Audit: No Chinese surveillance implants in Supermicro boards found
In a letter to customers issued December 11, Supermicro President and CEO Charles Liang and other top executives announced that an audit conducted by an outside investigating team had found no evidence of any malicious hardware incorporated into motherboards currently or previously manufactured by the company. The letter is the latest rebuttal to Bloomberg reports in October that claimed tiny chips that provided a backdoor for China's intelligence agencies had been integrated into boards provided to major Internet and cloud providers—a report also refuted by the companies the report claimed were targeted.
"After a thorough examination and a range of functional tests, the investigative firm found absolutely no evidence of malicious hardware on our motherboards," the letter signed by Liang, Supermicro Senior Vice President and Chief Compliance Officer David Weigland, and Senior VP and Chief Product Officer Raju Penumatcha stated.
Searching for site:soylentnews.org supermicro on Google brought up a Supermicro ad linking the CEO letter, with the link entitled "Supermicro Independent Testing | No Malicious Hardware". Do you believe them?
Previously: Chinese Spy Chips Allegedly Inserted Into Amazon, Apple, etc. Datacenters by Super Micro
Bloomberg Stands by Chinese Chip Story as Apple, Amazon Ratchet up Denials
Bloomberg Claims That a Major U.S. Telecom Operated a Server Backdoored by a Hidden Chip
Related: Apple Deleted Server Supplier After Finding Infected Firmware in Servers
Firmware Vulnerabilities in Supermicro Systems
Supermicro Announces Suspension of Trading of Common Stock on Nasdaq and its Intention to Appeal
Related Stories
A mid-2016 security incident led to Apple purging its data centers of servers built by Supermicro, including returning recently purchased systems, according to a report by The Information. Malware-infected firmware was reportedly detected in an internal development environment for Apple's App Store, as well as some production servers handling queries through Apple's Siri service.
An Apple spokesperson denied there was a security incident. However, Supermicro's senior vice-president of technology, Tau Leng, told The Information that Apple had ended its relationship with Supermicro because of the compromised systems in the App Store development environment. Leng also confirmed Apple returned equipment that it had recently purchased. An anonymous source was cited as the source of the information regarding infected Siri servers.
[...] A source familiar with the case at Apple told Ars that the compromised firmware affected servers in Apple's design lab, and not active Siri servers. The firmware, according to the source, was downloaded directly from Supermicro's support site—and that firmware is still hosted there.
Source: ArsTechnica
Submitted via IRC for mechanicjay
We have already seen both proof-of-concept and in-the-wild demonstrations of attacks targeting system firmware such as SMM rootkits, device firmware replacement, and even usurping firmware-based features for malware. As part of our ongoing security research efforts, we recently reviewed various Supermicro systems and discovered serious firmware vulnerabilities. Such issues affect many models and have persisted for many years, which could be problematic since these systems are commonly used as data center servers. As other researchers have shown, Supermicro is not alone. Security vulnerabilities in firmware continue to be discovered regularly. Unfortunately, malicious activity at the firmware and hardware level is invisible to most detection and response mechanisms in use today, leaving many critical systems exposed to attacks that target this area.
These vulnerabilities are easily exploitable and provide malware with the same impact as having physical access to the kind of system that is usually stored in a secure data center. A physical attacker who can open the case could simply attach a hardware programmer to bypass protections. Using the attacks we have discovered, it is possible to scale powerful malware much more effectively through malicious software instead of physical access.
Source: Firmware Vulnerabilities in Supermicro Systems
Though this happened earlier in the week, I just now found out about it. Given how well-known the company is, I thought other Soylentils would like to know about this, too.
Supermicro® Announces Suspension of Trading of Common Stock on Nasdaq and its Intention to Appeal:
Super Micro Computer, Inc. (NASDAQ:SMCI) [...] today announced that, as expected, the Company received a notification letter from The Nasdaq Stock Market Hearings Panel [...] on August 22, 2018, indicating that trading in the Company's common stock on Nasdaq's Global Select Market will be suspended effective at the open of business on August 23, 2018.
The Company previously announced on August 21, 2018 that it did not expect to regain compliance with the Nasdaq continued listing requirements by August 24, 2018, the deadline previously set by the Panel.
The Panel's letter also stated that the Panel has determined to delist the Company's shares from Nasdaq after applicable appeal periods have lapsed. The Company intends to appeal the Panel's decision to the Nasdaq Listing and Hearing Review Council. During the appeal period, trading in the Company's common stock on Nasdaq will remain suspended and Nasdaq will not delist the Company's common stock pending such appeal. Once the Company has regained compliance with its SEC filing requirements, the Company intends to promptly request that Nasdaq lift the suspension in trading of its common stock or, in the event the common stock is delisted, to promptly apply to relist its common stock on Nasdaq or another national securities exchange.
While the Company's common stock is suspended from trading on Nasdaq, the Company expects that its shares will be quoted on the OTC Markets under the trading symbol SMCI.
According to Wikipedia:
Chinese spy chips are found in hardware used by Apple, Amazon, Bloomberg says; Apple, AWS say no way
The chips, which Bloomberg said have been the subject of a top secret U.S. government investigation starting in 2015, were used for gathering intellectual property and trade secrets from American companies and may have been introduced by a Chinese server company called Super Micro that assembled machines used in the centers.
[...] China has long been suspected — but rarely directly implicated — in en masse spy campaigns based on hardware made there. The majority of electronic components used in U.S. technology are manufactured in China. Companies including component manufacturers Huawei and ZTE, as well as surveillance camera maker Hikvision, have all fallen under intense suspicion and scrutiny from the U.S. government in the past year.
I'd think that the big guys would be designing their own boards. Maybe we should only buy PCBs from South Korea.
Also at Bloomberg and The Guardian.
Following up on our story from Thursday — Chinese Spy Chips Allegedly Inserted Into Amazon, Apple, etc. Datacenters by Super Micro — there is a report from Ars Technica Bloomberg stands by Chinese chip story as Apple, Amazon ratchet up denials:
On Thursday morning, Bloomberg published a bombshell story claiming that the Chinese government had used tiny microchips to infiltrate the data centers of Apple and Amazon. Apple and Amazon, for their part, responded with unusually specific and categorical denials. It's clear that someone is making a big mistake, but 24 hours later, it's still not clear whether it's Bloomberg or the technology companies.
On Thursday afternoon, Apple laid out its case against the story in a lengthy post on its website. The post specifically disputed a number of Bloomberg's claims. For example, Bloomberg says that after discovering a mysterious chip in one of its servers, Apple "reported the incident to the FBI," leading to an investigation. Apple flatly denies that this occurred.
"No one from Apple ever reached out to the FBI about anything like this," Apple writes. "We have never heard from the FBI about an investigation of this kind."
Amazon's response has been equally emphatic and detailed. "There are so many inaccuracies in this article as it relates to Amazon that they're hard to count," Amazon wrote on Thursday. "We never found modified hardware or malicious chips in servers in any of our data centers."
Yet Bloomberg reporter Jordan Robertson, one of the article's co-authors, has stood by his story. In a Thursday afternoon appearance on Bloomberg TV, Robertson said that he talked to 17 anonymous sources—both in US intelligence agencies and at affected companies—who confirmed the story.
So what's going on? It's clear that someone isn't telling the truth, but it's hard to tell what the real story is.
A comment to that story on Ars noted:
The (alleged) chip is associated with the BMC (baseboard management controller). It has indirect access to everything that the BMC can touch, which is pretty much everything in the system.
See, also, coverage on Hackaday where a comment identifies the particular board in question as being a MicroBlade MBI-6128R-T2. A link to a tweet reveals a picture of the board in question and a followup picture showing where the extra device would be located.
Major US telecom was infiltrated by backdoored Supermicro hardware, Bloomberg says
Five days after Bloomberg stunned the world with still-unconfirmed allegations that Chinese spies embedded data-sniffing chips in hardware used by Apple, Amazon, and dozens of other companies, the news organization is doubling down. Bloomberg is now reporting that a different factory-seeded manipulation from the previously described one was discovered in August inside the network of a major US telecommunications company.
Bloomberg didn't name the company, citing a non-disclosure agreement between the unnamed telecom and the security firm it hired to scan its data centers. AT&T, Sprint and T-Mobile all told Ars they weren't the telecom mentioned in the Bloomberg post. Verizon and CenturyLink also denied finding backdoored Supermicro hardware in their datacenters, Motherboard reported.
Tuesday's report cites documents, analysis, and other evidence provided by Yossi Appleboum, who is co-CEO of a hardware security firm called Sepio Systems. Bloomberg said that, while Sepio was scanning servers belonging to the unnamed telecom, the firm detected unusual communications from a server designed by Supermicro. Supermicro, according to last week's Bloomberg report, is the hardware manufacturer whose motherboards were modified in the factory to include a tiny microchip that caused attached servers to come under the control of a previously unreported division of China's People's Liberation Army. Supermicro told Bloomberg it had no knowledge of the implant, marking the second time the hardware maker has denied knowing anything about the reported manipulations.
[...] The criticism was still at full pitch on Tuesday morning when Bloomberg published its follow-up article. While it names a single source, some security experts quickly challenged the credibility of the report. "Sure this story has one named source but it technically makes even less sense than the first one," Cris Thomas, a security expert who tweets under the handle SpaceRogue, wrote. "Come on @Bloomberg get somebody who knows what they're talking about to write these stories. Calling BS on this one as well."
Previously: Chinese Spy Chips Allegedly Inserted Into Amazon, Apple, etc. Datacenters by Super Micro
Bloomberg Stands by Chinese Chip Story as Apple, Amazon Ratchet up Denials
Related: Firmware Vulnerabilities in Supermicro Systems
Supermicro Announces Suspension of Trading of Common Stock on Nasdaq and its Intention to Appeal
(Score: 2) by MostCynical on Wednesday December 12 2018, @11:08AM (7 children)
I believe they didn't find any evidence.
Did they get genuine random samples? Were they supplied special "clean" items? And.. how hard did they look?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 1, Insightful) by Anonymous Coward on Wednesday December 12 2018, @11:50AM
Also, would it amout to corporate suicide to report otherwise? Would it be legal to do so? How honest have these guys been in the past? (dunno, honest question)
(Score: 0) by Anonymous Coward on Wednesday December 12 2018, @11:58AM
They looked just hard enough (and definitely no more expensive than!) to later claim "we looked thoroughly at everything" and have it stand up to superficial evaluation by (security) management drones.
I'll bet you lots of virtual AC-money that, were an experienced professional to look at what they actually did, he would pronounce that their activities were akin to scooping water with a sieve.
(Score: 2) by YeaWhatevs on Wednesday December 12 2018, @04:30PM
I believe they chose to sit in a sensory deprivation chamber as well as actively not retrieve their own memories in order to make this claim.
I used to work with a guy who's tried to pull this shit every day of the week as he wrecked the software. First time or two I thought this could have been a tounge-in-cheek joke with bad delivery, or maybe he just had bad memory, but no, he really did somehow think this was going to get him out of fixing his shit. I really wish I was his manager that day. I would have given him about 15 seconds to drop the act or fire his ass on the spot.
(Score: 1) by hopdevil on Wednesday December 12 2018, @05:10PM
Finding such implants would be quite the challenge. You would actually need devices from the customer's production facility, after which you would be looking for a single misplaced grain of sand in 1000x of servers.
If you are asking the people that already deny having any implants if they see any (outside team knows where the money comes from), what do you think their answer will be?
(Score: 5, Informative) by sjames on Wednesday December 12 2018, @08:01PM (2 children)
Keep in mind there is no contrary evidence at all. Bloomberg made some bald assertions backed by "anonymous sources", a mis-quoted expert who stated elsewhere that he was actually speaking of a hypothetical situation and a few "representative" photos "for illustration" that didn't actually show anything relevant to the claim. Nobody at all has ever come forward with any better evidence than NONE.
On the other side, Apple and Amazon have indicated that they haven't seen anything related to the Bloomberg story. Honestly, given the nothing on the other side, a "We don't FEEL hacked" from Supermicro would be adequate to refute the unbacked claim.
(Score: 3, Interesting) by pipedwho on Wednesday December 12 2018, @09:07PM (1 child)
This.
Expecting someone to prove a negative based on unsupported 'anonymous' accusations is ridiculous. Especially, when the corporations under 'media attack' have indicated that they have investigated the situation and found no corroborating evidence that there is any truth to the rumour.
Sadly this seems to be standard operating procedure for media. An 'anonymous source' provides some scandalous claim about companies X, Y and Z. Meanwhile 'someone' is reaping the benefits of a short call on company X, Y and/or Z stocks.
(Score: 1) by DeVilla on Friday December 14 2018, @02:47AM
I dunno. Ruining someone based on unsupported accusations seems to be du jour.
(Score: 1, Funny) by Anonymous Coward on Wednesday December 12 2018, @12:08PM (3 children)
I wonder if the audit was performed by Kaspersky?
(Score: 4, Touché) by DannyB on Wednesday December 12 2018, @03:04PM
I doubt it. AFAIK, Kaspersky does not use Faith Based audit methodology that would be a requirement in the eligibility selection criteria.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 0) by Anonymous Coward on Wednesday December 12 2018, @05:59PM
everybody knows real windows users use norty!
(Score: 0) by Anonymous Coward on Wednesday December 12 2018, @06:09PM
If it was they would have found chips inserted by CIA and told the rest of us.
(Score: 4, Insightful) by Anonymous Coward on Wednesday December 12 2018, @12:12PM (4 children)
I don't believe the original accusation, so this statement is irrelevant.
If there is true evidence found by CIA/NSA whoever of intentional malfeasance by the Chinese government, they wouldn't just yell "stop buying Chinese!". I would expect a significant diplomatic response, so far I haven't seen that. Therefore I'm assuming this is a money/greed driven campaign.
At least I don't recall seeing any evidence.
(Score: 0) by Anonymous Coward on Wednesday December 12 2018, @01:30PM (1 child)
When a TLA makes a stink about something they will have to reveal (at least) some of the evidence that they have. Doing so lets their adversaries know a little bit more about how they are being surveilled by the TLA.
I'm not saying that a TLA did find any proof, or that these accusations are true/false, just that "no diplomatic kerfuffle" does not mean nothing was uncovered.
(Score: 2) by DannyB on Wednesday December 12 2018, @03:07PM
Yep. Whenever a TLA reveals something big, that revelation implies something about how the big revelation was discovered.
Conspiracy theory: Bloomberg's article author is a conspiracy theorist, or is working to help our Tirade War.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 0) by Anonymous Coward on Wednesday December 12 2018, @08:00PM
You mean like with the Khashoggi murder?
(Score: 2) by Arik on Thursday December 13 2018, @07:49AM
That said I don't find the accusation at all incredible. China is the world's number 2 power and the number 1 has been metaphorically shoveling sand in their face for several years. They were a little sensitive before the teasing started and they're positively riled now - so much so that they've essentially undone all the liberalization since shortly after Mao died, and crowned the new ruler a virtual Emperor yet again.
Emperor Xi, aka Winnie the Poo, is a very dangerous man.
So this is one of those smells true even if it isn't sort of accusations. Quite safe to make, as a result. Is it true or not is another story.
My own gut response is yes, it's probably more or less true. I doubt they went to much extra expense to make sure this would work, but yeah, especially anything manufactured post Xi should be considered rooted from the factory.
Context - so should anything manufactured in the US, and starting several years earlier. :(
If laughter is the best medicine, who are the best doctors?
(Score: 2, Insightful) by Anonymous Coward on Wednesday December 12 2018, @12:16PM
Supermicro is HQd in the USA, you can't trust a word that they, or any other USAian body, says when the government has an interest in the public's belief about the matter at hand.
(Score: 5, Insightful) by Arik on Wednesday December 12 2018, @12:24PM (1 child)
And yet they sell Intel.
If laughter is the best medicine, who are the best doctors?
(Score: 4, Interesting) by Runaway1956 on Wednesday December 12 2018, @02:55PM
My Supermicro is powered by Opteron. If/when something better than Opteron happens, I may go with it. At this point in time, Opteron seems the best thing going, and Supermicro supports it quite well. I'm considering an upgrade to a newer, faster board. I deserve a nice Christmas present.
(Score: 2) by chewbacon on Wednesday December 12 2018, @10:04PM
I don’t build mobos, but I’d think sneaking in a chip that the board wasn’t engineered to have would cause other problems with the board that would pop up quickly on quality measurement graphs. The whole thing smelled of fake news.