Super Micro says audit found no trace of Chinese spy chips on its boards

Hardware builder Super Micro has delivered another effort to prove to the public its machines were not bugged by the Chinese government. The US-based company on Tuesday issued the findings of an investigation it says show no indication that its motherboards were ever compromised at the factory level and modified with …

  1. Anonymous Coward

    Where's the SEC when you need it...

  2. shawnfromnh

    I so believe this

    Because the security and integrity of our products is our highest priority

    I thought money and not being jailed for not cooperating with the Chinese government was the actual priority. Really doesn't matter, because no matter where you build something in this politically charged world the Chinese, Russians, CIA, NSA, MI6 or a slew of others will force you to put spy shit in your boards or else. So this huge lie about your highest priority is shit, since any boardmaker in China has plants in them that swap out parts occasionally, so it's hit or miss if you catch them, and it's probably multiple parts so they can go to part B for a while then keep switching out as needed. Hell, the parts are probably also switched along the chain, so if one part of the chain goes down an existing one starts up.

    1. Medixstiff

      Re: I so believe this

      I'm waiting to see the fall out from the idiots putting through the encryption laws here in Aus.

      You can bet as a Five Eyes nation, any changes they request manufacturers to make will get shared around with other partners.

      Blind Freddie can see it's just a matter of time before a workaround gets out, and if it's by an ex-employee they'd better make the most horrific example of them that they can, because if there's large-scale identity or data theft that occurs afterwards, voters are going to be mega p1ssed.

      1. Lyle Dietz

        Re: I so believe this

        I want the Russians* to lift data about our pollies through a TCN-mandated back-door and then publish it somehow. Bonus points if it's Christian Porter, Mr Potato-head or AFP top brass.

        * or anyone but the Chinese, because if it's China the chuckle-heads in Canberra will just blame hardware back-doors from Chinese kit.

        1. Voland's right hand Silver badge

          Re: I so believe this

          or anyone but the Chinese, because if it's China

          China does not publish what it lifts for now. So from the perspective of demonstrating that there is little difference between a "special" hole in your pants and being pantless they are not particularly useful.

          1. Paul Crawford Silver badge
            Gimp

            Re: a "special" hole in your pants

            I pay extra for those!

    2. Trevor_Pott Gold badge

      Re: I so believe this

      I think you're a bit out to lunch on this. Want to not be jailed by the Chinese? Don't go to China. Especially when the nation you live in is in the middle of a pissing match with China, and you're a high-powered executive. That's just life at that level, regardless of whether or not someone has asked you to compromise your gear.

      As for the "money is the only thing that matters" bit...you had damned well better believe that "the security and integrity of [Supermicro's] products is [Supermicro's] highest priority". A single accusation - and one that most of the infosec world didn't buy at the outset, and which has since been considered completely debunked - absolutely tanked Supermicro's shares. Please do explain to me exactly how letting $nation stick shit on their boards is somehow making Supermicro money.

      Or any manufacturer.

      One does not have to do business with China. One does not have to manufacture things there. China may be a few points cheaper than Taiwan, India, Vietnam, or what-have-you, but a few points is absolutely not enough to entice a manufacturer like Supermicro if the tradeoff was "we will put spy chips on your stuff".

      Let's consider this rationally for a moment:

      1) Supermicro isn't - and hasn't been - the low-cost tin shifter for some time. You want some of the Chinese server manufacturers for that. Supermicro, Dell, HPE and even Lenovo can't compete with the likes of Inspur, and they're not really trying to, either. Supermicro's schtick is flexibility. They have a server room widget for anything you can possibly imagine. That means higher R&D costs, which means no playing in Inspur's sandbox.

      2) The big buyers are the public cloud providers. Chinese cloud providers buy predominantly from Chinese companies. Non-Chinese cloud providers don't build a lot of data centers in China. There's a lot more money to be made putting data centers near China, but not actually inside the Great Firewall, with all its geopolitical restrictions. Why in Jibbers' name would Supermicro - or any non-Chinese tin shifter - knowingly let the Chinese government put spy chips on their board, when they know damned well that the instant it was discovered it would alienate the customers responsible for 50%+ of their revenue? There is zero logic in that.

      3) Supermicro are terrible at politics. Absolutely terrible. They can't even deal with their own internal politics. They are not about to start playing geopolitical bullshit, because the people in charge of that company know that they would fail catastrophically.

      Look, Supermicro has a lot of problems, but willingly getting mixed up in these sort of shenanigans? I just don't buy it. Their CEO is a giant nerd. Obsessive engineer type. He is emphatically not someone who is any good at politics, and he's perfectly aware of that. This extends to pretty much all of Supermicro's leadership.

      Supermicro are heavy on nerds, heavy on suit-and-tie from-the-past marketing/PR/sales types, and are more or less what you'd expect from any large predominantly USian corporation that got where they got by building something useful, but never did the ruthless, cutthroat thing and brought in corporate fixers.

      If China - or anyone else - had somehow demanded that Supermicro knowingly compromise their own gear, you would not have gotten a full-throated denial from them. You would have gotten a stone wall of "no comment", and lots of "talk to our lawyers".

      This is because the people in charge of Supermicro aren't masterful political chess players who even attempt to play complicated geopolitical bullshit games. They'd piss themselves in terror and do whatever their lawyers told them to, and lawyers always tell their clients the same thing: shut the hell up.

      So, to me at least, the fact that this particular pack of politically mediocre nerds and empty corporate suits decided that they were going to stand up and say "nyet" actually lends Supermicro's story some credibility.

      Some.

      They could always have been compromised without knowledge of the decision makers...but so far, the evidence doesn't seem to be bearing that out either. And that leaves me with all sorts of questions about this entire thing...but that's a rant for another day.

  3. Malcolm Weir Silver badge

    There were always huge problems with the allegations, best summed up as a total lack of evidence either of actual modifications *or* (and probably more importantly) any command-and-control network that would have been required to do anything with the modified boards.

    1. Phil Kingston Silver badge

      It still surprises me that Bloomberg stick by their story. With zero evidence to back it up. It's almost as if they'd been pressured by the US to damage the perception of a Chinese brand.

      1. Ishtiaq
        FAIL

        Err

        @Phil Kingston

        Supermicro is an American company.

        Cheers… Ishy

        1. imanidiot Silver badge

          Re: Err

          Minor nit-pick: Super Micro is an American company that does most of its manufacturing in China.

          1. Crazy Operations Guy Silver badge

            Re: Err

            "Super Micro is an American company that does most of its manufacturing in China."

            So you mean like IBM, Apple, Dell, HPE, Cisco, Oracle, Intel, AMD, Nvidia, Micron, Kingston, Asus, Acer, MSI, Crucial, Texas Instruments, and so on.

            I don't think there is a single "American" company that hasn't offshored the vast majority of its manufacturing to Pegatron, Foxconn, TSMC, or some other Chinese-owned manufacturer.

        2. Phil Kingston Silver badge

          Re: Err

          Good spot

    2. SuccessCase

      Also the fact that there is a security researcher - Joe FitzPatrick - who talked to Bloomberg journalists over many meetings/calls about speculative "this is how it is theoretically possible to do this" scenarios, and then was surprised to find the article in question claimed *exactly* the scenarios he described had been executed by the Chinese. FitzPatrick said, given he is not working at State level with State level resources, and his speculations were his own personal pet hobbyist theories as to how it could be done (when there are many alternative possibilities), he was very surprised to find it claimed it had been done by the Chinese exactly how he had described. In other words it very much appears his speculative theoretical scenarios were lifted by the Bloomberg journalists and published as fact.

      All in all Bloomberg's failure to retract this story leaves a sizeable stain on their integrity.

      1. CrazyOldCatMan Silver badge

        All in all Bloomberg's failure to retract this story leaves a sizeable stain on their integrity.

        What little they had left anyway..

  4. Dabbb Bronze badge

    Again, why bother

    The one below is more than enough to control everything

    https://www.aspeedtech.com/products.php?fPath=20

    1. Roland6 Silver badge

      Re: Again, why bother

      I would love to see an example of a spy break into a factory and inconspicuously add one of these to a few motherboards; although I'm sure it wouldn't be beyond the capability of a Hollywood plot line...

      1. SuccessCase

        Re: Again, why bother

        @Roland6. I think you will find the issue is that the manufacturing is taking place in China. So it wouldn't be so much a break-in as, "oh shit, this guy in mirror shades working for my government, which still makes people disappear without trial, has asked me if we can modify the motherboard, but hasn't smiled once as he asked"

        1. SuccessCase

          Re: Again, why bother

          Not that I believe the story in the first place BTW.

      2. Dabbb Bronze badge

        Re: Again, why bother

        "I would love to see an example of a spy break into a factory and inconspicuously add one of these to a few motherboards;"

        Inconspicuously? BMC Pilot is THE most widely used LOM chip for servers; it's literally everywhere. Its firmware is closed source, and what's inside the silicon only the Chinese know.

        To make it clear - it controls everything and has access to everything on a server. There's no need to add anything else.

    2. phuzz Silver badge

      Re: Again, why bother

      Why bother adding an extra board when you can just use the built in lights-out management which is built into practically every server?

      1. Paul Crawford Silver badge

        Re: Again, why bother

        Yes, and bugger-all security or patching for most ILOM systems...

  5. bombastic bob Silver badge
    Devil

    'Fake News' by Bloomberg, then?

    I think SuperMicro has at least done the right thing and made a SERIOUS effort to, well, "take it seriously" and ensure that NONE of their products have been tampered with. It's also likely they'll continue to look for the possibility just so they can SAY they are.

    It's hard to re-build a reputation that's been SO DAMAGED like this.

    THAT being said, reputations are what they are, and I think the ball is NOW in Bloomberg's court.

    'Fake News' has been getting out of hand a LOT. These "un-named sources" who seem to know SO much, wanting to blow the lid off of some scandal, blah blah yotta yotta TABLOID NEWS.

    Bloomberg, I think you guys SCREWED THE PROVERBIAL POOCH. Funny how they doubled down on it, too.

    I hope they have really GOOD evidence to support their claim, if it's true. Because it's PLAUSIBLE. But if they have NOTHING, which I suspect is the case, they'll end up on the wrong side of a defamation and libel lawsuit. And, don't forget the drop in stock value.

    Then again, the drop in stock might be 'stock manipulation'. Did anyone MAKE LOTS OF MONEY by SELLING SHORT on SuperMicro stock? S.E.C. where are you?

    I'd like to see how this plays out. Needless to say, if spy chips WERE being planted, I doubt it will happen again any time soon, because NOW people are LOOKING for it...

    1. Anonymous Coward

      Re: 'Fake News' by Bloomberg, then?

      It was not only SuperMicro stock that fell. The main target for NYSE shorters, namely AAPL, was hit as well, along with others like AMZN.

      Bloomberg is regarded with contempt by many TSLA stock holders for their continual 'Tesla is doomed. Chapter 11 filing next week' sort of stories.

      Putting my conspiracy tin-foil hat on for a moment...

      "Could all this be part of an orchestrated plan by people behind those who are behind Bloomberg to destabilise the NYSE or at the very least, certain widely held stocks?"

      Once upon a time, Bloomberg was the 'go-to' place for financial information. I still go there but view everything that they say with suspicion and at a length of several 40ft barge poles.

      [disclaimers]

      I don't directly own any stock in any of the companies mentioned in this post.

      Stock prices may go down as well as up and...

      This is not financial advice in any way shape or form.

      1. DougS Silver badge

        Re: 'Fake News' by Bloomberg, then?

        Apple barely fell the day the story broke, and to the extent it did it fell about the same as the similar tech stocks. Apple has fallen a lot since, but well after the story had faded away so if you think Apple's stock price drop over the past month had ANYTHING to do with this story, you are an idiot.

        If you want to short Apple, you don't make up a story without evidence that elicits immediate denials from all companies involved. You report a rumor that one of its suppliers is reporting reduced demand from "one of its largest customers". That's been proven to cause Apple's stock to fall many times in the past, both when the rumor turned out to be true and when it turned out to be false.

        Reporting a story you know is false will get you in a lot more trouble than reporting a rumor that you have plausible deniability for because you state outright that it is a RUMOR.

    2. LeahroyNake Bronze badge

      Re: 'Fake News' by Bloomberg, then?

      Fracking hell Bob, CAPS are irritating.

  6. Neoc

    Look, I don't know if SuperMicro's products have been tampered with or not - but when a company tells you they have looked at their own product and found nothing wrong, you *have* to take that news with a grain of salt.

    1. Potemkine! Silver badge
      Facepalm

      when a company tells you they have looked at their own product and found nothing wrong, you *have* to take that news with a grain of salt.

      In the article: now the company says it has the results of a third-party investigator on its side.

      1. Neoc

        Woops, my bad. :(

    2. Jeffrey Nonken Silver badge

      Please prove to me that you're not schtupping my wife.

      1. LeahroyNake Bronze badge

        You wish.

      2. Paul Crawford Silver badge

        @Jeffrey Nonken

        He is not, because I am...

  7. Potemkine! Silver badge

    "Slander! slander! some of it always sticks"

  8. Will Godfrey Silver badge
    Unhappy

    Dodgy Dealing

    Right from the start I thought this was some kind of stock market scam. I'm even more convinced now.

  9. happy but not clappy
    Black Helicopters

    Not a scam

    It's US foreign policy driven from the White House. Look at all the other Chinese manufacturers that have been banned/harassed and generally interfered with over the past few years. Not that the Chinese are being especially targeted, just that the dirty tricks are much more public.

    Anyone entering the US market does so with trepidation IME.

  10. Andy The Hat Silver badge

    Some sympathy

    I feel that this was, as alluded to at the time, an elaborately baited US 'government' hook with the aim of discrediting the use of Chinese-made equipment. It probably is fake news but based on believable information from more than one source.

    In this situation Bloomberg were damned if they did and damned if they didn't. Fail to report what fifteen (?) individuals have 'corroborated' and pass up a truly massive scoop or report a story that you are now convinced is true as it has been corroborated by fifteen individuals and get shot down because the 'government' smoke screen was so thick that you ended up trusting the web of deceit ...

    The obvious loser is SM's reputation who have that nightmare to prove that something that never existed was never fitted to a few of their boards which themselves may not even have existed ...

  11. Steve Graham
    Big Brother

    1. American government discusses cutting CIA funds for Chinese technical matters.

    2. CIA gives industry a "confidential" briefing on the dangers of Chinese manipulation.

    3. Anonymous sources brief Bloomberg on alleged actual Chinese manipulation.

    Join the dots, people.

  12. juice Bronze badge

    Get your tin-foil hats ready...

    IIRC, the article claimed that it was a small number of motherboards which were affected, and that they were delivered to specific companies.

    So if the perpetrators withdrew and covered their tracks, there'd be nothing at the "manufacturing" side to see.

    OTOH, at this point, I would have expected Bloomberg to have produced some physical evidence - even a single demonstrably hacked motherboard would be enough to give them the benefit of the doubt.

    Either way, may the best conspiracy theory win!

    1. mutin

      Re: Get your tin-foil hats ready...

      You write :"I would have expected Bloomberg to have produced some physical evidence - even a single demonstrably hacked motherboard"

      So, do you really expect that such evidence can be found? All that was altered has been destroyed. It was not in Apple's, Amazon's or Super Micro's interest to keep any evidence for investigation.

  13. adam payne Silver badge

    "After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards,"

    So they have now jumped through hoops and proven to the best of their ability that the claims are completely false. What's bloopersberg going to do now? Probably nothing.

    Super Micro lawsuit?

    1. mutin

      Has anybody seen such a report, or does anybody know the company name? So, what are we discussing? The word of the SM CEO? Do you trust such a word, saying nothing more than Bloomberg? Come on!

  14. trev101

    If there is suspicion manufacturing should be done in the UK. Good for us.

    1. Ken 16 Silver badge
      Trollface

      That's one way of ensuring data security, in the same way British Leyland used to ensure speed limits were obeyed - if it can't start, it can't break any laws.

  15. mutin

    It is really funny - has anybody tried to follow the link in the article that is likely pointing to a report from an independent company? It goes to a Super Micro site saying that there was a company and a report. Super Micro DOES NOT provide a link or a document or disclose the name of the company. So, what are you talking about? What has SM proved, as we cannot see it published?

    Nobody mentioned in original article really wants INDEPENDENT PUBLIC investigation. It is all cover-up. Too much money and reputation i.e. money involved.

    So far Super Micro does bla-bla-bla and no proof that Bloomberg was incorrect.

    1. Jeffrey Nonken Silver badge

      It's pretty well known that you can't prove a negative. Yet here you are, demanding exactly that.

      Please prove to me that you're not schtupping my wife.

  16. Jay Lenovo Silver badge

    Everything seems plausible...but has no evidence, not even a public source.

    Sorry not news, but big commentary.

  17. EnviableOne Bronze badge

    As was Said

    Absence of evidence is not evidence of absence.

    It will take a lot for SM to lose this tag

  18. Crazy Operations Guy Silver badge

    Release the schematics?

    I'd breathe a lot easier if they were to publicly release the schematics of one or two of the products at the center of this. From my knowledge of electrical engineering, the suspected part wouldn't even have access to the proper buses to even do anything like what Bloomberg is alleging. From Bloomberg's report, the device looked to be a simple two-conductor component, but it was quite difficult to see exactly what the device looked like in the images.

    It'd go a long way to dispelling rumors if SuperMicro were to release the schematic and board layout drawings so that independent researchers and private individuals could take a look to see if such a device is even possible in the first place. It would also allow researchers to test suspected boards to see if the component behaves as expected and is the intended device.

    The security researcher in me also doubts the Bloomberg report in that no one in their right mind would go through the effort of breaking a system by inserting a chip into the assembly logistics in the hopes that one of the tens of thousands of parts actually made it into their target's system and the system is in a location that can be compromised and that particular system actually contains the target data. Especially since if they wanted that much access, the IPMI chip and the Intel Management Engines are already present in the system to begin with, either one could be compromised and would give you ridiculous amounts of control over the system without the risk of compromising a component.

    Really, it would be so much easier to just send fake firmware patches to the target and produce a much more direct attack rather than casting a massive net in the slim chance of getting access to that specific target.
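The lights-out management point made in comment 4 (Dabbb, phuzz and Paul Crawford: the BMC already controls everything and is rarely patched) and again in comment 18 (Crazy Operations Guy: the IPMI chip and Intel ME are already in the box) is the one a practitioner can actually act on: before worrying about an added chip, find out which of your servers already expose a BMC on the network. The Python below is an added example by the editor, not code from any commenter, from The Register or from Supermicro. It builds the RMCP Presence Ping defined in the IPMI specification (UDP port 623, ASF message class), parses the Presence Pong to see whether the responder advertises IPMI-over-LAN, and sweeps a host list. The host addresses and the replies in `_fake_sender` are constructed so the example runs offline; `send_udp` is the real transport and assumes you are authorised to probe the hosts you point it at.

```python
"""Inventory network-reachable BMCs with the RMCP/ASF Presence Ping.

Message layout (IPMI 2.0 spec, RMCP/ASF section):
  RMCP header : version(1) reserved(1) sequence(1) class(1)
  ASF header  : IANA(4, big-endian) type(1) tag(1) reserved(1) data_len(1)
  Pong data   : IANA(4) OEM(4) supported_entities(1) supported_interactions(1) reserved(6)
Added example, not vendor code. Hosts and replies below are constructed.
"""
import socket
import struct
from typing import Callable, Dict, Iterable, Optional

ASF_IANA = 0x000011BE        # IANA enterprise number reserved for ASF/RMCP
RMCP_VERSION = 0x06          # ASF RMCP 1.0
RMCP_CLASS_ASF = 0x06
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40
RMCP_PORT = 623
PONG_LEN = 4 + 8 + 16        # RMCP header + ASF header + 16 data bytes


def build_presence_ping(tag: int = 0x01) -> bytes:
    """12-byte Presence Ping. Sequence 0xFF means 'no RMCP ACK wanted'."""
    rmcp_hdr = struct.pack("BBBB", RMCP_VERSION, 0x00, 0xFF, RMCP_CLASS_ASF)
    asf_hdr = struct.pack(">IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag & 0xFF, 0x00, 0x00)
    return rmcp_hdr + asf_hdr


def parse_presence_pong(data: bytes, expected_tag: Optional[int] = None) -> Optional[Dict]:
    """Return the pong's capability bits, or None if this is not a valid pong."""
    if data is None or len(data) < PONG_LEN:
        return None
    version, _, _, cls = struct.unpack_from("BBBB", data, 0)
    if version != RMCP_VERSION or (cls & 0x7F) != RMCP_CLASS_ASF:   # bit 7 is the ACK flag
        return None
    iana, mtype, tag, _, dlen = struct.unpack_from(">IBBBB", data, 4)
    if iana != ASF_IANA or mtype != ASF_PRESENCE_PONG or dlen != 16:
        return None
    if expected_tag is not None and tag != expected_tag:
        return None                     # reply does not match our probe
    oem_iana, oem_defined, entities, interactions = struct.unpack_from(">IIBB", data, 12)
    return {
        "ipmi_supported": bool(entities & 0x80),          # bit 7: IPMI supported
        "asf_version": entities & 0x0F,                   # bits 3:0: 1 == ASF 1.0
        "rmcp_security_extensions": bool(interactions & 0x80),
        "dash_supported": bool(interactions & 0x40),
        "oem_iana": oem_iana,
        "oem_defined": oem_defined,
    }


def send_udp(host: str, payload: bytes, timeout: float = 1.0) -> Optional[bytes]:
    """Real transport: one datagram to UDP/623, one reply or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, RMCP_PORT))
        try:
            data, _ = s.recvfrom(1024)
        except socket.timeout:
            return None
    return data


def sweep(hosts: Iterable[str],
          sender: Callable[[str, bytes], Optional[bytes]] = send_udp) -> Dict[str, Optional[Dict]]:
    """Probe each host with a distinct tag; map host -> parsed pong (None if silent/invalid)."""
    results: Dict[str, Optional[Dict]] = {}
    for i, host in enumerate(hosts):
        tag = (i + 1) & 0xFF
        results[host] = parse_presence_pong(sender(host, build_presence_ping(tag)), tag)
    return results


def _fake_sender(host: str, ping: bytes) -> Optional[bytes]:
    """Constructed replies so the sweep runs offline. ping[9] is the tag we sent."""
    tag = ping[9]
    if host == "10.0.0.10":     # constructed: a BMC advertising IPMI, ASF 1.0
        return (struct.pack("BBBB", RMCP_VERSION, 0x00, 0xFF, RMCP_CLASS_ASF)
                + struct.pack(">IBBBB", ASF_IANA, ASF_PRESENCE_PONG, tag, 0x00, 16)
                + struct.pack(">IIBB", ASF_IANA, 0, 0x81, 0x00) + b"\x00" * 6)
    if host == "10.0.0.11":     # constructed: something on 623 that is not RMCP
        return b"\x00" * PONG_LEN
    return None                 # constructed: no answer (filtered, or no BMC)


CONSTRUCTED_HOSTS = ["10.0.0.10", "10.0.0.11", "10.0.0.12"]


def demo() -> Dict[str, Optional[Dict]]:
    return sweep(CONSTRUCTED_HOSTS, sender=_fake_sender)


if __name__ == "__main__":
    for host, info in demo().items():
        if info and info["ipmi_supported"]:
            print(f"{host}: BMC reachable, IPMI-over-LAN advertised (ASF {info['asf_version']})")
        else:
            print(f"{host}: no valid RMCP presence pong")
```

A silent host is not thereby clean: plenty of BMCs ship with the ASF ping disabled and any sane firewall drops UDP/623, so treat no answer as unknown rather than absent, which is the same absence-of-evidence problem the thread keeps circling. A positive pong, on the other hand, is a management controller answering strangers without credentials; that host belongs on an isolated management VLAN and on the firmware patch list before anyone spends time hunting for grain-of-rice chips.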

  19. Big Al 23

    Bloomberg has provided zero proof of their claims

    It must be about time for the lawsuits to begin as Bloomberg has provided zero evidence to support their claims which have been denied by virtually all parties involved not just Super Micro. It's time to put up or pay dearly for unsubstantiated rumors and beliefs. You know this has cost Super Micro major revenue and will continue to do so until Bloomberg admits they have no evidence to support their allegations.

Biting the hand that feeds IT © 1998–2019