Follows Supermicro in refuting claims of Chinese spy hardware in its products
SAN DIEGO — Tech giants Apple and Amazon are denying a report by Bloomberg Businessweek that they are among nearly 30 companies that had their hardware compromised by Chinese spies that allegedly implanted tiny microchips for the purpose of accessing their networks.
Both Apple and Amazon, as well as server vendor Super Micro Inc., issued statements Thursday that strongly refuted the report, which said the attacks were first discovered in 2015.
The Bloomberg report — based on interviews with 17 people, including two Amazon Web Services insiders, three Apple insiders and six U.S. government officials — the U.S. is still conducting a top-secret investigation of the incidents more than three years later. Investigators have determined that the chips let attackers create a stealth doorway into any network that included the compromised servers, according to the report.
Sources told Bloomberg that the chips — about the size of a grain of rice and not part of the servers’ original design — were inserted at factories run by manufacturing subcontractors in China. The attacks were made on servers sold by Supermicro, according to the report.
The report comes at a time when tensions between the U.S. and China are high. The world’s two largest economies are currently embroiled in a trade war, and the U.S. has accused China of involvement in hacking and cybercrimes, including the recent suggestion by U.S. President Donald Trump that China is interfering in the U.S. election process.
Most allegations of espionage-related security breaches involve remote hackers gaining access to networks and systems through operating systems and other software. The allegations in the Businessweek story are unusual because they involve the physical placement of an IC on a board by a government agency.
Super Micro, based in San Jose, Calif., said it “strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems.”
Super Micro went on to say it “has never found any malicious chips, nor been informed by any customer that such chips have been found.”
Apple said it has been contacted by Bloomberg multiple times with claims of alleged security incidents. The company said it has conducted rigorous internal investigations which have not yielded any evidence to support the claims.
“On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple said in a statement “Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”
Amazon said there were “many inaccuracies” in the Bloomberg article. The article stated that Amazon discovered the implanted chips when it was working with Elemental Technologies — which it later acquired — in 2015, after Elemental sent several servers to a third-party tech security firm, which discovered the tiny chips.
Amazon said Thursday that the third-party’s report did not identify any issues with modified chips or hardware, but instead made some typical recommendations for shoring up security that Amazon implemented prior to finalizing the deal to buy Elemental. Bloomberg, Amazon said, has admittedly never seen the results of the report from the third-party vendor.
“Amazon employs stringent security standards across our supply chain – investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners,” Amazon said in a statement. “We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment.”