Backdoor Found In China-Made US Military Chip?
Hugh Pickens writes "Information Age reports that the Cambridge University researchers have discovered that a microprocessor used by the US military but made in China contains secret remote access capability, a secret 'backdoor' that means it can be shut off or reprogrammed without the user knowing. The 'bug' is in the actual chip itself, rather than the firmware installed on the devices that use it. This means there is no way to fix it other than to replace the chip altogether. 'The discovery of a backdoor in a military grade chip raises some serious questions about hardware assurance in the semiconductor industry,' writes Cambridge University researcher Sergei Skorobogatov. 'It also raises some searching questions about the integrity of manufacturers making claims about [the] security of their products without independent testing.' The unnamed chip, which the researchers claim is widely used in military and industrial applications, is 'wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan.' Does this mean that the Chinese have control of our military information infrastructure, asks Rupert Goodwins? 'No: it means that one particular chip has an undocumented feature. An unfortunate feature, to be sure, to find in a secure system — but secret ways in have been built into security systems for as long as such systems have existed.'" Even though this story has been blowing up on Twitter, there are a few caveats. The backdoor doesn't seem to have been confirmed by anyone else, Skorobogatov is a little short on details, and he is trying to sell the scanning technology used to uncover the vulnerability.
The actual article (Score:5, Informative)
It refers to an Actel ProAsic3 chip, which is an FPGA with internal EEPROM to store the configuration.
Wait and see (Score:5, Informative)
Either the claims will be backed up by independently reproduced tests or they won't. But, given his apparent track record in this area and the obvious scrutiny this would bring, Skorobogatov must have been sure of his results before announcing this.
Here's his publications list from his University home page, FWIW:
http://www.cl.cam.ac.uk/~sps32/#Publications [cam.ac.uk]
Requires Physical Access (Score:5, Informative)
Most likely inserted by Microsemi/Actel not fab (Score:5, Informative)
1) Read the paper http://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdf
2) This is talking about FPGAs designed by Microsemi/Actel.
3) The article focuses on the ProAsic3 chips but says all the Microsemi/Actel chips tested had the same backdoor including but not limited to Igloo, Fusion and Smartfusion.
4) FPGAs give JTAG access to their internals for programming and debugging but many of the access methods are proprietary and undocumented. (security through obscurity)
5) Most FPGAs have features that attempt to prevent reverse engineering by disabling the ability to read out critical stuff.
6) These chips have a secret passphrase (security through obscurity again) that allows you to read out the stuff that was supposed to be protected.
7) These researchers came up with a new way of analyzing the chip (pipeline emission analysis) to discover the secret passphrase. More conventional analysis (differential power analysis) was not sensitive enough to reveal it.
This sounds a lot (speculation on my part) like a deliberate backdoor put in for debug purposes, security through obscurity at its best. It doesn't sound like something secret added by the chip fab company, although time will tell. Just as embedded controller companies have gotten into trouble putting hidden logins into their code thinking they're making the right tradeoff between convenience and security, this hardware company seems to have done the same.
Someone forgot to tell the marketing droids though and they made up a bunch of stuff about how the h/w was super secure.
Re:What did the military expect? (Score:4, Informative)
Re:The actual article (Score:3, Informative)
It seems that the People's Republic of China has been misidentified with Taiwan (Republic of China).
Big risk is to "secret sauce" for comms & cryp (Score:5, Informative)
That said, it's still pretty bad, because hardware does occasionally end up in the hands of unfriendlies (e.g., crashed drones). FPGAs like these are often used to run classified software radio algorithms with anti-jam and anti-interception goals, or to run classified cryptographic algorithms. If those algorithms can be extracted from otherwise-dead and disassembled equipment, that would be bad--the manufacturer's claim that the FPGA bitstream can't be extracted might be part of the system's security certification assumptions. If that claim is false, and no other counter-measures are in place, that could be pretty bad.
Surreptitiously modifying a system in place through the JTAG port is possible, but less of a threat: the adversary would have to get access to the system and then return it without anyone noticing. Also, a backdoor inserted that way would have to co-exist peacefully with all the other functions of the FPGA, a significant challenge both from an intellectual standpoint and from a size/timing standpoint--the FPGA may just not have enough spare capacity or spare cycles. They tend to be packed pretty full, 'coz they're expensive and you want to use all the capacity you have available to do clever stuff.
Re:Particularly in a press release like that. (Score:4, Informative)
Re:Is this the obvious consequence of outsourcing (Score:2, Informative)
No, the most obvious consequence of outsourcing is lower employment, depressed wages, attacks on unions and labor in general, a shrinking middle class, the cost of basic necessities eating into what's left of disposable income. This is just a secondary symptom.
Then in this race to the bottom come the corporate apologists trying to blame the victims of these failed economic policies that have never, ever worked anywhere, plus increasingly shrill calls to "lower regulations", which is code talk for allowing corporations to internalize profits and externalize costs.
This was entirely predictable and was in fact predicted by a great many people, but the well funded conservative noise machine conned too many into voting against their own economic self interests.
Re:Particularly in a press release like that. (Score:4, Informative)
It's the Actel ProAsic3; it fits the redacted portions that only show the first letters in the scanned NDA doc, and some quotes about claims from the manufacturer exactly match it.
It's a scam!! (Score:5, Informative)
http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html [blogspot.com]
Bogus story: no Chinese backdoor in military chip
"Today's big news is that researchers have found proof of Chinese manufacturers putting backdoors in American chips that the military uses. This is false. While they did find a backdoor in a popular FPGA chip, there is no evidence the Chinese put it there, or even that it was intentionally malicious.
Furthermore, the Actel ProAsic3 FPGA chip isn't fabricated in China at all!!
Re:Particularly in a press release like that. (Score:5, Informative)