The letter from Senator Marco Rubio and Senator Richard Blumenthal expresses concern about the potential tampering of computer hardware produced by Supermicro, reports Business Insider, allegedly as part of a sophisticated espionage scheme by the Chinese government.
The Bloomberg report from which the allegations stem claimed that tiny chips were planted on motherboards to provide backdoors for Chinese operatives, granting access to data without the need for a more traditional, short-term hack.
“If this news report is accurate, the potential infiltration of Chinese backdoors could provide a foothold for adversaries and competitors to engage in commercial espionage and launch destructive cyber attacks,” the letter states. “As Members of Congress, we are alarmed by any potential threats to national security and have a responsibility to ensure our nation’s sensitive networks are kept safe.”
The letter lays out eight areas of questions to which the Senators ask Supermicro to respond by October 17.
The list starts by asking when Supermicro became aware of reports regarding malicious hardware and firmware, and whether the company ever found tampering with components in its products. It also asks whether an investigation of the supply chain has been conducted to identify any tampering, and whether the company has severed ties with any firms that performed such actions.
Referring to a February 2017 report by The Information that Apple had discovered compromised firmware, the letter asks whether Supermicro conducted an investigation of its supply chain at that time and, if so, what was discovered. Supermicro’s cooperation with U.S. law enforcement over the reports is also questioned, along with whether screening measures and supply chain audits have been put in place.
More directly, it is also asked if the Chinese government has “ever requested access to Supermicro’s confidential security information or sought to restrict information regarding the security of Supermicro’s products?”
The Bloomberg report’s allegations have received considerable scrutiny regarding how genuine the report really is. Shortly after its release, companies such as Apple and Amazon named in the report issued strong denials about its content, including one from Apple characterizing the story as “wrong and misinformed.”
Apple has also performed a “massive, granular, and siloed investigation” into claims raised in the report, but did not discover any evidence of hardware tampering, or any unrelated incidents that could have contributed to the report’s claims. Apple has already contacted the U.S. Congress, insisting there is a lack of evidence.
The UK National Cyber Security Centre and the U.S. Department of Homeland Security have both cast doubt on the report. Other U.S. officials are also uncertain of its accuracy, with one official changing their stance after initially asserting that the “thrust of the article” was true.
One of the few named sources in the original report has also voiced doubts about the story’s veracity, describing his dealings with journalist Jordan Robertson, one of the Bloomberg report’s authors. Security researcher Joe Fitzpatrick said on Monday that he had discussed proof-of-concept devices he had demonstrated at Black Hat 2016, but found it strange that ideas he had mentioned were then confirmed to the publication by other sources.
Bloomberg has since doubled down on its reporting, referencing comments made by a security researcher that similar tampering occurred with Supermicro hardware located at a data center owned by a major U.S. telecommunications company.