Apple has gone to unusual lengths to thoroughly and definitively refute a Bloomberg Businessweek article that suggested Chinese spies had planted microchips in the Chinese-made Supermicro server motherboards.
On Thursday, Bloomberg published a bombshell article uncovering an extraordinary hardware hacking effort by state-sponsored Chinese agents. “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies” details successful efforts by the People’s Liberation Army (PLA) to implant tiny chips into the motherboards of servers made by Super Micro, to compromise those systems and give them access.
Super Micro is one of the world’s largest producers of such hardware, supplying hardware used by the Department of Defense, Department of Homeland Security, NASA, Congress, and of many of the world’s largest companies. The attack ultimately reached almost 30 companies, Bloomberg claims.
Ultimately, Bloomberg says, Apple had deployed about 7,000 Super Micro servers when the company’s security team found the tiny hidden added chips. It claims Apple discovered the compromised servers in 2015 and reported the issue to the FBI, but “kept details about what it had detected tightly held, even internally.” The article cites an unnamed U.S. official who says that Apple didn’t allow government investigators to access its facility or the hardware in question.
Bloomberg didn’t provide specific details as to precisely what the alleged Chinese spy chip actually did. It outlined the principle of how it says the spy chip worked, but without describing exactly how the feat was achieved.
In simplified terms, the implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips’ operation say. This happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.
Apple released a strongly worded statement calling Businessweek‘s report inaccurate with no evidence to support the claims, and this afternoon, Apple went further and published an entire rebuttal on its website.
Apple’s press release includes the same statement that was initially provided to Bloomberg Businessweek, along with additional information that the company says it shared with Bloomberg Businessweek ahead of when the server article was released.
While Bloomberg Businessweek‘s report claims that Apple reported the alleged microchip incident to the FBI in 2015, Apple told the news site in no uncertain terms that no one from Apple ever reached out to the FBI, nor had Apple ever heard from the FBI about an investigation.
Apple also told Bloomberg Businessweek that despite “numerous discussions” across teams and organizations, no one at Apple had heard anything about the supposed microchip investigation.
Apple’s updated statement clarifies that Apple is not under any kind of gag order or held to a confidentiality obligation, and it says clearly that the report is “completely untrue” and that no malicious chips have been found in Apple servers.
Along with Apple, Bloomberg Businessweek claimed that other companies, such as Amazon, were also affected. Amazon has also issued a similarly worded denial. According to Amazon, the report is untrue and Amazon has never found any issues “relating to modified hardware or malicious chips in Supermicro motherboards” nor has Amazon participated in an investigation with the government.
Supermicro has also denied all reports and says it is not aware of any investigation regarding the topic.