Although it may feel like the industry is “beating a dead horse,” the impacts of the Bloomberg Businessweek hardware hack article are still being felt. As a result, Supermicro, as it stated it would, commissioned a third party to audit its products in search of the implausible spy chip. The results are what we expected, but it is another step in the process.
We were the first major site to call into question Bloomberg’s reporting immediately after the piece broke. Bloomberg Reports China Infiltrated the Supermicro Supply Chain We Investigate. Bloomberg tried bolstering its story with a follow-up piece and we fact-checked them using their own source Yossi Appleboum on How Bloomberg is Positioning His Research Against Supermicro. Finally, Apple’s Tim Cook, AWS, Supermicro, various government agencies, and all of the named sources in Bloomberg’s article have disavowed its accuracy which we highlighted in a broader piece Investigating Implausible Bloomberg Supermicro Stories.
At this point, the story should be dead. The damage of Bloomberg’s story which now has no external corroboration has been done. It is time for the SEC to investigate those who materially benefited from such a story such as the investment firms, authors, editors, publisher, and others who benefited from the publication and lack of timely retraction. It is one thing to publish a mistake. Mistakes happen. It is another to refuse to publish a timely retraction on a false article.
There is not much more to be said on this until we see a retraction from Bloomberg. The publishing house seems to have another editorial team trying to save the story doing another investigation on Supermicro but their first story, as written, seems to be untrue fake news.
Supermicro CEO Letter on 3rd Party Testing
Here is Charles Liang, Supermicro CEO’s, letter to its employees, suppliers, and customers about the 3rd party audit they commissioned:
December 11, 2018
Testing Finds No Malicious Hardware on Supermicro Motherboards
Dear Valued Customer,
Recent reports in the media wrongly alleged that bad actors had inserted a malicious chip or other hardware on our products during our manufacturing process.
Because the security and integrity of our products is our highest priority, we undertook a thorough investigation with the assistance of a leading, third-party investigations firm. A representative sample of our motherboards was tested, including the specific type of motherboard depicted in the article and motherboards purchased by companies referenced in the article, as well as more recently manufactured motherboards.
Today, we want to share with you the results of this testing: After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards.
These findings were no surprise to us. As we have stated repeatedly, our process is designed to protect the integrity and reliability of our products. Among other safeguards:
- We test our products at every step of the manufacturing process. We test every layer of every board we manufacture throughout the process.
- We require that Supermicro employees be onsite with our assembly contractors, where we conduct multiple inspections, including automated optical, visual, electrical, and functional tests.
- The complexity of our motherboard design serves as an additional safeguard. Throughout our supply chain, each of our boards is tested repeatedly against its design to detect any aberration and to reject any board that does not match its design.
- To guard against tampering, no single employee, team, or contractor has unrestricted access to our complete board design.
- We regularly audit our contractors for process, quality, and controls.
We appreciate the industry support regarding this matter from many of our customers, like Apple and AWS. We are also grateful for numerous senior government officials, including representatives of the Department of Homeland Security, the Director of National Intelligence, and the Director of the FBI, who early on appropriately questioned the truth of the media reports.
As we have stated repeatedly since these allegations were reported, no government agency has ever informed us that it has found malicious hardware on our products; no customer has ever informed us that it found malicious hardware on our products; and we have never seen any evidence of malicious hardware on our products.
Today’s announcement should lay to rest the unwarranted accusations made about Supermicro’s motherboards. We know that many of you are also addressing these issues with your own customers. To assist in those conversations, we have prepared a short video that highlights our quality assurance process.
We appreciate your patience as we have diligently conducted a thorough investigation into the reports. We are truly proud of the security, integrity, and quality of our products. And we are proud to stand by our products. Please contact our team if you have any questions.
President & CEO
SVP and Chief Compliance Officer
SVP and Chief Product Officer