Tiny Chinese spy chips were embedded onto Super Micro motherboards that were then sold to companies in the US, including Amazon and Apple, reports Bloomberg. The report has attracted strenuous denials from Amazon, Apple, and Super Micro.
Bloomberg claims that the chips were initially and independently discovered by Apple and Amazon in 2015 and that the companies reported their findings to the FBI, prompting an investigation that remains ongoing. The report alleges that the tiny chips, disguised to look like other components or even sandwiched into the fiberglass of the motherboards themselves, were connected to the management processor, giving them far-reaching access to both networking and system memory. The report says that the chips would connect to certain remote systems to receive instructions and could then do things like modify the running operating system to remove password validation, thereby opening a machine up to remote attackers.
The boards were all designed by California-based Super Micro and built in Taiwan and China. The report alleges that operatives masquerading as Super Micro employees or government representatives approached people working at four particular factories to request design changes to the motherboards to include the extra chips. Bloomberg further reports that the attack was made by a unit of the People’s Liberation Army, the Chinese military.
In response to the discovery, Apple is reported to have scrapped some 7,000 Super Micro servers in its data centers, and Amazon sold off a Chinese data center. Apple ended its relationship with Super Micro in 2016, although it maintains that this was for unrelated reasons.
Super Micro, Apple, and Amazon all deny every part of the Bloomberg story. Amazon says that it’s untrue that “[Amazon Web Services] worked with the FBI to investigate or provide data about malicious hardware;” Apple writes that it is “not aware of any investigation by the FBI,” and Super Micro similarly is “not aware of any investigation regarding this topic.” Apple suggests further that Bloomberg may be misunderstanding the 2016 incident in which a Super Micro server with malware-infected firmware was found in Apple’s design lab.
Apple’s denial in particular is unusually verbose, addressing several different parts of the Bloomberg report explicitly, and is a far cry from the kind of vague denial that one might expect if the company were subject to a government gag order preventing it from speaking freely about the alleged hack.