Denials Surround Reports of Amazon, Apple Server Hacks

A hack of unnerving size and scope … or … much ado about nothing?

Amid the controversy are some very big names. You might know a few of them, such as Apple, Amazon and a host of others – all told, 30 companies based in the United States.

Reports came via Bloomberg Thursday (Oct. 4) that hardware, specifically data center hardware, allegedly was set up with microchips via motherboards built by Super Micro, which in turn were used in surveillance activities. How did the chips get in? Bloomberg said that people masquerading as Super Micro employees at factories (the company has operations in China and Taiwan) pushed for design changes to the motherboard to allegedly include the chips.

Bloomberg’s sources, anonymous, were individuals from the corporate and government realms.

The bounty was intellectual property and trade secrets, said Bloomberg, while no consumer data had been targeted.

The denials came swiftly, via Apple and from Amazon, and those two firms said they did not find evidence of wrongdoing. As Amazon said, it found “no evidence to support claims of malicious chips or hardware modifications.”

China? The country has said that it is a “resolute defender of cybersecurity.”

In one case, the reaction was rather swift, at least among investors. Super Micro said it has not been behind the alleged activities, and on Thursday its shares were trading down over 50 percent.

According to Bloomberg, the chips-as-surveillance effort had been first discovered by Apple more than three years ago, in May 2015, and was disclosed to the FBI. Amazon also was in touch with authorities, claim the initial Bloomberg reports, and reportedly dropped Super Micro from its supply chain two years ago.

In statements Thursday, Apple said that “over the course of the past year, Bloomberg has contacted us multiple times with claims” of security incidents. “We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple,” said the statement. “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”

In further comment relayed by CNBC, Apple said that “we are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.”

Super Micro said in its own statement that “while we would cooperate with any government investigation, we are not aware of any investigation regarding this topic, nor have we been contacted by any government agency in this regard,” Super Micro said in a statement. “We are not aware of any customer dropping Super Micro as a supplier for this type of issue.”