PC hardware manufacturer Supermicro has doubled down on denials that it has been affected by, or had any prior knowledge of, a hack purportedly carried out by the People’s Liberation Army on its servers. Supposedly, the massive US tech company was subject to a server hack unlike any ever seen before, all made possible by a minuscule microchip.
The story was reported by Bloomberg Businessweek a couple of weeks ago. It alleged that Supermicro motherboards had been distributed to corporate giants such as Apple and Amazon with tiny chips illegally tacked on to precious circuitry during the manufacturing process in China.
Supermicro denied the story immediately – as did Apple and Amazon – but this did little to prevent the company’s stock from spiralling downward in light of the news. Once all was said and done, the US company had already lost nearly half its value. Nevertheless, the company continues to fight the allegations laid out within the article, rejecting every one as “wrong” in an open letter to customers published last week.
“We are confident that a recent article, alleging a malicious hardware chip was implanted during the manufacturing process of our motherboards, is wrong,” the letter from the CEO, CCO, and CPO of Supermicro reads. “From everything we know and have seen, no malicious hardware chip has been implanted during the manufacturing of our motherboards.
“We trust you appreciate the difficulty of proving that something did not happen, even though the reporters have produced no affected motherboard or any such malicious hardware chip. As we have said firmly, no one has shown us a motherboard containing any unauthorised hardware chip, we are not aware of any such unauthorised chip, and no government agency has alerted us to the existence of any unauthorised chip.”
The letter holds that a chip being implanted onto its board and effectively opening a backdoor to sensitive data would be a “technical implausibility”. Supermicro claims it would be “virtually impossible” for a nefarious actor to implement any device capable of communicating with the Baseboard Management Controller, because of the pin-to-pin knowledge of the design that this would require.
The base design of its motherboards is a trade secret that Supermicro claims no one employee has unfettered access to, making it incredibly difficult for even its own employees to manipulate the hardware, software, and firmware all together to bypass security functionality.
That, too, extends to Supermicro’s contractors, the letter reads. “Modifications to the design plan must be confirmed with Supermicro, which then passes those modifications on to those downstream in the manufacturing process. If any single contractor attempts to modify the designs, the manufacturing process is structured so that those alterations would not match the other design elements in the manufacturing process.”
Tim Cook has similarly denied all claims of knowledge or involvement in the affair during an interview with BuzzFeed. The Apple CEO called for Bloomberg to retract the story, claiming “there is no truth in their story about Apple.” An Amazon exec today also joined in the calls for a retraction.
Bloomberg has reiterated its support of the story and its veracity on various occasions, although security experts, and even a source cited within the report, are now doubting the story. The publication is well-respected globally for its integrity and journalism, all of which makes this story and its subsequent twists and turns especially intriguing – not to mention the global implications if this story were proved to be true.