Supermicro, Amazon, and Apple respond to Bloomberg Businessweek's "Tiny Chip to Infiltrate U.S. Companies" article
TinkerTry is not a news site, but I have written a lot of how-to articles about Supermicro systems based on Intel's versatile Xeon D-1500 SoC motherboards. They all have a BMC (Baseboard Management Controller) for out-of-band management, as do most servers. The BMC chip used on Xeon D-1500 boards is the AST2400, and on the newer Xeon D-2100 boards it's the AST2500.
So it's not particularly surprising that I've been asked by more than a few people what I think of this story, starting soon after Bloomberg's article was published at 5am Eastern today. If the past year of CPU security flaws taught us anything, it's that drawing firm conclusions, or even strong opinions, in the first days doesn't tend to do much good.
1) Read the whole article before drawing any conclusions
It is worth noting that the accusations appear to be about 2015-vintage cloud-scale deployments of unnamed Supermicro systems. Based on images in the article, they seem to be in a less common form factor, with little to nothing in common with any of the Xeon D systems that home lab enthusiasts have personally benefited from, myself included.
Here's the article that started the remarkably strong reactions.
- The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
Oct 04 2018 5:00am EDT by Jordan Robertson and Michael Riley at Bloomberg Businessweek
The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.
In 2015, Amazon.com Inc. began quietly evaluating a startup called Elemental Technologies, a potential acquisition to help with a major expansion of its streaming video service, known today as Amazon Prime Video. ...
2) Then also read each company's official response
I'm personally not sure what I think of the accusations yet. It tends to take time for stories like this to be fully understood. I tried not to think much of anything until I could sit down after work and read not just the ENTIRE source story, but also ALL three official responses, which weren't all available until earlier this evening. In my personal opinion, these are some of the most vehement objections to such accusations, ever. All in all, a strange day.
- Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article
Oct 04 2018 by Stephen Schmidt, Chief Information Security Officer, at AWS Security Blog
Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region.
As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. ...
- What Businessweek got wrong about Apple
Oct 04 2018 by Apple at Apple Newsroom
The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims.
Apple provided Bloomberg Businessweek with the following statement before their story was published:
Over the course of the past year ...
- Supermicro Refutes Claims in Bloomberg Article
Supermicro along with Apple and Amazon refute claims in Bloomberg story
Oct 04 2018 by Investor Relations at Supermicro Press Releases
Super Micro Computer, Inc. (SMCI), a global leader in enterprise computing, storage, networking solutions and green computing technology, strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems. ...
3) Then form your own opinions
Yes, that's all I have. Sifting through is up to you. At least this article helps guide you to first-hand information from each of the vendors involved. I'm just the messenger. See also one of the more helpful public discussions between Stephen Foskett and Patrick Kennedy below.
One nice surprise today was the gracious readers that took time to reach out to me. In their words, they each seemed to genuinely care about my little corner of the internet called TinkerTry IT @ home, and felt compelled to let me know what was happening out there as soon as possible. Which is kind of awesome, having so many people gunning for you, in this world where there's far too much negativity out there. Thank you, I certainly appreciate it.
Like most folks in this business, we have very busy business hours. Stories like this can be distracting.
I have so much fun in my home lab, and I look forward to getting back to all that fun with you all as soon as possible, starting with the new Microsoft releases that I downloaded just yesterday.
Don't get me wrong, I'll keep tabs on this developing story. But I'll also keep moving forward, trying to share my variety pack of software and hardware experiences with as many other home lab enthusiasts as effectively as I can, in whatever spare time I can find. It's a true joy.
I'm an active blogger and I'm also now a VMware employee, but this article was written completely on my own accord, intended to address readers who inquire about where to find the source information. Done, sources published.
Unless something changes drastically, I'm unlikely to append updates to this article.
Oct 24 2018 Update
Dec 17 2018 Update
On December 11, 2018, Supermicro CEO Charles Liang published this letter.
- Security Update
CEO Update on Independent 3rd Party Security Testing of Motherboards and Systems
Testing Finds No Malicious Hardware on Supermicro Motherboard
See also at TinkerTry
- Intel Xeon D is a rather versatile platform, have a look!
Jun 04 2017
- Bloomberg Reports China Infiltrated the Supermicro Supply Chain, We Investigate
Oct 04 2018 by Patrick Kennedy at STH
Something is certainly strange here, and at STH, we review more server platforms than anywhere else on the Internet, including those from Supermicro. We also, by chance, started diving into the BMC security space more recently, so it is clearly time to investigate.
- Broader Implications of iDRACula Vulnerability: a Perspective
Sep 30 2018 by Patrick Kennedy at STH
During our initial iDRACula vulnerability coverage, we had a Q&A interview with one of the discoverers Jon Sands (see the interview here.) For those who missed the original article, it is worth spending a few minutes reading through iDRACula Vulnerability Impacts Millions of Legacy Dell EMC Servers.