
Compromised Supermicro chips reportedly infiltrated US

News roundup: A Bloomberg report claimed China infiltrated U.S. companies and government agencies through tiny Supermicro chips on motherboards. Plus, a new Telegram flaw and more.

This week, Bloomberg Businessweek published an explosive article that claimed Chinese government-backed actors have infiltrated American companies and government organizations by compromising the hardware supply chain and implanting a microchip in the motherboards of popular servers.

According to the Bloomberg report, motherboards from San Jose-based company Super Micro Computer Inc., known as Supermicro, were found to have tiny microchips nested in them that were not part of the original design.

The report claimed that a third-party security company commissioned by AWS in 2015 found the microchips hidden on the Supermicro motherboards. Amazon then reported the findings to U.S. federal authorities, which, according to the article, led to a government investigation that is still open. Bloomberg further claimed that the federal investigation led authorities to discover that the Supermicro chips created backdoors in the servers and that the chips were manufactured in China.

The report said that the investigation found the Supermicro chips in nearly 30 U.S. companies, including Apple Inc., which had also found the malicious microchips on Supermicro motherboards in 2015.

The Bloomberg report relies solely on anonymous sources, including one person said to be close to the AWS testing process, three senior Apple insiders and multiple people familiar with the federal investigation.

The article stated that, based on the word of two anonymous U.S. officials, this is one of the largest supply chain attacks against the U.S.

Amazon, Apple and Supermicro have all issued statements clearly and vehemently denying any truth to these claims.

In its statement, Amazon said that it did not know of a supply chain compromise, issues with malicious chips or any hardware modification. The company also said that it is not true that AWS worked with federal investigators on such an inquiry.

"We've found no evidence to support claims of malicious chips or hardware modifications," Amazon said in its statement.

Apple released a separate, detailed denial statement, saying that the Bloomberg report is incorrect and that it had told the news outlet as much.

"We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg's story relating to Apple," the company wrote in the statement.

Whatever its accuracy, the report highlights the importance of supply chain security. The 2013 Target data breach remains one of the most high-profile examples: attackers compromised an HVAC contractor whose network access was connected to Target's critical systems and used that foothold to get in.

In other news:

  • Following the announcement of its data breach last week, Facebook Inc. said that the third-party sites that use Facebook single sign-on were not affected. The login information of nearly 50 million Facebook accounts was stolen, and there were concerns that the applications and websites connected to the social networking site would also be affected. But, on Tuesday, Facebook said it had investigated and found no evidence of hackers accessing anything else using the Facebook logins. Since the disclosure of the data breach, users in California have filed a lawsuit claiming that Facebook did not properly protect their data. The company has also had to scramble to gather the necessary information and take the necessary actions to remain compliant with the European Union's GDPR.
  • Google announced five new rules this week for the Chrome Web Store, where users download browser extensions. The rules are intended to make Chrome extensions trustworthy by default. The first rule lets users keep a custom list of sites for which an extension's host access is restricted, giving them some measure of control over when extensions are permitted to access site data. Next, extensions will undergo a more extensive review process, particularly when they request "powerful permissions." Another rule bans browser extensions with obfuscated code from the Chrome Web Store, and developer accounts will now be required to use two-step verification. Finally, next year Chrome plans to roll out a new version of the extension manifest for developers, with a greater focus on security and privacy.
  • A new vulnerability was discovered in the Telegram messaging service that leaks users' public and private IP addresses. A security researcher found that the vulnerability, tracked as CVE-2018-17780, affects the desktop version of the secure messaging service on Windows and "leaks end-user public and private IP addresses during a call because of an unsafe default behavior in which P2P connections are accepted from clients outside of the My Contacts list." Telegram is a cloud-based, end-to-end encrypted instant messaging app for both mobile and desktop. Telegram also recently dealt with malware called Telegrab that could get around the app's end-to-end encryption.
