Supermicro to Review Hardware for Malicious Chips

October 23, 2018 Updated: October 23, 2018

Computer hardware maker Supermicro said on Oct. 22 it would review its motherboards for any proof of malicious chips as alleged in a recent media report.

“Despite the lack of any proof that a malicious hardware chip exists, we are undertaking a complicated and time-consuming review to further address the article,” the server and storage manufacturer said in a letter to its customers, dated Oct. 18.

Shares of the San Jose, California-based company rose 4.3 percent to $14.70 on Monday.

A Bloomberg report on Oct. 4 cited 17 unidentified sources from intelligence agencies and businesses that claimed Chinese spies had placed computer chips inside equipment used by about 30 companies, including Apple and and multiple U.S. government agencies, which would give Beijing secret access to internal networks.

Bloomberg reported that the malicious chips were planted by a unit of the Chinese military into servers manufactured by Supermicro.  The operation is thought to have been targeting valuable commercial secrets and government networks, the news agency said.

Supermicro denied the allegations made in the report.

The company said the design complexity makes it practically impossible to insert a functional, unauthorized component onto a motherboard without it being caught by the checks in its manufacturing and assembly process.

It is entirely plausible that a malicious chip can be placed on a motherboard but it will be at a very high cost, and the risk of detection increases with every such chip in the field, said Jake Williams, a former National Security Agency analyst and founder of the cyber security firm Rendition Infosec.

“This technique would only be used for high value targets that couldn’t be easily compromised via another attack vector,” Williams said.

The Bloomberg report also said Apple in 2015 had found malicious chips on Supermicro motherboards. It also said that Amazon uncovered such chips the same year while examining servers made by Elemental Technologies, which Amazon eventually acquired. Amazon reported the matter to U.S. authorities, who determined that the chips allowed attackers to create “a stealth doorway” into networks using those servers, according to the Bloomberg report.

Both Apple and Amazon have denied the allegations. Apple Chief Executive Officer Tim Cook told online news website BuzzFeed on Oct. 19 that Bloomberg should retract the story.

Amazon Web Services CEO Andy Jassy also joined Cook in asking Bloomberg to retract the report.

Bloomberg had previously said it stood by its report and was confident of its reporting, which was conducted for more than a year.

Security experts as well as the U.S. and U.K. authorities have said they had no knowledge of the attacks.

The Bloomberg report comes amid increased concerns over foreign intelligence agencies infiltrating U.S. and other companies via so-called “supply chain attacks,” particularly from China where multiple global tech firms outsource their manufacturing.

The U.S. government on Oct. 3 warned that a hacking group widely known as cloudhopper, which Western cybersecurity firms have linked to the Chinese government, has launched attacks on technology service providers in a campaign to steal data from their clients.

The warning came after experts with two prominent U.S. cybersecurity companies warned that Chinese hacking activity has surged amid the escalating trade war between Washington and Beijing.

By Sonam Rai, Jack Stubbs & Sweta Singh