged machine in a data center as Apple and Amazon, at least, have sophisticated monitoring tools that should catch unexpected network traffic. Similarly, they should be able to detect unauthorized changes to operating systems and applications, caused by the alleged spy chips injecting backdoor code into the software stack during boot.
They also inspect hardware before it is put into production: as well as visual inspections, it is possible to scan a motherboard for electromagnetic emissions and identify anything unexpected, such as a tiny chip smuggled onto or inside a PCB – there's even a patent on this kind of technology. Finally, the chip shown in the Bloomberg piece is too small to realistically contain the necessary logic and all the data to insert a viable backdoor into a software stack. It is likely just an illustration – meaning, the journalists had no evidence of a chip to show.
There's more analysis, or rather, a technical takedown, of Bloomberg's reporting here by IT experts.
For its part, Super Micro tried to soothe customers by arguing that it has comprehensive checks on its products and would have noticed any effort to interfere with them.
"We are a customer-focused, engineering-led culture, so we test our products at every step along the way. We check every board, we check every layer of every board, and we check the board’s design visually and functionally, throughout the entire manufacturing process," the executives wrote, continuing: "Our employees are on site with our assembly contractors throughout the process. These inspections include several automated optical inspections, visual inspections, and other functional inspections. We also periodically employ spot checks and x-ray scans of our motherboards along with regular audits of our contract manufacturers."
And it had a dig at how Bloomberg describes the spy chip working – far from the first people to do so – arguing that the complexity of its motherboards "make it practically impossible to insert a functional, unauthorized component onto a motherboard without it being caught by any one, or all, of the checks in our manufacturing and assembly process."
It goes on: "It would be virtually impossible for a third party, during the manufacturing process, to install and power a hardware device that could communicate effectively with our Baseboard Management Controller because such a third party would lack complete knowledge (known as 'pin-to-pin knowledge') of the design."
It claims that its system is "designed so that no single Supermicro employee, single team, or contractor has unrestricted access to the complete motherboard design."
While that explanation would suffice for most situations, the fact that Super Micro's motherboards are used by companies like Amazon and Apple as well as the US military, it remains plausible that the Chinese government would be willing to invest the enormous resources necessary to pull off such a hack.
The statement does reflect growing consensus that Bloomberg bombed the story, however. Last week, Apple CEO Tim Cook called for the newswire to retract the story, effectively admitting it got it wrong. And this morning, the head of Amazon Web Services, Andy Jassy, joined that call, tweeting: "Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract."
So far, Bloomberg has stood by its reporting. ®
Sponsored: Becoming a Pragmatic Security Leader