"While they did find a backdoor in a popular FPGA chip, there is no evidence the Chinese put it there, or even that it was intentionally malicious."<p>Nor did the original article specifically allege that it was "the Chinese", or that the backdoor was malicious. It did allege that it was inserted by the manufacturer (although technically anything on the chip is inserted by the manufacturer), presumably because it differed from a public spec, but the veracity of that statement is still unknown (at least to us). But I don't think that that's enough to call it "bogus".
As always, logical reasoning arrives just a tad too late to the party. The original story has already circulated the web and stirred anger and mistrust in a sufficient amount of people who will never read this common sense follow-up. Chalk up one more win for sensationalism and fear-mongering.
This <i>is</i> a military chip. It's used in military applications. I'm not saying that the original article didn't use this to sensationalise 'We JTAG-fuzzed a chip and found an AES key', but to deny that the chip is used in the military is inaccurate.<p>Good call on the Chinese front, we don't know who generated the key material to block the JTAG.<p>Incidentally on z/OS systems things that open the system up to external access are sometimes referred to as backdoors, which is what this is. It's a way of accessing the chip, nothing more.
The original article was censored so it's hard to tell if it's bogus or not. I believe it's still very interesting. Here <a href="http://bit.ly/JKatpV" rel="nofollow">http://bit.ly/JKatpV</a> it's an older paper from the same author detailing a technique about reading thermal signatures from individual transistors on the chip with a microscope and an astronomy camera. A little more advanced than jtag fuzzing.
However I agree that's very hard to insert a hardware backdoor on a mask, even a FPGA mask. Given the hundreds of variations and revisions that FPGAs normally have, it's about impossible to cover even a single familiy.
A more plausible explanation is: some big client got very angry in the past because they lost the password and the FPGA vendor didn't had a "master key" to unlock it. Still, very stupid move.
Are the critics basing their objections on the rough, generalist abstract for this paper or the paper itself?<p><a href="http://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdf" rel="nofollow">http://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdf</a>
The bigger issue here is if such a back door/debug mode was accidentally/intentionally left in any of the Actel FPGAs that use their anti-fuse technology. At present, anti-fuse seems to be the most robust technology for preventing read-out of configuration bit-stream as there is no serial data being pushed around each time the logic resets. ProASIC3 is a great platform for when you are on a very constrained power budget, however, I would not consider it one of their leading security-hardened chips. There is a lot of design reuse in complex semiconductor products so it is possible that this portion of the design was leaked to other devices.
This is some sensible response to the evil Chinese hype.<p>As Feynman put it, when a researcher over blow his findings, he's doing "Cargo Cult Science" (See the ending chapter of "Surely, you're joking, MR. Feynman").
For the record - Original discussion on HN: <a href="http://news.ycombinator.org/item?id=4030746" rel="nofollow">http://news.ycombinator.org/item?id=4030746</a>
Whoever wrote that article is a little sketchy with his facts:<p>Quote: """One of the most common building-blocks is the debugger, known as JTAG. This is a standard way of soldering some wires to the chip and connecting to the USB port,"""<p>JTAG is just the low-level interface to a debugger. "Soldering some wires" is not the building block and USB is nowhere related to it (for example, my work-horse JTAG interface connects to Ethernet).<p>Quote: """Whereas companies (should) disable the debug feature in the version they send to customers, that's not so easy with chips. It requires millions of dollars for every change to chip design. Therefore, chips always have the JTAG interface enabled."""<p>At least parts of JTAG need to be enabled (most notably the boundary scan that allows you to read/set individual pins) for proper testing of complex circuit boards, but also this is not the problem here: It seems that they left some instructions active to read back supposedly write-only values (e.g. the AES key in question). Designing one of these internal, protected bits to be the "disable JTAG debugging" would not be that hard. CPUs with integrated flash are doing that for years: A certain signature in the internal non-volatile memory will disable flash-readout and CPU debugging, but boundary scan will stay active.<p>Quote: """ As real silicon chips are becoming more expensive to manufacturer, FPGAs are becoming a more popular alternative. (...) Every change to a chip design requires millions of dollars in changes to the masks that print gates onto a chip."""<p>Actually looking at a fixed complexity ASICs are getting cheaper to manufacture over time, just as everything else in chip-making. Or as FPGAs. And again: High-end special-technology ASICs might cost "millions of dollars", but no one in their right mind would re-design a complete ASIC for such a simple change like disabling JTAG debugging:<p>Chips are built in layers, and it quite common to produce a whole batch of wafers with the "lower layers" that form the actual transistors. The metal layers on top of them (those that form the wires interconnecting the transistors) may be added to say one third of the chips.<p>Then when errors are found during testing, one could take another wafer from the lot, apply a corrected metal-mask and check if the error could be remedied by re-wiring (often a few spare gates are spread over the wafer "just in case" one has to splice in an inverter in a signal... or such things).<p>Such a relatively cheap (say: 10% of the complete ASIC production run) change would be the right thing to build a chip with JTAG completely disabled, it would be impossibly to re-enable the feature from the outside, but of course, by opening the chip and re-wiring the metal (this is possible by using focused ion beams on a bare die) one could do it. But this was not the message of the quoted article.
There are non-malicious reasons for designing in backdoors (debugging) but the manufacturer is based in the PRC, is subject to PRC laws and pressure, and the PRC government undoubtedly knows that the company supplies hardware to the US military. However benign the original motivation for creating the backdoor may have been, it's potentially bad news.
Even I who promised myself I would take all future stories about "cyber threats" with a huge grain of salt, because I know the US Government is very keen on expanding their (offensive) Cyber agencies, and would stop at nothing to spread propaganda about it, I still almost believed this story. Damn it.
Seems as though there is some truth and some doubt. Perhaps not "Bogus" but rather "Over-Hyped" --<p><a href="http://www.securityweek.com/china-wrongfully-accused-over-backdoor-found-chip-used-us-military" rel="nofollow">http://www.securityweek.com/china-wrongfully-accused-over-ba...</a>
While I find much of the author's argument relevant, "it would be expensive" is very unconvincing.<p>Military operations and espionage by state actors are rarely limited by commercial constraints. In other words, access to confidential data on a vast array of devices would be a bargain at several million dollars when it comes to a national intelligence agency (or Apple or Google or Microsoft for that matter).
<i>The cause of these backdoors isn't malicious, but a byproduct of software complexity. Systems need to be debugged before being shipped to customers. Therefore, the software contains debuggers.</i><p>I should think that embedded development environments would have a foolproof way of excluding debug code built into their environments. If they don't, then perhaps this is an opportunity?