Witold Kepinski - 5 October 2018

Apple, AWS and Supermicro: 'Reporting on server hack by China is incorrect'


Amazon Web Services (AWS) and Apple deny the claim, reported by Bloomberg BusinessWeek, that a small microchip that may have been used for espionage purposes was discovered in Supermicro data center hardware. According to the report, the chip was added to the equipment by the Chinese government during the manufacturing process and was used to steal, among other things, intellectual property and trade secrets from American companies. AWS and Apple state that the Bloomberg BusinessWeek article is incorrect.

The chip was discovered after AWS had a third party examine the security of Elemental, a start-up it was considering acquiring to help expand its streaming video service Amazon Prime Video. During this analysis, a microchip that is not part of the server's design was discovered on the motherboard of Elemental's servers.

Apple, AWS and Super Micro all deny the reporting. Super Micro states that it did not add the chips to the servers. Apple, in addition, denies having found the microchips in its servers. The company states that the reporting is incorrect and that Bloomberg's sources may be referring to a 2016 incident in which an infected driver was found on a single Super Micro server. Apple states that this was a one-time incident and not a targeted attack on Apple.

Below is the AWS statement (in English) from Steve Schmidt, Chief Information Security Officer:

Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article

Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region.

As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.

There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).

The article also claims that after learning of hardware modifications and malicious chips in Elemental servers, we conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data center. This claim is similarly untrue. The first and most obvious reason is that we never found modified hardware or malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers in any of our data centers. And, this notion that we sold off the hardware and datacenter in China to our partner Sinnet because we wanted to rid ourselves of SuperMicro servers is absurd. Sinnet had been running these data centers since we launched in China, they owned these data centers from the start, and the hardware we “sold” to them was a transfer-of-assets agreement mandated by new China regulations for non-Chinese cloud providers to continue to operate in China.

Statement Supermicro:

Supermicro along with Apple and Amazon refute claims in Bloomberg story

Super Micro Computer, Inc. (SMCI), a global leader in enterprise computing, storage, networking solutions and green computing technology, strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems.

In an article today, it is alleged that Supermicro motherboards sold to certain customers contained malicious chips on its motherboards in 2015. Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found.

Each company mentioned in the article (Supermicro, Apple, Amazon and Elemental) has issued strong statements denying the claims:

Apple stated on CNBC, "We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Supermicro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."

Steve Schmidt, Chief Information Security Officer at Amazon Web Services stated, "As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems."

Supermicro has never been contacted by any government agencies either domestic or foreign regarding the alleged claims.

Supermicro takes all security claims very seriously and makes continuous investments in the security capabilities of their products. The manufacture of motherboards in China is not unique to Supermicro and is a standard industry practice. Nearly all systems providers use the same contract manufacturers. Supermicro qualifies and certifies every contract manufacturer and routinely inspects their facilities and processes closely.

 
