Supermicro says independent investigation found no spy chips on its motherboards

Graham Cluley

San Jose-based server manufacturer Supermicro has written to its customers to tell them that an independent audit has found no evidence that malicious chips were planted on its motherboards.

The claims that Supermicro’s servers, used by the likes of Apple and Amazon, had been interfered with by the Chinese somewhere along its supply chain first surfaced in October in an extraordinary report from Bloomberg Business Week.

The claim, which Bloomberg claimed had been confirmed by umpteen unnamed current and former senior national security officials, as well as insiders at Apple and Amazon, was treated with caution by many members of the security community.

That caution turned into increasing skepticism as Amazon and Apple contested the accuracy of the Bloomberg report.

It certainly felt unlikely that the companies would deny the allegations quite so vehemently if there was a grain of truth in them.

Even the Department of Homeland Security and the UK’s GCHQ issued statements backing Amazon and Apple in their refutations of the allegations.

In a letter to customers made public yesterday, Supermicro explains that it asked Nardello & Co., a third-party company, to conduct an independent audit of its hardware, testing both its current motherboards as well as ones that it had previously sold to Apple and Amazon.

What did the investigation find? Nothing.

Supermicro letter

“As we have stated repeatedly since these allegations were reported, no government agency has ever informed us that it has found malicious hardware on our products; no customer has ever informed us that it found malicious hardware on our products; and we have never seen any evidence of malicious hardware on our products.”

“After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards.”

It certainly feels like the ball is in the court of Bloomberg. Surely the onus is on them to produce some physical evidence of a tampered motherboard that can be examined by an independent neutral expert. If they are unable to do that, suspicions will continue to grow that the integrity of the journalists who worked on the Bloomberg story is in question.

So what is Bloomberg saying?

Not much as it happens. A brief article has been published, noting that the third-party test has found no evidence of mischief on Supermicro’s motherboards but – perhaps tellingly – the most they feel comfortable saying is:

“Bloomberg Businessweek has previously said that it stands by its story.”

Note the wording. “Previously said”. What about now? Was Bloomberg unable to get an updated quote from Bloomberg? Something makes me think that Bloomberg just wants this story to go away…

Supermicro has also made a short video about its quality assurance processes to further reassure customers.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “Supermicro says independent investigation found no spy chips on its motherboards”

  1. "Even the Department of Homeland Security and the UK’s GCHQ issued statements, backing Amazon and Apple in its refutations of the allegations."

    I'd take what any spy agency says with 1/10th of a grain of salt. As they would harvest any such exploits for their own uses, they would naturally deny it.

    But if the audit clears them, that's great news… perhaps now it's time for a lawsuit – since SM's stock dived in the wake of this news.

  2. Bloomberg has been used to propagate a false story designed to discredit and undermine both SuperMicro and the Chinese companies supplying it with components. The story's supposed authenticity was based entirely on unsubstantiated assertions and allegations from members of the American intelligence community and, supposedly, from (unidentified) employees of Apple and Amazon. No corroborating evidence has been produced to back up these allegations, but a great deal of mud has been thrown and some of it will probably stick. The story merely serves to stoke the increasing anti-Chinese sentiment in the United States (and elsewhere). I think Bloomberg is open to legal action in the US Courts for defamation, and could be forced either to disclose its sources or issue a humiliating apology.

    For some years now warnings of a confrontation with China have been current in America – John Pilger even made a film about this ("The Coming War On China"). There is a feeling that China is becoming an existential threat. So stories like this are just part of a general attempt to counter China's technological challenge to the US.

    It could backfire badly – China is a major purchaser of the US Government bonds issued to finance America's debt : over $1.15 trillion dollars, more than is held by any other country. If a trade war bites hard China won't need to buy nearly as many US Treasury Bonds, and the US will have to cut the price to make a sale. If China decides to dump those bonds and flood the market, the US won't be able to finance its debt as easily as it has done up until now.

    As a footnote, especially applicable to Huawei : unfortunately for both countries, there is apparently no-one in charge of US foreign affairs who understands the ancient Chinese concept of "loss of face". When it comes to its flagship technological companies the Chinese are justifiably proud of their achievements, and attempts by the United States to belittle and humiliate these companies and their acclaimed owners (and their families) is an affront which cannot be tolerated because to do so would entail losing face. Fortunately any retaliation by China in cases like these is likely to be asymmetrical and not done in haste.

  3. Was not the same thing said a few years back about some Internet Backbone Servers?
    This story seems to come in some form or another every so often. No evidence is produced and eventually it just dies out.
    This is the first time I've seen an audit and response from the manufacturer.
