Supermicro tells customers it is looking for Chinese spy chips on motherboards ‘despite lack of proof’

  • The hardware maker says a ‘complicated and time-consuming review’ is under way, after Bloomberg claimed spy chips gave Beijing access to US firms and agencies
PUBLISHED : Tuesday, 23 October, 2018, 2:22am
UPDATED : Tuesday, 23 October, 2018, 5:52am

Computer hardware maker Super Micro Computer Inc said on Monday it would review its motherboards for any proof of malware chips, which a recent report by Bloomberg contended had been planted by Chinese spies.

“Despite the lack of any proof that a malicious hardware chip exists, we are undertaking a complicated and time-consuming review to further address the article,” the server and storage manufacturer, based in San Jose, California, said in a letter to its customers dated Thursday.

Shares of the company, which does business as Supermicro, rose 4.3 per cent to US$14.70 on Monday.

A Bloomberg report on October 4 cited 17 unidentified sources from intelligence agencies and businesses claiming that Chinese spies had placed computer chips inside equipment used by about 30 companies, including Apple and Amazon, and multiple US government agencies, which would give Beijing secret access to internal networks.

New evidence of Chinese tampering with Supermicro hardware ‘found in US telecoms company’

Supermicro denied the allegations made in the report.

This technique would only be used for high-value targets that couldn’t be easily compromised via another attack vector
Jake Williams, former US National Security Agency analyst

Supermicro said that the design complexity makes it practically impossible to insert a functional, unauthorised component onto a motherboard without it being caught by the checks in its manufacturing and assembly process.

Jake Williams, a former US National Security Agency analyst and founder of the cybersecurity firm Rendition Infosec, said it was entirely plausible that a malicious chip could be placed on a motherboard but it would be at a very high cost, and that the risk of detection increased with every such chip in the field.

“This technique would only be used for high-value targets that couldn’t be easily compromised via another attack vector,” Williams said.

The Bloomberg report also said that Apple in 2015 had found malicious chips on Supermicro motherboards and added that Amazon uncovered such chips the same year while examining servers made by Elemental Technologies, which Amazon eventually acquired.

Both Apple and Amazon have denied the allegations. Apple’s chief executive officer Tim Cook told the news website BuzzFeed on Friday that Bloomberg should retract the story.

Experts question whether China has technical know-how to pull off chip hack

On Monday, Amazon Web Services CEO Andy Jassy joined Cook in asking Bloomberg to retract the report.

“Bloomberg story is wrong about Amazon, too … Reporters got played or took liberties. Bloomberg should retract,” Jassy wrote in a post on Twitter.

Bloomberg has said it stands by its report and is confident of its reporting, which was conducted for more than a year.

Security experts as well as US and UK authorities have said they had no knowledge of the attacks.