Amazon and Apple victims of alleged microchip spy attack
A year-long investigation by Bloomberg has reportedly found evidence of hardware used for spying on server motherboards used by Amazon, Apple and a host of other organisations
Amazon and Apple are among 30 US companies that have experienced a hardware spy attack, according to an investigation by Bloomberg.
The attack, Bloomberg claims, was made possible by the surreptitious placement of tiny microchips on the server circuit boards that power computers and mobile devices. The boards were manufactured by California-based firm Super Micro, which makes hardware for the two tech giants and a range of other private and governmental organisations.
According to the investigation, the chips were first discovered in 2015 by AWS Elemental – formerly Elemental Technologies – a start-up that Amazon was in the process of acquiring through its cloud computing arm Amazon Web Services (AWS). As part of due diligence relating to the acquisition, Elemental’s servers, which were manufactured by Super Micro, were sent for security analysis. Testers discovered the microchips implanted in server motherboards.
The attack was made possible by the surreptitious placement of tiny microchips on the server circuit boards
Amazon allegedly reported their findings to the US authorities and a top-secret probe was launched. The investigation has so far identified 30 companies affected by the hardware attack, which include a major bank and a number of government contractors, as well as Amazon and Apple. All of the firms were using technology manufactured by Super Micro.
Super Micro is one of the world’s biggest suppliers of circuit board technology. The vast majority of its hardware is made in China, which is where Bloomberg alleges these chips were implanted. According to the report, the chips provide “long-term, stealth access” to servers and confidential information. China was well-placed to carry out the attack, said Bloomberg, as 90 percent of personal computers and 72 percent of mobile phones worldwide are manufactured there.
US officials are purportedly describing the hack as “the most significant supply chain attack known to have been carried out against American companies”.
Amazon, Apple and Super Micro have vehemently denied all knowledge of the claims set out by Bloomberg. Amazon said in a statement: “It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centres based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.”
Apple’s denial was even more forceful: “On this, we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
A spokesperson for the company also criticised Bloomberg’s investigation, stating: “We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed… we want users to know that what Bloomberg is reporting about Apple is inaccurate.”
The FBI, CIA and National Security Agency have declined to comment on the report. Bloomberg claims to have 17 sources that have corroborated the hardware attack allegations. These include insiders at Apple and Amazon, as well as senior national security officials.
The Chinese Government did not directly address the allegations in its statement, saying: “Supply chain safety in cyberspace is an issue of common concern, and China is also a victim.”
The investigation represents a significant undertaking by Bloomberg, and the legitimacy of the claims is likely to be investigated further following the release of the report. The findings also feed into a global sense of malaise concerning data security and international espionage, topics that have occupied a significant proportion of headlines in recent months.
Many of the previous allegations, however, have concerned software hacking. A hardware attack such as this represents a far more comprehensive, organised and costly undertaking and, as such, could signal involvement at the highest levels of private enterprise or government.