Chinese-made microchips roughly the size of the tip of a pencil have been found hidden inside servers used by Apple, Amazon, and government contractors, according to a report by Bloomberg Businessweek. The origin of the chips reportedly traces back to a U.S.-based company called Super Micro Computer Inc., which works with subcontractors with manufacturing facilities in China, where the tiny eavesdropping chips were inserted.
According to Bloomberg, the chips were discovered by Amazon’s Web Services division in 2015 during the due diligence prior to the acquisition of a video streaming company called Elemental Technologies, whose servers were assembled by Super Micro. The discovery then sparked a years-long investigation by the U.S. government that is still open to this day. While Amazon discovered the chips, it was not the only company affected. According to Bloomberg:
One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.
The named companies, for their part, are disputing Bloomberg’s reporting, with Amazon insisting it knew nothing of secret chips when it ultimately acquired Elemental Technologies, and Apple claiming never to have discovered any malicious chips. Bloomberg, meanwhile, cites numerous national security officials and Amazon insiders as its sources.
The magnitude of this discovery is significant for multiple reasons. First and foremost are the level of access a hardware hack like this can provide and the difficulty of fixing it. The chips, so small and camouflaged as to be effectively invisible to the untrained eye even during X-ray examination of the infected boards, were able to manipulate code as it travelled to the host server’s CPU, and also communicated with remote, anonymous servers that could give them complex instructions by hijacking components designed to give administrators remote, high-level control of malfunctioning units.
This power gives the chips practically unlimited control, as Bloomberg notes:
Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one. An implanted chip can alter part of that code so the server won’t check for a password—and presto! A secure machine is open to any and all users. A chip can also steal encryption keys for secure communications, block security updates that would neutralize the attack, and open up new pathways to the internet. Should some anomaly be noticed, it would likely be cast as an unexplained oddity.
In addition to the severity of the danger, the breach is impressive for its logistical complexity, requiring top-secret coordination between a Chinese military unit and factories where the chips could be installed.
Bloomberg reports that Amazon has moved Elemental Technologies’ software over onto its own Amazon Web Services hardware and that Apple has removed servers made by Super Micro from its data centres. Officials have reportedly reached out to other select Super Micro customers privately to take similar action.
Update 10/4 6:14 PM ET: Amazon and Apple have both released full statements disputing Bloomberg’s reporting. Apple’s, “What Businessweek got wrong about Apple,” insists no malicious hardware was ever found in Apple’s servers, and that the company is not under any sort of gag order:
Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
… Apple has always believed in being transparent about the ways we handle and protect data. If there were ever such an event as Bloomberg News has claimed, we would be forthcoming about it and we would work closely with law enforcement. Apple engineers conduct regular and rigorous security screenings to ensure that our systems are safe. We know that security is an endless race and that’s why we constantly fortify our systems against increasingly sophisticated hackers and cybercriminals who want to steal our data.
…Finally, in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.
Amazon’s statement, “Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article,” also categorically denies the claims put forth in Bloomberg’s report, saying:
As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.
There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).