Wednesday, October 4th 2017

Supermicro Refutes Claims in Bloomberg Article

Super Micro Computer, Inc. (SMCI), a global leader in enterprise computing, storage, networking solutions and green computing technology, strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems. In an article today, it is alleged that Supermicro motherboards sold to certain customers contained malicious chips on its motherboards in 2015. Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found.

Each company mentioned in the article (Supermicro, Apple, Amazon and Elemental) has issued strong statements denying the claims:
Apple stated on CNBC, "We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Supermicro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."

Steve Schmidt, Chief Information Security Officer at Amazon Web Services stated, "As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems."

Supermicro has never been contacted by any government agencies either domestic or foreign regarding the alleged claims.

Supermicro takes all security claims very seriously and makes continuous investments in the security capabilities of their products. The manufacture of motherboards in China is not unique to Supermicro and is a standard industry practice. Nearly all systems providers use the same contract manufacturers. Supermicro qualifies and certifies every contract manufacturer and routinely inspects their facilities and processes closely.

24 Comments on Supermicro Refutes Claims in Bloomberg Article

#1
mcraygsx
How is this any different than Intel Management Engine? If this story has any merit to it, then every component manufactured in China is susceptible.

ED: "IME subsystem primarily consists of proprietary firmware running on a separate microprocessor that performs tasks during boot-up, while the computer is running, and while it is asleep. As long as the chipset or SoC is connected to current (via battery or power supply), it continues to run even when the system is turned off."
#2
StrayKAT
Occam's Razor would tell me SM got duped by a lowly employee. If someone went through all of this trouble to spread FUD and knock the crap out of a relatively humble (relative to the big players) server provider, that's harder for me to believe. Why them?

edit: Crap, even QAnon has something to say. I won't direct you to it.. I'm not in the mood for ridicule. Q has been a curious figure to me for a year now though.. and I still don't know what to think. Disinfo everywhere. Not just SM or China.. it's everywhere.
#3
btarunr
Editor & Senior Moderator
Someone should tell Supermicro the difference between denial and refutation. Nothing in this PR refutes Bloomberg's claims. It only denies them. They only used quotes by AWS and Apple from CNBC, which are denials in themselves.
#4
NdMk2o1o
btarunr said:
Someone should tell Supermicro the difference between denial and refutation. Nothing in this PR refutes Bloomberg's claims. It only denies them. They only used quotes by AWS and Apple from CNBC, which are denials in themselves.
What do you want? The blood of their first born? They have publicly stated it's not something they practice in; can they prove it any more? Any more than, for example, the Indian government taking 100's of £illions in aid every year for its starving people whilst spending just as much to send a rocket to the moon? Someone should tell India the difference between aid and feeding their population imo, but who am I to comment?
#5
mcraygsx
This story does remind me of the Kaspersky conspiracy on a larger scale. This is an escalation of a trade war.
#6
R-T-B
mcraygsx said:
How is this any different than Intel Management Engine?
a.) It's not supposed to be there

b.) At least the Intel Management Engine does what it says on the tin, for better or for worse. There literally ISN'T a tin in this case. So yeah, it's worse.
#7
cdawall
where the hell are my stars
I have several Supermicro boards; where are the traces where these supposed chips are?
#8
newtekie1
Semi-Retired Folder
btarunr said:
Someone should tell Supermicro the difference between denial and refutation. Nothing in this PR refutes Bloomberg's claims. It only denies them. They only used quotes by AWS and Apple from CNBC, which are denials in themselves.
The original source that allegedly found this hidden chip was evaluating the hardware for Elemental and AWS. So statements from AWS and Elemental that the actual fact is it never happened and nothing of this nature was ever actually found is a pretty darn good way to refute Bloomberg's claims. At this point, I haven't seen one bit of evidence from Bloomberg other than them saying it happened, and citing unnamed sources. So getting a statement from as close to the source as humanly possible is more evidence than Bloomberg has presented.
#9
Xzibit
newtekie1 said:
The original source that allegedly found this hidden chip was evaluating the hardware for Elemental and AWS. So statements from AWS and Elemental that the actual fact is it never happened and nothing of this nature was ever actually found is a pretty darn good way to refute Bloomberg's claims. At this point, I haven't seen one bit of evidence from Bloomberg other than them saying it happened, and citing unnamed sources. So getting a statement from as close to the source as humanly possible is more evidence than Bloomberg has presented.
It was a third party auditor.

AWS can claim they never found anything because they didn't conduct the audit themselves. As for the purchase of Elemental, it happened prior, so they can say they never found anything there either during their review.
#10
hat
Enthusiast
Hmm... so let's pretend for a moment there really isn't anything there. Why would someone make this up? Could it be another CTS Labs type deal, attempting to besmirch Supermicro's name? Political motivations (big bad China, Red Scare Round 2)?
#11
StrayKAT
hat said:
Hmm... so let's pretend for a moment there really isn't anything there. Why would someone make this up? Could it be another CTS Labs type deal, attempting to besmirch Supermicro's name? Political motivations (big bad China, Red Scare Round 2)?
That's what I don't get... why the hell Supermicro? As ubiquitous as their servers are, they're not exactly the biggest company.. if this was just a smear campaign. I could see someone attacking them to get to their clients though.
#12
R0H1T
NdMk2o1o said:
What do you want? The blood of their first born? They have publicly stated it's not something they practice in; can they prove it any more? Any more than, for example, the Indian government taking 100's of £illions in aid every year for its starving people whilst spending just as much to send a rocket to the moon? Someone should tell India the difference between aid and feeding their population imo, but who am I to comment?
What, did you get up on the wrong side of the bed today or something hit you on the head?
#13
btarunr
Editor & Senior Moderator
NdMk2o1o said:
What do you want? The blood of their first born? They have publicly stated it's not something they practice in; can they prove it any more? Any more than, for example, the Indian government taking 100's of £illions in aid every year for its starving people whilst spending just as much to send a rocket to the moon? Someone should tell India the difference between aid and feeding their population imo, but who am I to comment?
Your example doesn't even begin to qualify as an analogy, and is flamebait. Spend the next three months writing to your MP on unsolicited aid to India.

The Indian government already stated for the past 20 years it doesn't need aid from the UK, but if the UK government insists on absolving its colonial guilt by handing us 100s of millions of your tax monies each year (which is chump-change for a $3.2 trillion/$7.8 trillion PPP economy that's overtaking Britain's as we speak), then we'll use it for whatever we want.

Space exploration is never an unproductive use of money, and the UK is better off bankrolling the Indian space program. NASA and ESA hate our space program because we get things done at 1/10th their budgets, and have a very nice success rate. Just this month we launched three British satellites for a fraction of the cost the French were asking, saving "£illions."

You're welcome. Back to topic.
#14
StrayKAT
A part of me doesn't want them to sink. I really wish there were more no-frills, smaller mobo manufacturers out there. Sick of the Big 3 or 4 who all make tacky looking equipment that seems to take its cues from Ricer/Street Racing culture.

edit: Ahem! That wasn't meant to be racist either! Besides, I'm Asian myself. :p
#15
TheLostSwede
cdawall said:
I have several Supermicro boards; where are the traces where these supposed chips are?
If you read the original source article, you would quickly understand that the said spy chips were only installed on very specific boards that had a chance to end up with very specific customers. They're not all on all Supermicro products.

Supermicro would obviously deny this, especially as their stock price has dropped 41% since this story broke.
#16
RCoon
Gaming Moderator
NdMk2o1o said:
Any more than, for example, the Indian government taking 100's of £illions in aid every year for its starving people whilst spending just as much to send a rocket to the moon? Someone should tell India the difference between aid and feeding their population imo
This was entirely unnecessary and against forum guidelines, but you already knew that because...
NdMk2o1o said:
who am I to comment?
You're damn right.
#17
R0H1T
Just to be clear, there's no documented evidence of SMCI hardware being compromised? What about the NSA or US govt, do they audit such products, especially when they're used by their agencies or contractors?
#18
RCoon
Gaming Moderator
R0H1T said:
Just to be clear, there's no documented evidence of SMCI hardware being compromised? What about the NSA or US govt, do they audit such products, especially when they're used by their agencies or contractors?
Bloomberg has both government and corporate sources. And there is some evidence. In 2016 Apple dumped 7000 supermicro servers very suddenly and no longer does business with them. Amazon also abruptly sold off a Chinese data server.
#19
newtekie1
Semi-Retired Folder
Xzibit said:
It was a third party auditor.

AWS can claim they never found anything because they didn't conduct the audit themselves. As for the purchase of Elemental, it happened prior, so they can say they never found anything there either during their review.
A mystical 3rd party auditor according to Bloomberg. But AWS and Elemental are who hired the auditor, so they can't really truthfully say they didn't find anything if someone they allegedly hired in fact did.

hat said:
Hmm... so let's pretend for a moment there really isn't anything there. Why would someone make this up? Could it be another CTS Labs type deal, attempting to besmirch Supermicro's name? Political motivations (big bad China, Red Scare Round 2)?
StrayKAT said:
That's what I don't get... why the hell Supermicro? As ubiquitous as their servers are, they're not exactly the biggest company.. if this was just a smear campaign. I could see someone attacking them to get to their clients though.
Their stock took a 41% drop over night...so take a guess.
#20
cdawall
where the hell are my stars
TheLostSwede said:
If you read the original source article, you would quickly understand that the said spy chips were only installed on very specific boards that had a chance to end up with very specific customers. They're not all on all Supermicro products.

Supermicro would obviously deny this, especially as their stock price has dropped 41% since this story broke.
So they redesign the whole board for these specific customers? That's why I asked about the traces for it specifically.
#21
Xzibit
RCoon said:
Bloomberg has both government and corporate sources. And there is some evidence. In 2016 Apple dumped 7000 supermicro servers very suddenly and no longer does business with them. Amazon also abruptly sold off a Chinese data server.
One of the outlets reported on the sources:
  • Two Amazon employees
  • Three Apple employees
  • Six intelligence agency officials
  • Six other people that Bloomberg says confirmed various different aspects of the story
newtekie1 said:
A mystical 3rd party auditor according to Bloomberg. But AWS and Elemental are who hired the auditor, so they can't really truthfully say they didn't find anything if someone they allegedly hired in fact did.
WT?

Amazon
We’ve re-reviewed our records relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit that we conducted in 2015 as part of our due diligence prior to the acquisition
#22
FordGT90Concept
"I go fast!1!11!1!"
hat said:
Hmm... so let's pretend for a moment there really isn't anything there. Why would someone make this up? Could it be another CTS Labs type deal, attempting to besmirch Supermicro's name? Political motivations (big bad China, Red Scare Round 2)?
Soften their shares for buyout.
newtekie1 said:
Their stock took a 41% drop over night...so take a guess.
Yeah, that.

R0H1T said:
What about the NSA or US govt, do they audit such products, especially when they're used by their agencies or contractors?
Doubt US government does any business with SuperMicro. They buy from HP, Dell, IBM, etc. and if those OEMs used SuperMicro components, the hammer would fall on HP/Dell/IBM, not SuperMicro, because SuperMicro doesn't hold the government contract.
#23
hat
Enthusiast
Wouldn't such a buyout be suspicious, then? Pretty sure that would be illegal... but also hard to prove.
#24
FordGT90Concept
"I go fast!1!11!1!"
SuperMicro is a Taiwanese company, US law doesn't apply.