Slashdot Mirror
China Infiltrated Apple, Amazon and Other US Companies Using Spy Chips on Servers, According To Bloomberg; Apple, and Amazon, Among Others Refute the Report (bloomberg.com)
Data center equipment run by Amazon Web Services and Apple were subject to surveillance from the Chinese government via a tiny microchip inserted during the equipment manufacturing process, Bloomberg BusinessWeek reported Thursday, citing 17 people at Apple, Amazon, and U.S. government security officials, among others. The compromised chips in question came from a server company called Supermicro that assembled machines used in the centers, the report added. The scrutiny of these chips, which were used for gathering intellectual property and trade secrets from American companies, have also been the subject of an ongoing top secret U.S. government investigation, which started in 2015, the news outlet reported. Amazon, which runs AWS, Apple, and Supermicro have disputed summaries of Bloomberg BusinessWeek's reporting.
The report states that Amazon became aware of a Supermicro's tiny microchip nested on the server motherboards of Elemental Technologies, a Portland, Oregon based company, as part of a due diligence ahead of acquiring the company in 2015. Amazon acquired Elemental as it prepared to use its technologies for what is now known as Prime Video, its video streaming service. The report adds that Amazon informed the FBI of its findings. From the report: One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world's most valuable company, Apple. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons. [...] [Update: Some counterpoint: According to an earlier report by The Information, security concerns were indeed a reason why Apple and Supermicro parted ways.] A U.S. official says the government's probe is still examining whether spies were planted inside Supermicro or other American companies to aid the attack. Some background on Supermicro, courtesy of Bloomberg: Today, Supermicro sells more server motherboards than almost anyone else. It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards -- its core product -- are nearly all manufactured by contractors in China. The company's pitch to customers hinges on unmatched customization, made possible by hundreds of full-time engineers and a catalog encompassing more than 600 designs. Further reading: Amazon Offloaded Its Chinese Server Business Because it Was Compromised, Report Says.
The report states that Amazon became aware of a Supermicro's tiny microchip nested on the server motherboards of Elemental Technologies, a Portland, Oregon based company, as part of a due diligence ahead of acquiring the company in 2015. Amazon acquired Elemental as it prepared to use its technologies for what is now known as Prime Video, its video streaming service. The report adds that Amazon informed the FBI of its findings. From the report: One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world's most valuable company, Apple. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons. [...] [Update: Some counterpoint: According to an earlier report by The Information, security concerns were indeed a reason why Apple and Supermicro parted ways.] A U.S. official says the government's probe is still examining whether spies were planted inside Supermicro or other American companies to aid the attack. Some background on Supermicro, courtesy of Bloomberg: Today, Supermicro sells more server motherboards than almost anyone else. It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards -- its core product -- are nearly all manufactured by contractors in China. The company's pitch to customers hinges on unmatched customization, made possible by hundreds of full-time engineers and a catalog encompassing more than 600 designs. Further reading: Amazon Offloaded Its Chinese Server Business Because it Was Compromised, Report Says.
"no reasonable person would believe [us]"
Didn't they recently suffer from a severe lapse in manufacturing, allowing the Intel Management Engine to be reprogrammed? The one that has full access to the Cpu?
Prior, they had root access without passwords.
How can they refute it so strongly? Both of those gave full access to the computer. Both had to have been introduced by someone
Remember when the USA did the same thing?
I was talking about http://toxikonconsortium.org/F...
which was medicine in Haiti.
The Chinese manufacturer had replace glycerine with propylene glycol to save money. Lots of children died.
Are you talking about a different incident?
Bloomberg published responses from the companies involved. Here are some excerpts that give you a sense of how they responded...
Amazon:
It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware. [...]
And they go on to say a lot more that categorically denies Bloomberg's claims while making a mention of an unrelated firmware incident from 2016.
Apple:
Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement. [...]
And they go on to say a lot more that categorically denies Bloomberg's claims while suggesting that Bloomberg may be confused about the 2016 firmware incident.
Super Micro:
While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue.
And they go on to say a lot more that categorically denies Bloomberg's claims, including denying that they even make the chips that were allegedly compromised and that these companies supposedly purchased from them.
Meanwhile, here's a complete list of Bloomberg's sources who were willing to speak on the record:
*crickets*
As a guy who DESIGNS hardware, I can confidently say this....
Yes, it is possible to make a tiny chip that can disguise itself as a capacitor or a resistor. However, this part must be designed into the board for that purpose. There is such a thing as a "one wire interface." The part that it is talking to must know it is there and be intentionally taking to it.
However, adding a chip like this (a two-terminal part as shown in the article) to an existing product not designed for it seems very problematic. I can immediately think of three options for such a ghost part:
1) Pretends to be a signal filter capacitor. Possible, but it likely would not have the power to actively disrupt the signal flowing past it. This thing would only have access to ONE power rail and can get parasitic power off of the signal. But this kind of part would not have the power to actively disrupt the signal.
2) Pretends to be a resistor. This is even worse, because usually low-value resistors are used, so the voltage drop would be minimal. I cannot imagine how this part would get its power.
3) Pretend to be a pull-up or pull-down resistor. This might be useful in mis-configuring a part. It could alter its configuration to get the board into some sort of test mode. The problem is that this configuration would not allow the chip to receive any information from the outside world. So how do you control it?
Of course, this assumes that the part really is just a two-terminal part (as shown in the article). If they replace an active device, something with three or more pins, then all of those limitations go away. Some sort of level converter in a signal path would be an ideal candidate. If you could drop a chip somewhere in the Ethernet interface path, then you can do anything you want... But those chips would look like chips and could not be mistaken for a passive component.
"-1 Troll" is the apparently the same as "-1 I disagree with you."
So playing devil's advocate here: They could have modified the design, burying the extra traces in interior layers. After approval and the initial production run would you go poking around the boards being shipped out that closely to notice some small extra vias that had been masked over? Would you pull a board apart to view the inner layers if there were no problems? We aren't talking about a rogue employee here but a state sponsored program so you would expect it to have the engineering capability to modify a board design in a way as to not interfere with it's normal functionality. If they compromised the PCB manufacturer and assembly partner they could slip it in any time they wanted to.
Now I'm not saying I'm buying this story. The very specific, very adamant denials from Amazon isn't the type of denial you would normally expect in a situation like this if they coudln't talk. But it is possible.
I browse on +1 so AC's need not respond, I won't see it.
Heads rolled after the fact, yes. Mostly to save face, I think, and make a public message of "Look! See, we have laws too!" Every time it happens, it comes off looking more like PR and and an attempt to hobble further investigation. My question is always: what controls are you pitting in place to make sure this doesn't happen again?
Whether it's adulterated baby formula, or adulterated medicine, or adulterated pork buns, t comes down to someone taking risks to make a fast profit. Plenty of that happens everywhere in the world, but it seems to be in China that the controls are lax enough and the people are desperate enough to actually KILL THEIR CUSTOMERS in order to make money.