Although it may feel like the industry is “beating a dead horse,” the impacts of the Bloomberg Businessweek hardware hack article are still being felt. As a result, Supermicro, as it stated it would, commissioned a third party to audit its products in search of the implausible spy chip. The results are what we expected, but it is another step in the process.
We were the first major site to call into question Bloomberg’s reporting immediately after the piece broke. Bloomberg Reports China Infiltrated the Supermicro Supply Chain We Investigate. Bloomberg tried bolstering its story with a follow-up piece and we fact-checked them using their own source Yossi Appleboum on How Bloomberg is Positioning His Research Against Supermicro. Finally, Apple’s Tim Cook, AWS, Supermicro, various government agencies, and all of the named sources in Bloomberg’s article have disavowed its accuracy which we highlighted in a broader piece Investigating Implausible Bloomberg Supermicro Stories.
At this point, the story should be dead. The damage of Bloomberg’s story which now has no external corroboration has been done. It is time for the SEC to investigate those who materially benefited from such a story such as the investment firms, authors, editors, publisher, and others who benefited from the publication and lack of timely retraction. It is one thing to publish a mistake. Mistakes happen. It is another to refuse to publish a timely retraction on a false article.
There is not much more to be said on this until we see a retraction from Bloomberg. The publishing house seems to have another editorial team trying to save the story doing another investigation on Supermicro but their first story, as written, seems to be untrue fake news.
Supermicro CEO Letter on 3rd Party Testing
Here is Charles Liang, Supermicro CEO’s, letter to its employees, suppliers, and customers about the 3rd party audit they commissioned:
December 11, 2018
Testing Finds No Malicious Hardware on Supermicro Motherboards
Dear Valued Customer,
Recent reports in the media wrongly alleged that bad actors had inserted a malicious chip or other hardware on our products during our manufacturing process.
Because the security and integrity of our products is our highest priority, we undertook a thorough investigation with the assistance of a leading, third-party investigations firm. A representative sample of our motherboards was tested, including the specific type of motherboard depicted in the article and motherboards purchased by companies referenced in the article, as well as more recently manufactured motherboards.
Today, we want to share with you the results of this testing: After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards.
These findings were no surprise to us. As we have stated repeatedly, our process is designed to protect the integrity and reliability of our products. Among other safeguards:
- We test our products at every step of the manufacturing process. We test every layer of every board we manufacture throughout the process.
- We require that Supermicro employees be onsite with our assembly contractors, where we conduct multiple inspections, including automated optical, visual, electrical, and functional tests.
- The complexity of our motherboard design serves as an additional safeguard. Throughout our supply chain, each of our boards is tested repeatedly against its design to detect any aberration and to reject any board that does not match its design.
- To guard against tampering, no single employee, team, or contractor has unrestricted access to our complete board design.
- We regularly audit our contractors for process, quality, and controls.
We appreciate the industry support regarding this matter from many of our customers, like Apple and AWS. We are also grateful for numerous senior government officials, including representatives of the Department of Homeland Security, the Director of National Intelligence, and the Director of the FBI, who early on appropriately questioned the truth of the media reports.
As we have stated repeatedly since these allegations were reported, no government agency has ever informed us that it has found malicious hardware on our products; no customer has ever informed us that it found malicious hardware on our products; and we have never seen any evidence of malicious hardware on our products.
Today’s announcement should lay to rest the unwarranted accusations made about Supermicro’s motherboards. We know that many of you are also addressing these issues with your own customers. To assist in those conversations, we have prepared a short video that highlights our quality assurance process.
We appreciate your patience as we have diligently conducted a thorough investigation into the reports. We are truly proud of the security, integrity, and quality of our products. And we are proud to stand by our products. Please contact our team if you have any questions.
Sincerely,
Charles Liang
President & CEO
David Weigand
SVP and Chief Compliance Officer
Raju Penumatcha
SVP and Chief Product Officer
(Source: Supermicro)
If I recall original Bloomberg’s article, then there was a paragraph about different 3rd party factories working for supermicro in completion of boards. Only one of 4 (IIRC!) was the one producing modified boards. That means if audit just got the right board no wonder they have not found anything. Also what’s the purpose of audit which is auditing just small fraction of produced boards (if small fraction at all and not just one board from the line per every board type/kind produced!) especially when Bloomberg claims only some part of boards were modified. I kind of do not understand this supermicro movement. It’s probably not enough even to get Bloomberg sued… Strange.
Similar to @KarelG, I agree that this audit proves nothing.
Not commenting on the validity of the original Bloomberg story, but it was my understanding they were not modifying every single motherboard, but targeting a small batches of those intended for specific customers.
So even if the Bloomberg article was 100% true, this audit wouldn’t show up anything anyway.
I agree that sampling could miss the boards in question, but the one piece that stands out in my mind is that they stated “motherboards purchased by companies referenced in the article” were tested. To me this means that they pulled working boards in production at one of the named target companies and tested those. Again, it could still be missed, but one would think that if you were going to the trouble of bugging a board for installation at a major datacenter you’d want as many of those boards to be bugged as possible.
I think we need more details, just like we did with the original Bloomberg article…
The burden of proof is on Bloomberg, not Supermicro. So far we only heard conjecture, if not outright lies. They should be held to account.
Only stupids will enjoy lip-servicing like Bloomberg, but U.S. citizens and residents should understand “innocent until proven guilty,” shouldn’t they?
No wonder Trump, as the leader, needs to keep reminding stupids about fake news 😀