The US Navy, NATO, and NASA Are Using a Shady Chinese Company's Encryption Chips (wired.com) 45
New submitter ole_timer shares a report from Wired: TikTok to Huawei routers to DJI drones, rising tensions between China and the US have made Americans -- and the US government -- increasingly wary of Chinese-owned technologies. But thanks to the complexity of the hardware supply chain, encryption chips sold by the subsidiary of a company specifically flagged in warnings from the US Department of Commerce for its ties to the Chinese military have found their way into the storage hardware of military and intelligence networks across the West. In July of 2021, the Commerce Department's Bureau of Industry and Security added the Hangzhou, China-based encryption chip manufacturer Hualan Microelectronics, also known as Sage Microelectronics, to its so-called "Entity List," a vaguely named trade restrictions list that highlights companies "acting contrary to the foreign policy interests of the United States." Specifically, the bureau noted that Hualan had been added to the list for "acquiring and ... attempting to acquire US-origin items in support of military modernization for [China's] People's Liberation Army."
Yet nearly two years later, Hualan -- and in particular its subsidiary known as Initio, a company originally headquartered in Taiwan that it acquired in 2016 -- still supplies encryption microcontroller chips to Western manufacturers of encrypted hard drives, including several that list as customers on their websites Western governments' aerospace, military, and intelligence agencies: NASA, NATO, and the US and UK militaries. Federal procurement records show that US government agencies from the Federal Aviation Administration to the Drug Enforcement Administration to the US Navy have bought encrypted hard drives that use the chips, too. The disconnect between the Commerce Department's warnings and Western government customers means that chips sold by Hualan's subsidiary have ended up deep inside sensitive Western information networks, perhaps due to the ambiguity of their Initio branding and its Taiwanese origin prior to 2016. The chip vendor's Chinese ownership has raised fears among security researchers and China-focused national security analysts that they could have a hidden backdoor that would allow China's government to stealthily decrypt Western agencies' secrets. And while no such backdoor has been found, security researchers warn that if one did exist, it would be virtually impossible to detect it.
"If a company is on the Entity List with a specific warning like this one, it's because the US government says this company is actively supporting another country's military development," says Dakota Cary, a China-focused research fellow at the Atlantic Council, a Washington, DC-based think tank. "It's saying you should not be purchasing from them, not just because the money you're spending is going to a company that will use those proceeds in the furtherance of another country's military objectives, but because you can't trust the product." [...] The mere fact that so many Western government agencies are buying products that include chips sold by the subsidiary of a company on the Commerce Department's trade restrictions list points to the complexities of navigating the computing hardware supply chain, says the Atlantic Council's Cary. "At minimum, it's a real oversight. Organizations that should be prioritizing this level of security are apparently not able to do so, or are making mistakes that have allowed for these products to get into their environments," he says. "It seems very significant. And it's probably not a one-off mistake."
Yet nearly two years later, Hualan -- and in particular its subsidiary known as Initio, a company originally headquartered in Taiwan that it acquired in 2016 -- still supplies encryption microcontroller chips to Western manufacturers of encrypted hard drives, including several that list as customers on their websites Western governments' aerospace, military, and intelligence agencies: NASA, NATO, and the US and UK militaries. Federal procurement records show that US government agencies from the Federal Aviation Administration to the Drug Enforcement Administration to the US Navy have bought encrypted hard drives that use the chips, too. The disconnect between the Commerce Department's warnings and Western government customers means that chips sold by Hualan's subsidiary have ended up deep inside sensitive Western information networks, perhaps due to the ambiguity of their Initio branding and its Taiwanese origin prior to 2016. The chip vendor's Chinese ownership has raised fears among security researchers and China-focused national security analysts that they could have a hidden backdoor that would allow China's government to stealthily decrypt Western agencies' secrets. And while no such backdoor has been found, security researchers warn that if one did exist, it would be virtually impossible to detect it.
"If a company is on the Entity List with a specific warning like this one, it's because the US government says this company is actively supporting another country's military development," says Dakota Cary, a China-focused research fellow at the Atlantic Council, a Washington, DC-based think tank. "It's saying you should not be purchasing from them, not just because the money you're spending is going to a company that will use those proceeds in the furtherance of another country's military objectives, but because you can't trust the product." [...] The mere fact that so many Western government agencies are buying products that include chips sold by the subsidiary of a company on the Commerce Department's trade restrictions list points to the complexities of navigating the computing hardware supply chain, says the Atlantic Council's Cary. "At minimum, it's a real oversight. Organizations that should be prioritizing this level of security are apparently not able to do so, or are making mistakes that have allowed for these products to get into their environments," he says. "It seems very significant. And it's probably not a one-off mistake."
Re: (Score:2)
Not political correctness, but delusion and enabling of delusion.
Re: (Score:2)
I think San Francisco when I think empathy. /s
Governments should not have empathy. They should pass and enforce laws and policies beneficial to society. Feelsgoods are not a government role.
Economic plans for peace (Score:5, Insightful)
1) Integrate, and you get peace because nobody will want to harm their valuable partners
2) Specialize, so whoever can do the job for the least money will have you by the short and curlies
Well... Putin's gone and showed us just how naive that is. Nations can be run by regimes that are just as dumb as your average street thug, and will absolutely seek the short term advantage until they're cornered and can no longer see the long term even if they had a change of heart and wanted to.
The first two are still good targets, but we need a new entry on the list to ensure longer term stability:
3) Keep enough domestic capacity that if relationships change, you're not in any real danger.
Re: (Score:3)
On the other hand, Russia isn't a great advertisement for the benefits of autarky either.
It's easy to say that you're going to secure all your supply chains from the politics of hostile countries, as Russia found out after 2014 it's really hard to do. Basically only the EU and the US would have even a remote chance of succeeding.
Now say what you like about the Iron Curtain, but partioning the world into large blocs with common political values worked pretty well, except for the constant background fear of n
Re: (Score:1)
China is trying to take the world a step in that direction its belt and road thing.
What the fuck are you smoking to come up with that?
It was mostly just America trying to block belt and road. And only existed because America wouldn't let China have a say in the other global infrastructure banks.
Belt and road was open to everyone, guess who tried to discourage participation?
You have a really warped view of the world.
Re: (Score:1)
You have a really warped view of the world.
he has an us-centric view of the world, increasingly intoxicated with nonsensical propaganda like tfa, just like the vast majority of /.
are you new here?
Re: (Score:2)
If only social credits were as tasty as honey we'd be set.
If you don't have enough social credit, you'd be set for prison or, at the very least, house arrest
Re: (Score:1)
....and possibly not enough teepee to wipe your bunghole.
Re: (Score:2)
What the fuck are you smoking to come up with that?
History. Russia by all accounts did an excellent job sanction-proofing its economy, particularly the central bank. They still can't produce what they need for the war without foreign goods, and faces a critical need for foreign revenue and investment that is not going to materialize.
Belt and road was open to everyone, guess who tried to discourage participation?
Of course it was open to everyone. Why would China limit a program whose aim is to spread Chinese influence? I actually do think the intentions of the program were to create a win-win scenario that would raise China's interna
Re: (Score:1)
'except for the constant background fear of nuclear war' and except for the untold numbers of people screwed royally by their masters running the Iron Curtain. It's working out well for the Norks, isn't it.
China's road and belt thing is nothing more than a blatant grab for global power because Xi Jinping thinks it makes his cowboy hat look taller. And the rest of the world has those nasty tendencies of promoting the ideas that his people should be telling him what to do instead of the way it is now. So now
Re: (Score:2)
North Korea would be a worker's paradise if only they could tweak their form of communism a little bit. /s
Re: (Score:2)
except for the untold numbers of people screwed royally by their masters running the Iron Curtain.
Life wasn't any better under Stalin before the war. And remember the plan before the war was to divide up those Iron Curtain countries between Stalin and Hitler, who wanted to depopulate them.
I'm not saying the Cold War was ideal, far from it. I'm just saying having the great powers constrained to proxy wars, police actions, and keeping their "allies" under their thumb was better than what came before.
It really is not a risk (Score:5, Interesting)
Except for some specific function, primarily secure random number generation. But there you should not rely on hardware you do not control anyways, be it the backdoored Intel mechanism or some other intransparent "please trust me!" electronics. Fortunately, you can combine hardware that is not trustworthy with other mechanisms and you should do so anyways. For anything else, it is basically impossible to leak keys in modern encryption, at least if you do it right.
Re: (Score:2)
Even for RNG if you don't have the seed you're pretty much screwed
Re: (Score:2)
Yeah, it's just the standard US yellow-peril scaremongering. Firstly, every chip manufacturer in every country has ties to that country's military, because the military use a lot of chips and they're going to buy local if possible. Secondly, for disk encryption they're going to implement something like AES-XTS which is either -XTS or it isn't. There's no way to secretly make it rot13 without telling anyone, you either get -XTS or you don't. And since all it's doing is passthrough encryption of disk bloc
Re: (Score:2)
Secondly, for disk encryption they're going to implement something like AES-XTS which is either -XTS or it isn't. There's no way to secretly make it rot13 without telling anyone, you either get -XTS or you don't. And since all it's doing is passthrough encryption of disk blocks, unlike Intel's hidden-CPU-with-an-entire-secret-OS there's not much scope for shenanigans.
Yeah, it's probably yellow-peril scaremongering, but I can think of real attack vectors here, mostly along the lines of "if you see Block X written to disk, do something naughty," such as delete the keys rendering the disk useless, or "replace Block Y with Block Z upon read." All of which would be mitigated by using disk encryption at the OS level, but who really believes in defense in depth...?
Re: (Score:2)
Hardware vs software. Potato potatoe. Both can be crippled by whomever made them except software is a lot easier to cripple after deployment.
Re: (Score:2)
Forget about that. That would require a huge addition in in the hardware and would be blatantly obvious. You also need to be able to actually write that block to disk.
Re: (Score:2)
I made a custom TRNG using a microcontroller. I just read the internal temperature sensor with the ADC, and it turns out that the LSB is quantum noise. With a bit of whitening it passes all the NIST tests.
I can produce about 8Mbps of random bits, but on Windows there doesn't seem to be a documented way to add that to the OS entropy pool.
Re: (Score:2)
Indeed. Or just read the ADC input directly while open. Has brownian noise and quantum noise and environmental RF noise all put together. As long as your ADC has enough bits and you are conservative in using the results, you are good. Funnily, when I asked some EE students (I was teaching OS stuff to) about this, they all came up with something like this immediately. CS students struggle.
It is absolutely no surprise that the 3rd rated "Windows" OS does make it hard to use this though, when on Linux it is ju
Re: (Score:2)
I found an open ADC pin doesn't work as well. Not sure why.
The temperature sensor is linear over the operating range so it's not just a thermistor.
Re: (Score:2)
Hmmm. The temperature sensor will be the standard forward diode circuit with about 2mV/C signal. That does require amplification in most ADC use scenarios. That amplifier probably adds to the noise and does amplify the noise generated by the diode. On the other hand, that amplifier can be dog-slow and that does not match the rate you are getting.
For the open pin, it is possible that the signal is so large that it gets driven into the protection circuit and there the ADC will not work well. It may be that th
Re: (Score:2)
It's an XMEGA if you are interested. The ADCs are generally speaking really good, if you set them up properly. I can get a very stable 0.5mV resolution out of them. For this though I didn't even both having a separate supply for the analogue sections, and used the internal voltage reference. Ran the ADCs in 12 bit more as fast as they could go, out of spec.
I take each LSB and when I have 8 of them I feed a byte into the CRC32 peripheral, and pull one byte out of it. That whitens it, and the resulting entrop
Re: (Score:1)
I think you can boost the available entropy by heating the sensor, but I am having a hard time finding the source of this information again.
Re: (Score:2)
Not really. Most of the noise does not actually come from the sensor. It is mostly the amplifier and comparator in the A/D converter. For a very simple demonstration, use an OPAMP, set amplification to 1000 or so and short the input. A ruin-of-the-mill 741 gives you about 50mV in noise with that and it is a mix of brownian noise and some tunneling (i.e. quantum) noise.
=O (Score:1)
How could anybody have seen this coming? (Score:3)
When was the last time anybody heard the movers and shakers, the great captains of industry and their faithful acolytes in the business press, tell us all with utter confidence that, "The World is Flat"? Eliminating all trade barriers (except where a country like China tells them to fuck right off) will make us all rich! Giving China whatever they want will be just like a magic wand, and turn that monstrous Big Brother state into a model of open government democracy!
All those overpaid, lazy drones in the United States, Canada and elsewhere who insist on a living wage need to understand that we don't need them anymore. Why pay an American worker $20 or $30 an hour, when a Chinese or Bangladeshi slave child can do the job for $5 per month...and then go to their second job in a brothel catering to the same clientele Jeffrey Epstein served with such diligence?
So where are we now? All of North America's manufacturing capacity has been hollowed out, and all the companies that could have been developing and manufacturing computer equipment, solar cells, batteries, and a myriad of other high tech hardware are gone. Their pale imitations...the ones we used to laugh at in the 1970s for their pathetic attempts to manufacture a stereo that didn't sound like a car running without oil whenever you turned the volume past 7...are now leading the world in tech manufacturing. And they still suck at it...they just don't have any competition anymore. Why? Because we pissed our advantage away so skinny little bean counters with the ethics of a rabid weasel could line their pockets.
I want to be clear: ALL the parties in ALL the democracies have played a role...Liberals, Conservatives, Labour, Democrats, Republicans...they've all dropped to their knees and given service to people who would cheerfully drive over your children if it shaved two minutes off their travel time to the gym.
If we want our democracies, and our technological leadership, back, we all have a lot of work to do.
Re: (Score:1)
Why pay an American worker $20 or $30 an hour, when a Chinese or Bangladeshi slave child can do the job for $5 per month...and then go to their second job in a brothel catering to the same clientele Jeffrey Epstein served with such diligence?
Chinese students can do all that and still find time to study and get better grades than Americans.
No wonder you don't want to compete with them. You're lazy as fuck.
Re: (Score:3)
Chinese students can do all that and still find time to study and get better grades than Americans.
No wonder you don't want to compete with them. You're lazy as fuck.
That's right. We want to laze and fuck, not spend our whole lives sweating for a nickel.
Re: (Score:1)
You can fuck.
You can be lazy.
You can be lazy as fuck.
But don't be a lazy fuck. Your partner won't appreciate that.
Mostly irrelevant (Score:2)
Does bitlocker or linux encryption use these chips or dont they. Because if they dont then the only users are people who use, are the one who dont understand that while ~2005 it may have been practical to use a proprietary (cheap, shitty implemented, not upgradable) device do encryption for the sake of having to use your OS for it, that changed when windoes pushed bitlocker ans most linux distibution are easy to install using built-in FDE (and, if you like use TPM). Windows now has bitlocker on the go. So
all your base stations... (Score:2)
NASA has secrets? (Score:3)
Why is NASA on the list of military and intelligence agencies?
Re: (Score:2)
NASA works with the Air Force on cross use civilian/military tech. I'm guessing they have access to classified USAF information.
Detecting compromised encryption hard (Score:2)
A compromised chip could leak its internal state one bit at a time. Maybe through a subtle timing or maybe there are a couple of functions in the chip that aren't 100% deterministic based on inputs and the chip will slightly bias the results. Since the investigator d
Triage (Score:1)
Their fiat currencies pay the wages of those making bombs, guns, encryption chips...