TAIPEI/PALO ALTO, U.S. -- The data center industry was on high alert on Friday over vulnerabilities in a supply chain spanning the Pacific Ocean after allegations that Chinese spies had placed malicious microchips in equipment used by about 30 companies and U.S. government agencies.
Apple and Amazon.com on Friday strongly rejected claims, reported by Bloomberg Businessweek on Thursday, that their data center equipment had been compromised by spy chips placed in the motherboards of servers provided by California-based Super Micro Computer, the world's leading server maker. Supermicro also denied the allegations.
Nevertheless, industry executives warned that the report had revealed grave vulnerabilities in server equipment building processes, triggering concern over information security at Chinese manufacturing sites.
The accusation that the Chinese military had infiltrated Supermicro's supply chain to spy on companies and government agencies comes as tensions escalate between Washington and Beijing over trade and technology. The report raises the possibility that compromised servers have been supplied to sensitive areas of the U.S. government like the Department of Defense and the Central Intelligence Agency.
U.S. Vice President Mike Pence on Thursday accused China of meddling in American elections and claimed the Chinese Communist Party was using a variety of tactics to spread its influence inside the U.S. and around the world.
The contract manufacturers behind the Supermicro's server motherboards are Universal Scientific Industrial -- a unit of ASE Industrial Holding, the world's biggest chip-packaging company -- Wistron, and Orient Semiconductor Electronics. They are all Taiwanese but have extensive manufacturing sites in mainland China.
An ASE spokesperson said his company was still looking into whether any of its shipped products was involved. Wistron declined to comment but confirmed that Supermicro is one of its key customers. Orient was not immediately available for comment. Suppliers of Apple and Supermicro across Asia saw a broad decline in their shares on Friday. Shares of Wistron fell more than 4%, while ASE Industrial Holding declined more than 3%.
Shares in Apple were down in U.S. trading on Friday, while Amazon was little changed.
One executive from Taiwan's Quanta Computer, a data center server builder for Google, Facebook, Amazon, warned that the complexity of the manufacturing process for motherboards posed a potential risk.
"The motherboards for servers are so complicated and have so many layers," he told the Nikkei Asian Review. "They need thousands of components to be mounted. It could go wrong if the management is not well-supervised."
"Research engineers, project managers, quality assurance staff, and production engineers could issue so many engineering change notices during the manufacturing processes" that malicious changes might go undetected. These changes could be any tiny tweak to the design and layout of the motherboard, he added. But the executive said that Quanta has standard procedures to make sure all the changes are monitored by supervisors and auditors from its clients.
Given the complexity, it would be challenging to trace all the subcontractors to find out whether anyone had attempted to implant an extra malicious chip component on the motherboard, said another expert.
One executive familiar with the server building process told Nikkei that the most vulnerable part of the whole manufacturing process was the exchange between makers of the printed circuit board -- the panel on which all the electronic components including various chips are mounted -- and providers of surface mount technology.
It is also possible that a malicious chip could be hidden in the inner layer of printed circuit boards during their manufacture as some advanced boards already come with embedded capacitors, resistors and even antenna before other components are mounted, another supply chain management engineer said.
Some contract manufacturers outsource and send motherboard layouts and design to printed circuit board makers. These then ask surface mount technology providers to mount chips and all the electronic components onto the board. The board is then sent back to contract manufacturers for final assembly. "It's possible that someone could add one tiny component onto the printed circuit board without being noticed or detected," the person said.
Bob Hung, general manager of information security company Trend Micro in Taiwan and Hong Kong, said a growing number of industry executives have become alert to potential vulnerabilities and hardware hacks, in addition to the risks of software, which has so far been the main target of hackers. Unlike software hacking, which can be countered by updates, hardware components cannot be easily replaced and can be difficult to detect, market watchers say.
According to the Bloomberg Business report, some of the American companies reported the discovery of the malicious chips to U.S. intelligence authorities and are cooperating with the investigation. Bloomberg said the story is based on extensive interviews with government and corporate sources.
The Bloomberg report alleges that tiny microchips, about the size of a pencil tip, were found embedded in server motherboards manufactured by Supermicro, headquartered in San Jose, California.
The allegations could spur companies, already under pressure from the escalating Washington-Beijing trade war, to consider moving production out of China. Many manufacturers are already initiating contingency plans. Networking equipment, servers, and motherboards have been hit by U.S. President Donald Trump's 10% tariffs on $200 billion worth of Chinese goods that took effect on Sept. 24.
Wistron earlier this month said it was assessing whether it would move server motherboard production to the Philippines. Quanta Computer, whose cloud-computing business competes against Supermicro, said it had started to allocate more production at its existing facilities in the U.S. and Europe. Quanta Computer has server production lines in Nashville, Tennessee, and Fremont, California, and Germany.
Inventec, a supplier to PC makers Dell and HP, also expanded its capacity for motherboards used in servers in its Taiwan facility to counter the additional tariffs risks.