Security Businesses Hardware Technology

Counterfeit Chips Raise New Terror, Hacking Fears 173

mattnyc99 writes "We've seen overtures by computer manufacturers to build in chip security before, but now Popular Mechanics takes a long look at growing worries over counterfeit chips, from the military and FAA to the Department of Energy and top universities. While there's still never been a fake-chip sabotage or info hack on America by foreign countries or rogue groups, this article suggests just how easy it would be for chips embedded with time-release cripple coding to steal data or bring down a critical network - and how that's got Homeland shaking in its boots (but not Bruce Schneier). While PopMech has an accompanying story on the possible end of cheap gadget manufacturing in China as inflation rates soar there, it's the global hardware business in general that has DoD officials freaking out over chips."
This discussion has been archived. No new comments can be posted.

  • ARRRGH! TERROR! (Score:5, Insightful)

    by Jeremiah Cornelius ( 137 ) * on Monday March 10, 2008 @04:05PM (#22706988) Homepage Journal
    EVERYTHING is now a "terror threat".

    Do you suppose someone figured out that "terror" is a funding goldmine? That the way to ride this gravy-train was to pump up the volume on the "terror" megaphone?

    It's pretty funny - 'til the unintended consequences land you "in internal exile", or "extraordinary rendition".
  • by Jeremi ( 14640 ) on Monday March 10, 2008 @04:11PM (#22707124) Homepage
    Counterfeit Chips Raise New Terror, Hacking Fears


    Indeed... the "War on Terror" is nothing more than various groups of people trying to use terror to "hack our fears". The terrorists try to hack our fears to gain power over us, and the governments fighting them do the same.

  • Five Words (Score:5, Insightful)

    by sharp-bang ( 311928 ) <{sharp.bang.slashdot} {at} {gmail.com}> on Monday March 10, 2008 @04:12PM (#22707136) Homepage
    You get what you pay for.

    If you don't want counterfeit parts, pay for the appropriate controls and enforce them. The government has been trying to build government-class security and reliability on COTS technology for far too long.

    If that means domestic production, so be it.
  • Re:TFA (Score:5, Insightful)

    by zappepcs ( 820751 ) on Monday March 10, 2008 @04:16PM (#22707186) Journal
    I think you are pretty much right on target. An errant USB stick with malicious firmware could easily wait until it is plugged into a machine on a network with the desired domain name before releasing a small virus. It is not implausible, nor hard to understand this attack vector. That USB stick might be in the form of a cheap MP3 player.

    Without spraying details all over, there are many more ways to get a small piece of code inside a very secure facility, after which it's game on for the IDS system.

    Even if nothing is found in the wild like this, fear of it might indeed push DRM et al into all manner of devices.

    On the short list: Secure facilities should not be allowing electronic devices into their facilities. period. if they want to stay secure. No DRM should be trusted to fully do this job in such instances of security like are required for the Pentagon, military bases etc.

    Adding DRM to commercial and personal use devices will NOT... repeat NOT increase security.
  • by alextheseal ( 653421 ) on Monday March 10, 2008 @04:19PM (#22707228)
    Maybe if these parts are so critical we should keep the manufacturing in the US?
  • by multisync ( 218450 ) on Monday March 10, 2008 @04:22PM (#22707274) Journal

    A construction worker was killed while torquing such a bolt while building the Saturn car factory. The head tore off and he fell to his death.


    Where the hell was this plant being built? That worker should have been wearing fall protection.
  • by Anonymous Coward on Monday March 10, 2008 @04:24PM (#22707290)
    ... if you can't do that, there is always the old adage:

    "If you want something done right, you have to do it yourself."

    At some point, there is a diminishing return on security. If Chinese sabotage chips report my high score at Super Mario Galaxy back to home base .. I don't really care.

    For people who need to protect their secret identity, well, WTF are we paying billions upon billions of dollars to the DoD for anyway? Build a chip fabrication plant.

  • Re:ARRRGH! TERROR! (Score:5, Insightful)

    by corsec67 ( 627446 ) on Monday March 10, 2008 @04:24PM (#22707310) Homepage Journal
    Just like how "think of the children" is a useful phrase for fucking over the American people's rights.

    "Free speech" - "Think of the children", by the FCC
    "Marijuana/drugs" - "Think of the children", by the DOJ

    So, combine "think of the children" and "terrorists", and the Constitution becomes irrelevant.
  • by Jeremiah Cornelius ( 137 ) * on Monday March 10, 2008 @04:25PM (#22707314) Homepage Journal
    There is a way to test bolts for strength, but it's expensive.

    More expensive than wrongful-death compensation? Someone must have amortized this.
  • Re:TFA (Score:3, Insightful)

    by Broken scope ( 973885 ) on Monday March 10, 2008 @04:28PM (#22707368) Homepage
    The government could also only buy components made in the United States. Or at least the critical ones.
  • More Word Games (Score:2, Insightful)

    by joebob2000 ( 840395 ) on Monday March 10, 2008 @04:30PM (#22707394)

    Define Counterfeit

    Isn't this hashing over the same deal where the "counterfeit" parts were really just unauthorized copies of a good board? How is it "Anti-Terrorism" to terrify the crap out of unsuspecting people with far-fetched hypotheticals?

    Articles like: "The danger of installing foreign designed, foreign made black boxes in our infrastructure" just sounds obvious, and the answer is obvious too: make your own boxes.

    These so-called but not-exactly-counterfeits are a problem caused by a lot of short-sighted business fads. Aggressive offshoring of design and manufacturing means that you are not in control of the product anymore. It also means that you killed off your local design and manufacturing, making it that much harder to solve the problem. If the "Counterfeit" uses full-spec parts, then are they really counterfeit? If they use crap parts, they will just break early, costing someone money. As far as a cyber-bot-net conspiracy, there are more realistic problems to worry about.

  • by arivanov ( 12034 ) on Monday March 10, 2008 @04:31PM (#22707404) Homepage
    That is just for torque. This does not say anything about resistance to material fatigue and so on.

    Anyway, the only reason why Homeland Security is sh*** its pants on this is that the biggest spook sabotage achievement on USSR was apparently done this way when a gas pipeline blew up due to malfunctioning of counterfeit gear. However, we do not live in the '80s. The computers and control gear have grown much more sophisticated and frankly, if anyone wants to plant such a bomb today they will do it in software. Much cheaper and much higher probability of success.
  • by scorp1us ( 235526 ) on Monday March 10, 2008 @04:35PM (#22707462) Journal
    Hardware is cheap, and there is always more than one way to skin a cat.

    Just do the same algorithm on different hardware architectures and at least one different virtual machine implementation. (Use a minimum of three implementations!) Take the answer that two agree on and forward that on to the next step in the pipeline. It would be difficult if not impossible to produce a counterfeit chip that could produce undetectable deviations in both software and hardware machines.

    "Never set sail with only two compasses - use one or three."
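
The 2-of-3 voting scheme described in the comment above, as an added example that is not part of the original thread. It assumes CRC-32 as the stand-in algorithm and Python functions as stand-ins for the diverse hardware/VM implementations; `crc32_suspect`, `TRIGGER`, `vote`, `NoQuorum` and the `unit_*` names are hypothetical, and the sample inputs are constructed.

```python
import zlib
from collections import Counter

TRIGGER = b"\xde\xad"  # constructed input on which the suspect unit misbehaves

def crc32_zlib(data):
    """Replica A: the C implementation shipped with zlib."""
    return zlib.crc32(data) & 0xFFFFFFFF

def crc32_bitwise(data):
    """Replica B: independent bit-at-a-time implementation of the same CRC-32."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def crc32_suspect(data):
    """Replica C (constructed): correct except when the input contains TRIGGER."""
    good = crc32_bitwise(data)
    return good ^ 1 if TRIGGER in data else good

class NoQuorum(Exception):
    """Raised when fewer than `quorum` replicas agree; the caller must fail closed."""

def vote(replicas, data, quorum=2):
    """Run every replica, return (agreed_value, names_of_dissenters)."""
    results = {}
    for name, fn in replicas.items():
        try:
            results[name] = fn(data)
        except Exception:
            results[name] = None  # a crashing replica counts as a dissenter
    tally = Counter(v for v in results.values() if v is not None)
    value, count = tally.most_common(1)[0] if tally else (None, 0)
    if count < quorum:
        raise NoQuorum(f"no {quorum} replicas agree: {results}")
    return value, sorted(n for n, v in results.items() if v != value)

REPLICAS = {"unit_a": crc32_zlib, "unit_b": crc32_bitwise, "unit_c": crc32_suspect}

if __name__ == "__main__":
    for sample in (b"123456789", b"telemetry " + TRIGGER):
        value, dissenters = vote(REPLICAS, sample)
        print(f"{sample!r}: {value:#010x} dissenters={dissenters}")
```

With only two replicas a disagreement raises `NoQuorum` instead of picking a side, which is the two-compasses case from the quote; the dissenter list is what should be logged and alerted on.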
  • by fpgaprogrammer ( 1086859 ) on Monday March 10, 2008 @04:37PM (#22707520) Homepage
    the impetus for adding restrictions and obfuscations is most certainly NOT security in the DoD sense. methinks interested parties are trying to juxtapose piracy/DRM interests with security/terrorism concerns. there is no really good argument for increased in-silicon DRM as a means to end-to-end security except for the economic security of intellectuals and their property. the troubling aspect to any attempt at subverting counterfeit designs is that it encourages mechanisms to obfuscate a digital design and decreases your freedom to know exactly what is happening to those electrons. such measures invariably decrease the overall security and reliability of the system by adding more complexity. an easily counterfeit-able design is also easy to verify. the converse is also true. truly safe systems must incorporate redundant standardized parts from multiple vendors to eliminate the effectiveness of malevolently embedded flaws.
  • by TubeSteak ( 669689 ) on Monday March 10, 2008 @04:40PM (#22707570) Journal

    I would think this could be fixed by having an agreement with the manufacturer/provider that said they were financially liable if the material/product you received was not what you ordered.
    Which means insurance, testing, paperwork (in triplicate at a minimum), inspections, etc etc etc.

    That'll significantly add to the cost when your price per unit is measured in pennies.
  • by Stochastism ( 1040102 ) on Monday March 10, 2008 @05:16PM (#22708128) Journal
    This kind of illicit technology is usually (not always) about making a buck. It's cheaper to exploit software than physical chips.

    Fix the world's software and then those industrious rogues might decide the expense and lengthy process of counterfeiting physical chips is worthwhile compared to a quick piece of spyware.
  • by OTDR ( 1052896 ) on Monday March 10, 2008 @06:26PM (#22709072)
    One can find genuine reason to be worried with the US military without ever worrying over a problem so clever as counterfeit chips. US DoD has routinely exhibited worrisome practices for years.

    I work in the field of modeling & simulation supporting training and flight testing for the Army. Time and again when I've tried to find an ICD (interface control document) or spec on a low-level protocol for some box on an Apache Longbow in the end I discovered that the Government never bought said document from the manufacturer (McDonnell-Douglas, or now, Boeing). Each thing is simply an LRU (line-replaceable unit) black box whose innards are irrelevant -- the I/O is documented but when they fail the box goes back to the vendor for repair. And if you want the specs, call Boeing and they'll be happy to talk sales. US DoD acts this way in the name of "cutting costs" and the up-front bottom line probably is lower. For US companies, such as Boeing, this is no big deal since we're more or less all on the same team.

    Now, flash forward -- DoD is increasingly awarding aircraft contracts to non-US companies. Take the recent US Army LUH (Light Utility Helicopter) that went to EADS North America (or the Airforce tanker contract that went likewise to EADS). This same cost-cutting "don't need this spec or that spec" mentality is still used. Now you have entire military aircraft being delivered with large-scale black boxes (easier to build than counterfeiting chips) which are potentially just as rogue. Who's to say there's no malicious firmware in there? No one seems to be looking or caring. Can anyone prove that any given system isn't poised to intentionally upon receipt of some pre-planned stimuli?

    There's a lot more to worry about than "terrorists" -- mindless bureaucrats can be just as dangerous. The funny thing here is the opposition I've run into pushing for the adoption of Open Source tools. Despite a few agencies here and there employing Open Source with great success, a few memos of "endorsement," and a few official studies touting value, most DoD bureaucrats can't get past the "source is open to 'hackers' therefore must be a security threat" mentality.

    Department of Dumbasses, your US tax dollars at work.
  • by LM741N ( 258038 ) on Monday March 10, 2008 @07:36PM (#22709832)
    Well said. It is also extremely difficult to test microprocessors with millions of transistors. Same with memory. For consumer applications you can only afford small test coverage, otherwise the chip would cost $10,000. But like said above the military spends quite a bit of money for a lot of test coverage, but even they can't test everything.
  • by sincewhen ( 640526 ) on Tuesday March 11, 2008 @05:08AM (#22713352)
    There is a Chinese saying "The fish rots from the head."

    When corruption benefits those in power, why would they make any effort to stop it?

  • by hesaigo999ca ( 786966 ) on Tuesday March 11, 2008 @08:46AM (#22714546) Homepage Journal
    Only now do they see (the American government) the folly at sending out everything to be outsourced in China??? Come on guys, you pay yourselves big salaries at our expense then you realize your mistake by sending everything overseas to have the "cheaper price" but don't even realize that now the Chinese can control all PCs with the click of a button....should they so choose to?

    "Sad but true"
