Apple Condemns Reports of Chinese Spy Chips Hacking Its Servers


An explosive Bloomberg report claims that Chinese hackers were able to plant a tiny microchip in servers assembled by Supermicro Computers, which were then used by tech giants like Apple and Amazon. This microchip provided the hackers with a secret doorway into any network the server was connected to.

The report claims the chips were inserted while the servers were being manufactured in factories in China. Hardware hacks like this are incredibly hard to pull off, though when done right, they provide the hackers with an invaluable amount of information.

The servers supplied by Microcenter were used by major tech companies including Amazon, a major bank, Apple, Microsoft, and Google. The report states that U.S. investigators found that the tiny microchip was inserted during the manufacturing process by the People’s Liberation Army.

Apple was one of Supermicro’s major customers, with the Cupertino company at one point planning to order more than 30,000 servers from it for one of its data centers within a span of two years. However, citing “senior insiders” inside Apple, the report claims that once the company found these malicious chips on Supermicro motherboards, it severed all ties with it. The company first discovered the chips in Supermicro servers in May 2015 and informed the FBI about it. Apple planned on using these servers from Supermicro for its iCloud services.

Apple for its part has already issued a statement strongly refuting all the claims made by Bloomberg in their report.

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers has ever been found to hold malicious chips.

As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections. We did not uncover any unusual vulnerabilities in the servers we purchased from Super Micro when we updated the firmware and software according to our standard procedures.

We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.

While there has been no claim that customer data was involved, we take these allegations seriously and we want users to know that we do everything possible to safeguard the personal information they entrust to us. We also want them to know that what Bloomberg is reporting about Apple is inaccurate.

Supermicro for its part has also issued a statement refuting the claims in the report.

Bloomberg, however, states that six current and former national security officials have detailed discovering such chips and the investigation that followed. It even confirmed this information with three Apple insiders.

In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information.

The main motive of the hack was to gain access to secret corporate data on a long-term basis, not to steal any consumer data.

Our Take

At this point, it is difficult to ascertain what’s the truth. However, it is rare to see Apple strongly refute such a rumor. I guess without any further evidence, it would be a bit too difficult to believe in the story from Bloomberg. What do you think?

[Via Bloomberg]