Amazon and Apple respond to Bloomberg’s Chinese “Tiny Chip” hack piece – It’s nonsense


Earlier today, Bloomberg released a lengthy article titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies”, alleging that Chinese spies were able to compromise American companies, including Apple and Amazon, by covertly adding chips that are “smaller than a sharpened pencil tip” into Supermicro motherboards that were manufactured in China.

While the article is an entertaining read, the problem is that both Amazon and Apple have claimed that Bloomberg’s report is untrue. Beyond that, both companies say they told Bloomberg that the story is untrue on multiple occasions before the article was released.

Below is a small portion of Amazon’s official response to the article (which is available to read in full here), claiming that the report is “erroneous” and that the company has no knowledge of any investigation from the government.  

     As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.

     There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).

Apple has also released a similar statement regarding the Bloomberg article, pointing out several inaccuracies within the “malicious chips” article, including the fact that Siri was never hosted on Supermicro servers and that Topsy data was held on 2,000 Supermicro servers, over three times fewer than the number of Supermicro servers quoted in the article.

To summarise their statement, Apple states that the story is “completely untrue” and that Apple has told Bloomberg this several times over the past few months, just like Amazon. Apple’s full response is available to read here.   

     On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

     In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers have ever been found to hold malicious chips.


In their official statement, Supermicro has also refuted Bloomberg’s allegations, stating that their servers did not contain malicious microchips and that government agencies have not contacted them regarding the matter (Full Press Release here).

    Supermicro has never been contacted by any government agencies either domestic or foreign regarding the alleged claims.

Supermicro takes all security claims very seriously and makes continuous investments in the security capabilities of their products. The manufacture of motherboards in China is not unique to Supermicro and is a standard industry practice. Nearly all systems providers use the same contract manufacturers. Supermicro qualifies and certifies every contract manufacturer and routinely inspects their facilities and processes closely.

You can join the discussion on Apple, Amazon and Supermicro refuting Bloomberg’s Chinese “Malicious Chip” claims on the OC3D Forums.