Both Apple and Amazon are vehemently denying claims that their servers were compromised by Chinese spies following an explosive report from Bloomberg on Thursday. The report claims that spies were able to infiltrate some of the country’s biggest tech companies by inserting microchips the size of “a grain of rice” into Chinese-manufactured servers that are part of the tech giants’ infrastructure. The report alleges that the companies discovered the chips on their own and notified US authorities, but both Apple and Amazon dispute that any of the claims cited in the story are founded in reality.
The responses are heavily detailed, denying the Bloomberg report point-by-point. It’s something these companies rarely, if ever, do. Most statements following the discovery of security flaws or public backlash only ever acknowledge the concerns and make vague promises on behalf of consumer privacy.
After the Celebgate iCloud breach, for example, which included leaks of prominent celebrities’ nude photos, Apple’s response was one of minor outrage and a simple refutation of any security flaws. Amazon was met with a separate but similarly detrimental exploit in 2014, when researchers discovered that, by way of the Heartbleed bug, websites hosted on Amazon Web Services (AWS) had the potential to leak sensitive information like credit card numbers. Amazon’s response to Heartbleed was simply, “AWS is aware of the HeartBleed Bug (CVE-2014-0160) in OpenSSL and investigating any impact or required remediation. We will post back when we have more detail.”
But in this case, Apple and Amazon are denying it all. According to the companies, this infiltration never happened, and they’ve been telling Bloomberg that for a very long time.
Some highlights from the responses released by Amazon, Apple, and the Chinese server manufacturer Supermicro are listed below:
We’ve re-reviewed our records relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit that we conducted in 2015 as part of our due diligence prior to the acquisition. We’ve found no evidence to support claims of malicious chips or hardware modifications.
. . .
. . .
These assertive statements are leading national security experts to question who exactly is telling the truth. If the Bloomberg story checks out, Amazon and Apple would seem to be lying and invalidating a potential national security risk.
“If anything, there are only official denials on the story and the lack of technical details doesn’t really favor the conclusions from a technical standpoint,” said Andrea Barisani, head of hardware security at F-Secure, an antivirus and cybersecurity company. “It is certainly possible to mount supply chain attacks that can affect the security of COTS (Commercial Off The Shelf) hardware, albeit posing notable implementation difficulties.”
I have to say, this is all really bizarre. The Bloomberg story is very detailed, citing documents and inside sources. But the company denials are also detailed and emphatic. You don't often see the latter when a company is trying to hide something or be coy. https://t.co/qjA1TFKzZ3
— Kim Zetter (@KimZetter) October 4, 2018
No one in Congress has called for an investigation into these allegations, but Republicans and Democrats alike have been wary of Chinese hardware use within the country’s borders.
Ultimately, allegations this specific met with explicit denials like these may warrant further investigation. A deeper look into this potential attack wouldn’t be the first time members of Congress have criticized the use of Chinese hardware within the US. Over the summer, senators decided to include an amendment to a must-pass defense authorization bill banning the use of products by two other Chinese manufacturers (ZTE and Huawei) by government officials and contractors, citing national security concerns.