Bloomberg Businessweek has a blockbuster story up this morning, “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.” (A headline crying out for a movie option if there ever was one.) It’s a pretty thrilling read, even if you’ve never thought about motherboards before in your life.
The story, as laid out by Businessweek, is that Amazon was looking to acquire Elemental Technologies, a firm that did video-compression work, and things quickly got hairy. As part of the acquisition process, a third party took a close look at Elemental’s tech, and quickly found things that set off red flags. Elemental used servers provided by San Jose–based company Supermicro. And those servers’ motherboards had something strange on them:
Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.
Another major user of Supermicro chips? Apple!
One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.
The whole story is worth a read and goes down easy — it has all the thrills of a good airport page-turner. It’s important to note that there’s no evidence that any company was actually compromised, and the investigation by the NSA and FBI into these Supermicro motherboards remains open. But after reading the story, there’s one point that remains maddeningly unresolved: Both Apple and Amazon both strongly deny that they were ever compromised by Supermicro motherboards.
Here’s Amazon’s statement to Bloomberg Businessweek:
It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.
We’ve re-reviewed our records relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit that we conducted in 2015 as part of our due diligence prior to the acquisition. We’ve found no evidence to support claims of malicious chips or hardware modifications.
And here’s Apple’s:
Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
There seem to be three options. One, Businessweek is lying or heavily shading its reporting, which is, frankly, highly unlikely; this is a big claim made on the cover of a well-respected magazine by two veteran reporters, and it’s hard to see any of the parties involved throwing everything away for one story.
Two, Businessweek or reporters Jordan Robertson and Michael Riley got badly led astray by the 17 sources speaking anonymously to Businessweek. This is possible but still unlikely — this is a print cover story, and would have been subject to heavy fact-checking and vetting by Businessweek’s legal department. Still, it could have happened.
Three, Amazon’s and Apple’s statements are, at best, carefully worded to just skirt around admitting that they didn’t get badly hacked. Both Apple and Amazon are walking very careful lines in their statements — Amazon says it never used Supermicro servers in AWS infrastructure — but not in Amazon infrastructure overall. Apple says it never found anything in any of its servers — but it could have detected that something was funky with the Supermicro chips before installing them into its own server infrastructure, thus making its statement technically true. (Apple terminated its contract with Supermicro in 2016 over “firmware update security issues,” a few months after Businessweek claims the hardware hacks first came to light in 2015.)
At worst, Apple’s and Amazon’s statements are outright lies. (This would be a good time to remind you that an NSA lawyer said that nearly every major tech company lied when it claimed ignorance about PRISM in 2013, the surveillance program brought to light by leaker Edward Snowden.)
Absent other information — and, to be fair, there’s a lot of information missing here! — you’d have to say option three is the most likely.
Update, 3:18 p.m.: So the idea that Amazon and Apple are trying to skirt around