Slashdot Mirror

← Back to Stories (view on slashdot.org)

Backdoor Found In China-Made US Military Chip?

Posted by samzenpus on from the protect-ya-neck dept.

Hugh Pickens writes "Information Age reports that the Cambridge University researchers have discovered that a microprocessor used by the US military but made in China contains secret remote access capability, a secret 'backdoor' that means it can be shut off or reprogrammed without the user knowing. The 'bug' is in the actual chip itself, rather than the firmware installed on the devices that use it. This means there is no way to fix it than to replace the chip altogether. 'The discovery of a backdoor in a military grade chip raises some serious questions about hardware assurance in the semiconductor industry,' writes Cambridge University researcher Sergei Skorobogatov. 'It also raises some searching questions about the integrity of manufacturers making claims about [the] security of their products without independent testing.' The unnamed chip, which the researchers claim is widely used in military and industrial applications, is 'wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan', Does this mean that the Chinese have control of our military information infrastructure asks Rupert Goodwins? 'No: it means that one particular chip has an undocumented feature. An unfortunate feature, to be sure, to find in a secure system — but secret ways in have been built into security systems for as long as such systems have existed.'" Even though this story has been blowing-up on Twitter, there are a few caveats. The backdoor doesn't seem to have been confirmed by anyone else, Skorobogatov is a little short on details, and he is trying to sell the scanning technology used to uncover the vulnerability.

12 of 270 comments (clear)

  1. Fear mongering by jhoegl · · Score: 5, Insightful

    It sells...

  2. What did the military expect? by runeghost · · Score: 5, Insightful

    Even if this case turns out to be a false alarm, allowing a nation that you repeatedly refer to as a 'near-peer competitor' to build parts of your high-tech weaponry is idiotic.

    1. Re:What did the military expect? by Electricity+Likes+Me · · Score: 5, Insightful

      Seriously.

      Isn't military production capability the one thing you specifically never ever want to outsource, especially when it's to the people you keep simulating wars with.

    2. Re:What did the military expect? by Jawnn · · Score: 5, Insightful

      Seriously.

      Isn't military production capability the one thing you specifically never ever want to outsource, especially when it's to the people you keep simulating wars with.

      Well..., no. Not if your primary aim is profit. Fuck national security. If your corporation can make a buck selling "defense technology", and it can make 1.5 bucks selling defense technology using cheap offshore parts, you use the cheap offshore parts. Dealing with bad PR like this is what lobbyists are for.

    3. Re:What did the military expect? by vlm · · Score: 5, Insightful

      I can't imagine them selling fighter planes to Saudi Arabia and not putting in a kill switch.

      Its called the spare parts stream. How long did it take Iran's F-14s to completely break down, even with extensive conservation, cannibalization, and duct-tape fixes?

      Also the training/support stream. There's a certain small size where you can afford internal low, maybe even mid level operational support, but can't afford to train new techs/mechanics... If you had the internal resources to run a high level training facility, you would be in the arms dealing business making your own aircraft, not buying someone elses airplane.

      This is not limited to high tech aviation. Lets say I give you a M-16. Oh, you'd like ammo too, well we can make a separate yearly deal for that. Oh and you say you're not a gunsmith, well we can make a deal for that too. Oh you don't know how to use it, lets make a deal for some instructors. Your cam pin snapped and the highest tech metal working facility you have is a blacksmiths anvil, well we can make a deal for spare parts too. Suddenly that "free" M-16 is terribly expensive.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  3. Physician, heal thyself. . . by dtmos · · Score: 4, Insightful

    From TFA:

    Today we released the drafts of our full papers on QVL technology due to accidental publicity, because someone put the link to our very old drafts of abstracts on Reddit.

    This is a security guy I would trust, yessir.

  4. Need physical access by mveloso · · Score: 4, Insightful

    Not sure how exciting this is, as they needed physical access to the chip to get anything out of it.

  5. Particularly in a press release like that. by khasim · · Score: 5, Insightful

    That entire article reads more like a press release with FUD than anything with any facts.

    Which chip?
    Which manufacturer?
    Which US customer?

    No facts and LOTS of claims. It's pure FUD.

    (Not that this might not be a real concern. But the first step is getting past the FUD and marketing materials and getting to the real facts.)

    1. Re:Particularly in a press release like that. by TheDarkMaster · · Score: 5, Insightful

      Take it easy. I assume if the researcher openly say exactly what chip and where exactly is the backdoor, then the military would be REALLY in trouble. So it may still be FUD, but caution never killed anyone.

      --
      Religion: The greatest weapon of mass destruction of all time
    2. Re:Particularly in a press release like that. by colinrichardday · · Score: 5, Insightful

      Suing is easy, just file in the appropriate court. The hard part is winning, or even getting a judge to let you proceed.

  6. Sun Tzu by msobkow · · Score: 4, Insightful

    Sun Tzu said the greatest victory is one which doesn't require a shot. One won by subverting the enemy from within.

    What greater subversion can there be than to convince the enemy to hire you to build their weapon's systems components?

    Apparently the American Military (and probably that of the rest of the world) hasn't bothered reading any "classic" literature on warfare before signing on the dotted line...

    --
    I do not fail; I succeed at finding out what does not work.
  7. Re:Should only buy military components from allies by tlhIngan · · Score: 4, Insightful

    Second problem.... 20 years ago the DOD had their own processor manufacturing facilities, IC chips, etc. They were shut down in favor of commercial equipment because some idiot decided it was better to have an easier time buying replacement parts at Radioshack than buying quality military-grade components that could last in austere environments. (Yes, speaking from experience). Servers and workstations used to be built from the ground up at places like Tobyhanna Army Depot. Now, servers and workstations are bought from Dell.

    Fabs are expensive. The latest generation nodes cost billions of dollars to set up and billions more to run. If they aren't cranking chips out 24/7, they're literally costing money. Yes, I know it's hte military, but I'm sure people have a hard time justifying $10B every few years just to fab a few chips. One of the biggest developments in the 90s was the development of foundries that let anyone with a few tens of millions get in the game of producing chips rather than requiring billions in startup costs. Hence the startup of tons of fabless companies selling chips.

    OK, another option is to buy a cheap obsolete fab and make chips that way - much cheaper to run, but we're also talking maybe 10+ year old technology, at which point the chips are going to be slower and take more power.

    Also, building your own computer from the ground up is expensive - either you buy the designs of your servers from say, Intel, or design your own. If you buy it, it'll be expensive and probably require your fab to be upgraded (or you get stuck with an old design - e.g., Pentium (the original) - which Intel bought back from the DoD because the DoD had been debugging it over the decade). If you went with the older cheaper fab, the design has to be modified to support that technology (you cannot just take a design and run with it - you have to adapt your chip to the foundry you use).

    If you roll your own, that becomes a support nightmare because now no one knows the system.

    And on the taxpayer side - I'm sure everyone will question why youre spending billions running a fab that's only used at 10% capacity - unless you want the DoD getting into the foundry business with its own issues.

    Or, why is the military spending so much money designing and running its own computer architecture and support services when they could buy much cheaper machines from Dell and run Linux on them?

    Hell, even if the DoD had budget for that, some bean counter will probalby do the same so they can save money from one side and use it to buy more fighter jets or something.

    30+ years ago, defense spending on electronics formed a huge part of the overall electronics spending. These days, defense spending is but a small fraction - it's far more lucrative to go after the consumer market than the military - they just don't have the economic clout they once had. End result is the miliary is forced to buy COTS ICs, or face stuff like a $0.50 chip costing easily $50 or more for same just because the military is a bit-player for semiconductors.