Super Micro tells US lawmakers it found no Chinese spy chips, denying Bloomberg report

  • Server maker says ‘recent Bloomberg Businessweek stories are wrong’ in letter to US senators
  • ‘It is impossible as a practical matter to insert unauthorised malicious chips onto our boards during manufacturing,’ senior exec writes
PUBLISHED : Wednesday, 31 October, 2018, 10:45am
UPDATED : Thursday, 01 November, 2018, 10:32pm

Super Micro has said it has found no malicious hardware in its products, in another effort to refute a news report that China’s intelligence services planted malicious chips in the company’s server motherboards.

The server maker, whose products were said to be compromised in a bombshell article by Bloomberg Businessweek magazine on October 4, said that, contrary to the report’s claim, no government agency had contacted the company about such hardware.

In a letter emailed to Florida Senator Marco Rubio and Connecticut Senator Richard Blumenthal – a copy of which was obtained by the South China Morning Post – Super Micro (also known as Supermicro) denied Bloomberg’s reports.

“We are confident the recent Bloomberg Businessweek stories are wrong,” wrote Perry Hayes, president of Super Micro Netherlands and its senior vice-president of investor relations.

New evidence of Chinese tampering with Supermicro hardware ‘found in US telecoms company’

“In fact, we believe that it is impossible as a practical matter to insert unauthorised malicious chips onto our boards during the manufacturing process.”

The letter was sent in response to a request for information from the senators earlier this month.

Addressing the allegation that chips were planted during manufacturing to infiltrate companies, Hayes wrote that Super Micro’s “test processes at every step are designed to alert us to any discrepancies from our base design”.

The designs are “extremely complex, making it practically impossible to insert an unauthorised component onto a motherboard without it being caught by the checks”.

Hayes went on to write that “because Supermicro is the only one that maintains the master files”, changes to the design by one downstream manufacturer “would create an obvious mismatch between the design and manufactured board”.

The company “has never found any unaccounted-for modifications of its firmware”, the letter said.

In Bloomberg Businessweek’s October cover story, titled “The Big Hack”, it claimed that Chinese spies infiltrated the supply chains to install tiny chips the size of a grain of rice onto the company’s motherboards.

All you need to know about Supermicro, the US computer firm allegedly compromised by China

The story also said investigators found the Chinese infiltration through Super Micro reached almost 30 companies, including Amazon and Apple.

Amazon, Apple and Super Micro immediately denied the veracity of the story in separate statements on the same day.

In the days that followed, the US Department of Homeland Security issued a statement to say that “we have no reason to doubt the statements from the companies named in the story”, in support of the three companies’ denials.

Officials at the Federal Bureau of Investigation and the National Security Agency expressed caution at a Senate hearing and to a reporter, respectively, saying the related claims in the story had not been corroborated.

Amazon and Supermicro back Tim Cook and call for Bloomberg to withdraw China chip hack story

On October 19, Apple chief executive Tim Cook, in a BuzzFeed interview, called for Bloomberg to retract the story, in a first-ever move by the executive to demand a news story be pulled.

Andy Sassy, head of Amazon Web Services, and Charles Liang, Super Micro’s chief executive, joined Cook in requesting a retraction of the story in the same week.

In Tuesday’s letter, Super Micro stressed that the company “has not been approached by law enforcement regarding an ongoing investigation that Bloomberg claims exists”.

Super Micro said it also “independently investigated Apple’s report”.

“Based on information from Apple and our own investigation, Supermicro reached the same conclusion as Apple – our products had not been systematically affected by malicious actors.”

In response to the senators’ questions about the company’s interactions with the Chinese government, Hayes wrote that “the Chinese government has never requested access to Supermicro’s confidential security information or sought to restrict information regarding the security of Supermicro’s products”.

In an email response to a request to comment on Tuesday’s story, a Bloomberg News spokesperson referred the South China Morning Post to the statement given on October 4.

“Bloomberg Businessweek's investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews. Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks,” the email said.

“We also published three companies' full statements, as well as a statement from China's Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources,” it said.