San Jose-based server manufacturer Supermicro has written to its customers to tell them that an independent audit has found no evidence that malicious chips were planted on its motherboards.
The claims that Supermicro’s servers, used by the likes of Apple and Amazon, had been interfered with by the Chinese somewhere along its supply chain first surfaced in October in an extraordinary report from Bloomberg Business Week.
The claim, which Bloomberg claimed had been confirmed by umpteen unnamed current and former senior national security officials, as well as insiders at Apple and Amazon, was treated with caution by many members of the security community.
It certainly felt unlikely that the companies would deny the allegations quite so vehemently if there was a grain of truth in them.
In a letter to customers made public yesterday, Supermicro explains that it asked Nardello & Co., a third-party company, to conduct an independent audit of its hardware, testing both its current motherboards as well as ones that it had previously sold to Apple and Amazon.
What did the investigation find? Nothing.
“As we have stated repeatedly since these allegations were reported, no government agency has ever informed us that it has found malicious hardware on our products; no customer has ever informed us that it found malicious hardware on our products; and we have never seen any evidence of malicious hardware on our products.”
“After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards.”
It certainly feels like the ball is in the court of Bloomberg. Surely the onus is on them to produce some physical evidence of a tampered motherboard that can be examined by an independent neutral expert. If they are unable to do that, suspicions will continue to grow that the integrity of the journalists who worked on the Bloomberg story is in question.
So what is Bloomberg saying?
Not much as it happens. A brief article has been published, noting that the third-party test has found no evidence of mischief on Supermicro’s motherboards but - perhaps tellingly - the most they feel comfortable saying is:
“Bloomberg Businessweek has previously said that it stands by its story.”
Note the wording. “Previously said”. What about now? Was Bloomberg unable to get an updated quote from Bloomberg? Something makes me think that Bloomberg just wants this story to go away…
Supermicro has also made a short video about its quality assurance processes to further reassure customers.