NCSC casts doubt on AWS and Apple's knowledge of the China chip hack

No reason to suggest Amazon and Apple knew about the supply chain attack, says agency

NCSC, the UK's National Cyber Security Centre, has said it has no reason to doubt denials by Amazon and Apple that they knew about a supply chain compromise in which hardware destined for US companies was secretly implanted with microchips in China.

On 04 October, Bloomberg reported that Chinese intelligence authorities had placed tiny spy chips on Chinese-made motherboards used in Supermicro servers purchased by 30 American companies including Amazon and Apple, as well as governmental organisations.

This, the article claimed, has allowed the Chinese authorities to eavesdrop on the affected organisations, stealing secrets, designs and strategies.

The Chinese government denied the accusations, saying it is the victim of supply-chain attacks, not a perpetrator. Meanwhile, both Apple and Amazon disputed the Bloomberg article's claims that they had known about the hidden microchips but had chosen to deal with the issue internally rather than going public.

"It's untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental," Amazon told Bloomberg, referring to a decision not to acquire video streaming firm Elemental Technologies, which the article alleged was using compromised Supermicro servers.

The Bloomberg piece quoted unnamed senior Apple staff who claimed that "in the summer of 2015, [Apple], too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons."

Apple, previously a major Supermicro customer, denied that its decision to change suppliers had anything to do with the hidden chips. "Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server," it said in a statement.

The statement added that Apple was unaware of any investigation into the supply chain attack.

NCSC has said it has no reason to doubt Amazon's and Apple's version of events. An NCSC spokesperson said on Friday: "We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple.

"The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us."

NCSC's statement did not question the credibility of the report of the compromise itself.
