Supermicro Says They Found No Spy Chips in Their Motherboards

AlphaAtlas
Following a lengthy investigation, Supermicro sent an open letter to their customers claiming that they "found absolutely no evidence of malicious hardware on our motherboards." The company hired a "leading, third party investigations firm" to assist with the review, and they tested both newer motherboards and the older ones specifically mentioned in the Bloomberg story. Supermicro's stock price still hasn't recovered from the massive drop in October, but it has been steadily rising since then.

In an effort to reassure customers, Supermicro also uploaded a "Supply Chain Security" video, which you can check out here.

We test our products at every step of the manufacturing process. We test every layer of every board we manufacture throughout the process. We require that Supermicro employees be onsite with our assembly contractors, where we conduct multiple inspections, including automated optical, visual, electrical, and functional tests. The complexity of our motherboard design serves as an additional safeguard. Throughout our supply chain, each of our boards is tested repeatedly against its design to detect any aberration and to reject any board that does not match its design. To guard against tampering, no single employee, team, or contractor has unrestricted access to our complete board design. We regularly audit our contractors for process, quality, and controls.
 
"We investigated ourselves and found that we are innocent"!

Trust us...
Was going to say that, but they said they hired a third party, which is why I want to know who they were and where their report is. If Supermicro really wants to stave off people's fears then they need to make the report publicly available with appropriate redactions to hide trade secrets.
 
Was going to say that, but they said they hired a third party, which is why I want to know who they were and where their report is. If Supermicro really wants to stave off people's fears then they need to make the report publicly available with appropriate redactions to hide trade secrets.


We will probably just get a, "Just trust us!"
 
Was going to say that, but they said they hired a third party, which is why I want to know who they were and where their report is. If Supermicro really wants to stave off people's fears then they need to make the report publicly available with appropriate redactions to hide trade secrets.

My post was sarcasm mainly. I didn't believe the fake news story to begin with but you don't double down by investigating yourself then leave out the details.

I stand by my original post...:D
 
Do wish the letter had named the investigative firm used. Quite possible the report is being withheld until legal options have been fully explored. No point in fully exposing your hand until discovery forces it.

Did see the mention in the letter about testing boards used by companies alleged to have been spied upon by the modified boards. One of my points on this was that examination of the allegedly modified boards should either prove or disprove the story. If the report holds up, doesn't look good for Bloomberg.

The very likely slander/libel lawsuit should be entertaining.
 
Do wish the letter had named the investigative firm used. Quite possible the report is being withheld until legal options have been fully explored. No point in fully exposing your hand until discovery forces it.

that would be my guess as well.
 
Bloomberg usually reports on financial items and isn't known for fabricating. Its factual index rating is High. Any news source, no matter how credible, can make a mistake, but I don't just assume Bloomberg to be lying.
 
Bloomberg usually reports on financial items and isn't known for fabricating. Its factual index rating is High. Any news source, no matter how credible, can make a mistake, but I don't just assume Bloomberg to be lying.

And yet Bloomberg produced no evidence of the spy chips being real. If the problem was as pervasive as they say, they should have easily been able to identify the chips and show the actual chips + network traffic for evidence.
 
It happened, was not fabricated. These are national security issues where the people who actually know and are not in the press are bound by gag orders. It amazes me the people who are smart enough to be on this forum but not smart enough to know this story is true. Simply put, people were asked to stop talking about this by our government.
 
It happened, was not fabricated. These are national security issues where the people who actually know and are not in the press are bound by gag orders. It amazes me the people who are smart enough to be on this forum but not smart enough to know this story is true. Simply put, people were asked to stop talking about this by our government.

So you have actual proof?
 
Didn't the "spy chip" story get discredited already?
Yes, but Supermicro still hasn’t recovered from it. Due to the nature of the original story they are forced to prove their innocence before they can explore their options.
 
It's interesting that Supermicro doesn't have enough confidence in the security of their supply chain to go on the offensive.
 
And yet Bloomberg produced no evidence of the spy chips being real. If the problem was as pervasive as they say, they should have easily been able to identify the chips and show the actual chips + network traffic for evidence.
I'm pretty sure Bloomberg was given this information from somewhat reliable sources that were incorrect and didn't have enough access to corroborate, and ran with it. They had a couple of sources, which = good enough to publish, but given the ramifications they should have dug harder. At no point would I believe Supermicro was involved. Also, if this did happen I would expect it to have happened after it exited their control, like en route for shipping out of China. We still don't 100% know this isn't true. Do I believe anything from an Apple CEO? Nope. Supermicro would cover their own ass, but also their structure and policy would typically prevent such a thing. So if it did happen I would expect it to have occurred at an odd point. Possibly even in the US.
 
Yes, but Supermicro still hasn’t recovered from it. Due to the nature of the original story they are forced to prove their innocence before they can explore their options.
Wow this is almost like a #metoo type situation.

Court of public opinion is getting insane.
 
The thing about this is they could have placed snooping devices on SOME hardware - but we'll never know which from an inspection / random sampling of the hardware will we?
 
It happened, was not fabricated. These are national security issues where the people who actually know and are not in the press are bound by gag orders. It amazes me the people who are smart enough to be on this forum but not smart enough to know this story is true. Simply put, people were asked to stop talking about this by our government.
Kind of like the aliens at Area 41, or the 200mpg carburetor, eh? Massive Government coverup!
 
You see, instead, I am going to organize... a special, blue-ribbon fact-finding commission... made up of myself and, uh, Miss Betty Childs, and we will get to the bottom of this dastardly deed. - Stan Gable in Revenge of the Nerds
 
My post was sarcasm mainly. I didn't believe the fake news story to begin with but you don't double down by investigating yourself then leave out the details.

I stand by my original post...:D


But the same kind of thing happened with Cisco and that one was proven out.

I say the same kind of thing, but it really did have a different wrinkle to it. The Cisco story was actually about government purchasers buying compromised hardware from outside the approved Cisco supply chain. If I remember correctly, the Bloomberg story claimed a compromise of Supermicro's manufacturing facilities, so it is a different animal.
 
It happened, was not fabricated. These are national security issues where the people who actually know and are not in the press are bound by gag orders. It amazes me the people who are smart enough to be on this forum but not smart enough to know this story is true. Simply put, people were asked to stop talking about this by our government.
And this is a prime example of a conspiracy theory.
 
Bloomberg usually reports on financial items and isn't known for fabricating. Its factual index rating is High. Any news source, no matter how credible, can make a mistake, but I don't just assume Bloomberg to be lying.

I still don't think they willingly went out of their way to release the story knowing it was fake. I think the writer was legitimately misled by someone that sounded believable. Shit happens and the world moves on.
 
It happened, was not fabricated. These are national security issues where the people who actually know and are not in the press are bound by gag orders. It amazes me the people who are smart enough to be on this forum but not smart enough to know this story is true. Simply put, people were asked to stop talking about this by our government.

From the main story, the chip was supposedly attached to the network interface through 2 leads, but such a chip would need FAR more than that. It would need at least 2 leads for power and at least 6 to hook into the sideband interface on a network interface chip. Then, to get any usable information, it would have to hook into the memory or processor subsystems like an IPMI interface, and that would be a couple dozen more leads. In addition, it would need some sort of configuration storage, which could potentially be internal to the package, making the package much bigger, but that would be more difficult than an external NVRAM interface, which would require another dozen leads. That would make it big enough to be visibly noticeable.

Then there's the little fact that it shows that this chip would be interfacing on a 1Gb NIC interface, which few actually use on servers anymore. Most servers use a 10Gb interface now for active traffic. Such a chip wouldn't catch much from a 1Gb interface. However, I can believe government would be using that 1Gb interface much of the time, with their incompetence in technology.

I don't believe it. It just doesn't line up with the technology we know.
 
is there any actual proof of these allegations?

Or is it that we heard it from the janitor's mailman's brother?
 
You said "and never proven by those with the most to gain". Who would that be?

That would be the fake news site. Or are you saying the news site has no obligation to publish truthful news and back it up with proof? A breaking story like that could catapult them to a huge mainstream news site. Might as well classify it as SUN-level bullshit then. My bad, I thought you were going to have an actual counter-argument?
 
That would be the fake news site. Or are you saying the news site has no obligation to publish truthful news and back it up with proof? A breaking story like that could catapult them to a huge mainstream news site. Might as well classify it as SUN-level bullshit then. My bad, I thought you were going to have an actual counter-argument?

Not a counter-argument, I don't see what they have to gain. This isn't some mom and pop blog, this is Bloomberg.
 
Not a counter-argument, I don't see what they have to gain. This isn't some mom and pop blog, this is Bloomberg.

They have everything to gain and nothing to lose if no proof is needed. Web clicks... lots of them. One of the most talked-about tech news stories of 2018. If you can't see the benefit in that I don't know what to tell you. Without proof this has hurt their reputation, not helped them.
 
1. Christopher Wray, our FBI director already told Congress that there is an active investigation on this exact matter and they are unwilling to comment because of that.

2. Anybody who claims to know anything on this matter would get contacted by the FBI quicker than you could type a reply in this thread.
 
One of Bloomberg's articles states:

Apple made its discovery of suspicious chips inside Supermicro servers around May 2015, after detecting odd network activity and firmware problems, according to a person familiar with the timeline.

Call me skeptical, but "odd network activity" is the kind of attack that can easily be detected and reproduced, and rarely requires "national security" levels of secrecy. Two months after the articles, proof would have surfaced, at least from affected companies outside the North American sphere of influence.

Some of us [H]ere have Supermicro boards, and no one reported [h]ere, or found a report on the dark web, about "odd network activity".

It may be true, but a zero-day exploit that does not become public knowledge two months after being revealed is unheard of.
 