A major US telecom company found manipulated hardware on its network and removed it in August, according at report by Bloomberg on Tuesday.
An “implant” built into the Ethernet connector on a Supermicro server was discovered during an inspection of the telecommunications company’s data centers, according to the report. The report said the manipulated hardware was discovered after “unusual communications” from the Supermicro server prompted a physical inspection.
The chip was reportedly uncovered by security expert Yossi Appleboum, who was hired by the telecommunications company. Appleboum provided documents, analysis and other evidence of the manipulated hardware, according to Bloomberg, which didn’t publish the documents with the article.
The Bloomberg story doesn’t identify the telecommunications company “due to Appleboum’s nondisclosure agreement with the client.”
Appleboum didn’t immediately respond to a request for comment.
Techhnews reached out to major US telecommunications companies for comment on the report. T-Mobile, Sprint, AT&T said they weren’t the company described in the Bloomberg story. Verizon didn’t respond to a request for comment but is quoted by Bloomberg as saying, “We’re not affected.”
The report of the compromised server follows a Bloomberg investigation last week that said Chinese surveillance microchips had been inserted into Supermicro hardware used at Apple and Amazon data centers in order to gather intellectual property and trade secrets. Both Apple and Amazon strongly disputed the report, which cited anonymous government and corporate sources.
On Monday, Apple sent a letter to Congress reiterating its denial of Bloomberg’s report, saying it “has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
The hacked hardware found on the telecom company’s server is further evidence of “tampering in China of critical technology components bound for the US,” according to Bloomberg.
Supermicro, which denied the earlier report, said it’s seen no evidence of unauthorized components in its products. The company’s full name is Super Micro Computer, but it is commonly referred to as Supermicro.
“The security of our customers and the integrity of our products are core to our business and our company values,” said a representative for Supermicro in an emailed statement. “We take care to secure the integrity of our products throughout the manufacturing process and follow rigorous industry quality and security standards. With respect to the recent media reports, we have seen no evidence of any unauthorized components in our products, no government agency has informed us that they have found unauthorized components on our boards, and no customer has reported finding any such unauthorized components.”
Yossi told Bloomberg he’s seen similar manipulations in other vendors’ hardware made by contractors in China. He also told Bloomberg there are countless points in the supply chain in China where hacked hardware can be introduced.
Techhnews’s Alfred Ng and Gordon Gottsegen contributed to this report.
First published Oct. 9, 9:11 a.m. PT.
Update, 1:24 p.m.: Adds comment from Supermicro.