Supermicro: We told you the tampering claims were false

Computer manufacturer Supermicro is still trying to lay to rest reports that the Chinese government tampered with its equipment to spy on Western cloud users. The San Jose-based company published a letter this week claiming that independent tests had cleared its equipment of any compromise.

Supermicro sells data centre computers to Western customers using components made by contractors in China. It has spent the last two months denying that Chinese subcontractors have been secretly embedding microscopic chips onto its motherboards that enable it to remotely control the computers’ operating systems and watch what they’re doing.

In the letter, posted on the company’s website, president and CEO Charles Liang along with two senior vice presidents said that the company had completed an independent audit to look for malicious hardware on its motherboards. It found nothing, it said:

Because the security and integrity of our products is our highest priority, we undertook a thorough investigation with the assistance of a leading, third-party investigations firm. A representative sample of our motherboards was tested, including the specific type of motherboard depicted in the article and motherboards purchased by companies referenced in the article, as well as more recently manufactured motherboards.

This latest missive follows a letter to customers issued on 18 October 2018 that condemned a story published by Bloomberg on 4 October 2018. The story claimed that the Chinese government had coerced contractors to implant tiny monitoring devices on motherboards sold to Supermicro.

Apple and Amazon, which Bloomberg said knew about the compromised motherboards, both denied the tampering claims along with the manufacturer shortly after the story was published. Bloomberg didn’t back down, though. The company claimed in a story on 9 October 2018 that a security expert, Yossi Applebaum, had discovered embedded monitoring devices in the ethernet connectors on Supermicro motherboards sold to a major US telco. However, in neither story did it publish hard evidence such as photos or analysis data to support its claims.

Mind you, Supermicro didn’t publish the evidence in this latest report either, which Reuters says was conducted by investigations and cybersecurity forensics firm Nardello & Co. Supermicro said:

Today, we want to share with you the results of this testing: After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards.

Why would Supermicro keep flogging this horse rather than letting the story silently die? Its share price might have something to do with it. It dropped from $21.40 to $12.60 on the day that the Bloomberg story broke, and has only just broken $16. The question is whether this new report will do anything to boost its fortunes or whether it will spark controversy all over again.