Apple isn’t relenting in its attacks on last week’s Bloomberg story claiming that tiny Chinese chips had compromised the security of Apple and Amazon data centers. In a Monday letter to Congress, Apple wrote that the claims in the Bloomberg story were “simply wrong.”
Bloomberg’s story, published last Thursday, claimed that the Chinese government had secretly added spy chips to the motherboards of servers sold by Supermicro.
The stakes here are high for Apple. Millions of Americans rely on the company to protect the privacy of their data on iCloud and other online services. If there were really Chinese chips infiltrating Apple data centers, it could call into question the security of those services. But Apple insists that the story was simply bogus.
In a Monday letter to top lawmakers on the House and Senate commerce committees, Apple says that the company “worked tirelessly” to investigate Bloomberg’s claims in the months before Bloomberg published its story. “Our internal investigations directly contradict every consequential assertion made in the article,” Apple claims. “Apple has never found malicious chips, ‘hardware manipulations,’ or vulnerabilities purposely planted in any server.”
Apple’s denials are clear and unequivocal
In 2013, whistleblower Edward Snowden released documents showing that the NSA had a secret program called PRISM that allowed the agency to access private data on cloud services. A number of companies, including Apple, issued carefully worded denials. Several of them focused on claims in the initial story that the NSA had “direct access” to user data. But while some of these details may have been wrong, the basic thrust of the story was correct: major tech companies really were participating in a secret NSA spying program called PRISM.
This has led some people to wonder if something similar might be going on regarding Apple and Supermicro. But Apple’s broadly worded denials—and its decision to continue hammering away at the story days later—seem to rule that out.
“Our internal investigations directly contradict every consequential assertion made in the article,” Apple writes. “We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation.” In a follow-up email to Ars, Apple confirmed that this denial applies to other government agencies as well.
Amazon’s denial, issued last Thursday, was also broad and unequivocal. “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards,” the company wrote. Supermicro also says the story is wrong.
Over the weekend, Apple received backup from the Department of Homeland Security, which issued a statement that “we have no reason to doubt the statements from the companies named in the story.” That’s a narrower denial than the ones Apple and Amazon put out last week, but it still seems to bolster the companies’ claims.
And it’s notable what happened in the four days since Bloomberg published his story. Typically, in the wake of a big story like this, well-sourced reporters at major news organizations scramble to confirm it. As far as we know, that hasn’t happened here.
And so far, no one has produced a Supermicro circuit board with a spy chip embedded in it. Bloomberg claimed that nearly 30 companies were affected by the attacks, so you might expect someone at at least one of those companies to report finding a modified board—again, as far as we know, this hasn’t happened.
Bloomberg’s article included an animated image showing a tiny microchip on a crowded circuit board. But it remains unclear whether this was a photograph of an actual board or a digital recreation.