Counterfeit Chips Raise New Terror, Hacking Fears

mattnyc99 writes "We've seen overtures by computer manufacturers to build in chip security before, but now Popular Mechanics takes a long look at growing worries over counterfeit chips, from the military and FAA to the Department of Energy and top universities. While there's still never been a fake-chip sabotage or info hack on America by foreign countries or rogue groups, this article suggests just how easy it would be for chips embedded with time-release cripple coding to steal data or bring down a critical network - and how that's got Homeland shaking in its boots (but not Bruce Schneier). While PopMech has an accompanying story on the possible end of cheap gadget manufacturing in China as inflation rates soar there, it's the global hardware business in general that has DoD officials freaking out over chips."

The Counterfeit Bolt Problem

[MichaelCrawford]

There's been a problem for many years, in which bolts whose heads are marked to indicate that they are high-strength, are actually made from cheaper low-grade steel, and are therefor counterfeit.

A construction worker was killed while torguing such a bolt while building the Saturn car factory. The head tore off and he fell to his death.

In the same article where I read this, a general complained that you could find broken bolts littering the ground in the path of tanks on training maneuvers.

There is a way to test bolts for strength, but it's expensive.

TFA

[The Living Fractal]

I didn't read TFA but is it suggesting that a highly advanced technology could be 'easily' counterfeited and delievered to US facilities? Assuming it would take another highly advanced country to do this... Doesn't this really mean war, not terror? If we find out a sovereign nation is attacking us through this channel I would call it war -- even if that means they are knowningly supplying terrorists with the chips instead of directly doing it themselves.

The US DoD depending on the global hardware business is the scariest implication to me.

And one more thing.. this almost sounds like it could be a back door for even stronger DRM technology, embedded in hardware, in our personal computers in the future. SO, how far off base am I this time?

Re:The Counterfeit Bolt Problem

[0100010001010011]

Expensive? We did this in lab in engineering. You pull on the bolt until it fails. If I was building something I'd test one out of every 100. Just grab a random one and test it. If it fails way early put the entire shipment into hold.

Re:TFA

[Arioch5]

Being that I work for an engineering company which almost exclusively works on DoD contracts (or sub contracts). I can tell you first hand that DoD material does depend on global hardware companies. Almost any type of chip out there has a military rated version available. Heck there's even a term Military COTS (Military Commercial Off The Shelf), for items that are specifically designed for military use using readily available off the shelf parts. What I would ask you is how could you possibly expect the US DOD to actually design and manufacture the vast array of chips that are currently available on the commercial market? Could you imagine the cost involved in re-designing every commercial chip and supplying it locally here in the US? In the end the only way anyone could afford to produce military grade products is to design with commercial and Industrial parts as much as possible supplementing with Military grade where necessary. In the end, everything has to be certified to meet very strict military standards. Of course, I'm speaking in generalizations here. There are I'm sure some products that are very custom to the level of having almost no commercial/industrial parts. But I dobut you could find anything that didn't at least contain commercial/industrial passive parts (ie. resistors).

It would be so easy to put a back door into AMT

[Animats]

The easy way to attack remote systems at the hardware level would be to preload a back-door key into Active Management Technology. [wikipedia.org] All the hardware is already there to remote control the computer, without any help from the operating system. By default, this feature is supposed to be disabled. But a minor firmware change, initializing the AMT unit with a second hidden key instead of leaving it disabled, would make it possible to take over any corrupted machine from a level below the OS.

AMT is the latest form of this, but there's also ASF (AMD's version), and RCMP (works over UDP, while AMT is a web service).

This is tough to detect, short of cutting open the network controller chip and tracing the wiring with a scanning electron microscope. That's quite possible and tools for it exist, but it's not cheap.

Re:TFA

[VValdo]

Doesn't this really mean war, not terror?

I think it would depend on the context. From TFA:

However, not all experts agree that the risk is severe. After all, there's never been a report of a foreign country or criminal outfit using such technology to steal information or commit sabotage. (The United States did successfully conduct such a mission against the Soviet Union during the Cold War.)

If I'm not mistaken, the mission they are referring to [msn.com] was in 1982, when the US let the Soviet Union "steal" software that helped run a natural gas pipeline. The Russians were in the habit of stealing US technology, so the US secretly embedded the software with code that would- when run- cause the pressure in the pipes and pumps to go sky-high.

The result:

"The result was the most monumental non-nuclear explosion and fire ever seen from space."

Was this an act of war? Not really, since the code was stolen. Maybe sabotage. Terrorism? No, but it probably sent a message to the Kremlin that stealing foreign technology may not be a good idea...

W

Already been done, but it's difficult

[smellsofbikes]

In the early 1980's, the US produced intermittently buggy chips which we sold to the USSR in full knowledge that they'd disrupt production facilities. It worked very well. [nytimes.com] Why, then, wouldn't China do the same thing?

As someone who works in chip verification, I can tell you it's very difficult with most chips to do this, as long as the chips are designed in the US -- which is still largely the case, that they're designed here and produced in fabs in China (because labor's cheap and they don't care if their workers are exposed to HF and silane as long as money's coming in.)
You know *exactly* what size your chip die is. If the silicon comes back from the fab with a different-sized die, it will be very obvious. So nobody can put extra stuff onto an existing die. Die size is the single most critical aspect of most designs, because of the cost, so existing designs are jammed just as tightly as they can possibly be. You can't put more functionality into an existing die size. The problem, then, is letting your design out. (And even then, a competent chip designer could probably spot strange material on a smaller die because they're familiar with how the layout is supposed to look.)
There are some amazing military-grade chips out there. I was reading about the Maxim DS3600 [maxim-ic.com] the other day -- on-chip encryption and tamper-sensing, including detecting temperature changes and reacting by blanking all the on-board memory and stored encryption keys in nanoseconds, far faster than dumping liquid helium onto the chip would be able to freeze the memory for decoding. (They use some whack process for continually load-levelling and rewriting the keys so you can't use stored oxide charge to read what was there before it got blanked, either.) That kind of stuff is on the common market, available for anyone to buy. I assume the military has better stuff yet, and espionage people even better.
At the end of the day you have to be able to trust someone or you'll just crouch in your basement. But there are ways to verify a chip's functionality and look for clearly bogus interactions. Our chip test systems make it easy to distinguish chips from different silicon lots, much less from different fabs. As always, if you buy the cheap stuff you don't know what you're getting, but if you spend the money to do some research, you'll have a much, much better idea of what you're getting. In this case, money in the millions of dollars, granted, but if you're designing military-grade stuff, well, that's why you buy from companies with a track record of producing trustworthy stuff.

Re:TFA

[omegashenron]

The NSA fabs its own processors at Fort Meade.

Most of these other chips are general purpose and used in a wide range of commercial applications. The idea in investing in the additional infrastructure to produce components locally will mean more foreign debt for US, increased taxes and would probably fail in the long run since licensing costs of all the various chips out there used in defence/aerospace would kill you if your only serving the military (commercial organisations wont buy if they can source it cheaper elsewhere).

Anyway, look at it this way, if there are security implications, the Government will dedicate resources to improving security and privacy which in turn may inhibit their ability to spy on citizens.

Re:The Counterfeit Bolt Problem

[ediron2]

seriously, since this sounds wrong (several ways), where do you say you read this and when?

I've spent ten minutes googling combinations of bolt, shear, torque, substandard, high-strength, fell, factory, saturn, construction, osha, death, died, fall-hazard, snopes, urban-legend and a dozen other word combinations... no sign of this in or out of snopes.

Testing precisely is expensive. Testing within an order of magnitude isn't: twist until the bolt-head shears. As for low-grade metal being substituted in, I know a few pipefitters that can do a so-so job identifying metal composition by looking at how the metal grinds and the color of the sparks coming off the grinder.

Re:The Counterfeit Bolt Problem

[whitehatlurker]

This [saftek.com] seems to corroborate the original story. I am sceptical as well, and would like to see more independent confirmation. Search [google.com]

24 years on...

[lazy_nihilist]

http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com] still holds true.

Re:So maybe there is a market...

[SlashWombat]

The only counterfeit chips I have seen came from the "grey" market. The original manufacturer had obsoleted the device (an operational amplifier) but the project had been so long in development it was impractical to re-engineer a fully qualified design to use more modern parts. (Medical equipment takes a long time to get through all the relevant testing to ensure compliance!)

So, the use of one of the many obsolete parts vendors (companies that specialise in the supply of older parts, often bought as excess stock from other companies clearing their warehouses).

It goes without saying that many of these companies are based in Asia/China/Taiwan/Hong Kong. Anyway, many of these companies will attempt to source particular chips on request. Some requests are farmed out to a multitude of different third parties. ... In this case, a vedor replied to the request, saying they could supply x thousand of the devices in question.

When the devices arrived, they were inserted into the required location on the pcb ... but boards would not pass final test. Chips had correct looking branding, but further checking showed that the faults were all due to these amps. Original manufacturer was supplied with samples and the result was it was a rebranded "generic" OpAmp.

This is really only made possible because many opamps have the same pin outs. However, specifications vary between different types (IE: offset voltage, noise, gain, CMRR, bandwidth, etc)