The recent Bloomberg story claiming that Chinese spy chips made it into servers sold by California-based Super Micro is “simply wrong,” Apple said in a letter sent on Monday to Congress.
The tech giant has denied claims that its servers were compromised and noted that its internal investigations have not found any evidence to support the Bloomberg report. The company also pointed out that some of the allegations from the article are based on a single anonymous source.
“While the story was being reported, we spoke with Bloomberg’s reporters and editors and answered any and all of their questions. We methodically dispelled the often-shifting nature of their claims. While we repeatedly asked them to share specific details about the alleged malicious chips that they seemed certain existed, they were unwilling or unable to provide anything more than vague secondhand accounts,” wrote George Stathakopoulos, Apple’s VP for information security.
“We were struck by the fact that the gravity and magnitude of the claims seemed to be undermined by their uncertainty around key details. Nevertheless, we worked tirelessly to ascertain whether these claims were true or, failing that, if anything even like them were true,” he added.
Apple has denied finding any malicious chips or hardware manipulations, or contacting the FBI regarding such concerns, as claimed by Bloomberg.
The article describing the Chinese spy chips said the compromised devices were making outbound connections, and Apple is confident that its security systems would have detected this type of traffic.
According to Bloomberg, the Chinese government planted tiny chips in Supermicro motherboards in an effort to spy on more than 30 organizations, including government agencies and tech giants such as Apple and Amazon.
The report, based on information from 17 sources, claims that Chinese agents masquerading as government or Super Micro employees pressured or bribed managers at the Chinese factories where the motherboards are built. Once the chips were planted, they would allow attackers to remotely access the compromised devices.
Amazon and Super Micro have also strongly denied the claims, and their statements have been backed up by security agencies in the United States and the United Kingdom.