Both Apple and Amazon are vehemently denying claims that their servers were compromised by Chinese spies following an explosive report from Bloomberg on Thursday. The report claims that spies were able to infiltrate some of the country’s biggest tech companies by inserting microchips the size of “a grain of rice” into Chinese-manufactured servers that form part of the tech giants’ infrastructure. The report alleges that the companies discovered the chips on their own and notified US authorities, but both Apple and Amazon dispute that any of the claims cited in the story are grounded in fact.
The responses are heavily detailed, denying the Bloomberg report point-by-point. It’s something these companies rarely, if ever, do. Most statements following the discovery of security flaws or public backlash only ever acknowledge the concerns and make vague promises on behalf of consumer privacy.
After the Celebgate iCloud breach, for example, which included leaks of prominent celebrities’ nude photos, Apple’s response was one of minor outrage and a simple refutation of any security flaws. Amazon faced a separate but similarly damaging vulnerability in 2014, when researchers discovered that, by way of the Heartbleed bug, websites hosted on Amazon Web Services (AWS) had the potential to leak sensitive information like credit card numbers. Amazon’s response to Heartbleed was simply, “AWS is aware of the HeartBleed Bug (CVE-2014-0160) in OpenSSL and investigating any impact or required remediation. We will post back when we have more detail.”
But in this case, Apple and Amazon are denying it all. According to the companies, this infiltration never happened, and they’ve been telling Bloomberg that for a very long time.
Some highlights from the responses released by Amazon, Apple, and the Chinese server manufacturer, Supermicro, are listed below:
It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.
We’ve re-reviewed our records relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit that we conducted in 2015 as part of our due diligence prior to the acquisition. We’ve found no evidence to support claims of malicious chips or hardware modifications.
Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.
. . .
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue.
. . .
Furthermore, Supermicro doesn’t design or manufacture networking chips or the associated firmware and we, as well as other leading server/storage companies, procure them from the same leading networking companies.
These assertive statements are leading national security experts to question who exactly is telling the truth. If the Bloomberg story checks out, Amazon and Apple would seem to be lying and dismissing a potential national security risk.
“If anything, there are only official denials on the story and the lack of technical details doesn’t really favor the conclusions from a technical standpoint,” said Andrea Barisani, head of hardware security at F-Secure, an antivirus and cybersecurity company. “It is certainly possible to mount supply chain attacks that can affect the security of COTS (Commercial Off The Shelf) hardware, albeit posing notable implementation difficulties.”
I have to say, this is all really bizarre. The Bloomberg story is very detailed, citing documents and inside sources. But the company denials are also detailed and emphatic. You don’t often see the latter when a company is trying to hide something or be coy. https://t.co/qjA1TFKzZ3
— Kim Zetter (@KimZetter) October 4, 2018
No one in Congress has called for an investigation into these allegations, but Republicans and Democrats alike have been wary of Chinese hardware use within the country’s borders.
Ultimately, allegations this specific met with explicit denials like these may warrant further investigation. A deeper look into this potential attack wouldn’t be the first time members of Congress have criticized the use of Chinese hardware within the US. Over the summer, senators decided to include an amendment to a must-pass defense authorization bill banning the use of products by two other Chinese manufacturers (ZTE and Huawei) by government officials and contractors, citing national security concerns.