Apple and Amazon have strongly denied a media report claiming that Chinese spies carried out a massive “supply chain attack” by planting chips in the motherboards of data servers bought by 30 tech companies, these two giants among them.
Bloomberg Businessweek on Thursday reported that malicious chips, as small as a sharpened pencil tip, were planted by a unit of the Chinese People’s Liberation Army to gain access to the supply chain of SuperMicro, often called the “Microsoft of the hardware world”.
According to the report, Apple discovered suspicious chips in its servers in 2015. The Cupertino-based iPhone maker replied that it has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server.
“The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found ‘malicious chips’ in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims,” Apple said in a statement.
“Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them,” Apple said.
“Apple never had any contact with the Federal Bureau of Investigation (FBI) or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement,” the tech giant added. According to Apple, its digital assistant Siri and social search and analytics company Topsy never shared servers.
“Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers have ever been found to hold malicious chips,” said Apple. According to Apple, its best guess is that “they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs”.
According to Steve Schmidt, Chief Information Security Officer at Amazon Web Services (AWS), Amazon’s cloud arm, “there are so many inaccuracies in this article as it relates to Amazon that they are hard to count”.
“Amazon employs stringent security standards across our supply chain – investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners,” Schmidt said in a statement. “We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment,” he added.