
Amazon

It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.

We’ve re-reviewed our records relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit that we conducted in 2015 as part of our due diligence prior to the acquisition. We’ve found no evidence to support claims of malicious chips or hardware modifications.

The pre-acquisition audit described four issues with a web application (not hardware or chips) that SuperMicro provides for management of their motherboards. All these findings were fully addressed before we acquired Elemental. The first two issues, which the auditor deemed as critical, related to a vulnerability in versions prior to 3.15 of this web application (our audit covered prior versions of Elemental appliances as well), and these vulnerabilities had been publicly disclosed by SuperMicro on 12/13/2013. Because Elemental appliances are not designed to be exposed to the public internet, our customers are protected against the vulnerability by default. Nevertheless, the Elemental team had taken the extra action on or about 1/9/2014 to communicate with customers and provide instructions to download a new version of the web application from SuperMicro (and after 1/9/2014, all appliances shipped by Elemental had updated versions of the web application). So, the two “critical” issues that the auditor found were actually fixed long before we acquired Elemental. The remaining two non-critical issues with the web application were determined to be fully mitigated by the auditors if customers used the appliances as intended, without exposing them to the public internet.

Additionally, in June 2018, researchers made public reports of vulnerabilities in SuperMicro firmware. As part of our standard operating procedure, we notified affected customers promptly, and recommended they upgrade the firmware in their appliances.

Apple

Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers has ever been found to hold malicious chips.

As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections. We did not uncover any unusual vulnerabilities in the servers we purchased from Super Micro when we updated the firmware and software according to our standard procedures.

We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.

While there has been no claim that customer data was involved, we take these allegations seriously and we want users to know that we do everything possible to safeguard the personal information they entrust to us. We also want them to know that what Bloomberg is reporting about Apple is inaccurate.

Apple has always believed in being transparent about the ways we handle and protect data. If there were ever such an event as Bloomberg News has claimed, we would be forthcoming about it and we would work closely with law enforcement. Apple engineers conduct regular and rigorous security screenings to ensure that our systems are safe. We know that security is an endless race and that’s why we constantly fortify our systems against increasingly sophisticated hackers and cybercriminals who want to steal our data.

Supermicro

While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue.

Every major corporation in today’s security climate is constantly responding to threats and evolving their security posture. As part of that effort we are in regular contact with a variety of vendors, industry partners and government agencies sharing information on threats, best practices and new tools. This is standard practice in the industry today. However, we have not been in contact with any government agency regarding the issues you raised.

Furthermore, Supermicro doesn’t design or manufacture networking chips or the associated firmware and we, as well as other leading server/storage companies, procure them from the same leading networking companies.

China’s Ministry of Foreign Affairs

China is a resolute defender of cybersecurity. It advocates for the international community to work together on tackling cybersecurity threats through dialogue on the basis of mutual respect, equality and mutual benefit.

Supply chain safety in cyberspace is an issue of common concern, and China is also a victim. China, Russia, and other member states of the Shanghai Cooperation Organization proposed an “International code of conduct for information security” to the United Nations as early as 2011. It included a pledge to ensure the supply chain security of information and communications technology products and services, in order to prevent other states from using their advantages in resources and technologies to undermine the interest of other countries. We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.

—Translated by Bloomberg News in Beijing

Statements · 59 · Bloomberg Businessweek, October 8, 2018