Super Micro trashes Bloomberg chip hack story in recent customer letter

Server vendor calls Bloomberg report a "technical implausibility" and "wrong."

supermicro.png

In a letter sent to customers last week, Super Micro Computer (dba Supermicro) has thrashed a Bloomberg article that claimed the company's motherboards contained a secret chip inserted by the Chinese government for cyber-espionage purposes.

"We are confident that a recent article, alleging a malicious hardware chip was implanted during the manufacturing process of our motherboards, is wrong," the Super Micro letter starts.

The company said it's now "undertaking a complicated and time-consuming review to further address the article."

"We trust you appreciate the difficulty of proving that something did not happen, even though the reporters have produced no affected motherboard or any such malicious hardware chip," the letter continued.

The San Diego-based hardware maker is fighting to keep its company afloat. The Bloomberg article cause Super Micro stock price to drop roughly 55 percent following its publication and the price has hardly recovered.

The company denied the Bloomberg report from the start, and then again last week, in a reply to two US senators seeking clarification on Bloomberg's report.

The Bloomberg piece also claimed that Super Micro motherboards also made their way into the server infrastructure of the government agencies and over 30 companies, including Apple and Amazon.

Apple, Amazon, the DHS, and the GCHQ have also vehemently denied the initial report, claiming they have seen no evidence of the such, or have accused Bloomberg reporters of misconstruing facts.

And more denials have kept piling on as time went by.

Acting Homeland Security Advisor Rob Joyce said the Bloomberg report caused a distraction inside the US government that has led to a waste of resources.

Director of National Intelligence Dan Coats also came out to say that he's seen no evidence of Chinese actors tampering with Super Micro motherboards.

Even one of the security experts named in the Bloomberg piece cast some doubt on the original story.

Members of a well-known and respected IT community dedicated to server and storage hardware also called Bloomberg's piece "technically inaccurate" in a five-page report published this week.

Through all this, Bloomberg elected to stand by its reporters and their article.

All these denials and a lack of technical details included in the original Bloomberg piece have changed the public mindset in regards to the original report, which most IT experts now see as flawed or blatantly inaccurate.

Apple CEO Tim Cook went as far as to demand Bloomberg to retract its story last week. He was joined this week by Andy Jassy, the CEO of Amazon's Web Services division.

But among all these denials, it's the letter that Super Micro sent to its customers that brings the strongest rejection to Bloomberg's report.

The letter refers to the entire article as a "technical implausibility" and "wrong," but Super Micro does not go on the record to call for a retraction just yet.

Below are the most important excerpts from the letter where Super Micro describes its manufacturing process and why the company believes that a malicious chip wouldn't go unnoticed because of its multi-layered approach to its motherboard assembly process.

[...] we test our products at every step along the way. We check every board, we check every layer of every board, and we check the board's design visually and functionally, throughout the entire manufacturing process. Every board we manufacture has Supermicro oversight, including multiple layers of testing, from design to delivery.

Specifically, our process requires the inspection of the layout and components of every product at the beginning and end of each stage of manufacturing and assembly. Our employees are on site with our assembly contractors throughout the process. These inspections include several automated optical inspections, visual inspections, and other functional inspections. We also periodically employ spot checks and x-ray scans of our motherboards along with regular audits of our contract manufacturers. Our test processes at every step are not only designed to check functionality, but also to check for the integrity and composition of our designs and to alert us to any discrepancies in the base design.

Our motherboard designs are extremely complex. This complexity makes it practically impossible to insert a functional, unauthorized component onto a motherboard without it being caught by any one, or all, of the checks in our manufacturing and assembly process. The complex design of the underlying layers of the board also makes it highly unlikely that an unauthorized hardware component, or an altered board, would function properly.

Our motherboard technology involves multiple layers of circuitry. It would be virtually impossible for a third party, during the manufacturing process, to install and power a hardware device that could communicate effectively with our Baseboard Management Controller because such a third party would lack complete knowledge (known as "pin-to-pin knowledge") of the design. These designs are trade secrets protected by Supermicro. The system is designed so that no single Supermicro employee, single team, or contractor has unrestricted access to the complete motherboard design (including hardware, software, and firmware).

[...]

Our manufacturing process is designed to prevent unauthorized physical alterations of our motherboards by either our contract manufacturers or anyone at Supermicro. Motherboard design is systematically compartmentalized along the supply chain and within Supermicro in order to maintain security and product integrity. No party in the manufacturing process-other than Supermicro-has full information about the design of our motherboards during our multi-step production process. Even at Supermicro, the system is designed so that no single employee or team has unrestricted access to the entire design.

Each of our contractors has only the portion of the total engineering design of the motherboard that it needs to carry out its part in the manufacturing process. Modifications to the design plan must be confirmed with Supermicro, which then passes those modifications on to those downstream in the manufacturing process. If any single contractor attempts to modify the designs, the manufacturing process is structured so that those alterations would not match the other design elements in the manufacturing process. This makes it practically impossible for anyone to add an unauthorized hardware component that could both escape detection and function properly.

[...]

For these reasons, we are confident that these allegations are wrong.

A copy of the full letter is available here, as part of an SEC filing the company made last week.

RELATED CYBERSECURITY COVERAGE: