Is Supermicro innocent? 3rd party test finds no malicious hardware
Earlier this year one of the larger scandals within IT circles took place with Bloomberg firing shots at Supermicro.
The media company claimed Supermicro had sold motherboards containing malicious chips to around 30 US customers – of which included the likes of Apple and Amazon – which would give Chinese spies the ability to create backdoor access to all the private networks the mother systems were involved with.
Supermicro rubbished these claims but it wasn’t enough to help its share price which according to Reuters fell by 50 percent (although it has since risen). The company promised to conduct an internal investigation to prove its innocence, and now in a letter sent to customers worldwide, it has the results.
“Recent reports in the media wrongly alleged that bad actors had inserted a malicious chip or other hardware on our products during our manufacturing process,” the letter states, signed by Supermicro president & CEO Charles Liang, SVP & chief compliance officer David Weigand, and SVP and chief product officer Raju Penumatcha.
“Because the security and integrity of our products is our highest priority, we undertook a thorough investigation with the assistance of a leading, third-party investigations firm.”
According to Supermicro, a representative sample of motherboards was tested, including the specific type of motherboard detailed in the article as well as motherboards that were sold to the referenced companies and more recently manufactured hardware.
“Today, we want to share with you the results of this testing: After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards,” the letter states.
“These findings were no surprise to us. As we have stated repeatedly, our process is designed to protect the integrity and reliability of our products.”
After listing all the procedures the company takes to ensure something like this can’t happen, Supermicro fires further shots back at Bloomberg.
“As we have stated repeatedly since these allegations were reported, no government agency has ever informed us that it has found malicious hardware on our products; no customer has ever informed us that it found malicious hardware on our products; and we have never seen any evidence of malicious hardware on our products,” the letter states.
“Today’s announcement should lay to rest the unwarranted accusations made about Supermicro’s motherboards.”
Of course, this report from Bloomberg ruffled a lot of feathers. Aside from Supermicro’s reaction, Apple sent a public letter to US Congress signed off by Apple Information Security vice president George Stathakopoulos, who effectively rubbished the claims.
“Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation,” says Stathakopoulos.
Following this, Apple CEO Tim Cook attended an interview with Buzzfeed News where he demanded the article be retracted – the first time Apple has ever publically requested an article to be withdrawn.
However despite the denials from Supermicro and the pressure from the tech superpowers, Bloomberg remained steadfast.
“Bloomberg Businessweek's investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews,” a Bloomberg spokesperson said.
"Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”
Bloomberg has yet to comment since the results of Supermicro’s internal investigation emerged.