Backdoor Found In China-Made US Military Chip? 270
Hugh Pickens writes "Information Age reports that the Cambridge University researchers have discovered that a microprocessor used by the US military but made in China contains secret remote access capability, a secret 'backdoor' that means it can be shut off or reprogrammed without the user knowing. The 'bug' is in the actual chip itself, rather than the firmware installed on the devices that use it. This means there is no way to fix it than to replace the chip altogether. 'The discovery of a backdoor in a military grade chip raises some serious questions about hardware assurance in the semiconductor industry,' writes Cambridge University researcher Sergei Skorobogatov. 'It also raises some searching questions about the integrity of manufacturers making claims about [the] security of their products without independent testing.' The unnamed chip, which the researchers claim is widely used in military and industrial applications, is 'wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan', Does this mean that the Chinese have control of our military information infrastructure asks Rupert Goodwins? 'No: it means that one particular chip has an undocumented feature. An unfortunate feature, to be sure, to find in a secure system — but secret ways in have been built into security systems for as long as such systems have existed.'" Even though this story has been blowing-up on Twitter, there are a few caveats. The backdoor doesn't seem to have been confirmed by anyone else, Skorobogatov is a little short on details, and he is trying to sell the scanning technology used to uncover the vulnerability.
Fear mongering (Score:5, Insightful)
What did the military expect? (Score:5, Insightful)
CONFIRMATION? (Score:4, Insightful)
"Extraordinary claims require extraordinary evidence..."
Physician, heal thyself. . . (Score:5, Insightful)
From TFA [cam.ac.uk]:
Today we released the drafts of our full papers on QVL technology due to accidental publicity, because someone put the link to our very old drafts of abstracts on Reddit.
This is a security guy I would trust, yessir.
Need physical access (Score:5, Insightful)
Not sure how exciting this is, as they needed physical access to the chip to get anything out of it.
Yup, not surprised. (Score:4, Insightful)
Why would a country not pay (or direct) a company to create products with particular subtle flaws ?
It would cost 1000x more to discover and leverage a known flaw, than to just get an engineer to insert one - with or without the blessing of his management.
The future is not bright.
Particularly in a press release like that. (Score:5, Insightful)
That entire article reads more like a press release with FUD than anything with any facts.
Which chip?
Which manufacturer?
Which US customer?
No facts and LOTS of claims. It's pure FUD.
(Not that this might not be a real concern. But the first step is getting past the FUD and marketing materials and getting to the real facts.)
Re:What did the military expect? (Score:5, Insightful)
Seriously.
Isn't military production capability the one thing you specifically never ever want to outsource, especially when it's to the people you keep simulating wars with.
Re:Particularly in a press release like that. (Score:5, Insightful)
Re:The actual article (Score:4, Insightful)
Sun Tzu (Score:5, Insightful)
Sun Tzu said the greatest victory is one which doesn't require a shot. One won by subverting the enemy from within.
What greater subversion can there be than to convince the enemy to hire you to build their weapon's systems components?
Apparently the American Military (and probably that of the rest of the world) hasn't bothered reading any "classic" literature on warfare before signing on the dotted line...
Re:What did the military expect? (Score:5, Insightful)
Seriously.
Isn't military production capability the one thing you specifically never ever want to outsource, especially when it's to the people you keep simulating wars with.
Well..., no. Not if your primary aim is profit. Fuck national security. If your corporation can make a buck selling "defense technology", and it can make 1.5 bucks selling defense technology using cheap offshore parts, you use the cheap offshore parts. Dealing with bad PR like this is what lobbyists are for.
Re:Steve Jobs (Score:4, Insightful)
So where does the "offtopic" come from?
Probably from the fact it was offtopic.
Re:Particularly in a press release like that. (Score:5, Insightful)
Suing is easy, just file in the appropriate court. The hard part is winning, or even getting a judge to let you proceed.
Re:What did the military expect? (Score:3, Insightful)
I can't help but think of the quote attributed to Lenin: "The capitalists will sell us the rope with which we will hang them."
Re:What did the military expect? (Score:5, Insightful)
I can't imagine them selling fighter planes to Saudi Arabia and not putting in a kill switch.
Its called the spare parts stream. How long did it take Iran's F-14s to completely break down, even with extensive conservation, cannibalization, and duct-tape fixes?
Also the training/support stream. There's a certain small size where you can afford internal low, maybe even mid level operational support, but can't afford to train new techs/mechanics... If you had the internal resources to run a high level training facility, you would be in the arms dealing business making your own aircraft, not buying someone elses airplane.
This is not limited to high tech aviation. Lets say I give you a M-16. Oh, you'd like ammo too, well we can make a separate yearly deal for that. Oh and you say you're not a gunsmith, well we can make a deal for that too. Oh you don't know how to use it, lets make a deal for some instructors. Your cam pin snapped and the highest tech metal working facility you have is a blacksmiths anvil, well we can make a deal for spare parts too. Suddenly that "free" M-16 is terribly expensive.
Re:Should only buy military components from allies (Score:5, Insightful)
Fabs are expensive. The latest generation nodes cost billions of dollars to set up and billions more to run. If they aren't cranking chips out 24/7, they're literally costing money. Yes, I know it's hte military, but I'm sure people have a hard time justifying $10B every few years just to fab a few chips. One of the biggest developments in the 90s was the development of foundries that let anyone with a few tens of millions get in the game of producing chips rather than requiring billions in startup costs. Hence the startup of tons of fabless companies selling chips.
OK, another option is to buy a cheap obsolete fab and make chips that way - much cheaper to run, but we're also talking maybe 10+ year old technology, at which point the chips are going to be slower and take more power.
Also, building your own computer from the ground up is expensive - either you buy the designs of your servers from say, Intel, or design your own. If you buy it, it'll be expensive and probably require your fab to be upgraded (or you get stuck with an old design - e.g., Pentium (the original) - which Intel bought back from the DoD because the DoD had been debugging it over the decade). If you went with the older cheaper fab, the design has to be modified to support that technology (you cannot just take a design and run with it - you have to adapt your chip to the foundry you use).
If you roll your own, that becomes a support nightmare because now no one knows the system.
And on the taxpayer side - I'm sure everyone will question why youre spending billions running a fab that's only used at 10% capacity - unless you want the DoD getting into the foundry business with its own issues.
Or, why is the military spending so much money designing and running its own computer architecture and support services when they could buy much cheaper machines from Dell and run Linux on them?
Hell, even if the DoD had budget for that, some bean counter will probalby do the same so they can save money from one side and use it to buy more fighter jets or something.
30+ years ago, defense spending on electronics formed a huge part of the overall electronics spending. These days, defense spending is but a small fraction - it's far more lucrative to go after the consumer market than the military - they just don't have the economic clout they once had. End result is the miliary is forced to buy COTS ICs, or face stuff like a $0.50 chip costing easily $50 or more for same just because the military is a bit-player for semiconductors.
Re:Should only buy military components from allies (Score:3, Insightful)
In other news, voters clamor for an efficient government, but then are shocked when the government sources contracts to the lowest bidder.
*facepalm* Either pay for an expensive, inefficient government that props up corporations solely so that it has a national source for everything military, or shut the fuck up and pay China for its cheap crap.
Re:Should only buy military components from allies (Score:3, Insightful)
These fabrication centers WERE running full time. Think about it, every radio, every o-scope, every computer that is not connected to the public internet, were all made right here in the U.S. At one of my duty stations, we had a server the size of 3 refrigerators that was fabricated in 1992. We used it as our backup server/router/gateway. All you had to do was turn on a switch and it did everything that we needed it to do. Plus we knew that there were no Chinese surprises in it.
They never ran their own computer architecture, in the late 80's and early 90's they were all SPARC-style computers with Solaris loaded on them (I believe they paid licensing fees, but don't quote me on that). Yes, some of those computers are still in use because they have been running for 15+ years. I know of a few that haven't even been rebooted since they were turned on in 1995. Most field systems (shelters on the back of a vehicle) still use these computers.
Also to consider, for performing the tasks a tactical field system needs to, they do not need a 8-core processor with 64GB of RAM and 4 GB of video memory. They need something that is rugged and can operate in 100+ degree environments while covered in sand (Air conditioners break all the time when it is hot as hell).
When I was in Iraq, the only things that broke were our Dell POS computers. I remember one time we had the SPARC machines running in a shelter with no air conditioning (except for the table fan I grabbed from my room). It was 130+ in that shelter and they ran just fine for the 3 hours it took to find a working AC. That's the kind of computers they need, and if it takes a few billion to put those in essential systems, I have no problem with it. Better than the other BS the government spends their money on.
Re:Most likely inserted by Microsemi/Actel not fab (Score:4, Insightful)
The so called "back door" can only be accessed through the JTAG port as well, so unless the military installed a JTAG bridge to communicate to the outside world and left it there, well then the "backdoor" is rather useless.
With pin access to the FPGA it's trivial to hook it up, no bridges or transceivers needed. If it's a BGA then get a breakout/riser board that provides pin access. This is off-the-shelf stuff. This means if the Chinese military gets their hands on the hardware they can reverse engineer it. They won't have to lean very hard on the manufacturer for them to cough up every last detail. In China you just don't say no to such requests if you know what's good for you and your business.
Re:Big risk is to "secret sauce" for comms & c (Score:4, Insightful)
This is a physical-access backdoor. You have to have your hands on the hardware to be able to use JTAG. It's not a "remote kill switch" driven by a magic data trigger, it's a mechanism that requires use of a special connector on the circuit board to connect to a dedicated JTAG port that is simply neither used nor accessible in anything resembling normal operation.
Surreptitiously modifying a system in place through the JTAG port is possible, but less of a threat: the adversary would have to get access to the system and then return it without anyone noticing.
As someone else mentioned in another post, physical access can be a bit of a misnomer. Technically all that is required is for a computer to be connected via the JTAG interface in order to exploit this. This might be a diagnostic computer for example. If that diagnostic computer were to be infected with a targeted payload, there is your physical access.