Amazon and Apple deny claims Chinese government bugged their servers

The article, published by Bloomberg BusinessWeek, claims the Chinese government deployed surveillance chips into servers made by hardware manufacturer SuperMicro, and used by Apple, Amazon and various US public sector organisations.

The report alleges that the chips, described as being the size of a grain of rice, could be used by attackers to create a “stealth doorway into any network that included the altered machines”, and were installed on the server motherboards by subcontractors working in SuperMicro’s supply chain.

The recipients of these servers allegedly included video data compression software provider, Elemental, which Amazon acquired in 2015 in a deal overseen by its AWS cloud services arm.

According to the Bloomberg article, the presence of the nefarious chips came to light during some pre-acquisition due diligence, prompting Amazon to report the discovery to the US authorities and an investigation ensued revealing around 30 other companies had been affected too.

These include consumer electronics giant Apple, which the report claims was on the cusp of placing an order for more than 30,000 server units for installation in its datacentres, before details of the chip’s existence came to light. It is claimed Apple severed ties with SuperMicro in 2015 for “unrelated reasons”.

The report further claims the alleged discovery of the chips within Elemental’s servers resulted in Amazon carrying out a large-scale audit of its SuperMicro server estate, resulting in similar surveillance chips being discovered in a datacentre it operates in Beijing.

It then goes on to infer this may have been a factor in Amazon’s decision to sell off the facility to a local operator in November 2016.

AWS chief information security officer, Stephen Schmidt, described the article as “erroneous” in a lengthy blog post, before stating that it has never found any issues pertaining to “modified hardware or malicious chips” in any SuperMicro server mother boards used by Elemental or Amazon as a whole.

“When Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and we commissioned a single external security company to do a security assessment for us as well,” wrote Schmidt.

“That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed.

“This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other – and refused to share any details of any purported other report with us.”

Schmidt also goes on to deny claims that the offending chips were found in an Amazon datacentre in Beijing, and therefore had no bearing on its decision to offload the facility.

“This claim is similarly untrue. We never found modified hardware or malicious chips in servers in any of our datacentres. And this notion that we sold off the hardware and datacentre in China… because we wanted to rid ourselves of SuperMicro servers is absurd.”

Apple has issued a similarly comprehensive public rebuttal of the article’s claims, while SuperMicro and the Chinese government have also released denials of their own.

 Like the AWS blog post, Apple’s statement denies claims it has ever found “malicious chips” or “hardware manipulations” in any of its servers, and disputes allegations made to this effect elsewhere in the article, and that this prompted it to report the discovery to the FBI.

“Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement,” the statement continues.

“Apple has always believed in being transparent about the ways we handle and protect data. If there were ever such an event as Bloomberg News has claimed, we would be forthcoming about it and we would work closely with law enforcement.

“Apple engineers conduct regular and rigorous security screenings to ensure that our systems are safe. We know that security is an endless race and that’s why we constantly fortify our systems against increasingly sophisticated hackers and cyber criminals who want to steal our data.”