Letter to Customers Regarding Bloomberg Article on Alleged Hardware Tampering
Dear iXsystems Customers,
An October 4th Bloomberg article alleged a possible security vulnerability introduced by a chip illicitly implanted on select SuperMicro motherboards in 2014-15. The article claims that nearly 30 U.S. companies, including Amazon and Apple, were impacted. There was no allegation that currently-shipping motherboards are impacted, and SuperMicro has since undergone third-party testing that found no malicious hardware on SuperMicro motherboards.
Shortly after the article’s release, the three companies named strongly and unequivocally refuted the Bloomberg article’s veracity (Apple’s Statement; Amazon’s Statement; SuperMicro’s Statement), disclaiming any knowledge of the chips or awareness of any related investigations by government agencies. The United States Department of Homeland Security (DHS) and the UK’s National Cyber Security Centre (NCSC) issued statements that the agencies have no reason to doubt the denials of Apple, Amazon, and SuperMicro. Apple has since written the US Congress directly to further emphasize their stance that the article is false. The NSA also reported no evidence of governmental leads and is urging anyone with knowledge of the alleged hardware tampering to come forward.
At iXsystems, we use a variety of motherboards in our products, offering an array of choice to our customers: Intel, Tyan, Gigabyte, SuperMicro, ASUS, ASRock, Dell, and HPE. However, it is important to keep in mind that the manufacture of motherboards in China or Taiwan is a standard industry practice not unique to SuperMicro, and nearly all system providers use the same contract manufacturers.
iXsystems takes all cyber and supply-chain security matters very seriously, and we will continue to monitor and investigate this situation closely over the coming days and weeks. We have had preliminary inspections conducted on our most commonly used motherboards with no evidence of unexpected chips found. According to the security firms we have contacted, further validation requires examples of actually impacted motherboards for comparison or sufficient technical detail of the alleged chips, neither of which has been made available. Therefore, until an issue is identified, we are continuing to meet the business needs of our customers and ship product.
If and when any new and relevant information is revealed, updates will be provided. We welcome any additional questions or comments.
Brett Davis, Executive Vice President
Update: October 9, 2018: added Apple’s letter to US Congress
Update: October 12, 2018: added article regarding NSA response
Update: December 11, 2018: added link to letter from SuperMicro’s CEO regarding results of third-party testing