Microchips made by China, roughly the size of the tip of a pencil, were found hidden inside servers used by Apple, Amazon and government contractors. The chips trace back to a US-based company called Super Micro Computer Inc, which works with subcontractors that have manufacturing facilities in China. The tiny chips were inserted there. The microchips were discovered by Amazon’s Web Services division in 2015 during due diligence before the acquisition of a video streaming company called Elemental Technologies. Super Micro was behind the assembly of these servers.
The discovery of the microchips opened investigations by the US government, which are still open. Amazon was the company that discovered the microchips. However, it was not the only company being spied on. Bloomberg wrote a report about the incident stating, “One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.”
The companies named in the report disputed it, saying that they knew nothing about the secret microchips before Elemental Technologies was acquired, and Apple also claimed that it never came across any malicious microchips. The magnitude of this discovery is significant for various reasons. First is the level of access a hardware hack like this provides and the difficulty of fixing it. The microchips are so small that they are almost invisible to the ordinary eye, even during x-ray tests. That access gives the microchips unlimited control over anything and everything. The Bloomberg report further states, “Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one. An implanted chip can alter part of that code so the server won’t check for a password—and presto! A secure machine is open to any and all users. A chip can also steal encryption keys for secure communications, block security updates that would neutralize the attack, and open up new pathways to the internet. Should some anomaly be noticed, it would likely be cast as an unexplained oddity.”
The breach is also impressive for its logistical complexity, which requires two top-secret coordinations between a Chinese military unit and the factories where the microchips would have been installed. Bloomberg also reported that Amazon had moved Elemental Technologies software over to its own Amazon Web Services. It also said that Apple had removed servers made by Super Micro from its data centers. Officials have also reached out to other customers of Super Micro to take similar action.
Amazon and Apple released statements on the dispute as well. Apple’s statement was published under the title “What Businessweek got wrong about Apple” and insisted that no malicious hardware was found on Apple’s servers. The statement said, “Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement. … Apple has always believed in being transparent about the ways we handle and protect data. If there were ever such an event as Bloomberg News has claimed, we would be forthcoming about it and we would work closely with law enforcement. Apple engineers conduct regular and rigorous security screenings to ensure that our systems are safe. We know that security is an endless race and that’s why we constantly fortify our systems against increasingly sophisticated hackers and cybercriminals who want to steal our data. Finally, in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.”
Amazon shared its statement under the title “Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article” and also denied all the claims made by Bloomberg’s report. Amazon’s statement said, “As we shared with Bloomberg BusinessWeek multiple times over the last couple of months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government. There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).”