Backdoor Found In China-Made US Military Chip? 270
Hugh Pickens writes "Information Age reports that the Cambridge University researchers have discovered that a microprocessor used by the US military but made in China contains secret remote access capability, a secret 'backdoor' that means it can be shut off or reprogrammed without the user knowing. The 'bug' is in the actual chip itself, rather than the firmware installed on the devices that use it. This means there is no way to fix it than to replace the chip altogether. 'The discovery of a backdoor in a military grade chip raises some serious questions about hardware assurance in the semiconductor industry,' writes Cambridge University researcher Sergei Skorobogatov. 'It also raises some searching questions about the integrity of manufacturers making claims about [the] security of their products without independent testing.' The unnamed chip, which the researchers claim is widely used in military and industrial applications, is 'wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan', Does this mean that the Chinese have control of our military information infrastructure asks Rupert Goodwins? 'No: it means that one particular chip has an undocumented feature. An unfortunate feature, to be sure, to find in a secure system — but secret ways in have been built into security systems for as long as such systems have existed.'" Even though this story has been blowing-up on Twitter, there are a few caveats. The backdoor doesn't seem to have been confirmed by anyone else, Skorobogatov is a little short on details, and he is trying to sell the scanning technology used to uncover the vulnerability.
Steve Jobs (Score:3, Funny)
Re:Steve Jobs (Score:4, Insightful)
So where does the "offtopic" come from?
Probably from the fact it was offtopic.
Re: (Score:3, Funny)
"I have to complain about this moderation."
You're funny!
And I modded him Funny... Oh, Crap....
It's a scam !! (Score:5, Informative)
http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html [blogspot.com]
Bogus story: no Chinese backdoor in military chip
"Today's big news is that researchers have found proof of Chinese manufacturers putting backdoors in American chips that the military uses. This is false. While they did find a backdoor in a popular FPGA chip, there is no evidence the Chinese put it there, or even that it was intentionally malicious.
Furthermore, the Actel ProAsic3 FPGA chip isn't fabricated in China at all !!
Fear mongering (Score:5, Insightful)
Particularly in a press release like that. (Score:5, Insightful)
That entire article reads more like a press release with FUD than anything with any facts.
Which chip?
Which manufacturer?
Which US customer?
No facts and LOTS of claims. It's pure FUD.
(Not that this might not be a real concern. But the first step is getting past the FUD and marketing materials and getting to the real facts.)
Re:Particularly in a press release like that. (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3)
Re:Particularly in a press release like that. (Score:5, Insightful)
Suing is easy, just file in the appropriate court. The hard part is winning, or even getting a judge to let you proceed.
Re:Particularly in a press release like that. (Score:4, Informative)
Re:Particularly in a press release like that. (Score:4, Informative)
It's the Actel ProAsic3, it fits the redacted portions that only show the first letters and in the scanned nda doc and some quotes about claims from the manufacturer exactly match it.
Re:Particularly in a press release like that. (Score:5, Informative)
Comment removed (Score:5, Interesting)
Re:Particularly in a press release like that. (Score:4, Interesting)
Besides, lets be honest folks....who didn't know this kinda shit has been going on damned nearly constantly?
It's been going on for decades, although mostly by US companies. In one widely-publicised incident in 1994 for example, Intel secretly modified its Pentium CPU so that a certain floating-point divide instruction would produce incorrect results under some circumstances, thus ensuring that if it was used for missile guidance the projectiles would fall harmlessly into the pacific ocean instead of hitting the US. Intel initially denied there was a problem, but then under public pressure and with the OK of its secret government handlers declared it a "bug" and replaced the booby-trapped chips. That's just one example, this sort of thing has happened again and again and again in US and European-made devices, so it's not surprising the Chinese are getting in on the act as well.
Most likely inserted by Microsemi/Actel not fab (Score:5, Informative)
1) Read the paper http://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdf
2) This is talking about FPGAs designed by Microsemi/Actel.
3) The article focuses on the ProAsic3 chips but says all the Microsemi/Actel chips tested had the same backdoor including but not limited to Igloo, Fusion and Smartfusion.
4) FPGAs give JTAG access to their internals for programming and debugging but many of the access methods are proprietary and undocumented. (security through obscurity)
5) Most FPGAs have features that attempt to prevent reverse engineering by disabling the ability to read out critical stuff.
6) These chips have a secret passphrase (security through obscurity again) that allows you to read out the stuff that was supposed to be protected.
7) These researchers came up with a new way of analyzing the chip (pipeline emission analysis) to discover the secret passphrase. More conventional anaylsis (differential power analysis) was not sensitive enough to reveal it.
This sounds a lot (speculation on my part) like a deliberate backdoor put in for debug purposes, security through obscurity at it's best. It doesn't sound like something secret added by the chip fab company, although time will tell. Just as embedded controller companies have gotten into trouble putting hidden logins into their code thinking they're making the right tradeoff between convenience and security, this hardware company seems to have done the same.
Someone forgot to tell the marketing droids though and they made up a bunch of stuff about how the h/w was super secure.
Re:Most likely inserted by Microsemi/Actel not fab (Score:5, Interesting)
I don't think anyone fully understands JTAG, there are a lot of different versions of it mashed together on the typical hardware IC. Regardless if its a FPGA, microcontroller or otherwise. The so called "back door" can only be accessed through the JTAG port as well, so unless the military installed a JTAG bridge to communicate to the outside world and left it there, well then the "backdoor" is rather useless.
Something that can also be completely disabled by setting the right fuse inside the chip itself to disable all JTAG connections. Something that is considered standard practice on IC's with a JTAG port available once assembled into their final product and programmed.
Plus according to Microsemi's own website, all military and aerospace qualified versions of their parts are still made in the USA. So this "researcher" used commercial parts, which depending on the price point can be made in the plant in Shanghai or in the USA at Microsemi's own will.
The "researcher" and the person who wrote the article need to spend some time reading more before talking.
Re:Most likely inserted by Microsemi/Actel not fab (Score:4, Insightful)
The so called "back door" can only be accessed through the JTAG port as well, so unless the military installed a JTAG bridge to communicate to the outside world and left it there, well then the "backdoor" is rather useless.
With pin access to the FPGA it's trivial to hook it up, no bridges or transceivers needed. If it's a BGA then get a breakout/riser board that provides pin access. This is off-the-shelf stuff. This means if the Chinese military gets their hands on the hardware they can reverse engineer it. They won't have to lean very hard on the manufacturer for them to cough up every last detail. In China you just don't say no to such requests if you know what's good for you and your business.
Re:Most likely inserted by Microsemi/Actel not fab (Score:4, Interesting)
Not being readable even when someone has the device in hand is exactly what these secure FPGAs are meant to protect against!
It's not a non-issue. It's a complete failure of a product to provide any advantages over non-secure equivalents.
You clearly have NOT used a FPGA or similar. First the ProASIC3 the article focuses on is the CHEAPEST product in the product line (some of that model line reach down to below a dollar each). But beyond that ...
Devices are SECURED by processes, such as blowing the JTAG fuses in the device which makes them operation only, and unreadable. They are secureable, if you follow the proper processes and methods laid out by the manufacturer of the specific chip.
Just because a "research paper" claims there is other then standard methods of JTAG built into the JTAG doesn't mean that the device doesn't secure as it should, nor does it mean this researcher who is trying to peddle his own product is anything but biased in this situation.
Fear of shutdown is real ... (Score:2)
Fear mongering. It sells...
The fear of backdoors and data snooping are a bit hysterical.
However the fear of a chip being remotely shutdown, possible damaged, is quite plausible and a far more practical method of attack.
Re:Fear mongering (Score:4, Funny)
Just because they're really out to get you doesn't mean you're not paranoid.
Are you as think as I drunk you are?
Re:Fear mongering (Score:4, Funny)
I'm not as think as some drunkle peep I am.
What did the military expect? (Score:5, Insightful)
Re:What did the military expect? (Score:5, Insightful)
Seriously.
Isn't military production capability the one thing you specifically never ever want to outsource, especially when it's to the people you keep simulating wars with.
Re: (Score:3, Interesting)
So you think you're purchasing a "safe" or "known" device, but... oops, you aren't.
Re:What did the military expect? (Score:4, Informative)
Re: (Score:3)
Said person/company who misled you is answerable to the charge of treason.
Probably not in their country of operation.
Re: (Score:2)
Or something like this [sparkfun.com] happens.
Re: (Score:2)
Re: (Score:2)
Re:What did the military expect? (Score:5, Insightful)
Seriously.
Isn't military production capability the one thing you specifically never ever want to outsource, especially when it's to the people you keep simulating wars with.
Well..., no. Not if your primary aim is profit. Fuck national security. If your corporation can make a buck selling "defense technology", and it can make 1.5 bucks selling defense technology using cheap offshore parts, you use the cheap offshore parts. Dealing with bad PR like this is what lobbyists are for.
Re: (Score:3)
A good capitalist will not, as they will see that the long term value of their life outweighs the profit from the rope.
Re: (Score:3)
Rational actors in economics are like Newtonian physics: as long as there's little substance and nothing is happening in a hurry it's a reasonable simplification to assume that every entity knows everything there is to know and can integrate it all to determine its own reactions, but when things start heating up you need more complex models to explain all the seemingly irrational stuff tha
Re: (Score:3, Insightful)
I can't help but think of the quote attributed to Lenin: "The capitalists will sell us the rope with which we will hang them."
Re: (Score:2)
In The Guns of August, Tuchman mentions that the heavy artillery for the Belgian fortress of Liege had been ordered from Krupps, who failed to deliver.
Re: (Score:3)
Regardless whether this is a false alarm or not, I'm 100% sure that US military technology has something similar, too. I can't imagine them selling fighter planes to Saudi Arabia and not putting in a kill switch.
Re:What did the military expect? (Score:5, Insightful)
I can't imagine them selling fighter planes to Saudi Arabia and not putting in a kill switch.
Its called the spare parts stream. How long did it take Iran's F-14s to completely break down, even with extensive conservation, cannibalization, and duct-tape fixes?
Also the training/support stream. There's a certain small size where you can afford internal low, maybe even mid level operational support, but can't afford to train new techs/mechanics... If you had the internal resources to run a high level training facility, you would be in the arms dealing business making your own aircraft, not buying someone elses airplane.
This is not limited to high tech aviation. Lets say I give you a M-16. Oh, you'd like ammo too, well we can make a separate yearly deal for that. Oh and you say you're not a gunsmith, well we can make a deal for that too. Oh you don't know how to use it, lets make a deal for some instructors. Your cam pin snapped and the highest tech metal working facility you have is a blacksmiths anvil, well we can make a deal for spare parts too. Suddenly that "free" M-16 is terribly expensive.
Re: (Score:2)
The kill switch for the aircraft we sell to other countries, is located right on our pilot's flight sticks and they can even select radar or heat seeking.
Re: (Score:2)
Re: (Score:2)
Re:What did the military expect? (Score:4, Interesting)
"Even if this case turns out to be a false alarm, allowing a nation that you repeatedly refer to as a 'near-peer competitor' to build parts of your high-tech weaponry is idiotic."
Not to mention the non-backdoor ones.
'Bogus electronic parts from China have infiltrated critical U.S. defense systems and equipment, including Navy helicopters and a commonly used Air Force cargo aircraft, a new report says.'
http://articles.dailypress.com/2012-05-23/news/dp-nws-counterfeit-chinese-parts-20120523_1_fake-chinese-parts-counterfeit-parts-air-force-c-130j [dailypress.com]
Re: (Score:3, Funny)
The US military should have a strict policy of only buying military parts from sovereign, free, democratic countries with a long history of friendship, such as Israel, Canada, Europe, Japan and South Korea.
Didn't the US and UK governments sell crypto equipment they knew they could break to their 'allies' during the Cold War?
Re: (Score:2)
Re: (Score:2)
"Japan"
Your definition of "long history" seems a little... short.
Re:Crypto Gear (Score:2)
Up here in Canada we used crypto gear we got from the US, but that was for a very practical reason: we had to be compatible with US military communications if we were in the field. As far as I know the equipment we used was identical to that being used by the US military at the time. I have no doubt they had more secure gear they only used internally, but its not like the stuff we used was substandard AFAIK.
I was a Communications Specialist in the Canadian Army and trained to use this gear.
Re:Should only buy military components from allies (Score:5, Interesting)
Absolutely. The US military should have a strict policy of only buying military parts from sovereign, free, democratic countries with a long history of friendship, such as Israel, Canada, Europe, Japan and South Korea.
And a preference should be given to American-made parts, since you need domestic factories to mobilise in times of war.
First problem..... they already have that policy. But the problem is that the components used for military and government applications have to be purchased from American companies. Then to save a buck, the companies sub-contract for components from places like China and "assemble" the equipment in friendly countries. That way, the product does not have a "made in China" sticker on them.
Second problem.... 20 years ago the DOD had their own processor manufacturing facilities, IC chips, etc. They were shut down in favor of commercial equipment because some idiot decided it was better to have an easier time buying replacement parts at Radioshack than buying quality military-grade components that could last in austere environments. (Yes, speaking from experience). Servers and workstations used to be built from the ground up at places like Tobyhanna Army Depot. Now, servers and workstations are bought from Dell.
Re:Should only buy military components from allies (Score:5, Insightful)
Fabs are expensive. The latest generation nodes cost billions of dollars to set up and billions more to run. If they aren't cranking chips out 24/7, they're literally costing money. Yes, I know it's hte military, but I'm sure people have a hard time justifying $10B every few years just to fab a few chips. One of the biggest developments in the 90s was the development of foundries that let anyone with a few tens of millions get in the game of producing chips rather than requiring billions in startup costs. Hence the startup of tons of fabless companies selling chips.
OK, another option is to buy a cheap obsolete fab and make chips that way - much cheaper to run, but we're also talking maybe 10+ year old technology, at which point the chips are going to be slower and take more power.
Also, building your own computer from the ground up is expensive - either you buy the designs of your servers from say, Intel, or design your own. If you buy it, it'll be expensive and probably require your fab to be upgraded (or you get stuck with an old design - e.g., Pentium (the original) - which Intel bought back from the DoD because the DoD had been debugging it over the decade). If you went with the older cheaper fab, the design has to be modified to support that technology (you cannot just take a design and run with it - you have to adapt your chip to the foundry you use).
If you roll your own, that becomes a support nightmare because now no one knows the system.
And on the taxpayer side - I'm sure everyone will question why youre spending billions running a fab that's only used at 10% capacity - unless you want the DoD getting into the foundry business with its own issues.
Or, why is the military spending so much money designing and running its own computer architecture and support services when they could buy much cheaper machines from Dell and run Linux on them?
Hell, even if the DoD had budget for that, some bean counter will probalby do the same so they can save money from one side and use it to buy more fighter jets or something.
30+ years ago, defense spending on electronics formed a huge part of the overall electronics spending. These days, defense spending is but a small fraction - it's far more lucrative to go after the consumer market than the military - they just don't have the economic clout they once had. End result is the miliary is forced to buy COTS ICs, or face stuff like a $0.50 chip costing easily $50 or more for same just because the military is a bit-player for semiconductors.
Re: (Score:3, Insightful)
These fabrication centers WERE running full time. Think about it, every radio, every o-scope, every computer that is not connected to the public internet, were all made right here in the U.S. At one of my duty stations, we had a server the size of 3 refrigerators that was fabricated in 1992. We used it as our backup server/router/gateway. All you had to do was turn on a switch and it did everything that we needed it to do. Plus we knew that there were no Chinese surprises in it.
They never ran their own
Re: (Score:3, Insightful)
In other news, voters clamor for an efficient government, but then are shocked when the government sources contracts to the lowest bidder.
*facepalm* Either pay for an expensive, inefficient government that props up corporations solely so that it has a national source for everything military, or shut the fuck up and pay China for its cheap crap.
Re: (Score:2)
Re: (Score:2, Funny)
...Once the Germans were warlike and mean,
But that couldn't happen again...
We taught them a lesson in 1918
And they've hardly bother us since then...
-- Tom Lerher, The MLF Lullaby
Re: (Score:2)
You do know that the Mossad has been caught stealing and collecting American Top Secrets. In fact most of the nations above save perhaps Canada have at one time or another been caught either spying on us, or performing dirty deeds cheap against America's best interest. I'd say for the really classified stuff, like the internal security devices that monitor everything else... homegrown only thanks, and add that any enterprising person who's looking to get paid twice by screwing with the hardware or selling s
Re:Should only buy military components from allies (Score:4, Funny)
Wow. I didn't realize the Canadians were so good at spying.
Oh Canada!
CONFIRMATION? (Score:4, Insightful)
"Extraordinary claims require extraordinary evidence..."
The actual article (Score:5, Informative)
It refers to an Actel ProAsic3 chip, which is an FPGA with internal EEPROM to store the configuration.
Re:The actual article (Score:4, Insightful)
Re:The actual article (Score:5, Interesting)
From your much more useful link,
We investigated the PA3 backdoor problem through Internet searches, software and hardware analysis and found that this particular backdoor is not a result of any mistake or an innocent bug, but is instead a deliberately inserted and well thought-through backdoor that is crafted into, and part of, the PA3 security system. We analysed other Microsemi/Actel products and found they all have the same deliberate backdoor. Those products include, but are not limited to: Igloo, Fusion and Smartfusion.
we have found that the PA3 is used in military products such as weapons, guidance, flight control, networking and communications. In industry it is used in nuclear power plants, power distribution, aerospace, aviation, public transport and automotive products. This permits a new and disturbing possibility of a large scale Stuxnet-type attack via a network or the Internet on the silicon itself. If the key is known, commands can be embedded into a worm to scan for JTAG, then to attack and reprogram the firmware remotely.
emphasis mine. Key is retrieved using the backdoor.
Frankly, if this is true, Microsemi/Actel should get complete ban from all government contracts, including using their chips in any item build for use by the government.
Re: (Score:3)
With regard to reprogramming the chip remotely or by the FPGA itself via the JTAG port: A secure system is one that can't reprogram itself. When I was designing VMEbus computer boards for a military subcontractor many years ago, every board had a JTAG connector that required the use of another computer with a special cable plugged
Re: (Score:3, Informative)
It seems that People's Republic of China has been misidentified with Taiwan (Republic of China).
Re: (Score:2)
More importantly, the back door was clearly designed to be very difficult to find. That's not standard for a debugging option
Ever do FPGA work? Not thinking so. Sadly I can verify that in the FPGA world everything is all ultra-closed. Patents? Competitive advantage? IP laws? Hide evidence of patent infringement?
In the FPGA world everything from the VHDL text editor to the hardware is marketed and sold as a magic black box. Text that happens to be VHDL squirts in here, a giant mystery binary appears here, tada. No one really knows whats going on.
The micro controller world is much different, much more open. Commercial mass
Re: (Score:2)
From the article, the read-only registers may be configured to be written:
agreed 100%; as this bit of your quote says.
"At this point we went back to those JTAG registers which were non-updatable as well as FROW to check whether we could change their values. Once the backdoor feature was unlocked, many of these registers became volatile and the FROW was reprogrammable as a normal Flash memory.
However the following bit is saying that the data can also be read. That doesn't have to be. Write only registers are a standard hardware feature. It's also standard procedure that if you
Wait and see (Score:5, Informative)
Either the claims will be backed up by independently reproduced tests or they won't. But, given his apparent track record in this area and the obvious scrutiny this would bring, Skorobogatov must have been sure of his results before announcing this.
Here's his publications list from his University home page, FWIW:
http://www.cl.cam.ac.uk/~sps32/#Publications [cam.ac.uk]
Re: (Score:2)
Re: (Score:2)
well, since the claims are pretty much that you can bypass some ip protection on the chip so you can clone it or reflash it.. if you have physical access.
yeah, it sounds feasible. it's a pretty loooooooong ways from "omg china is backdooring our fighter jets!" though. also it seems like the functionality is deliberately made into the chip by the company making the chip.
samzenpus will be looking for a new job soon (Score:3, Funny)
Even though this story has been blowing-up on Twitter, there are a few caveats. The backdoor doesn't seem to have been confirmed by anyone else, Skorobogatov is a little short on details, and he is trying to sell the scanning technology used to uncover the vulnerability.
Hey hey HEY! You stop that right this INSTANT, samzenpus! This is Slashdot! We'll have none of your "actual investigative research" nonsense around here! Fear mongering to sell ad space, mister, and that's ALL! Now get back to work! We need more fluffy space-filling articles like that one about the minor holiday labeling bug Microsoft had in the UK! That's what we want to see more of!
No details. Nothing to see here. Move along... (Score:2)
researchers have discovered that a microprocessor used by the US military
What chip? What does it do? Is it important? There are lots of chips in use that in no way shape or form are sensitive or important and the presence of a back door would be meaningless. Just because the military uses it doesn't mean anything by itself. This "article" sounds like someone trying to justify a research grant or a company trying to generate fear to sell a competing product.
Re: (Score:2)
From the draft paper's conclusion:
We investigated the PA3 backdoor problem through Internet searches, software and hardware analysis and found that this particular backdoor is not a result of any mistake or an innocent bug, but is instead a deliberately inserted and well thought-through backdoor that is crafted into, and part of, the PA3 security system. We analysed other Microsemi/Actel products and found they all have the same deliberate backdoor. Those products include, but are not limited to: Igloo, Fus
Physician, heal thyself. . . (Score:5, Insightful)
From TFA [cam.ac.uk]:
Today we released the drafts of our full papers on QVL technology due to accidental publicity, because someone put the link to our very old drafts of abstracts on Reddit.
This is a security guy I would trust, yessir.
Need physical access (Score:5, Insightful)
Not sure how exciting this is, as they needed physical access to the chip to get anything out of it.
Re: (Score:2)
Presumably if you knew this existed, then you might be able to predict the types of circuits it's tied into and figure out if the function could be activated remotely. After all, causing a microprocessor to lock up in debug mode, even if it would be watchdog-timer reset every few seconds, would be more then enough to effectively inactivate military hardware if you could do it continuously (or on demand).
Re: (Score:2)
Not sure how exciting this is, as they needed physical access to the chip to get anything out of it.
We're obviously very short on information regarding this. One could argue that, with a ready-made back door, an enemy would only need a very short duration of physical access to the chip. If these chips are used in hardware that gets regularly maintained for some reason (not hard to imagine in a military setting), getting physical access to the chip may not be as difficult as one might think.
Also, to draw a bad analogy... remember when the first jpeg vulnerability came out? A lot of people said "big deal, i
Re: (Score:2)
well, it would be more likely that the entire chip would be replaced for that kind of attack.
and the attacker would need to make sure that the code they upload to it works with all the other devices the chip talks to in the plane.
basically if you had that level access you might just as well reflash the entire sw running on the friggin jet. probably under the same seals too. if you really want it to be write-once only, just seal the damn thing in epoxy and don't expose the debug/maintenance connectors...
Re: (Score:2)
Not sure how exciting this is, as they needed physical access to the chip to get anything out of it.
If the EEPROM was reprogrammed/wiped wouldn't the backdoor in the hardware be closed (except for the physical access hole)? Call me crazy, but doesn't a backdoor need to be activated in order to work? Again, you might be able to tease it open with physical access, but I am not seeing how this could be a major deal for operational gear unless the EEPROM contained a trigger. Can anyone with an FPGA background elaborate?
Re: (Score:3)
They needed physical access to find the backdoor. To use the backdoor, they only need JTAG access. JTAG is typically used during development and not during operation, but there might be systems where the JTAG interface is still accessible during operation, either to allow easy debugging/patching in the field or because it was made available through some other interface during development and never removed afterward.
Another risk is that a stored AES key that is supposed to be unreadable was readable through
Brief description of what this crack entails (Score:5, Interesting)
FPGAs commonly protect user-code with encryption. An encryption engine is included in the silicon to which the user has limited access to crypto=keys with which to encrypt the code that is installed in ROM/Flash.
A number of attacks are known against microcontrollers/FPGAs that secure code with encryption - notably differential power analysis (DPA) which works by connecting a current probe to the chip, and collecting measurememnts of energy consumption as the device performs an authentication operation. By carefully, measuring power traces over thousands of authentication operations, statistical analysis can reveal clues about the internal secret keys; potentially allowing recovery of the key within useful periods of times (minutes to hours).
These secure FPGAs contain a heavily obfuscated hardware crypto-engine, with lots of techniques to obstruct DPA (deliberately unstable clocks, heavy on-chip RC power filtering, random delay stages in the pipeline, multiple "dummy" circuits so that an operation which would normally require fewer transistors than an alternative, has its transistor count increased, etc.). The idea being that these countermeasures reduce the DPA signal and increase the amount of noise, making recovery of useful statistics impractical. In their papers, this group admit that the PA3 FPGAs are completely impervious to DPA, with no statistical clues obtained even after weeks of testing.
This group have developed a new technique which they call PEA which is a much more sensitive technique. It involves extracting the FPGA die, and mapping the circuits on it - e.g. using high-resolution infra-red thermography during device operation to identify "interesting" parts of the die by heat production under certain tasks - e.g. caches, crypto pipelines, etc. Having identified interesting areas of the die, an infra-red microscope with photon counter is focused on the relevant circuit area. As it happens, transistors glow when switched, emitting approx 0.001 photons per switching operation. The signal from the photon counter is therefore analogous to the DPA signal, but with a much, much stronger signal-to-noise ratio, allowing statistical analysis with far fewer tries. The group claim the ability to extract the keys from such a secure FPGA in a few minutes of probing with authentication requests.
The researchers claim to have found the backdoor, by fuzzing the debug/programming interface, and finding an undocumented command that appeared to trigger a cryptographic authentication. By using their PEA technique against this command, they were able to extract the authentication key, and were able to open the backdoor, finding they were able to directly manipulate protected parameters of the chip.
Yup, not surprised. (Score:4, Insightful)
Why would a country not pay (or direct) a company to create products with particular subtle flaws ?
It would cost 1000x more to discover and leverage a known flaw, than to just get an engineer to insert one - with or without the blessing of his management.
The future is not bright.
Would anybody really be surprised? (Score:5, Interesting)
Re: (Score:2)
Chinese leaders are in a cold war with the west.
This is news to me. I'm not saying it's false, but I haven't seen any actions from China's government to indicate this. There are stories about hacking, and now about hardware corruption, but the details are so vague that it's hard to know what to believe. An the other hand, there is a flourishing and growing commerce between China and western countries. China is of course quite totalitarian, which is contrary to western values, but that's a political and not a diplomatic stance.
Re: (Score:3)
Or the massive amounts of spies here. I have dealt with 2 spies already. One was working hard to get access to equipment that was ITARed (we had massive issues sending it to UK). This guy went so far as to offer bribes for it.
How about th
Re: (Score:3)
Secondly, the US, in fact, the west, still produces loads of chips. It is not impossible to scale it back up.
From a security POV, the west SHOULD keep the manufacturing in-house. As it is, the Chinese gov. subsidized electronics, AE, etc. to get the tech from the west. It is in the west's best interest to simply walk away from this. At least where it concerns our military.
Ideally, we will use that to re-start the consumer side as well.
right as usual (Score:2)
Looks like my railing against the inherent weaknesses in FPGAs and the need to ditch the fabless model for the sake of quality control wasn't just hot air.
Re: (Score:2)
Assuming the feature was added at manufacturing time rather than designed into the chip, anyway.
Requires Physical Access (Score:5, Informative)
Missing the bigger picture (Score:2)
If they can backdoor this FPGA then they can backdoor the JTAG programmer and the BIOS chip inside the computer running it. The PC receives a command through its compromised ethernet controller which then sends appended code to the JTAG programmer.
Sun Tzu (Score:5, Insightful)
Sun Tzu said the greatest victory is one which doesn't require a shot. One won by subverting the enemy from within.
What greater subversion can there be than to convince the enemy to hire you to build their weapon's systems components?
Apparently the American Military (and probably that of the rest of the world) hasn't bothered reading any "classic" literature on warfare before signing on the dotted line...
Re: (Score:2)
Sun Tzu said the greatest victory is one which doesn't require a shot.
It may also be the best way of losing, especially if you ask those who haven't been shot then.
Buy... (Score:2)
...American.
This, of course, means the USA needs to produce too.
Why is this a surprise? (Score:2)
I don't know if this specific backdoor is real, but would you be horribly surprised if you found out that your router, etc. had chips in it that could be remotely disabled with the right information fed to the device (e.g., repeated processing of a certain string of bytes in an incoming packet)?
Of course, this stunt could only be pulled off once, and may not work in every device. But it's not inconceivable for a military-industrial power to figure out how certain common chips are used in certain devices, f
I never did trust ... (Score:5, Funny)
None of this would be a problem... if (Score:2)
We made our own chips. And the only reason we don't make our own chips is because people keep dicking around with the semiconductor companies when they want electricity and some regulation clarity about what they can and can't do.
That's why they left to asia. Think the price of labor matters at all in a semi conductor fab? Oh sure... it always matters but not so much that you'd leave the country. They're not paying people 2 dollars an hour in those fabs anywhere. You don a clean room suit and you're unlikel
Where was it designed in? (Score:3)
Where was this undocumented feature/bug designed in? I see plenty of "I hate China" posts, it would be quite hilarious if the fedgov talked the US mfgr into adding this backdoor, then the Chinese built it as designed. Perhaps the plan all along was to blame the Chinese if they're caught.
These are not military chips. They are FPGAs that happen to be used occasionally for military apps. Most of them are sold for other, more commercially exploitable purposes.
Big risk is to "secret sauce" for comms & cryp (Score:5, Informative)
That said, it's still pretty bad, because hardware does occasionally end up in the hands of unfriendlies (e.g., crashed drones). FPGAs like these are often used to run classified software radio algorithms with anti-jam and anti-interception goals, or to run classified cryptographic algorithms. If those algorithms can be extracted from otherwise-dead and disassembled equipment, that would be bad--the manufacturer's claim that the FPGA bitstream can't be extracted might be part of the system's security certification assumptions. If that claim is false, and no other counter-measures are place, that could be pretty bad.
Surreptitiously modifying a system in place through the JTAG port is possible, but less of a threat: the adversary would have to get access to the system and then return it without anyone noticing. Also, a backdoor inserted that way would have to co-exist peacefully with all the other functions of the FPGA, a significant challenge both from an intellectual standpoint and from a size/timing standpoint--the FPGA may just not have enough spare capacity or spare cycles. They tend to be packed pretty full, 'coz they're expensive and you want to use all the capacity you have available to do clever stuff.
Re:Big risk is to "secret sauce" for comms & c (Score:4, Insightful)
This is a physical-access backdoor. You have to have your hands on the hardware to be able to use JTAG. It's not a "remote kill switch" driven by a magic data trigger, it's a mechanism that requires use of a special connector on the circuit board to connect to a dedicated JTAG port that is simply neither used nor accessible in anything resembling normal operation.
Surreptitiously modifying a system in place through the JTAG port is possible, but less of a threat: the adversary would have to get access to the system and then return it without anyone noticing.
As someone else mentioned in another post, physical access can be a bit of a misnomer. Technically all that is required is for a computer to be connected via the JTAG interface in order to exploit this. This might be a diagnostic computer for example. If that diagnostic computer were to be infected with a targeted payload, there is your physical access.
Is this the obvious consequence of outsourcing (Score:3)
Is this the most obvious consequence to outsourcing or what ? When you take seriously the notion that all that matters is the profitability of your largest campaign contributors, is not the inevitable result that Reality will teach you just how wrong you were?
For years some of us have been saying just this is exactly inevitable and before us, the previous generation were saying the same thing. All we got back was BS from the likes of Dan Griswold and the CATO Institute about what Luddites we were.
We don't make critical parts to our own weapon systems. We outsource to our most likely long term opponent. Why do we do that? So large campaign contributors can make obscene profits by advantaging themselves of cheap (but getting less cheap) labor.
Does this change anyone's mind about campaign finance reform? Is money still a form of speech? Anyone in Congress care to review Citizens United v FEC? Or do we have to wait until it's just too late?
To quote that military luminary, Gomer Pyle... (Score:3)
Well, surprise! Surprise! Surprise!
Of course, it's all about defense industry profits, not actual defense. As long as defense contractors are allowed to outsource components, or must purchase offshore components, this is going to happen, and with increasing frequency. The Chinese are not stupid and can spot an obvious attack vector. Even if they have no immediate plans to use these backdoors, they'd be foolish NOT to put them in. And since the government and industry are so intertwined in China, you have a near guarantee that this strategy will be used.
Not that this is a secret to the US military. It's just that nobody with decision making power in the USA actually gives a crap about the USA anymore. If you're wealthy enough, you can live anywhere. If a war breaks out, you can bet all the rich lobbyists, ex-military brass, subcontractors and subcontractors will rapidly relocate somewhere safe, leaving the poor and the stupid on both sides to slaughter each other.
Re: (Score:3)
But it does highlight the dangers in outsourcing production of something as sensitive as military hardware, when there's very few ways to actually verify on-chip silicon as being what you ordered, with no extraneous functionality.
Any particular chip can be reasonably expected to have it's application reverse engineered by an intelligence agency if you know the schematics and an idea of the intended use. If you can't make sure the chip won't do any more then you want it to, then how hard would be it be, real
Re: (Score:2)
I agree it most likely wasn't malicious, but its more than careless, its irresponsible, especially when dealing with military contracts.
Re: (Score:2)
There is no China link to the backdoor yet.
The page with a link to the final paper actually does mention China. However, it's an American design from a US company. I suspect we will find the backdoor was in the original plans. It will be interesting to see however.
Re: (Score:3)
You are over thinking this. Pack the toner cartridge with Semtex and FedEx it to your target.
It Is a Story! (Score:2)
If its in the Weekly World News* and it has an exclamation mark!
* Or Slashdot, lately!