The Department of Homeland Security released a statement this weekend, which supports the denial by Apple and Amazon related to a report that claims a Chinese military unit inserted microchips into Super Micro Computer Inc (Supermicro) server motherboards. These motherboards were allegedly being used by companies throughout the United States. The Department of Homeland Security has gone on record, indicating, “at this time we have no reason to doubt the statements from the companies named in the story”. Bloomberg is reporting that the chips, which were the size of a pencil tip and were to have ended up in server boards used by almost 30 companies as well as government agencies.
It was believed that Chinese agents were operating on behalf of the People’s Liberation Army and has used a combination of dishonesty, bribery, and threats in order to insert the compromising chips during various stages of Supermicro’s supply chain. Once it made it this far, it would have been nearly impossible to detect which systems were given backdoor access as a result of these chips.
Both Amazon and Apple have been painted as being part of this grand scheme to allow this kind of hacking. Which certainly isn’t the case. In fact, both companies are denying it. According to The Verge:
Both Amazon and Apple strongly refute the story. Amazon says it is “untrue” that it knew of “servers containing malicious chips or modifications in data centers based in China,” or that it “worked with the FBI to investigate or provide data about malicious hardware.” Apple is equally definitive, telling Bloomberg: “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
Apple has given a statement to BuzzFeed News, which indicated that they had conducted a detailed investigation into the Bloomberg report and found no corroborating evidence:
“We tried to figure out if there was anything, anything, that transpired that’s even remotely close to this,” a senior Apple security executive told BuzzFeed News. “We found nothing.”
A senior security engineer directly involved in Apple’s internal investigation described it as “endoscopic,” noting they had never seen a chip like the one described in the story, let alone found one. “I don’t know if something like this even exists,” this person said, noting that Apple was not provided with a malicious chip or motherboard to examine. “We were given nothing. No hardware. No chips. No emails.”