Apple and Amazon denied that they were targets of Chinese spying, after a report Thursday alleged surveillance microchips had been inserted into their data center equipment during the manufacturing process.
The spy chips were allegedly used to gather intellectual property and trade secrets from the iPhone maker and Amazon Web Services, an Amazon subsidiary that provides cloud computing services, according to Bloomberg Businessweek. The chips were found in servers assembled in China for a US company called Super Micro, according to the report, and could have been subject to a secret US government investigation that began in 2015.
Apple, AWS, Super Micro and China's Ministry of Foreign Affairs dispute the report, which cites anonymous government and corporate sources. Each of their denials was included in the Bloomberg story.
The report comes against a backdrop of growing concern over potential surveillance and security issues in Chinese-made equipment that has hindered the country's bid to become a global technology powerhouse. The Australian government, for instance, 5G network in August. Meanwhile, President Donald Trump that would be free of the possibility of overseas interference.from building the country's
On Saturday, the US Department of Homeland Security said it was aware of the reports of compromised supply chains in the technology industry. However, "at this time we have no reason to doubt the statements from the companies named in the story," the department said in its statement.
In a statement to Bloomberg, Apple suggested its reporters may have confused an earlier incident that involved an infected driver on a single Super Micro server at one of its labs for a new event.
"That one-time event was determined to be accidental and not a targeted attack against Apple," the iPhone maker was quoted as saying.
CNET also received a statement from Apple that said the company took the report seriously. It stressed there was no suggestion customer data was affected.
"Apple has always believed in being transparent about the ways we handle and protect data," the company said. "If there were ever such an event as Bloomberg News has claimed, we would be forthcoming about it and we would work closely with law enforcement."
On Sunday, Apple sent a letter to committees in the US Congress saying that it had found no evidence of a hacking incident, according to the Reuters news agency, which saw a copy of the letter. "Apple's proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found," the letter reportedly said.
Apple didn't immediately respond to a request for comment on the letter.
Similarly Amazon told Bloomberg that it had found "no evidence" indicating the presence of malicious hardware at its sites.
"At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems," an AWS spokesperson added in a statement emailed to CNET. Elemental is a video-compression company that Amazon purchased as part of its effort to expand streaming services.
In the statement, which is also posted online, Steve Schmidt, Amazon's chief information security officer, dismissed the Bloomberg report. "There are so many inaccuracies in this article as it relates to Amazon that they're hard to count," he wrote.
Bloomberg stands by its story
The Bloomberg story noted that "six current and former senior national security officials" -- members of both the Obama and Trump administrations -- offered details of the discovery of the chips and a government investigation into the matter.
"We stand by our story and are confident in our reporting and sources," a Bloomberg News spokesperson said in a statement provided to CNET.
Four of the US government officials and three Apple insiders reportedly confirmed the company fell victim to the chips, while one official and two people in AWS reportedly offered information on how it impacted Amazon, according to the Bloomberg story. Amazon cooperated with a US government investigation, according to two of the people cited in the story.
The report says 17 people confirmed that Super Micro's hardware was "manipulated." The sources weren't named because the information was sensitive and, in some cases classified, the story said.
Bloomberg said Amazon had sold off its data centers in China to Beijing Sinnet for about $300 million because it had been compromised by the chips. Amazon's Schmidt denied the motivation, saying the sale was prompted by a"transfer-of-assets agreement" required by new Chinese regulations.
In a statement posted on Thursday afternoon, Super Micro joined Amazon and Apple in denying the article. The company said it hadn't been contacted by government agencies about Chinese spies compromising its motherboards. It added that it's never found malicious chips on its own.
A spokesperson for China's foreign ministry told Bloomberg that the country is a defender of cybersecurity.
"We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace," the spokesperson said.
The Chinese foreign ministry did not immediately responded to requests for further comment.
You can read Apple, Amazon and Super Micro's full statements here:
Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg's story relating to Apple.
On this we can be very clear: Apple has never found malicious chips, "hardware manipulations" or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
In response to Bloomberg's latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers have ever been found to hold malicious chips.
As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections. We did not uncover any unusual vulnerabilities in the servers we purchased from Super Micro when we updated the firmware and software according to our standard procedures.
We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.
While there has been no claim that customer data was involved, we take these allegations seriously and we want users to know that we do everything possible to safeguard the personal information they entrust to us. We also want them to know that what Bloomberg is reporting about Apple is inaccurate.
Apple has always believed in being transparent about the ways we handle and protect data. If there were ever such an event as Bloomberg News has claimed, we would be forthcoming about it and we would work closely with law enforcement. Apple engineers conduct regular and rigorous security screenings to ensure that our systems are safe. We know that security is an endless race and that's why we constantly fortify our systems against increasingly sophisticated hackers and cybercriminals who want to steal our data.
Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media's hardware at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS's China Region.
As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.
There are so many inaccuracies in this article as it relates to Amazon that they're hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).
The article also claims that after learning of hardware modifications and malicious chips in Elemental servers, we conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data center. This claim is similarly untrue. The first and most obvious reason is that we never found modified hardware or malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers in any of our data centers. And, this notion that we sold off the hardware and datacenter in China to our partner Sinnet because we wanted to rid ourselves of SuperMicro servers is absurd. Sinnet had been running these data centers since we launched in China, they owned these data centers from the start, and the hardware we "sold" to them was a transfer-of-assets agreement mandated by new China regulations for non-Chinese cloud providers to continue to operate in China.
Amazon employs stringent security standards across our supply chain - investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners. We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment.
Security will always be our top priority. AWS is trusted by many of the world's most risk-sensitive organizations precisely because we have demonstrated this unwavering commitment to putting their security above all else. We are constantly vigilant about potential threats to our customers, and we take swift and decisive action to address them whenever they are identified.
In an article today, it is alleged that Supermicro motherboards sold to certain customers contained malicious chips on its motherboards in 2015. Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found.
Each company mentioned in the article (Supermicro, Apple, Amazonand Elemental) has issued strong statements denying the claims:
Apple stated on CNBC, "We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Supermicro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."
Steve Schmidt, Chief Information Security Officer at Amazon Web Services stated, "As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems."
Supermicro has never been contacted by any government agencies either domestic or foreign regarding the alleged claims.
Supermicro takes all security claims very seriously and makes continuous investments in the security capabilities of their products. The manufacture of motherboards in China is not unique to Supermicro and is a standard industry practice. Nearly all systems providers use the same contract manufacturers. Supermicro qualifies and certifies every contract manufacturer and routinely inspects their facilities and processes closely.
First published Oct. 5 at 5:30 a.m. PT.
Updated Oct. 5 at 8 a.m. PT: Added more details from the Bloomberg report; at 9:44 a.m. PT: Included full statements from Apple and Amazon; at 12:31 p.m. PT: Added statement from Super Micro; at 3:03 p.m. PT: Added statement from Bloomberg News. On Oct. 6 at 9:16 p.m. PT: Added Department of Homeland Security comment. On Oct. 7 at 1:21 p.m. PT: Added mention of Apple's letter to Congress.
Corrected Oct. 19 at 4:50 p.m. PT to note that Super Micro is a US company.