On October 4, 2018, Bloomberg Businessweek published an article detailing how China included a tiny microchip on server motherboards in an attempt to bypass corporate security at some major companies, including Amazon and Apple. The article described an intricate plot involving manufacturing plants in China that produced motherboards for Supermicro server hardware. It claims that Amazon noticed the chip and reported it to US authorities, who have spent over 3 years investigating. The article cites information from insiders at Amazon, Apple, and the Federal government. Newsweek felt this investigative piece, which covers incidents dating back as far as 2015, was important enough that it was the cover story for October 8, 2018.
The story surprised almost nobody in the technology industry. The idea that a Chinese company could be purposely inserting spy technology into products it manufactures is not a far-fetched one. In fact, two Chinese-owned smartphone brands have previously been banned from import into the US over fears that they contained technology designed to spy on US citizens and, hopefully, intercept calls containing sensitive data. Extending the threat from smartphones to servers was a fairly mundane and, frankly, expected step.
There are a few in the industry who take particular exception to the story, however; namely, the companies mentioned by name. Amazon claims that they never knew anything of compromised server hardware and have never been in contact with Federal law enforcement, either in reporting or in questioning, regarding the topic. They say that the only issues they have found regarding Supermicro servers were in a web-based application designed for server management, which were addressed prior to implementing the hardware. They say they have no record of any hardware issues ever being reported.
Apple had a similar response to the article, claiming that they also never had any hardware incidents with Supermicro and that the first they were aware of the concept was when Bloomberg themselves started contacting the company asking questions. They also claim that the company's cancellation of its contract with Supermicro to purchase over 30,000 servers, which came immediately after the point at which Bloomberg claims the server hacks would have been disclosed, is unrelated.
This week, Apple CEO Tim Cook, who has taken this story very personally, has upped the denial rhetoric. In fact, he has gone so far as to demand Bloomberg retract the entire story. He told BuzzFeed,
"I personally talked to the Bloomberg reporters along with Bruce Sewell, who was then our general counsel. We were very clear with them that this did not happen, and answered all their questions. Each time they brought this up to us, the story changed, and each time we investigated we found nothing...
"We turned the company upside down. Email searches, data center records, financial records, shipment records. We really forensically whipped through the company to dig very deep and each time we came back to the same conclusion: This did not happen. There's no truth to this."
For Cook, this seems to be some sort of personal attack, either on his credibility or his intelligence; maybe both. To have employees of Apple be part of the investigation, and 4 Federal agents claim that Apple both reported and participated in the investigation, when he believes that it never happened, does not seem to be something that he can heal from. It could have to do with the relationship that Supermicro has with Foxconn, which also manufactures most of Apple's products. A stain on their manufacturing process could leave a stain on all of Apple's hardware and security, which is something that has been in question following a couple of security issues at the company. If Cook had ignored it, no one would even remember the report today, but he keeps picking at it, meaning that it keeps being brought to the top of everyone's minds.
Considering its commitment to the story, Bloomberg is unlikely to retract it, no matter how much noise Cook makes, though anything is possible at this point.