APPLE AND AMAZON MAY HAVE DENIED the presence and indeed knowledge of any Chinese spying chips on their servers, but a US telecoms firm found the sneaky slices of silicon on one of its servers.
Bloomberg first published a report last week detailing how Chinese intelligence had managed to sneak surveillance chips into the server motherboards provided by US company Supermicro, which provides server components to some of the largest US firms.
Unnamed sources from Apple, Amazon, and US authorities had informed Bloomberg of the presence of the spy chips and a US investigation into the situation. But Apple and Amazon, vehemently refuted the story, with the US Department of Homeland Security supporting the two tech firms' claims. Supermicro also said it wasn't aware of any investigation.
This cast doubt on the Bloomberg report. But now the news outlet has another report citing that security expert Yossi Appleboum, who works as a contractor for a "major US" telecoms firm has said, on the record, that the claims in the original report are correct and that the company found a surveillance device implanted into the Ethernet port of one of its servers made by Supermicro.
Under a non-disclosure agreement with the telecoms firm, Appleboum can't name it, but he provided Bloomberg with documentation that supports the discovery of a spying device.
From inspecting the device Appleboum figured out that it got onto the server's Ethernet port from being modified at the factory where it was manufactured. Said factory appears to be one in Guangzhou, China, which Supermicro uses as a subcontractor.
"The module looks really innocent, high quality and 'original' but it was added as part of a supply chain attack," said Appleboum.
It was unclear what data the spying device might have sucked up and Bloomberg noted it doesn't know if the telecoms firm contacted the FBI to report the situation, as the FBI has declined to comment.
But Appleboum said he contacted agencies outside of the US which have apparently been tracking such hardware manipulation for some time.
Supermicro, however, had some stuff to say that threw some shade at Bloomberg.
"We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found," Supermicro said. "We are dismayed that Bloomberg would give us only limited information, no documentation, and half a day to respond to these new allegations."
The plot to this story looks to be thickening all the time, and we're sure that more investigations will throw up more twists as time goes on. µ
We should be shocked, but...
But the search giant has now squashed the bug
But it's not yet available here in Blighty