Following the blanket denials of its Chinese spy chips in Supermicro servers, Bloomberg is now reporting another hack in the company’s manufacturing process. This time it’s Ethernet ports in servers from a U.S. telecom company.
Bloomberg says it got the new information from security expert Yossi Appleboum. He reportedly gave Bloomberg documents and other evidence to back up the claims that China’s government had a Supermicro manufacturing subcontractor install Ethernet ports with spy technology built in.
According to the Bloomberg report,
Based on his inspection of the device, Appleboum determined that the telecom company’s server was modified at the factory where it was manufactured. He said that he was told by Western intelligence contacts that the device was made at a Supermicro subcontractor factory in Guangzhou, a port city in southeastern China.
AT&T and Sprint said they don’t use Supermicro servers, and Verizon said their servers weren’t affected. T-Mobile didn’t respond to Bloomberg’s request for a comment.
Last week Bloomberg said small spy chips were added to Supermicro servers during the manufacturing process under the orders of China’s People’s Liberation Army. Those servers ended up in about 30 U.S. companies, including Apple and Amazon, as well as several government agencies.
The chips let China’s government intercept data as it passed through the server motherboards, and to remotely control the computers. The FBI reportedly launched an investigation, although the agency has denied any knowledge of the incidents.
Apple and Amazon denied the report, too. The iPhone and Mac maker said in a statement,
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
[Key Takeaways from Apple’s Lengthy Rebuttal of Bloomberg’s ‘Chinese Spy Chip’ Story]
The names for any of the other companies that were supposedly victims of China’s spy chips have leaked, which seems surprising at this point. Even one of the security researchers Bloomberg interviewed has been questioning the report.
The questions surrounding Bloomberg’s original report leave me casting doubt on this new one. It’s possible both are right, and I highly doubt their simply fabricated stories. Odds are there are grains of truth in both, but until more supporting evidence is found I’m treating both with a healthy dose of skepticism.