Published on the 10/10/2018 | Written by Pat Pilcher
Did they or did they not?
Apple and Amazon are both strenuously denying Bloomberg reports of a sophisticated hardware attack involving computer chips inserted into server motherboards by Chinese manufacturers.
According to Bloomberg, the hardware hack was discovered in 2015 when Amazon was considering purchasing a video compression company called Elemental Technologies to help with the expansion of Amazon Prime Video. Elemental made software for compressing video files. The company also had national security contracts that were a good fit with Amazon’s existing AWS government businesses.
In conducting due diligence ahead of the purchase, Amazon hired a third-party company to inspect Elemental’s security. Before long, several issues came to light that saw Amazon taking a closer look at the servers Elemental sold to customers for handling video compression.
Those servers were manufactured for Elemental by Super Micro Computer, a US company which is also one of the world’s largest server motherboard suppliers. Hidden among the many components on the servers’ motherboards was a chip, smaller than the tip of a sharpened pencil, that wasn’t on the motherboard’s original design layout.
The chip was disguised to look like a signal coupler and, according to sources quoted by Bloomberg, was placed between the baseboard management controller (BMC) and the BMC firmware.
In theory, this would mean that when the BMC executed code from firmware memory, the spy chip could intercept and modify data to inject backdoor code. It could also theoretically install spyware. The net effect would be that the hack would be difficult to spot and allow access to networks connected to the compromised server.
With Elemental servers used by the Department of Defence, the CIA and the Navy, the news caused ructions throughout the US intelligence community. Of even more concern was the fact that Elemental is just one of many hundreds of customers using Super Micro motherboards.
Bloomberg’s story alleges that US investigators found a further 30 companies, including a bank and Apple, who were victims of the spy chip. According to Bloomberg, Apple was a large Super Micro customer before dropping the company, citing reasons unrelated to security issues.
Bloomberg says a secret probe into the issue has been underway for three years and is still happening. The investigation reportedly found the chips let hackers enter any network using the doctored servers.
The Bloomberg story alleges that investigators also determined that the spy chips got inserted onto the motherboards in factories run by manufacturing subcontractors in China.
Since the story surfaced, both Apple and Amazon have vehemently denied the allegations that their servers were compromised. (Unsurprisingly, Super Micro has also denied the allegations.)
Apple said it was contacted ‘multiple times’ over the past year by Bloomberg with claims, ‘sometimes vague and sometimes elaborate, of an alleged security incident at Apple’.
“Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.”
Amazon’s denial was equally strong, with the company saying there are ‘so many inaccuracies in this article as it relates to Amazon that they’re hard to count’.
“We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us)”.
The denials have since resulted in a game of ‘he said, they said’ and are not all that surprising given the impact of the Bloomberg allegations on the market. Super Micro’s share price has plummeted by just under 50 percent and both Apple and Amazon have seen their share prices drop just shy of two percent.
The public-facing denials have almost certainly gone through multiple layers of corporate legal teams to ensure neither Amazon nor Apple is exposed to lawsuits, which makes checking Bloomberg’s allegations challenging. Adding further complexity to an already messy situation, Bloomberg has stuck to its guns, arguing that it uses seasoned reporters whose content is fact-checked by teams of editors.
While the Bloomberg story makes for fascinating reading, it does raise some questions.
Firstly, why introduce an additional chip onto the server motherboard? Such an approach is risky. Comparing a finished board against the motherboard’s original design plans would make finding even the smallest and most cunningly disguised chip a straightforward process. Besides, wouldn’t it be easier to incorporate additional circuitry or code into an existing chip, which would make it far more difficult to detect? Adding altered code to the firmware chip would also not require complex motherboard re-designs, and would be far easier to implement.
Then there’s the obvious point that Apple and the other 30 organisations supposedly affected by the hack would be able to quickly detect and trace any unusual network traffic generated by the affected servers using both firewalls and security appliances.
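The network-side check described above, as an added example that is not part of the original article: it flags flows that leave a BMC management subnet for destinations outside an allowlist. The subnet, the allowlist and the log format are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the article): BMC interfaces sit in 10.20.0.0/24 and
# should only reach management services (syslog, NTP, jump hosts) in 10.20.1.0/24.
BMC_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DST = [ipaddress.ip_network("10.20.1.0/24")]

# Constructed firewall flow records: "timestamp src dst dport proto bytes"
SAMPLE_LOG = """\
2018-10-09T02:11:04Z 10.20.0.15 10.20.1.5 514 udp 412
2018-10-09T02:11:09Z 10.20.0.15 203.0.113.77 443 tcp 1830
2018-10-09T02:12:40Z 10.30.4.8 198.51.100.9 443 tcp 90211
2018-10-09T02:41:09Z 10.20.0.15 203.0.113.77 443 tcp 1795
2018-10-09T03:02:55Z 10.20.0.22 10.20.1.9 123 udp 76
malformed line
2018-10-09T03:11:09Z 10.20.0.15 203.0.113.77 443 tcp 1802
"""

def parse(line):
    """Return (ts, src, dst, dport, proto, bytes) or None for an unparseable line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, nbytes = parts
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto, int(nbytes))
    except ValueError:
        return None

def unexpected_bmc_egress(log_text):
    """Aggregate flows from the BMC subnet to any destination off the allowlist."""
    findings = defaultdict(lambda: {"flows": 0, "bytes": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto, nbytes = rec
        if src not in BMC_NET or any(dst in net for net in ALLOWED_DST):
            continue  # not a BMC source, or an expected management destination
        f = findings[(str(src), str(dst), dport, proto)]
        f["flows"] += 1
        f["bytes"] += nbytes
        f["first"] = f["first"] or ts  # logs are assumed to be in time order
        f["last"] = ts
    return dict(findings)

if __name__ == "__main__":
    for key, stats in unexpected_bmc_egress(SAMPLE_LOG).items():
        print(key, stats)
```
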
The final nail in the coffin of this otherwise fascinating spy thriller story is that Bloomberg has since reported that Homeland Security backs Apple and Amazon’s denials.
Meanwhile, despite all the denials, two US senators have officially written to Super Micro, giving the company until October 17 to respond to a series of questions on the issue – including whether the Chinese government ever requested access to Super Micro’s confidential security information or sought to restrict information regarding the security of the company’s products.