A news report saying Chinese spies had successfully planted tiny chips onto Super Micro Computer motherboards destined for data centers of nearly 30 US companies, including Apple’s and Amazon’s, sent Super Micro stock tumbling Thursday.
The chip, according to the report, was designed to give Chinese intelligence backdoor access to any private network its mother system was part of.
Shares of the San Jose, California-based hardware maker, known as Supermicro, were down more than 40 percent in the afternoon following the report’s release by Bloomberg BusinessWeek. Apple and Amazon each saw their stock price go down about 2 percent.
Amazon, Apple, and Supermicro went on the offensive Thursday. All three issued statements saying the report’s central claims were false. Statements by Amazon and Apple each pointed out multiple alleged inaccuracies in the report to make their case.
Apple’s statement also added that the company was “not under any kind of gag order or other confidentiality obligations,” addressing a concern that it could be legally prohibited from discussing the issue.
The report, which according to Bloomberg News is “based on more than a year of reporting and more than 100 interviews,” cites multiple former and current Apple and Amazon insiders, as well as current and former US national security officials, all of whom spoke on condition of anonymity.
Amazon discovered the malicious chips in 2015 during due diligence in connection with its acquisition of the video streaming software company Elemental, according to the report. A security contractor working for Amazon made the discovery as its engineers were testing Elemental’s hardware, which was based on Supermicro motherboards.
Amazon reported the discovery to US authorities then, spurring an investigation by US intelligence agencies that is still open today, the report said.
Apple, which had already been a major Supermicro customer, was planning to buy another 30,000 servers from the vendor in 2015, when it also discovered the chip, “three senior insiders at Apple” told BusinessWeek.
If true, the report’s consequences are sure to ripple well beyond the three companies or the other two dozen or so companies said to have been affected.
IBM has been known as a big customer of Supermicro, which supplied servers for its cloud business, formerly known as SoftLayer. Last year, Intel was reported to have placed a massive Supermicro server order for one of its data centers.
Super Micro, or Supermicro, makes most of its money from the sale of “systems,” which means servers, storage arrays, and network switches. But a substantial portion of its revenue also comes from selling components, including motherboards, to other hardware makers.
The company uses Chinese manufacturers to produce its systems and components, some of whom subcontract the work to other companies, according to BusinessWeek. The Chinese military used those subcontractors to covertly install the chips on Supermicro motherboards, according to the report.
In the statements issued Thursday, Apple, Amazon, and Supermicro categorically denied the claims, saying they were not aware of such a security breach in their hardware supply chain.
“In an article today, it is alleged that Supermicro motherboards sold to certain customers contained malicious chips on its motherboards in 2015,” the vendor said in a statement. “Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found.”
Apple said it “has never found malicious chips” in any server:
We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.
In his statement, Amazon Web Services chief information security officer Stephen Schmidt said AWS had never “found any issues relating to modified hardware or malicious chips in Supermicro motherboards…”:
As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue… There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count.
Super Micro shipped 175,000 servers, or about 6 percent of all servers shipped, in the second quarter of 2018, according to IDC. It was the fifth-largest server vendor during the quarter if ranked by the number of units shipped, splitting fifth place with another Chinese vendor, Huawei.
Chinese server suppliers Lenovo and Inspur were both third on the list, each responsible for about seven percent of all servers shipped during the quarter.