Backdoor Found In China-Made US Military Chip?

Hugh Pickens writes "Information Age reports that the Cambridge University researchers have discovered that a microprocessor used by the US military but made in China contains secret remote access capability, a secret 'backdoor' that means it can be shut off or reprogrammed without the user knowing. The 'bug' is in the actual chip itself, rather than the firmware installed on the devices that use it. This means there is no way to fix it than to replace the chip altogether. 'The discovery of a backdoor in a military grade chip raises some serious questions about hardware assurance in the semiconductor industry,' writes Cambridge University researcher Sergei Skorobogatov. 'It also raises some searching questions about the integrity of manufacturers making claims about [the] security of their products without independent testing.' The unnamed chip, which the researchers claim is widely used in military and industrial applications, is 'wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan', Does this mean that the Chinese have control of our military information infrastructure asks Rupert Goodwins? 'No: it means that one particular chip has an undocumented feature. An unfortunate feature, to be sure, to find in a secure system — but secret ways in have been built into security systems for as long as such systems have existed.'" Even though this story has been blowing-up on Twitter, there are a few caveats. The backdoor doesn't seem to have been confirmed by anyone else, Skorobogatov is a little short on details, and he is trying to sell the scanning technology used to uncover the vulnerability.

Fear mongering

[jhoegl]

It sells...

What did the military expect?

[runeghost]

Even if this case turns out to be a false alarm, allowing a nation that you repeatedly refer to as a 'near-peer competitor' to build parts of your high-tech weaponry is idiotic.

Re:What did the military expect?

[Electricity+Likes+Me]

Seriously.

Isn't military production capability the one thing you specifically never ever want to outsource, especially when it's to the people you keep simulating wars with.

Re:What did the military expect?

[Jawnn]

Seriously.

Isn't military production capability the one thing you specifically never ever want to outsource, especially when it's to the people you keep simulating wars with.

Well..., no. Not if your primary aim is profit. Fuck national security. If your corporation can make a buck selling "defense technology", and it can make 1.5 bucks selling defense technology using cheap offshore parts, you use the cheap offshore parts. Dealing with bad PR like this is what lobbyists are for.

Re:What did the military expect?

[vlm]

I can't imagine them selling fighter planes to Saudi Arabia and not putting in a kill switch.

Its called the spare parts stream. How long did it take Iran's F-14s to completely break down, even with extensive conservation, cannibalization, and duct-tape fixes?

Also the training/support stream. There's a certain small size where you can afford internal low, maybe even mid level operational support, but can't afford to train new techs/mechanics... If you had the internal resources to run a high level training facility, you would be in the arms dealing business making your own aircraft, not buying someone elses airplane.

This is not limited to high tech aviation. Lets say I give you a M-16. Oh, you'd like ammo too, well we can make a separate yearly deal for that. Oh and you say you're not a gunsmith, well we can make a deal for that too. Oh you don't know how to use it, lets make a deal for some instructors. Your cam pin snapped and the highest tech metal working facility you have is a blacksmiths anvil, well we can make a deal for spare parts too. Suddenly that "free" M-16 is terribly expensive.

The actual article

[NixieBunny]

The original article is here.
It refers to an Actel ProAsic3 chip, which is an FPGA with internal EEPROM to store the configuration.

Re:The actual article

From your much more useful link,

We investigated the PA3 backdoor problem through Internet searches, software and hardware analysis and found that this particular backdoor is not a result of any mistake or an innocent bug, but is instead a deliberately inserted and well thought-through backdoor that is crafted into, and part of, the PA3 security system. We analysed other Microsemi/Actel products and found they all have the same deliberate backdoor. Those products include, but are not limited to: Igloo, Fusion and Smartfusion.

we have found that the PA3 is used in military products such as weapons, guidance, flight control, networking and communications. In industry it is used in nuclear power plants, power distribution, aerospace, aviation, public transport and automotive products. This permits a new and disturbing possibility of a large scale Stuxnet-type attack via a network or the Internet on the silicon itself. If the key is known, commands can be embedded into a worm to scan for JTAG, then to attack and reprogram the firmware remotely.

emphasis mine. Key is retrieved using the backdoor.

Frankly, if this is true, Microsemi/Actel should get complete ban from all government contracts, including using their chips in any item build for use by the government.

Wait and see

[6031769]

Either the claims will be backed up by independently reproduced tests or they won't. But, given his apparent track record in this area and the obvious scrutiny this would bring, Skorobogatov must have been sure of his results before announcing this.

Here's his publications list from his University home page, FWIW:
http://www.cl.cam.ac.uk/~sps32/#Publications

Particularly in a press release like that.

[khasim]

That entire article reads more like a press release with FUD than anything with any facts.

Which chip?
Which manufacturer?
Which US customer?

No facts and LOTS of claims. It's pure FUD.

(Not that this might not be a real concern. But the first step is getting past the FUD and marketing materials and getting to the real facts.)

Re:Particularly in a press release like that.

[TheDarkMaster]

Take it easy. I assume if the researcher openly say exactly what chip and where exactly is the backdoor, then the military would be REALLY in trouble. So it may still be FUD, but caution never killed anyone.

Re:Particularly in a press release like that.

[colinrichardday]

Suing is easy, just file in the appropriate court. The hard part is winning, or even getting a judge to let you proceed.

Re:Particularly in a press release like that.

[hairyfeet]

Riiiight, because if the guy went out and just named the chip the military would say 'oh that's okay, no harm no foul". Shit his ass would be in custody so fast it would make his head swim!

Besides, lets be honest folks....who didn't know this kinda shit has been going on damned nearly constantly? To steal a line from an old movie "The Chinese fucking steal, they steal every idea that ain't nailed down!" and who can blame them? they've saved billions in R&D that way. hell look at their stealth fighter, the rumor is they paid dirt farmers to dig up the F117 that crashed in Kosovo and between that and the stealth drone that landed in Iran they saved years worth of work. Its just how the game is played.

So the moral of the story here folks is simple, if you want it done right you do it yourself and you sure as hell don't trust a country known for snatching every idea that ain't nailed down and who is famous for copying other's stuff to do it for you! When you think about how many billions it costs to build a weapon nowadays frankly any country would be retarded not to just steal the tech if it were possible so this only shows the Chinese? NOT stupid. Again this isn't the first time, the Russians were shooting sidewinders at us all through the 60s because a dud one got lodged in a Chinese MiG over Taiwan and they managed to land the bird with it intact. the Russians saved themselves years of work on short range missiles by simply copying sidewinder. Supposedly you could mix and match parts between the Atoll 1 and the mid 60s sidewinder and no matter which combo you made it shot perfectly, they ripped off the design THAT well.

If you don't like it you really only have two choices, either sell the tech the Chinese want, or DIY, that's really it. Because if you won't sell it to them then they WILL get it some other way and who can blame them? If it turns out the Chinese stealth stomps the F35 and can be made for less than $80 mil flyaway you don't think we'll steal from them? Please.

Would anybody really be surprised?

[WindBourne]

Chinese leaders are in a cold war with the west. As such, it is far cheaper and easier to be able to shut down an adversaries equipment if you are manufacturing it for them. If the west would quit being foolish, they would insist on equipment made in secured companies. And Google has already proved that nothing in China is secured from the gov.

Most likely inserted by Microsemi/Actel not fab

1) Read the paper http://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdf
2) This is talking about FPGAs designed by Microsemi/Actel.
3) The article focuses on the ProAsic3 chips but says all the Microsemi/Actel chips tested had the same backdoor including but not limited to Igloo, Fusion and Smartfusion.
4) FPGAs give JTAG access to their internals for programming and debugging but many of the access methods are proprietary and undocumented. (security through obscurity)
5) Most FPGAs have features that attempt to prevent reverse engineering by disabling the ability to read out critical stuff.
6) These chips have a secret passphrase (security through obscurity again) that allows you to read out the stuff that was supposed to be protected.
7) These researchers came up with a new way of analyzing the chip (pipeline emission analysis) to discover the secret passphrase. More conventional anaylsis (differential power analysis) was not sensitive enough to reveal it.

This sounds a lot (speculation on my part) like a deliberate backdoor put in for debug purposes, security through obscurity at it's best. It doesn't sound like something secret added by the chip fab company, although time will tell. Just as embedded controller companies have gotten into trouble putting hidden logins into their code thinking they're making the right tradeoff between convenience and security, this hardware company seems to have done the same.

Someone forgot to tell the marketing droids though and they made up a bunch of stuff about how the h/w was super secure.

Re:Most likely inserted by Microsemi/Actel not fab

[JimCanuck]

I don't think anyone fully understands JTAG, there are a lot of different versions of it mashed together on the typical hardware IC. Regardless if its a FPGA, microcontroller or otherwise. The so called "back door" can only be accessed through the JTAG port as well, so unless the military installed a JTAG bridge to communicate to the outside world and left it there, well then the "backdoor" is rather useless.

Something that can also be completely disabled by setting the right fuse inside the chip itself to disable all JTAG connections. Something that is considered standard practice on IC's with a JTAG port available once assembled into their final product and programmed.

Plus according to Microsemi's own website, all military and aerospace qualified versions of their parts are still made in the USA. So this "researcher" used commercial parts, which depending on the price point can be made in the plant in Shanghai or in the USA at Microsemi's own will.

The "researcher" and the person who wrote the article need to spend some time reading more before talking.

Re:Should only buy military components from allies

[Sparticus789]

Absolutely. The US military should have a strict policy of only buying military parts from sovereign, free, democratic countries with a long history of friendship, such as Israel, Canada, Europe, Japan and South Korea.

And a preference should be given to American-made parts, since you need domestic factories to mobilise in times of war.

First problem..... they already have that policy. But the problem is that the components used for military and government applications have to be purchased from American companies. Then to save a buck, the companies sub-contract for components from places like China and "assemble" the equipment in friendly countries. That way, the product does not have a "made in China" sticker on them.

Second problem.... 20 years ago the DOD had their own processor manufacturing facilities, IC chips, etc. They were shut down in favor of commercial equipment because some idiot decided it was better to have an easier time buying replacement parts at Radioshack than buying quality military-grade components that could last in austere environments. (Yes, speaking from experience). Servers and workstations used to be built from the ground up at places like Tobyhanna Army Depot. Now, servers and workstations are bought from Dell.

Big risk is to "secret sauce" for comms & cryp

[time961]

This is a physical-access backdoor. You have to have your hands on the hardware to be able to use JTAG. It's not a "remote kill switch" driven by a magic data trigger, it's a mechanism that requires use of a special connector on the circuit board to connect to a dedicated JTAG port that is simply neither used nor accessible in anything resembling normal operation.

That said, it's still pretty bad, because hardware does occasionally end up in the hands of unfriendlies (e.g., crashed drones). FPGAs like these are often used to run classified software radio algorithms with anti-jam and anti-interception goals, or to run classified cryptographic algorithms. If those algorithms can be extracted from otherwise-dead and disassembled equipment, that would be bad--the manufacturer's claim that the FPGA bitstream can't be extracted might be part of the system's security certification assumptions. If that claim is false, and no other counter-measures are place, that could be pretty bad.

Surreptitiously modifying a system in place through the JTAG port is possible, but less of a threat: the adversary would have to get access to the system and then return it without anyone noticing. Also, a backdoor inserted that way would have to co-exist peacefully with all the other functions of the FPGA, a significant challenge both from an intellectual standpoint and from a size/timing standpoint--the FPGA may just not have enough spare capacity or spare cycles. They tend to be packed pretty full, 'coz they're expensive and you want to use all the capacity you have available to do clever stuff.

Brief description of what this crack entails

[ChumpusRex2003]

FPGAs commonly protect user-code with encryption. An encryption engine is included in the silicon to which the user has limited access to crypto=keys with which to encrypt the code that is installed in ROM/Flash.

A number of attacks are known against microcontrollers/FPGAs that secure code with encryption - notably differential power analysis (DPA) which works by connecting a current probe to the chip, and collecting measurememnts of energy consumption as the device performs an authentication operation. By carefully, measuring power traces over thousands of authentication operations, statistical analysis can reveal clues about the internal secret keys; potentially allowing recovery of the key within useful periods of times (minutes to hours).

These secure FPGAs contain a heavily obfuscated hardware crypto-engine, with lots of techniques to obstruct DPA (deliberately unstable clocks, heavy on-chip RC power filtering, random delay stages in the pipeline, multiple "dummy" circuits so that an operation which would normally require fewer transistors than an alternative, has its transistor count increased, etc.). The idea being that these countermeasures reduce the DPA signal and increase the amount of noise, making recovery of useful statistics impractical. In their papers, this group admit that the PA3 FPGAs are completely impervious to DPA, with no statistical clues obtained even after weeks of testing.

This group have developed a new technique which they call PEA which is a much more sensitive technique. It involves extracting the FPGA die, and mapping the circuits on it - e.g. using high-resolution infra-red thermography during device operation to identify "interesting" parts of the die by heat production under certain tasks - e.g. caches, crypto pipelines, etc. Having identified interesting areas of the die, an infra-red microscope with photon counter is focused on the relevant circuit area. As it happens, transistors glow when switched, emitting approx 0.001 photons per switching operation. The signal from the photon counter is therefore analogous to the DPA signal, but with a much, much stronger signal-to-noise ratio, allowing statistical analysis with far fewer tries. The group claim the ability to extract the keys from such a secure FPGA in a few minutes of probing with authentication requests.

The researchers claim to have found the backdoor, by fuzzing the debug/programming interface, and finding an undocumented command that appeared to trigger a cryptographic authentication. By using their PEA technique against this command, they were able to extract the authentication key, and were able to open the backdoor, finding they were able to directly manipulate protected parameters of the chip.