Engineers at Apple have told Congress they have found no evidence of tampering with their servers purchased from Super Micro that would allow China to intercept data.
It follows the company's strong denial last week in response to a Bloomberg BusinessWeek story that circuit boards in the servers, obtained through a Chinese subcontractor, contained a tiny microchip giving the Chinese government access to data residing on the servers.
Reuters reports it obtained copies of letters Apple Vice President for Information Security George Stathakopoulos wrote to the House and Senate committees on commerce. Both panels have said they planned to investigate the claims in the Bloomberg reports.
In the letter, Stathakopoulos said the claim had been thoroughly investigated, both before and after the article appeared. Reuters quotes the Apple executive as telling the committees that “Apple’s proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found.”
Offers to brief committees
Stathakopoulos said he would be in Washington this week and offered to brief the staff of the committees on Apple's findings. At the time Bloomberg published its claims, Apple and Amazon both vigorously denied their servers had been compromised.
Apple said it was "deeply disappointed" that the Bloomberg reporters working on the story did not appear to consider the possibility their sources were wrong.
"Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs," the company said in the statement. "That one-time event was determined to be accidental and not a targeted attack against Apple."
Amazon was also adamant in its denial. In a statement, the company said that it had “found no evidence to support claims of malicious chips or hardware modifications."
At the end of last week, Bloomberg said it stood by the substance of its story. It said the claim that a Chinese government entity had inserted a "bug" into a component widely used in servers was based on interviews with 17 anonymous sources.