US DHS and UK's NCSC defend Apple and Amazon's denial of China spy chip infiltration


The US Department of Homeland Security and the UK's National Cyber Security Centre have both backed Apple's and Amazon's denials of claims that their servers were infiltrated by chips facilitating Chinese surveillance.

"The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story," the DHS stated in response to an investigation by Bloomberg that claimed China had managed to infiltrate a major US server component supply chain with surveillance chips.

"Information and communications technology supply chain security is core to DHS's cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely."

That statement followed the response of the National Cyber Security Centre, which told Reuters: "We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple."

"The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us," it added.

That does not categorically rule out the possibility of Chinese spying chips being planted on motherboards from server parts supplier Supermicro. But it does suggest that neither Apple nor Amazon fell foul of China's alleged attempt to infiltrate a significant US technology supply chain.

The statements from the DHS and NCSC also suggest that there has been no official investigation into China's alleged hardware surveillance, though it is worth noting that any ongoing investigation may be kept under wraps by the investigating agencies so as not to tip off the potential infiltrators, state-sponsored or otherwise.

Apple also issued a letter to Congress, reiterating that it had found no evidence of tampering in its servers. Apple's VP for IT Security, George Stathakopoulos, wrote that "Apple's proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found".

Bloomberg has thus far stood by its report, which cites multiple unnamed sources; their anonymity is more likely a consequence of whistleblowing than a sign of questionable legitimacy.

But without any official backing, the publication's investigation has been called into question, and further evidence will likely be needed if the report is going to prompt any major cyber security investigations by official bodies.

05/10/18: China allegedly infiltrated US companies with a tiny spy chip

Chinese operatives have allegedly conducted clandestine snooping on major US companies by inserting "malicious chips" into the widely used Supermicro motherboards, Bloomberg has discovered.

Through several steps in the supply chain, Supermicro motherboards have ended up being used in the servers of US companies, notably Amazon and Apple, though the latter severed its ties with the component supplier in 2016.

According to the in-depth report, three "senior insiders at Apple" said that in summer 2015, the company found the spying chips on the Supermicro motherboards it uses.

However, Apple has since denied this in a statement to Bloomberg: "On this we can be very clear: Apple has never found malicious chips, hardware manipulations, or vulnerabilities purposely planted in any server."

But in summer 2015, Apple began removing all Supermicro servers from its data centres, which would suggest that there was indeed a malicious chip in them, though Apple also denies this.

In Amazon's case, the report claims the spying chips found their way into its servers used for Amazon Web Services (AWS), through the acquisition of server assembler Elemental, which used Supermicro motherboards and provided servers to US national security.

In a due diligence process ahead of completing the acquisition, testing of Elemental's servers reportedly revealed the existence of a microchip around the size of a grain of rice that was not part of the server's motherboard design.

But Amazon told Bloomberg that despite the comments of the sources it had no knowledge of the spying chips on Elemental's servers.

"It's untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental," said Amazon.

However, Amazon had reportedly alerted US authorities to the presence of the malicious chip, given Elemental's servers could be found in the Department of Defense data centres and on the networks of US Navy warships.

This then prompted a top-secret probe, which found that the chips allowed a clandestine backdoor to be created into any network that used servers with the tiny spying chip on board. That investigation revealed that nearly 30 US companies had ended up with infected servers.

According to multiple Bloomberg sources, these chips got into Supermicro motherboards due to the San Jose-based company's use of Chinese subcontractors.

Two US officials, according to Bloomberg, noted that after a lengthy investigation it was concluded that this infection of a major US computer supply chain was orchestrated by China's People's Liberation Army, with the ultimate goal to spy on US government activity.

Somewhat unsurprisingly, China has denied this is the case and noted it too was a victim of such snooping.

Despite the rebuttals of the report, Bloomberg noted that "six current and former senior national security officials" described the discovery of the spying chips through a government investigation. "Two people inside AWS" also provided "extensive information on how the attack played out at Elemental and Amazon", and, alongside the three Apple insiders, four of the six US officials confirmed Apple was indeed a victim of China's alleged spying activity.

Clandestine chip claims refuted

Despite the apparently solid and detailed evidence Bloomberg presented, Apple and Amazon both published lengthy statements denying the presence of the malicious chip and stating that Bloomberg's report is incorrect.

"Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg's story relating to Apple," Apple said, noting it has no knowledge of any US government investigation into the matter.

"We did not uncover any unusual vulnerabilities in the servers we purchased from Super Micro when we updated the firmware and software according to our standard procedures," Cupertino added.

"We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."

Amazon also refuted Bloomberg's report highlighting what it claims to be major inaccuracies in an "erroneous" article.

"As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government," said Steve Schmidt, chief information security officer at Amazon.

Meanwhile, Supermicro denied any knowledge of the issue or investigation: "While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue."

In previous cases, the responses companies put out at the beginning of such security revelations have normally been vague and lacking in detail. But in this example, all three companies, and Apple in particular, have been detailed and assertive in their responses, which raises questions about the validity of Bloomberg's report and whether some misinformation led it to the conclusions in its report.

Supply chain infiltration

Despite the denials of the major companies, it would appear that there is still considerable evidence to suggest that servers belonging to Amazon and Apple were infected with the spying chips, and that, if the report does stand up to scrutiny, the compromising of Supermicro would be one of the largest attacks ever against the US server supply chain.

The malicious chips themselves were not found to be extracting any data from infected servers, but appeared to be contacting an external source for check-in communications, indicating that they were either waiting to be used in a backdoor-related cyber attack or that the snooping had already begun before the chips were detected.

Infecting a supply chain at the hardware level is an extremely complex process, one that requires deep knowledge of the target nation's supply chain and considerable resources to pull off. As such, it would likely take a nation-state-sponsored group to carry out such an operation, particularly as Bloomberg's report noted that Chinese subcontractors were subject to bribes, pressure and threats from middlemen allegedly working for the People's Liberation Army.

But detecting the presence of the breaches in supply chains is equally challenging, as Bloomberg reported that experts have said there is no commercially viable way to detect malicious chips.

Companies could use fewer servers and check each one in detail, but that is time-consuming and could leave them short on resources. Alternatively, they could acquire the resources they need but knowingly take on the risk of not carrying out granular investigations into each piece of hardware they acquire. In short, there is no straightforward solution to the problem, particularly when so many technology firms and their enterprise customers rely on parts made in China.
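Physically finding an implant is, as the article says, not commercially viable at scale, but the behaviour described above (a server periodically "checking in" with an external host) is observable on the network, which is the kind of outbound-traffic monitoring Apple's letter to Congress refers to. The following is an added example, not code from Bloomberg, Apple, Amazon or Supermicro: a small beaconing detector that reads egress connection records, ignores destinations on an allow-list, and flags source/destination pairs whose connection intervals are suspiciously regular. The log lines, IP addresses, the allow-list and the thresholds (`min_connections`, `max_jitter`) are all constructed assumptions for the demonstration.

```python
"""Flag low-jitter periodic outbound connections ("check-ins") in an egress log.

Added illustrative example; not code from any company named in the article.
Every address, port, timestamp and threshold below is constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>".
# 10.20.0.11 contacts 198.51.100.23 almost exactly hourly with a tiny payload;
# 10.20.0.12 has irregular, bulky web traffic; both poll an internal NTP host.
SAMPLE_LOG = """\
2018-10-04T00:00:03 10.20.0.11 198.51.100.23 443 412
2018-10-04T00:00:10 10.20.0.11 10.0.0.5 123 76
2018-10-04T00:41:18 10.20.0.12 203.0.113.8 443 9031
2018-10-04T01:00:02 10.20.0.11 198.51.100.23 443 408
2018-10-04T01:17:44 10.20.0.12 203.0.113.8 443 12210
2018-10-04T01:23:09 10.20.0.11 10.0.0.5 123 76
2018-10-04T02:00:04 10.20.0.11 198.51.100.23 443 415
2018-10-04T02:55:30 10.20.0.12 203.0.113.8 443 3300
2018-10-04T03:00:01 10.20.0.11 198.51.100.23 443 410
2018-10-04T03:02:27 10.20.0.11 10.0.0.5 123 76
2018-10-04T04:00:03 10.20.0.11 198.51.100.23 443 413
2018-10-04T04:48:12 10.20.0.12 203.0.113.8 443 15877
"""

# Hypothetical allow-list of internal services a server legitimately polls
# (an internal NTP server here); everything else counts as external.
ALLOWED_DESTINATIONS = {"10.0.0.5"}


def parse_log(text):
    """Parse the whitespace-separated log format above into flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def find_beacons(flows, allowed=ALLOWED_DESTINATIONS, min_connections=4, max_jitter=0.05):
    """Return (src, dst, port) groups whose inter-connection intervals are periodic.

    Jitter is the population standard deviation of the intervals divided by
    their mean; human- or job-driven traffic is bursty (high jitter), while a
    timer-driven check-in has a near-constant interval (jitter close to 0).
    """
    by_pair = defaultdict(list)
    for f in flows:
        if f["dst"] in allowed:
            continue
        by_pair[(f["src"], f["dst"], f["port"])].append(f)

    findings = []
    for (src, dst, port), group in by_pair.items():
        if len(group) < min_connections:
            continue  # too few samples to call anything periodic
        group.sort(key=lambda f: f["ts"])
        intervals = [(b["ts"] - a["ts"]).total_seconds()
                     for a, b in zip(group, group[1:])]
        avg = mean(intervals)
        jitter = pstdev(intervals) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(group),
                "period_s": round(avg),
                "jitter": round(jitter, 4),
                "avg_bytes": round(mean(f["bytes"] for f in group)),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible check-in: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every ~{hit['period_s']}s, jitter {hit['jitter']}, "
              f"~{hit['avg_bytes']} bytes/connection over {hit['connections']} connections")
```

On the constructed log this reports only the hourly 10.20.0.11 to 198.51.100.23 connection (period 3600 s, jitter well under 1%, roughly 412 bytes per connection), while the irregular web traffic and the allow-listed NTP polling pass. The design choice worth noting is that the detector needs no knowledge of the implant or its protocol, only an inventory of what each server is expected to talk to; the allow-list is the part that must be maintained carefully, because a permissive one hides exactly the traffic this is meant to surface.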

"In this case, the adversary would be tampering with a component that plays a troubleshooter role within systems and data centres. This means that this small component among dozens has high levels of access to any number of other components and processes across dozens of systems," Steve Grobman, chief technology officer at McAfee told IT Pro in a statement.

"If an adversary was to break the design chain of trust here, it enables him to implant logic or instructions that could enable him to spy on us undetected. He could access tremendous amounts of data from those other links and gain tremendous insights about organizations and people reliant upon them."

Grobman noted that a degree of caution, and to a certain extent paranoia, is needed when assessing the potential for breaches of supply chain cyber security.

"In cyber security, we already face the challenge of vulnerabilities that were accidentally introduced into products. We must never forget to question what an adversary might do to tamper with supply or design chains, even in areas such as open source software, where an adversary could introduce defects that practically an entire industry might use for many years," he said. "We need greater levels of transparency around technology design. We need greater visibility into what different components do, and how. We need greater visibility into what they should and shouldn't be doing. There needs to be a greater understanding and effort to secure the most sensitive components of every technology upon which we rely every day."

How exactly that could be achieved isn't clear, but this case highlights that cyber security and advanced hacking techniques are very much the future of clandestine activity and, potentially, warfare.

Roland Moore-Colyer
