Computer manufacturer Supermicro is still trying to lay to rest reports that the Chinese government tampered with its equipment to spy on Western cloud users. The San Jose-based company published a letter this week claiming that independent tests had cleared its equipment of any compromise.
Supermicro sells data centre computers to Western customers using components made by contractors in China. It has spent the last two months denying that Chinese subcontractors have been secretly embedding microscopic chips onto its motherboards that enable it to remotely control the computers’ operating systems and watch what they’re doing.
In the letter, posted on the company’s website, president and CEO Charles Liang along with two senior vice presidents said that the company had completed an independent audit to look for malicious hardware on its motherboards. It found nothing, it said:
Because the security and integrity of our products is our highest priority, we undertook a thorough investigation with the assistance of a leading, third-party investigations firm. A representative sample of our motherboards was tested, including the specific type of motherboard depicted in the article and motherboards purchased by companies referenced in the article, as well as more recently manufactured motherboards.
This latest missive follows a letter to customers issued on 18 October 2018 that condemned a story published by Bloomberg on 4 October 2018. The story claimed that the Chinese government had coerced contractors to implant tiny monitoring devices on motherboards sold to Supermicro.
Apple and Amazon, which Bloomberg said knew about the compromised motherboards, both denied the tampering claims along with the manufacturer shortly after the story was published. Bloomberg didn’t back down, though. The company claimed in a story on 9 October 2018 that a security expert, Yossi Applebaum, had discovered embedded monitoring devices in the ethernet connectors on Supermicro motherboards sold to a major US telco. However, in neither story did it publish hard evidence such as photos or analysis data to support its claims.
Mind you, Supermicro didn’t publish the evidence in this latest report either, which Reuters says was conducted by investigations and cybersecurity forensics firm Nardello & Co. Supermicro said:
Today, we want to share with you the results of this testing: After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards.
Why would Supermicro keep flogging this horse rather than letting the story silently die? Its share price might have something to do with it. It dropped from $21.40 to $12.60 on the day that the Bloomberg story broke, and has only just broken $16. The question is whether this new report will do anything to boost its fortunes or whether it will spark controversy all over again.
Tony Gore
As far as I could see, Bloomberg was only describing the IPMI or equivalent out of band monitoring which pretty much every server has. This sort of management is also on many motherboards for corporate remote management of laptops and PCs. I never saw any evidence that it was something that wasn’t meant to be there.
Danny Bradbury
No, the Bloomberg story published on 4 October 2018 described a lot more than just conventional out of band monitoring.
Rob
I would imagine if they did have Chinese spy chips in their products, they were applied in a targeted manner. I recall the “NSA upgrade factory.”
Somebody
Right.
Not saying these boards are compromised or not, but coming from the mouth of a company that is going to die if the reports are true, AND, despite being an “American” company, is run by Chinese *people*… Not exactly an impartial source of you know what I mean.
@Tony: it isn’t that they HAVE IPMI, it is that the spy chip uses the IPMI.
Personally, I have 3 servers with SM boards in them, and have physically removed the IPMI ROM from them. Not for fears over the spy chip, but because the firmware is anything but secure. I’d rather take a trip to the datacenter occasionally (haven’t in 5 years) over putting that crapware on the interwebz.