Apple, Amazon deny servers affected by China microchip plot

After reports that China’s People’s Liberation Army (PLA) slipped microchips into Supermicro motherboards, creating a backdoor that could be used by hackers to obtain information stored on servers around the globe, both Apple and Amazon deny that their servers were affected.

“On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” the company said in a statement that also refuted a Bloomberg report’s claim that Apple had reported the chips to authorities. “Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are any of our contacts in law enforcement.”

The company also pushed back on claims that Siri and Topsy shared servers.

“Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000,” Apple said. “None of those servers has ever been found to hold malicious chips.”

Apple said it inspects all servers for security vulnerabilities before they go into production and updates “all firmware and software with the latest protections.”

Amazon, too, denied that it had discovered chips in Supermicro motherboards. “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental [Media, which Amazon acquired in 2015] or Amazon systems,” Amazon said in a statement. “Nor have we engaged in an investigation with the government.”

The company said it did “a lot of due diligence” with its internal security team and used an external security company for an assessment before acquiring Elemental.

“That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed,” Amazon said. “This was the sole external security report commissioned.”

The company stressed its “stringent security standards across our supply chain,” which include investigating “all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners.”

The companies’ denials found support from the National Cyber Security Centre of the British GCHQ. “We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,” the NCSC said in a statement to Reuters. “The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us.”
