Supermicro: Independent investigation has found 'no malicious hardware' found on our motherboards

Supermicro releases results of its independent investigation into Bloomberg's sensational supply-chain attack claims

Server maker Supermicro has told customers that its investigation into claims of a supply-chain attack on its motherboards has found no evidence of compromise.

In a letter published today, the company claimed that the third-party investigations firm that it had brought-in to examine the claims, made in a sensational Bloomberg article in October, had found no evidence of compromise, either on the motherboards depicted in the article, or more recently manufactured motherboards.

"As we have stated repeatedly since these allegations were reported, no government agency has ever informed us that it has found malicious hardware on our products; no customer has ever informed us that it found malicious hardware on our products; and we have never seen any evidence of malicious hardware on our products," the company asserted in its letter to customers.

https://twitter.com/taviso/status/1059609504952680448?ref\\_src=twsrc%5Etfw

"Today's announcement should lay to rest the unwarranted accusations made about Supermicro's motherboards," it continued. It's not clear whether the company plans to take legal action against Bloomberg, which continues to stand by its story.

Bloomberg had claimed that the company had fallen victim to a sophisticated supply-chain attack on its manufacturing facilities in China, compromising high-end servers destined for such clients as Apple and Amazon.

https://twitter.com/briankrebs/status/1048000538623844352?ref\\_src=twsrc%5Etfw

The attack involved the infiltration of the company's hardware with the introduction of tiny chips on server motherboards capable of exfiltrating data. The article suggested that the attack had been perpetrated by Chinese intelligence, and included interviews with a number of government and other sources to back-up the claims.

However, even at the time many knowledgeable commentators cast doubt on the report. In November, Tavis Ormandy, a high-profile vulnerability researcher at Google, for example, called on Bloomberg to either provide proof to back-up its article or to retract it.

https://twitter.com/SwiftOnSecurity/status/1053102057245286401?ref\\_src=twsrc%5Etfw

Independent security journalist Brian Krebs, meanwhile, claims to have been informed about the alleged compromise months before Bloomberg went public, but says that he was unable to make the story stand up.

In its letter, Supermicro was also keen to reiterate the various steps in its manufacturing process that, it claims, are "designed to protect the integrity and reliability" of its products:

"Among other safeguards:

We test our products at every step of the manufacturing process. We test every layer of every board we manufacture throughout the process.
We require that Supermicro employees be onsite with our assembly contractors, where we conduct multiple inspections, including automated optical, visual, electrical, and functional tests.
The complexity of our motherboard design serves as an additional safeguard. Throughout our supply chain, each of our boards is tested repeatedly against its design to detect any aberration and to reject any board that does not match its design.
To guard against tampering, no single employee, team, or contractor has unrestricted access to our complete board design.
We regularly audit our contractors for process, quality, and controls."