CYBER COPS at the UK's National Cyber Security Centre (NCSC) say they have no reason to doubt denials by Amazon and Apple that they knew about a supply chain compromise in which hardware destined for US companies was secretly implanted with microchips in China.
Last week, Bloomberg reported that Chinese intelligence authorities had placed tiny spy chips on Chinese-made motherboards used in Supermicro servers purchased by 30 American companies including Amazon and Apple, as well as governmental organisations.
This, the article claimed, allowed the Chinese authorities to eavesdrop on the affected organisations, stealing secrets, designs and strategies.
The Chinese government denied the accusations, saying it was the victim of supply-chain attacks, not a perpetrator. Meanwhile, both Apple and Amazon disputed the Bloomberg article's claims that they had known about the hidden microchips but had chosen to deal with the issue internally rather than going public.
"It's untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental," Amazon told Bloomberg, referring to a decision not to acquire video streaming firm Elemental Technologies, which the article alleged was using compromised Supermicro servers.
The Bloomberg piece quoted unnamed senior Apple staff who claimed that "in the summer of 2015, [Apple], too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons."
Apple, previously a major Supermicro customer, denied that its decision to change suppliers had anything to do with the hidden chips. "Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server," it said in a statement.
The statement added that Apple was unaware of any investigation into the supply chain attack.
NCSC has said it has no reason to doubt Amazon's and Apple's version of events. An NCSC spokesperson said on Friday: "We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple.
"The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us."
NCSC's statement did not question the credibility of the report of the compromise itself.