Amazon Emphatically Denies Reports of Alleged Chinese Hardware Hacking

In a bombshell report published this morning by Bloomberg, reporters Jordan Robertson and Michael Riley tell the story of hacked motherboards making their way into servers used by Amazon, Apple, and hundreds of other customers of motherboard supplier Supermicro.

Essentially, the report claims that agents of the Chinese government bribed and threatened managers at factories run by Supermicro subcontractors in China into allowing them to insert malicious chips onto the motherboards, which would then provide a beachhead for infiltrating the networks of Supermicro customers.

From Bloomberg:

In 2015, Amazon.com Inc. began quietly evaluating a startup called Elemental Technologies, a potential acquisition to help with a major expansion of its streaming video service, known today as Amazon Prime Video… In late spring of 2015, Elemental’s staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says.

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China…which by some estimates makes 75 percent of the world’s mobile phones and 90 percent of its PCs.

Still, to actually accomplish a seeding attack would mean developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location—a feat akin to throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle. “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” says Joe Grand, a hardware hacker and the founder of Grand Idea Studio Inc. “Hardware is just so far off the radar, it’s almost treated like black magic.”

But that’s just what U.S. investigators found: The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.

Today, Amazon published the following emphatic denial:

Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region.

As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.

There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here…

Amazon employs stringent security standards across our supply chain – investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners. We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment.

Security will always be our top priority. AWS is trusted by many of the world’s most risk-sensitive organizations precisely because we have demonstrated this unwavering commitment to putting their security above all else. We are constantly vigilant about potential threats to our customers, and we take swift and decisive action to address them whenever they are identified.

Apple has issued its own denial as well.

The Bloomberg article goes on:

The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information.

One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen.

The ramifications of the attack continue to play out. The Trump administration has made computer and networking hardware, including motherboards, a focus of its latest round of trade sanctions against China, and White House officials have made it clear they think companies will begin shifting their supply chains to other countries as a result. Such a shift might assuage officials who have been warning for years about the security of the supply chain—even though they’ve never disclosed a major reason for their concerns.

How believable is this story? Some possible scenarios:

  1. If it is false, one possibility from a political perspective is that this story was manufactured by someone in the Trump administration or who is otherwise motivated to advance US protectionist trade policies. This story increases FUD regarding essentially all modern technology infrastructure. However, such an effort would seemingly have required at least somewhat coordinated work by the “17” sources Bloomberg cited.
  2. If it is true, then why/how could Amazon and Apple plainly deny it? Unless there are logical exemptions in their denials due to intentionally specific choices of language, one possibility is that the PR staff responsible for issuing these denials are not in the loop on what happened. How could that be the case? I don’t know, unless this response is somehow being coordinated at very high levels due to overriding national security concerns.

It seems, at least, unusual to have such a seemingly deeply-reported story from a reputable publication be so flatly denied by Amazon and Apple. There are surely many questions unanswered by the public statements of those involved. Because this is a potential matter of national security, the completeness of information available to the public is likely to be low.

We will follow up if/as additional information comes forth.

Amazon Raises Minimum Wage for all US Employees to $15/Hour, UK as Well

In a move that will affect over 350,000 employees, Amazon announced today that it is increasing its minimum wage to $15 per hour for all US employees, effective November 1. The new rate applies to full-time, part-time, temporary, and seasonal employees.

Amazon says the change “will benefit more than 250,000 Amazon employees, as well as over 100,000 seasonal employees who will be hired at Amazon sites across the country this holiday.” It will also apply to Whole Foods employees.

“We listened to our critics, thought hard about what we wanted to do, and decided we want to lead,” said Jeff Bezos, Amazon Founder and CEO. “We’re excited about this change and encourage our competitors and other large employers to join us.”

Amazon also said it would “begin advocating for an increase in the federal minimum wage.”

“We will be working to gain Congressional support for an increase in the federal minimum wage. The current rate of $7.25 was set nearly a decade ago,” said Jay Carney, SVP of Amazon Global Corporate Affairs and former press secretary for President Obama.

Amazon said in its most recent annual report that its median employee compensation was $28,446 in 2017. Walmart announced in January that it was raising its minimum wage for US employees to $11 per hour.

Amazon also said it will phase out Restricted Stock Unit (RSU) compensation for hourly fulfillment and customer service employees. “They prefer the predictability and immediacy of cash to RSUs,” Amazon says. “The net effect of this change and the new higher cash compensation is significantly more total compensation for employees, without any vesting requirements, and with more predictability.”

Amazon has come under increased criticism for its pay disparity this year. Last month, Senator Bernie Sanders of Vermont introduced legislation called the Stop BEZOS Act that would tax corporations commensurate with the amount of government benefits their low-wage employees receive. Today, Sanders commended Amazon on its move.

“What Mr. Bezos has done today is not only enormously important for Amazon’s hundreds of thousands of employees, it could well be a shot heard around the world. I urge corporate leaders around the country to follow Mr. Bezos’ lead,” Sanders tweeted.

President Trump has also criticized Amazon on a number of fronts this year. In March, he accused Amazon of “putting many thousands of retailers out of business” and of receiving unfair tax treatment. In July 2017, he called Amazon a “monopoly.” However, Trump’s Amazon criticisms have not included commentary on the company’s hourly wages.

Amazon also announced today that it is increasing minimum wages paid to its UK employees. Starting November 1, minimum wages will increase to £10.50 ($13.59) per hour for all employees in the London area and £9.50/hour for staff in all other parts of the country.

Amazon has over 17,000 employees in Britain and plans to hire more than 20,000 seasonal employees for the holiday.

Amazon said the impact of the higher compensation on its financial reports will be reflected in its quarterly guidance.

EU Announces It Is Researching Amazon’s Relationship with Its Merchants

One growing narrative around potentially increased regulatory oversight of Amazon concerns how it relates to merchants: in particular, what insights it gleans from how customers interact with merchants on its platform, how it applies those insights to its own strategy (private label and otherwise), and how it does or does not share data back with merchants.

Along those lines, EU Competition Commissioner Margrethe Vestager, who was recently responsible for imposing a USD $5 billion fine on Google for Android violations, yesterday announced that she is researching Amazon’s practices in these areas. Per Quartz:

On Wednesday (Sept. 19), Vestager announced that she had started sending questionnaires to merchants who sell on Amazon, a first step toward ascertaining how the company uses the data it collects from those merchants. Specifically, she will be trying to find out if Amazon uses data from its third-party sellers to give itself an unfair advantage when competing against them in selling its own products.

“These are very early days and we haven’t formally opened a case,” Vestager said. “We are trying to make sure that we get the full picture… because this is also what a lot of people are talking about right now.” Amazon’s dual role as the world’s biggest online platform for third-party sellers and a retailer itself merits examination, according to the antitrust chief.

Vestager and the EU have the authority to levy substantial fines (up to 10% of revenue) on companies that they deem in violation of antitrust rules. In the case of Amazon, that would mean a substantial amount. We’ll keep tracking the EU’s investigation here on TJI.

One Reason Why Amazon’s HQ2 Announcement Could Come After November 6

There has been much speculation about when exactly Amazon will announce its HQ2 location before the end of the year. There’s one good reason why that announcement won’t happen until after November 6: Amazon’s lobbying efforts.

With Amazon lobbying various state and federal officials on various fronts – from the DoD AWS contract to the number of pharmacists it will need to employ, as this BizJournals note mentions – the company may not want to tip its hand too early and risk alienating certain politicians prior to election day.

Amazon Storefronts is a Sign of the Political Times

This morning, Amazon announced Amazon Storefronts, which Amazon describes as “a curated collection of over one million products, and deals from nearly 20,000 U.S. small and medium-sized businesses.” Amazon adds, “To support the launch of the new store, Amazon is unveiling its first-ever national TV commercial featuring real businesses that sell on Amazon.”

What Amazon has built:

  • A hub page on Amazon.com featuring curated items from American SMBs
  • A TV commercial

What’s unclear:

  • How much traffic Amazon will drive to the Storefronts hub page, and thus how much American SMBs will directly benefit from this effort
  • How much awareness Amazon will buy/create with its TV spot (and if Amazon will target certain states/markets with their media buys)

Context:

  • In the US, President Trump has espoused protectionist trade policies since taking office.
  • President Trump has also accused Amazon of “putting many thousands of retailers out of business” and of receiving unfair tax treatment. Trump has also called Amazon a “monopoly.”
  • Amazon says today, “Half the items sold on Amazon are from small and medium-sized businesses” (though Amazon does not say how many of those SMBs are US-based).
  • Earlier this year, Amazon released a “Small Business Impact Report” claiming that 1 million US SMBs sell on Amazon.

Bottom line:

  • Amazon wants to remind US politicians how many American SMBs benefit from the Amazon marketplace, while also attracting more SMBs to its platform and providing customers looking to buy American products a curated hub. However, it remains to be seen how much traffic Amazon will drive to the Storefronts hub.