Supermicro, Amazon, and Apple respond to Bloomberg Businessweek's "Tiny Chip to Infiltrate U.S. Companies" article

Posted by Paul Braren on Oct 4 2018 (updated on Dec 17 2018) in
  • CPU
  • Meta
  • Security

    TinkerTry is not a news site, but I have written a lot of how-to articles about Supermicro systems based on Intel's versatile Xeon D-1500 SoC motherboards. They all have a BMC (Baseboard Management Controller) for out-of-band management, as do most servers. The particular BMC chip used for Xeon D-1500 is the AST2400, and for the newer Xeon D-2100 it's the AST2500.

    So it's not particularly surprising that I've been asked by more than a few people what I think of this story, starting soon after Bloomberg's article was published at 5am eastern today. If the past year of CPU security flaws taught us anything, it's that drawing firm conclusions or even strong opinions in the first days doesn't tend to do much good.

    1) Read the whole article before drawing any conclusions

    It is worth noting that the accusations appear to be about 2015-vintage cloud-scale deployments of unnamed Supermicro systems. Based on images in the article, they seem to be in a less common form factor, with little to nothing in common with any of the Xeon D systems that home lab enthusiasts have personally benefited from, myself included.

    Bloomberg Businessweek

    Here's the article that started the remarkably strong reactions.

    • The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
      Oct 04 2018 5:00am EDT by Jordan Robertson and Michael Riley at Bloomberg Businessweek

      The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.
      In 2015, Amazon.com Inc. began quietly evaluating a startup called Elemental Technologies, a potential acquisition to help with a major expansion of its streaming video service, known today as Amazon Prime Video. ...

    2) Then also read each company's official response

    I'm personally not sure what I think of the accusations yet. It tends to take time for stories to be fully understood. I tried not to think much of anything until I could sit down after work and read not just the ENTIRE source story, but also ALL three official responses, which weren't all available until earlier this evening. In my personal opinion, these are some of the most vehement objections to such accusations, ever. All in all, a strange day.

    A) Amazon

    • Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article
      Oct 04 2018 by Stephen Schmidt, Chief Information Security Officer, at AWS Security Blog

      Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region.

      As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. ...

    B) Apple

    • What Businessweek got wrong about Apple
      Oct 04 2018 by Apple at Apple Newsroom

      The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims.
      Apple provided Bloomberg Businessweek with the following statement before their story was published:
      Over the course of the past year ...

    C) Supermicro

    supermicro-refutes-claims-bloomberg-article

    3) Then form your own opinions

    Yes, that's all I have. Sifting through it is up to you. At least this article helps guide you to first-hand information from each of the vendors involved. I'm just the messenger. See also one of the more helpful public discussions between Stephen Foskett and Patrick Kennedy below.

    Bright spots

    One nice surprise today was the gracious readers who took time to reach out to me. In their words, they each seemed to genuinely care about my little corner of the internet called TinkerTry IT @ home, and felt compelled to let me know what was happening out there as soon as possible. Which is kind of awesome, having so many people rooting for you, in this world where there's far too much negativity out there. Thank you, I certainly appreciate it.

    Like most folks in this business, we have very busy business hours. Stories like this can be distracting.

    I have so much fun in my home lab, and I look forward to getting back to all that fun with you all as soon as possible, starting with the new Microsoft releases that I downloaded just yesterday.

    Don't get me wrong, I'll keep tabs on this developing story. But I'll also keep moving forward, trying to share my variety pack of software and hardware experiences with as many other home lab enthusiasts as effectively as I can, in whatever spare time I can find. It's a true joy.

    Disclaimer/Disclosure

    I'm an active blogger and I'm also now a VMware employee, but this article was written completely of my own accord, intended to address readers who inquire about where to find the source information. Done, sources published.

    Unless something changes drastically, I'm unlikely to append updates to this article.


    Oct 24 2018 Update


    Dec 17 2018 Update

    On December 11, 2018, Supermicro CEO Charles Liang published this letter.

    CEO-3rdPartySecurity-Update
    Supply Chain Security at Supermicro, published Dec 11 2018 on the Supermicro YouTube Channel.

    See also at TinkerTry

    • Intel Xeon D is a rather versatile platform, have a look!
      Jun 04 2017

      Table of Contents
      List of companies with motherboards and/or servers based on Xeon D; click to jump to each section below:
      antsle
      Aparna Systems
      ASRock Rack
      Cisco
      Curtiss-Wright
      Facebook (used internally, not for resale)
      Gigabyte
      HPE
      Klas Telecom
      Kontron
      MPL
      Supermicro
      Themis
      Tranquil PC
      Tyan
      X-ES


    See also

    bloomberg-reports-china-infiltrated-the-supermicro-supply-chain-we-investigate

    broader-implications-of-idracula-vulnerability-a-perspective
