On Thursday, Bloomberg published a bombshell article uncovering an extraordinary hardware hacking effort by state-sponsored Chinese agents. “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies” details successful efforts by the People’s Liberation Army (PLA) to implant tiny chips into the motherboards of servers made by Super Micro, to compromise those systems and give them access. It’s an extensive piece of reporting, too complex to fully summarize here. To really understand all the details, you should read the original article.
Citing many sources both inside affected companies and the U.S. government, the article explains that the PLA infiltrated Super Micro or its suppliers to sneak tiny hardware chips—as small as the tip of a sharpened pencil—into server motherboards. Super Micro is one of the world’s largest producers of such hardware, supplying hardware used by the Department of Defense, Department of Homeland Security, NASA, Congress, and of many of the world’s largest companies. The attack ultimately reached almost 30 companies, Bloomberg claims.
The Apple connection
The Bloomberg piece alleges that Apple was one of the victims of the hardware hacking scheme.
Apple, for its part, has used Super Micro hardware in its data centers sporadically for years, but the relationship intensified after 2013, when Apple acquired a startup called Topsy Labs, which created superfast technology for indexing and searching vast troves of internet content. By 2014, the startup was put to work building small data centers in or near major global cities. This project, known internally as Ledbelly, was designed to make the search function for Apple’s voice assistant, Siri, faster, according to the three senior Apple insiders.
Documents seen by Businessweek show that in 2014, Apple planned to order more than 6,000 Super Micro servers for installation in 17 locations, including Amsterdam, Chicago, Hong Kong, Los Angeles, New York, San Jose, Singapore, and Tokyo, plus 4,000 servers for its existing North Carolina and Oregon data centers. Those orders were supposed to double, to 20,000, by 2015. Ledbelly made Apple an important Super Micro customer at the exact same time the PLA was found to be manipulating the vendor’s hardware.
Ultimately, Bloomberg says, Apple had deployed about 7,000 Super Micro servers when the company’s security team found the tiny hidden added chips. It claims Apple discovered the compromised servers in 2015 and reported the issue to the FBI, but “kept details about what it had detected tightly held, even internally.” The article cites an unnamed U.S. official who says that Apple didn’t allow government investigators to access its facility or the hardware in question.
Bloomberg published responses to its story from Amazon, Apple, Super Micro, and the Chinese Ministry of Foreign Affairs. Apple’s response is detailed and forceful in its denial:
Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers has ever been found to hold malicious chips.
As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections. We did not uncover any unusual vulnerabilities in the servers we purchased from Super Micro when we updated the firmware and software according to our standard procedures.
We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.
While there has been no claim that customer data was involved, we take these allegations seriously and we want users to know that we do everything possible to safeguard the personal information they entrust to us. We also want them to know that what Bloomberg is reporting about Apple is inaccurate.
Apple has always believed in being transparent about the ways we handle and protect data. If there were ever such an event as Bloomberg News has claimed, we would be forthcoming about it and we would work closely with law enforcement. Apple engineers conduct regular and rigorous security screenings to ensure that our systems are safe. We know that security is an endless race and that’s why we constantly fortify our systems against increasingly sophisticated hackers and cybercriminals who want to steal our data.
This is probably only the beginning
As a company that has made privacy and security a core part of its identity, Apple has a lot to lose from a big hacking scandal, even if one of its server suppliers deserves most of the blame. It’s also the world’s most valuable publicly traded company, and could suffer serious penalties from misrepresenting the facts of serious security issues like this.
Apple’s statement leaves little room for interpretation. The company claiming that it “has never found malicious chips, hardware manipulations, or vulnerabilities purposely planted in any server” is totally unambiguous, as is the assertion that the company never had contact with the FBI or any other agency about it.
Bloomberg, for its part, says that it has detailed accounts from three Apple insiders and four of six U.S. officials that confirm Apple was a victim.
Given the seriousness of the report, and the potential financial, legal, and diplomatic fallout from it, it is likely we’ll hear a lot more about it in the coming days and weeks.