Supermicro, Amazon, and Apple respond to Bloomberg Businessweek's "Tiny Chip to Infiltrate U.S. Companies" article

Posted by Paul Braren on Oct 4 2018 (updated on Dec 17 2018) in
  • CPU
  • Meta
  • Security
  • TinkerTry is not a news site, but I have written a lot of how to articles about Supermicro systems based on Intel's versatile Xeon D-1500 SoC motherboard. They all have a BMC (Baseboard Management Controller) for management, as do most servers. The particular BMC chips used for Xeon D-1500 is the AST2400, and for newer Xeon D-2100, it's AST2500.

    So it's not particularly surprising that I've been asked by more than a few people what I think of this story, starting soon after Bloomberg's article was published at 5am eastern today. If the past year of CPU flaws with security taught us anything, drawing firm conclusions or even strong opinions in the first days doesn't tend to do much good.

    1) Read the whole article before drawing any conclusions

    It is worth noting that the accusations appear to be about 2015-vintage cloud-scale deployments of unnamed Supermicro systems. Based on images in the article, they seem to be in a less common form factor, with little to nothing in common with any of the Xeon D systems that home lab enthusiasts have personally benefited from, myself included.

    Bloomberg Businessweek

    Here's the article that started the remarkably strong reactions.

    • The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
      Oct 04 2018 5:00am EDT by Jordan Robertson and Michael Riley at Bloomberg Businessweek

      The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.
      In 2015, Inc. began quietly evaluating a startup called Elemental Technologies, a potential acquisition to help with a major expansion of its streaming video service, known today as Amazon Prime Video. ...

    2) Then also read each company's official response

    I'm personally not sure what I think of the accusations yet. It tends to take time for stories to be fully understood. I tried not to think much of anything until I could sit down after work and read not just the ENTIRE source story, but also ALL three official responses, which weren't all available until earlier this evening. In my personal opinion, these are some of the most vehement objections to such accusations, ever. All-in-all, a strange day.

    A) Amazon

    • Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article
      Oct 04 2018 by Stephen Schmidt, Chief Information Security Officer, at AWS Security Blog

      Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region.

      As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. ...

    B) Apple

    • What Businessweek got wrong about Apple
      Oct 04 2018 by Apple at Apple Newsroom

      The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims.
      Apple provided Bloomberg Businessweek with the following statement before their story was published:
      Over the course of the past year ...

    C) Supermicro


    3) Then form your own opinions

    Yes, that's all I have. Sifting through is up to you. At least this article helps guide you to first-hand information from each of the vendors involved. I'm just the messenger. See also one of the more helpful public discussions between Stephen Foskett and Patrick Kennedy below.

    Bright spots

    One nice surprise today was the gracious readers that took time to reach out to me. In their words, they each seemed to genuinely care about my little corner of the internet called TinkerTry IT @ home, and felt compelled to let me know what was happening out there as soon as possible. Which is kind of awesome, having so many people gunning for you, in this world where there's far too much negativity out there. Thank you, I certainly appreciate it.

    Like most folks in this business, we have very busy business hours. Stories like this can be distracting.

    I have so much fun in my home lab, and I look forward to getting back to all that fun with you all as soon as possible, starting with the new Microsoft releases that I downloaded just yesterday.

    Don't get me wrong, I'll keep tabs on this developing story. But I'll also keep moving forward, trying to share my variety pack of software and hardware experiences with as many other home lab enthusiasts as effectively as I can, in whatever spare time I can find. It's a true joy.


    I'm an active blogger and I'm also now a VMware employee, but this article was written completely on my own accord, intended to address readers who inquire about where to find the source information. Done, sources published.

    Unless something changes drastically, I'm unlikely to append updates to this article.

    Oct 24 2018 Update


    Dec 17 2018 Update

    On December 11 2018, the CEO of Supermicro Charles Liang published this letter.

    Supply Chain Security at Supermicro, published Dec 11 2018 on the Supermicro YouTube Channel.

    See also at TinkerTry

    • Intel Xeon D is a rather versatile platform, have a look!
      Jun 04 2017

      Table of Contents
      List of companies with motherboards and/or servers based on Xeon D, click to jump to each section below:
      Aparna Systems
      ASRock Rack
      Facebook (used internally, not for resale)
      Klas Telecom
      Tranquil PC

    See also