Security Market Segment LS
Tuesday, 23 October 2018 08:20

Supermicro chief says Bloomberg spy story is dead wrong Featured

Supermicro chief says Bloomberg spy story is dead wrong Pixabay

Supermicro Computer, the server manufacturer at the heart of allegations of supply chain manipulation through implanting of chips on mainboards made for it by a Chinese supplier, has written to its customers saying that the story, put out by Bloomberg, is dead wrong.

Charles Liang, the company's president and chief executive, said in the letter that "no one has shown us a motherboard containing any unauthorised hardware chip, we are not aware of any such unauthorised chip, and no government agency has alerted us to the existence of any unauthorised chip".

Liang's denial comes soon after Apple chief executive Tim Cook took the unusual step of asking Bloomberg to retract the story which was published on 4 October. Supermicro's shares were badly hit by the story; they fell from US$21.40 to US$12.46 and are yet to recover, hovering around the US$15 mark.

Amazon Web Services manager Andy Jassy said in a tweet on Tuesday that Cook was right. "[The] Bloomberg story is wrong about Amazon, too. They offered no proof, [the] story kept changing, and [they] showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract [the story]," he wrote.

In its story, Bloomberg claimed security testing by Amazon in 2015 had revealed the existence of tiny chips that were not part of the original mainboard design and that this led to an extensive investigation by US Government agencies which found servers built using these boards in data centres belonging to the Department of Defence, on warships, and for processing data being handled by CIA drones.

The news agency said that major banks were also using servers made by Supermicro and that the government investigation led to several companies getting rid of the Supermicro equipment.

A few years ago, the same journalists, Jordan Robertson and Michael Riley, wrote a story, claiming that the US Government had prior knowledge of the Heartbleed bug, a serious vulnerability in OpenSSL, before it was announced. Bloomberg did not issue a follow-up after the story was denied.

Apple issued a detailed denial when the story was published. Later, its former general counsel, Bruce Sewell, said that the FBI had told him it had told him it had no knowledge of any probe into such an incident, as claimed by Bloomberg.

And the company took the additional step of writing to the US Congress denying the story. Chief security officer George Stathakopoulos said in a letter that the company had found no evidence to justify the claims made in the Bloomberg report.

There have also been strong denials from Amazon, the US Department of Homeland Security and the British National Cyber Security Centre.

Liang said in the letter: "Our motherboard technology involves multiple layers of circuitry. It would be virtually impossible for a third party, during the manufacturing process, to install and power a hardware device that could communicate effectively with our Baseboard Management Controller because such a third party would lack complete knowledge (known as 'pin-to-pin knowledge') of the design.

"These designs are trade secrets protected by Supermicro. The system is designed so that no single Supermicro employee, single team, or contractor has unrestricted access to the complete motherboard design (including hardware, software, and firmware)."

He added: "Each of our contractors has only the portion of the total engineering design of the motherboard that it needs to carry out its part in the manufacturing process.

"Modifications to the design plan must be confirmed with Supermicro, which then passes those modifications on to those downstream in the manufacturing process.

"If any single contractor attempts to modify the designs, the manufacturing process is structured so that those alterations would not match the other design elements in the manufacturing process.

"This makes it practically impossible for anyone to add an unauthorised hardware component that could both escape detection and function properly. This also ensures there are multiple quality checks built into each step of our manufacturing process."

Liang said for these reasons, he was confident that Bloomberg's allegations were wrong.

"...experts across the ecosystem, including FBI director Christopher Wray, NSA senior cyber security adviser Rob Joyce, director of National Intelligence Dan Coats, the Department of Homeland Security, the UK’s GCHQ and even an expert quoted in the article itself, have questioned these allegations. Finally, Apple and Amazon have issued strong statements denying the claims," he said.


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments