Super Micro Computer says it will review its motherboards for any proof of malicious chips as alleged in a recent media report.
"Despite the lack of any proof that a malicious hardware chip exists, we are undertaking a complicated and time-consuming review to further address the article," the server and storage manufacturer said in a letter to its customers, dated Oct. 18.
A Bloomberg report on Oct. 4 cited 17 unidentified sources from intelligence agencies and businesses that claimed Chinese spies had placed computer chips inside equipment used by about 30 companies, including Apple Inc and Amazon.com Inc and multiple U.S. government agencies, which would give Beijing secret access to internal networks.
Super Micro denied the allegations made in the report.
The company said the design complexity makes it practically impossible to insert a functional, unauthorized component onto a motherboard without it being caught by the checks in its manufacturing and assembly process.
It is entirely plausible that a malicious chip can be placed on a motherboard but it will be at a very high cost, and the risk of detection increases with every such chip in the field, said Jake Williams, a former National Security Agency analyst and founder of the cyber security firm Rendition Infosec.
"This technique would only be used for high value targets that couldn't be easily compromised via another attack vector," Williams said.
The Bloomberg report also said Apple in 2015 had found malicious chips on Super Micro motherboards and added that Amazon uncovered such chips the same year while examining servers made by Elemental Technologies, which Amazon eventually acquired.
Both Apple and Amazon have denied the allegations. Apple CEO Tim Cook told online news website BuzzFeed that Bloomberg should retract the story.
Amazon Web Services CEO Andy Jassy also joined Cook in asking Bloomberg to retract the report.
"Bloomberg story is wrong about Amazon, too ... Reporters got played or took liberties. Bloomberg should retract," Jassy said in a tweet.
Bloomberg had previously said it stood by its report and was confident of its reporting, which was conducted for more than a year.
Security experts as well as the U.S. and U.K. authorities have said they had no knowledge of the attacks.
(Reporting by Sonam Rai in Bengaluru; Editing by Arun Koyyur and Anil D'Silva)