A new report by Bloomberg Businessweek has alleged that Chinese spies hacked into almost 30 American companies, including Amazon and Apple, by entering their supply chain and adding tiny microchips to the computers that these companies were buying for their servers. According to the report, 17 people have confirmed this information. Since then, however, both Amazon and Apple have specifically denied the allegations, including the statements attributed to three alleged Apple insiders.
Due to the lack of forensic evidence, most security experts say that, right now, it's not possible to determine whether the allegations hold up, but most also agree that the details appear to be at least plausible.
According to the report, the data centre hardware purchased by the US firms from a company called SuperMicro had been fitted with special surveillance microchips. One of the government officials Bloomberg spoke to said that China's goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen. The issue was reportedly first discovered by Apple—and reported to the FBI—in 2015, and then Amazon also found the chip independently and reported it to the authorities.
The servers, the report added, were also being used by many organisations in the US security apparatus. The microchip allegedly gave access to any network that includes the affected machines, a hack that was potentially implemented at the time of manufacturing, in China. As the report noted, China makes the vast majority of the world's hardware, giving it a big advantage over any other country that wants to compromise hardware meant for use in secure facilities. And because the hack is at the hardware level, it's far less likely to be detected.
Although Bloomberg spoke to many insiders and government officials, it did not have access to the modified motherboards with the suspect microchips, and has not been able to carry out a forensic analysis of the attack itself. Amazon and Apple have strongly denied the incident, with detailed responses rather than blanket statements. This is unusual, and has raised some concerns about the report.
In a blog post, Steve Schmidt, Amazon's chief information security officer, said that the details in the report are untrue. "At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government." He denied that an external security had raised red flags about the hardware either, and wrote: "Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us)."
Apple also made a public response: "On this we can be very clear: Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement."
Noting that it had already denied the events to Bloomberg in the course of reporting the story, Apple added: "Finally, in response to questions we have received from other news organizations since [Bloomberg] Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations."
Amid strong denials and a lack of forensic evidence, it's not possible for third parties to comment on how accurate the report is. However, the attack as detailed in the report is certainly possible, and highlights the dangers of relying purely on digital security. The way global supply chains are now set up, even technology giants rely on small companies around the world to provide critical hardware, and if that is compromised in some way, it can have devastating results.