Amazon
It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.

We’ve re-reviewed our records relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit that we conducted in 2015 as part of our due diligence prior to the acquisition. We’ve found no evidence to support claims of malicious chips or hardware modifications.

The pre-acquisition audit described four issues with a web application (not hardware or chips) that SuperMicro provides for management of their motherboards. All these findings were fully addressed before we acquired Elemental. The first two issues, which the auditor deemed as critical, related to a vulnerability in versions prior to 3.15 of this web application (our audit covered prior versions of Elemental appliances as well), and these vulnerabilities had been publicly disclosed by SuperMicro on 12/13/2013. Because Elemental appliances are not designed to be exposed to the public internet, our customers are protected against the vulnerability by default. Nevertheless, the Elemental team had taken the extra action on or about 1/9/2014 to communicate with customers and provide instructions to download a new version of the web application from SuperMicro (and after 1/9/2014, all appliances shipped by Elemental had updated versions of the web application). So, the two “critical” issues that the auditor found were actually fixed long before we acquired Elemental. The remaining two non-critical issues with the web application were determined to be fully mitigated by the auditors if customers used the appliances as intended, without exposing them to the public internet.

Additionally, in June 2018, researchers made public reports of vulnerabilities in SuperMicro firmware. As part of our standard operating procedure, we notified affected customers promptly, and recommended they upgrade the firmware in their appliances.
Apple
Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers has ever been found to hold malicious chips.

As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections. We did not uncover any unusual vulnerabilities in the servers we purchased from Super Micro when we updated the firmware and software according to our standard procedures.

We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.

While there has been no claim that customer data was involved, we take these allegations seriously and we want users to know that we do everything possible to safeguard the personal information they entrust to us. We also want them to know that what Bloomberg is reporting about Apple is inaccurate.

Apple has always believed in being transparent about the ways we handle and protect data. If there were ever such an event as Bloomberg News has claimed, we would be forthcoming about it and we would work closely with law enforcement. Apple engineers conduct regular and rigorous security screenings to ensure that our systems are safe. We know that security is an endless race and that’s why we constantly fortify our systems against increasingly sophisticated hackers and cybercriminals who want to steal our data.
Supermicro
While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue.

Every major corporation in today’s security climate is constantly responding to threats and evolving their security posture. As part of that effort we are in regular contact with a variety of vendors, industry partners and government agencies sharing information on threats, best practices and new tools. This is standard practice in the industry today. However, we have not been in contact with any government agency regarding the issues you raised.

Furthermore, Supermicro doesn’t design or manufacture networking chips or the associated firmware and we, as well as other leading server/storage companies, procure them from the same leading networking companies.
China’s Ministry of Foreign Affairs
China is a resolute defender of cybersecurity. It advocates for the international community to work together on tackling cybersecurity threats through dialogue on the basis of mutual respect, equality and mutual benefit.

Supply chain safety in cyberspace is an issue of common concern, and China is also a victim. China, Russia, and other member states of the Shanghai Cooperation Organization proposed an “International code of conduct for information security” to the United Nations as early as 2011. It included a pledge to ensure the supply chain security of information and communications technology products and services, in order to prevent other states from using their advantages in resources and technologies to undermine the interest of other countries. We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.

—Translated by Bloomberg News in Beijing
Statements
59
Bloomberg Businessweek
October 8, 2018