Forgot your password?
typodupeerror
China Security IT

Backdoor Found In China-Made US Military Chip? 270

Posted by samzenpus
from the protect-ya-neck dept.
Hugh Pickens writes "Information Age reports that the Cambridge University researchers have discovered that a microprocessor used by the US military but made in China contains secret remote access capability, a secret 'backdoor' that means it can be shut off or reprogrammed without the user knowing. The 'bug' is in the actual chip itself, rather than the firmware installed on the devices that use it. This means there is no way to fix it than to replace the chip altogether. 'The discovery of a backdoor in a military grade chip raises some serious questions about hardware assurance in the semiconductor industry,' writes Cambridge University researcher Sergei Skorobogatov. 'It also raises some searching questions about the integrity of manufacturers making claims about [the] security of their products without independent testing.' The unnamed chip, which the researchers claim is widely used in military and industrial applications, is 'wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan', Does this mean that the Chinese have control of our military information infrastructure asks Rupert Goodwins? 'No: it means that one particular chip has an undocumented feature. An unfortunate feature, to be sure, to find in a secure system — but secret ways in have been built into security systems for as long as such systems have existed.'" Even though this story has been blowing-up on Twitter, there are a few caveats. The backdoor doesn't seem to have been confirmed by anyone else, Skorobogatov is a little short on details, and he is trying to sell the scanning technology used to uncover the vulnerability.
This discussion has been archived. No new comments can be posted.

Backdoor Found In China-Made US Military Chip?

Comments Filter:
  • Steve Jobs (Score:3, Funny)

    by busyqth (2566075) on Monday May 28, 2012 @01:26PM (#40135991)
    This is all Steve Jobs' fault. I blame him.
  • Fear mongering (Score:5, Insightful)

    by jhoegl (638955) on Monday May 28, 2012 @01:30PM (#40136003)
    It sells...
    • by khasim (1285) <brandioch.conner@gmail.com> on Monday May 28, 2012 @01:48PM (#40136097)

      That entire article reads more like a press release with FUD than anything with any facts.

      Which chip?
      Which manufacturer?
      Which US customer?

      No facts and LOTS of claims. It's pure FUD.

      (Not that this might not be a real concern. But the first step is getting past the FUD and marketing materials and getting to the real facts.)

      • by TheDarkMaster (1292526) on Monday May 28, 2012 @01:56PM (#40136149)
        Take it easy. I assume if the researcher openly say exactly what chip and where exactly is the backdoor, then the military would be REALLY in trouble. So it may still be FUD, but caution never killed anyone.
      • Riiiight, because if the guy went out and just named the chip the military would say 'oh that's okay, no harm no foul". Shit his ass would be in custody so fast it would make his head swim!

        Besides, lets be honest folks....who didn't know this kinda shit has been going on damned nearly constantly? To steal a line from an old movie "The Chinese fucking steal, they steal every idea that ain't nailed down!" and who can blame them? they've saved billions in R&D that way. hell look at their stealth fighter, the rumor is they paid dirt farmers to dig up the F117 that crashed in Kosovo and between that and the stealth drone that landed in Iran they saved years worth of work. Its just how the game is played.

        So the moral of the story here folks is simple, if you want it done right you do it yourself and you sure as hell don't trust a country known for snatching every idea that ain't nailed down and who is famous for copying other's stuff to do it for you! When you think about how many billions it costs to build a weapon nowadays frankly any country would be retarded not to just steal the tech if it were possible so this only shows the Chinese? NOT stupid. Again this isn't the first time, the Russians were shooting sidewinders at us all through the 60s because a dud one got lodged in a Chinese MiG over Taiwan and they managed to land the bird with it intact. the Russians saved themselves years of work on short range missiles by simply copying sidewinder. Supposedly you could mix and match parts between the Atoll 1 and the mid 60s sidewinder and no matter which combo you made it shot perfectly, they ripped off the design THAT well.

        If you don't like it you really only have two choices, either sell the tech the Chinese want, or DIY, that's really it. Because if you won't sell it to them then they WILL get it some other way and who can blame them? If it turns out the Chinese stealth stomps the F35 and can be made for less than $80 mil flyaway you don't think we'll steal from them? Please.

        • by arglebargle_xiv (2212710) on Monday May 28, 2012 @09:05PM (#40138501)

          Besides, lets be honest folks....who didn't know this kinda shit has been going on damned nearly constantly?

          It's been going on for decades, although mostly by US companies. In one widely-publicised incident in 1994 for example, Intel secretly modified its Pentium CPU so that a certain floating-point divide instruction would produce incorrect results under some circumstances, thus ensuring that if it was used for missile guidance the projectiles would fall harmlessly into the pacific ocean instead of hitting the US. Intel initially denied there was a problem, but then under public pressure and with the OK of its secret government handlers declared it a "bug" and replaced the booby-trapped chips. That's just one example, this sort of thing has happened again and again and again in US and European-made devices, so it's not surprising the Chinese are getting in on the act as well.

    • by Anonymous Coward on Monday May 28, 2012 @02:14PM (#40136273)

      1) Read the paper http://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdf
      2) This is talking about FPGAs designed by Microsemi/Actel.
      3) The article focuses on the ProAsic3 chips but says all the Microsemi/Actel chips tested had the same backdoor including but not limited to Igloo, Fusion and Smartfusion.
      4) FPGAs give JTAG access to their internals for programming and debugging but many of the access methods are proprietary and undocumented. (security through obscurity)
      5) Most FPGAs have features that attempt to prevent reverse engineering by disabling the ability to read out critical stuff.
      6) These chips have a secret passphrase (security through obscurity again) that allows you to read out the stuff that was supposed to be protected.
      7) These researchers came up with a new way of analyzing the chip (pipeline emission analysis) to discover the secret passphrase. More conventional anaylsis (differential power analysis) was not sensitive enough to reveal it.

      This sounds a lot (speculation on my part) like a deliberate backdoor put in for debug purposes, security through obscurity at it's best. It doesn't sound like something secret added by the chip fab company, although time will tell. Just as embedded controller companies have gotten into trouble putting hidden logins into their code thinking they're making the right tradeoff between convenience and security, this hardware company seems to have done the same.

      Someone forgot to tell the marketing droids though and they made up a bunch of stuff about how the h/w was super secure.

      • by JimCanuck (2474366) on Monday May 28, 2012 @04:45PM (#40137217)

        I don't think anyone fully understands JTAG, there are a lot of different versions of it mashed together on the typical hardware IC. Regardless if its a FPGA, microcontroller or otherwise. The so called "back door" can only be accessed through the JTAG port as well, so unless the military installed a JTAG bridge to communicate to the outside world and left it there, well then the "backdoor" is rather useless.

        Something that can also be completely disabled by setting the right fuse inside the chip itself to disable all JTAG connections. Something that is considered standard practice on IC's with a JTAG port available once assembled into their final product and programmed.

        Plus according to Microsemi's own website, all military and aerospace qualified versions of their parts are still made in the USA. So this "researcher" used commercial parts, which depending on the price point can be made in the plant in Shanghai or in the USA at Microsemi's own will.

        The "researcher" and the person who wrote the article need to spend some time reading more before talking.
        • by emt377 (610337) on Monday May 28, 2012 @07:02PM (#40137873)

          The so called "back door" can only be accessed through the JTAG port as well, so unless the military installed a JTAG bridge to communicate to the outside world and left it there, well then the "backdoor" is rather useless.

          With pin access to the FPGA it's trivial to hook it up, no bridges or transceivers needed. If it's a BGA then get a breakout/riser board that provides pin access. This is off-the-shelf stuff. This means if the Chinese military gets their hands on the hardware they can reverse engineer it. They won't have to lean very hard on the manufacturer for them to cough up every last detail. In China you just don't say no to such requests if you know what's good for you and your business.

    • Fear mongering. It sells...

      The fear of backdoors and data snooping are a bit hysterical.

      However the fear of a chip being remotely shutdown, possible damaged, is quite plausible and a far more practical method of attack.

  • by runeghost (2509522) on Monday May 28, 2012 @01:32PM (#40136015)
    Even if this case turns out to be a false alarm, allowing a nation that you repeatedly refer to as a 'near-peer competitor' to build parts of your high-tech weaponry is idiotic.
    • by Electricity Likes Me (1098643) on Monday May 28, 2012 @01:48PM (#40136103)

      Seriously.

      Isn't military production capability the one thing you specifically never ever want to outsource, especially when it's to the people you keep simulating wars with.

      • Re: (Score:3, Interesting)

        by busyqth (2566075)
        Part of the problem is chinese-produced counterfeit devices flooding the market.
        So you think you're purchasing a "safe" or "known" device, but... oops, you aren't.
      • Say this to the CEOs :-)
      • by Jawnn (445279) on Monday May 28, 2012 @02:36PM (#40136413)

        Seriously.

        Isn't military production capability the one thing you specifically never ever want to outsource, especially when it's to the people you keep simulating wars with.

        Well..., no. Not if your primary aim is profit. Fuck national security. If your corporation can make a buck selling "defense technology", and it can make 1.5 bucks selling defense technology using cheap offshore parts, you use the cheap offshore parts. Dealing with bad PR like this is what lobbyists are for.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        I can't help but think of the quote attributed to Lenin: "The capitalists will sell us the rope with which we will hang them."

      • In The Guns of August, Tuchman mentions that the heavy artillery for the Belgian fortress of Liege had been ordered from Krupps, who failed to deliver.

    • by Mojo66 (1131579)

      Regardless whether this is a false alarm or not, I'm 100% sure that US military technology has something similar, too. I can't imagine them selling fighter planes to Saudi Arabia and not putting in a kill switch.

      • by vlm (69642) on Monday May 28, 2012 @03:20PM (#40136737)

        I can't imagine them selling fighter planes to Saudi Arabia and not putting in a kill switch.

        Its called the spare parts stream. How long did it take Iran's F-14s to completely break down, even with extensive conservation, cannibalization, and duct-tape fixes?

        Also the training/support stream. There's a certain small size where you can afford internal low, maybe even mid level operational support, but can't afford to train new techs/mechanics... If you had the internal resources to run a high level training facility, you would be in the arms dealing business making your own aircraft, not buying someone elses airplane.

        This is not limited to high tech aviation. Lets say I give you a M-16. Oh, you'd like ammo too, well we can make a separate yearly deal for that. Oh and you say you're not a gunsmith, well we can make a deal for that too. Oh you don't know how to use it, lets make a deal for some instructors. Your cam pin snapped and the highest tech metal working facility you have is a blacksmiths anvil, well we can make a deal for spare parts too. Suddenly that "free" M-16 is terribly expensive.

      • by Genda (560240)

        The kill switch for the aircraft we sell to other countries, is located right on our pilot's flight sticks and they can even select radar or heat seeking.

    • But cost-efficient.
    • by Shavano (2541114)
      By near peer, they mean that America aspires to being serious competition to China in semiconductor manufacturing.
    • by nospam007 (722110) * on Monday May 28, 2012 @02:39PM (#40136445)

      "Even if this case turns out to be a false alarm, allowing a nation that you repeatedly refer to as a 'near-peer competitor' to build parts of your high-tech weaponry is idiotic."

      Not to mention the non-backdoor ones.

      'Bogus electronic parts from China have infiltrated critical U.S. defense systems and equipment, including Navy helicopters and a commonly used Air Force cargo aircraft, a new report says.'

      http://articles.dailypress.com/2012-05-23/news/dp-nws-counterfeit-chinese-parts-20120523_1_fake-chinese-parts-counterfeit-parts-air-force-c-130j [dailypress.com]

  • CONFIRMATION? (Score:4, Insightful)

    by Bananatree3 (872975) on Monday May 28, 2012 @01:33PM (#40136021)
    Would somebody please tease out something a little more credible?

    "Extraordinary claims require extraordinary evidence..."
  • The actual article (Score:5, Informative)

    by NixieBunny (859050) on Monday May 28, 2012 @01:34PM (#40136025) Homepage
    The original article is here. [cam.ac.uk]
    It refers to an Actel ProAsic3 chip, which is an FPGA with internal EEPROM to store the configuration.
    • by Nkwe (604125) on Monday May 28, 2012 @01:59PM (#40136179)
      Good read. The bottom line apparently hasn't changed: If you allow physical access, security can be compromised.
    • by Anonymous Coward on Monday May 28, 2012 @02:09PM (#40136249)

      From your much more useful link,

      We investigated the PA3 backdoor problem through Internet searches, software and hardware analysis and found that this particular backdoor is not a result of any mistake or an innocent bug, but is instead a deliberately inserted and well thought-through backdoor that is crafted into, and part of, the PA3 security system. We analysed other Microsemi/Actel products and found they all have the same deliberate backdoor. Those products include, but are not limited to: Igloo, Fusion and Smartfusion.

      we have found that the PA3 is used in military products such as weapons, guidance, flight control, networking and communications. In industry it is used in nuclear power plants, power distribution, aerospace, aviation, public transport and automotive products. This permits a new and disturbing possibility of a large scale Stuxnet-type attack via a network or the Internet on the silicon itself. If the key is known, commands can be embedded into a worm to scan for JTAG, then to attack and reprogram the firmware remotely.

      emphasis mine. Key is retrieved using the backdoor.

      Frankly, if this is true, Microsemi/Actel should get complete ban from all government contracts, including using their chips in any item build for use by the government.

      • I would not be surprised if it's a factory backdoor that's included in all their products, but is not documented and is assumed to not be a problem because it's not documented.

        With regard to reprogramming the chip remotely or by the FPGA itself via the JTAG port: A secure system is one that can't reprogram itself. When I was designing VMEbus computer boards for a military subcontractor many years ago, every board had a JTAG connector that required the use of another computer with a special cable plugged
    • Re: (Score:3, Informative)

      No source approved [dla.mil] for Microsemi (Actel) qualified chips in China. If you use non-approved sources then, well, shit happens (although how this HW backdoor would be exploited is kind of unclear).

      It seems that People's Republic of China has been misidentified with Taiwan (Republic of China).
  • Wait and see (Score:5, Informative)

    by 6031769 (829845) on Monday May 28, 2012 @01:35PM (#40136031) Homepage Journal

    Either the claims will be backed up by independently reproduced tests or they won't. But, given his apparent track record in this area and the obvious scrutiny this would bring, Skorobogatov must have been sure of his results before announcing this.

    Here's his publications list from his University home page, FWIW:
    http://www.cl.cam.ac.uk/~sps32/#Publications [cam.ac.uk]

    • Ah, the quintessential terrible academic homepage. Love that black/blue on mint green theme going on. Burned into my retina in 3 seconds flat!
    • by gl4ss (559668)

      well, since the claims are pretty much that you can bypass some ip protection on the chip so you can clone it or reflash it.. if you have physical access.

      yeah, it sounds feasible. it's a pretty loooooooong ways from "omg china is backdooring our fighter jets!" though. also it seems like the functionality is deliberately made into the chip by the company making the chip.

  • by Anonymous Coward on Monday May 28, 2012 @01:36PM (#40136039)

    Even though this story has been blowing-up on Twitter, there are a few caveats. The backdoor doesn't seem to have been confirmed by anyone else, Skorobogatov is a little short on details, and he is trying to sell the scanning technology used to uncover the vulnerability.

    Hey hey HEY! You stop that right this INSTANT, samzenpus! This is Slashdot! We'll have none of your "actual investigative research" nonsense around here! Fear mongering to sell ad space, mister, and that's ALL! Now get back to work! We need more fluffy space-filling articles like that one about the minor holiday labeling bug Microsoft had in the UK! That's what we want to see more of!

  • researchers have discovered that a microprocessor used by the US military

    What chip? What does it do? Is it important? There are lots of chips in use that in no way shape or form are sensitive or important and the presence of a back door would be meaningless. Just because the military uses it doesn't mean anything by itself. This "article" sounds like someone trying to justify a research grant or a company trying to generate fear to sell a competing product.

    • From the draft paper's conclusion:
      We investigated the PA3 backdoor problem through Internet searches, software and hardware analysis and found that this particular backdoor is not a result of any mistake or an innocent bug, but is instead a deliberately inserted and well thought-through backdoor that is crafted into, and part of, the PA3 security system. We analysed other Microsemi/Actel products and found they all have the same deliberate backdoor. Those products include, but are not limited to: Igloo, Fus

  • by dtmos (447842) * on Monday May 28, 2012 @01:41PM (#40136061)

    From TFA [cam.ac.uk]:

    Today we released the drafts of our full papers on QVL technology due to accidental publicity, because someone put the link to our very old drafts of abstracts on Reddit.

    This is a security guy I would trust, yessir.

  • by mveloso (325617) on Monday May 28, 2012 @01:41PM (#40136063)

    Not sure how exciting this is, as they needed physical access to the chip to get anything out of it.

    • Presumably if you knew this existed, then you might be able to predict the types of circuits it's tied into and figure out if the function could be activated remotely. After all, causing a microprocessor to lock up in debug mode, even if it would be watchdog-timer reset every few seconds, would be more then enough to effectively inactivate military hardware if you could do it continuously (or on demand).

    • Not sure how exciting this is, as they needed physical access to the chip to get anything out of it.

      We're obviously very short on information regarding this. One could argue that, with a ready-made back door, an enemy would only need a very short duration of physical access to the chip. If these chips are used in hardware that gets regularly maintained for some reason (not hard to imagine in a military setting), getting physical access to the chip may not be as difficult as one might think.

      Also, to draw a bad analogy... remember when the first jpeg vulnerability came out? A lot of people said "big deal, i

      • by gl4ss (559668)

        well, it would be more likely that the entire chip would be replaced for that kind of attack.

        and the attacker would need to make sure that the code they upload to it works with all the other devices the chip talks to in the plane.

        basically if you had that level access you might just as well reflash the entire sw running on the friggin jet. probably under the same seals too. if you really want it to be write-once only, just seal the damn thing in epoxy and don't expose the debug/maintenance connectors...

    • Not sure how exciting this is, as they needed physical access to the chip to get anything out of it.

      If the EEPROM was reprogrammed/wiped wouldn't the backdoor in the hardware be closed (except for the physical access hole)? Call me crazy, but doesn't a backdoor need to be activated in order to work? Again, you might be able to tease it open with physical access, but I am not seeing how this could be a major deal for operational gear unless the EEPROM contained a trigger. Can anyone with an FPGA background elaborate?

    • by MtHuurne (602934)

      They needed physical access to find the backdoor. To use the backdoor, they only need JTAG access. JTAG is typically used during development and not during operation, but there might be systems where the JTAG interface is still accessible during operation, either to allow easy debugging/patching in the field or because it was made available through some other interface during development and never removed afterward.

      Another risk is that a stored AES key that is supposed to be unreadable was readable through

    • by ChumpusRex2003 (726306) on Monday May 28, 2012 @05:13PM (#40137395)

      FPGAs commonly protect user-code with encryption. An encryption engine is included in the silicon to which the user has limited access to crypto=keys with which to encrypt the code that is installed in ROM/Flash.

      A number of attacks are known against microcontrollers/FPGAs that secure code with encryption - notably differential power analysis (DPA) which works by connecting a current probe to the chip, and collecting measurememnts of energy consumption as the device performs an authentication operation. By carefully, measuring power traces over thousands of authentication operations, statistical analysis can reveal clues about the internal secret keys; potentially allowing recovery of the key within useful periods of times (minutes to hours).

      These secure FPGAs contain a heavily obfuscated hardware crypto-engine, with lots of techniques to obstruct DPA (deliberately unstable clocks, heavy on-chip RC power filtering, random delay stages in the pipeline, multiple "dummy" circuits so that an operation which would normally require fewer transistors than an alternative, has its transistor count increased, etc.). The idea being that these countermeasures reduce the DPA signal and increase the amount of noise, making recovery of useful statistics impractical. In their papers, this group admit that the PA3 FPGAs are completely impervious to DPA, with no statistical clues obtained even after weeks of testing.

      This group have developed a new technique which they call PEA which is a much more sensitive technique. It involves extracting the FPGA die, and mapping the circuits on it - e.g. using high-resolution infra-red thermography during device operation to identify "interesting" parts of the die by heat production under certain tasks - e.g. caches, crypto pipelines, etc. Having identified interesting areas of the die, an infra-red microscope with photon counter is focused on the relevant circuit area. As it happens, transistors glow when switched, emitting approx 0.001 photons per switching operation. The signal from the photon counter is therefore analogous to the DPA signal, but with a much, much stronger signal-to-noise ratio, allowing statistical analysis with far fewer tries. The group claim the ability to extract the keys from such a secure FPGA in a few minutes of probing with authentication requests.

      The researchers claim to have found the backdoor, by fuzzing the debug/programming interface, and finding an undocumented command that appeared to trigger a cryptographic authentication. By using their PEA technique against this command, they were able to extract the authentication key, and were able to open the backdoor, finding they were able to directly manipulate protected parameters of the chip.

  • by devitto (230479) on Monday May 28, 2012 @01:47PM (#40136087) Homepage Journal

    Why would a country not pay (or direct) a company to create products with particular subtle flaws ?

    It would cost 1000x more to discover and leverage a known flaw, than to just get an engineer to insert one - with or without the blessing of his management.

    The future is not bright.

  • by WindBourne (631190) on Monday May 28, 2012 @01:58PM (#40136169) Journal
    Chinese leaders are in a cold war with the west. As such, it is far cheaper and easier to be able to shut down an adversaries equipment if you are manufacturing it for them. If the west would quit being foolish, they would insist on equipment made in secured companies. And Google has already proved that nothing in China is secured from the gov.
    • by fa2k (881632)

      Chinese leaders are in a cold war with the west.

      This is news to me. I'm not saying it's false, but I haven't seen any actions from China's government to indicate this. There are stories about hacking, and now about hardware corruption, but the details are so vague that it's hard to know what to believe. An the other hand, there is a flourishing and growing commerce between China and western countries. China is of course quite totalitarian, which is contrary to western values, but that's a political and not a diplomatic stance.

      • So, you mean fixing their money against western money by 50% or moer, even though it is against WTO, IMF, and even the Clinton-China Agreement is not enough? How about massive dumping on the western market? Or subsidizing what is sent here? All illegal per the agreements.
        Or the massive amounts of spies here. I have dealt with 2 spies already. One was working hard to get access to equipment that was ITARed (we had massive issues sending it to UK). This guy went so far as to offer bribes for it.
        How about th
  • Looks like my railing against the inherent weaknesses in FPGAs and the need to ditch the fabless model for the sake of quality control wasn't just hot air.

    • by russotto (537200)

      Looks like my railing against the inherent weaknesses in FPGAs and the need to ditch the fabless model for the sake of quality control wasn't just hot air.

      Assuming the feature was added at manufacturing time rather than designed into the chip, anyway.

  • by laing (303349) on Monday May 28, 2012 @02:08PM (#40136243)
    The back-door described in the white paper requires access to the JTAG (1149.1) interface to exploit. Most deployed systems do not provide an active external interface for JTAG. With physical access to a "secure" system based upon these parts, the techniques described in the white paper allow for a total compromise of all IP within. Without physical access, very little can be done to compromise systems based upon these parts.
    • If they can backdoor this FPGA then they can backdoor the JTAG programmer and the BIOS chip inside the computer running it. The PC receives a command through its compromised ethernet controller which then sends appended code to the JTAG programmer.

  • Sun Tzu (Score:5, Insightful)

    by msobkow (48369) on Monday May 28, 2012 @02:11PM (#40136259) Homepage Journal

    Sun Tzu said the greatest victory is one which doesn't require a shot. One won by subverting the enemy from within.

    What greater subversion can there be than to convince the enemy to hire you to build their weapon's systems components?

    Apparently the American Military (and probably that of the rest of the world) hasn't bothered reading any "classic" literature on warfare before signing on the dotted line...

    • by joh (27088)

      Sun Tzu said the greatest victory is one which doesn't require a shot.

      It may also be the best way of losing, especially if you ask those who haven't been shot then.

  • ...American.

    This, of course, means the USA needs to produce too.

  • I don't know if this specific backdoor is real, but would you be horribly surprised if you found out that your router, etc. had chips in it that could be remotely disabled with the right information fed to the device (e.g., repeated processing of a certain string of bytes in an incoming packet)?

    Of course, this stunt could only be pulled off once, and may not work in every device. But it's not inconceivable for a military-industrial power to figure out how certain common chips are used in certain devices, f

  • by PPH (736903) on Monday May 28, 2012 @03:30PM (#40136775)

    ... those 555s.

  • We made our own chips. And the only reason we don't make our own chips is because people keep dicking around with the semiconductor companies when they want electricity and some regulation clarity about what they can and can't do.

    That's why they left to asia. Think the price of labor matters at all in a semi conductor fab? Oh sure... it always matters but not so much that you'd leave the country. They're not paying people 2 dollars an hour in those fabs anywhere. You don a clean room suit and you're unlikel

  • by vlm (69642) on Monday May 28, 2012 @03:34PM (#40136807)

    Where was this undocumented feature/bug designed in? I see plenty of "I hate China" posts, it would be quite hilarious if the fedgov talked the US mfgr into adding this backdoor, then the Chinese built it as designed. Perhaps the plan all along was to blame the Chinese if they're caught.

    These are not military chips. They are FPGAs that happen to be used occasionally for military apps. Most of them are sold for other, more commercially exploitable purposes.

  • by time961 (618278) on Monday May 28, 2012 @03:51PM (#40136887)
    This is a physical-access backdoor. You have to have your hands on the hardware to be able to use JTAG. It's not a "remote kill switch" driven by a magic data trigger, it's a mechanism that requires use of a special connector on the circuit board to connect to a dedicated JTAG port that is simply neither used nor accessible in anything resembling normal operation.

    That said, it's still pretty bad, because hardware does occasionally end up in the hands of unfriendlies (e.g., crashed drones). FPGAs like these are often used to run classified software radio algorithms with anti-jam and anti-interception goals, or to run classified cryptographic algorithms. If those algorithms can be extracted from otherwise-dead and disassembled equipment, that would be bad--the manufacturer's claim that the FPGA bitstream can't be extracted might be part of the system's security certification assumptions. If that claim is false, and no other counter-measures are place, that could be pretty bad.

    Surreptitiously modifying a system in place through the JTAG port is possible, but less of a threat: the adversary would have to get access to the system and then return it without anyone noticing. Also, a backdoor inserted that way would have to co-exist peacefully with all the other functions of the FPGA, a significant challenge both from an intellectual standpoint and from a size/timing standpoint--the FPGA may just not have enough spare capacity or spare cycles. They tend to be packed pretty full, 'coz they're expensive and you want to use all the capacity you have available to do clever stuff.
    • by Fnord666 (889225) on Monday May 28, 2012 @09:16PM (#40138557) Journal

      This is a physical-access backdoor. You have to have your hands on the hardware to be able to use JTAG. It's not a "remote kill switch" driven by a magic data trigger, it's a mechanism that requires use of a special connector on the circuit board to connect to a dedicated JTAG port that is simply neither used nor accessible in anything resembling normal operation.

      Surreptitiously modifying a system in place through the JTAG port is possible, but less of a threat: the adversary would have to get access to the system and then return it without anyone noticing.

      As someone else mentioned in another post, physical access can be a bit of a misnomer. Technically all that is required is for a computer to be connected via the JTAG interface in order to exploit this. This might be a diagnostic computer for example. If that diagnostic computer were to be infected with a targeted payload, there is your physical access.

  • Is this the most obvious consequence to outsourcing or what ? When you take seriously the notion that all that matters is the profitability of your largest campaign contributors, is not the inevitable result that Reality will teach you just how wrong you were?

    For years some of us have been saying just this is exactly inevitable and before us, the previous generation were saying the same thing. All we got back was BS from the likes of Dan Griswold and the CATO Institute about what Luddites we were.

    We don't make critical parts to our own weapon systems. We outsource to our most likely long term opponent. Why do we do that? So large campaign contributors can make obscene profits by advantaging themselves of cheap (but getting less cheap) labor.

    Does this change anyone's mind about campaign finance reform? Is money still a form of speech? Anyone in Congress care to review Citizens United v FEC? Or do we have to wait until it's just too late?

  • Well, surprise! Surprise! Surprise!

    Of course, it's all about defense industry profits, not actual defense. As long as defense contractors are allowed to outsource components, or must purchase offshore components, this is going to happen, and with increasing frequency. The Chinese are not stupid and can spot an obvious attack vector. Even if they have no immediate plans to use these backdoors, they'd be foolish NOT to put them in. And since the government and industry are so intertwined in China, you have a near guarantee that this strategy will be used.

    Not that this is a secret to the US military. It's just that nobody with decision making power in the USA actually gives a crap about the USA anymore. If you're wealthy enough, you can live anywhere. If a war breaks out, you can bet all the rich lobbyists, ex-military brass, subcontractors and subcontractors will rapidly relocate somewhere safe, leaving the poor and the stupid on both sides to slaughter each other.

You can do this in a number of ways. IBM chose to do all of them. Why do you find that funny? -- D. Taylor, Computer Science 350

Working...