Backdoor found in a China-made US military chip

Interesting discussion. Some denial, some tin hat, some contemplative. I think I've had all of those emotions with this sort of thing.<p>There are diagnostics in our network switches that allow for traffic to be replicated and sent to other ports with a different destination mac (this isn't port mirroring is more like port re-directing). Clearly in the hands of a bad guy they might set up a machine on the LAN to get a copy of all the traffic. Is it a cyberwar beach head? Probably not. Could it be exploited in an attack? Probably. Of course if someone tried to route all that traffic outside the network into the transit network it would be pretty obvious. So not a good scenario.<p>Like the controller back door article on Ars last month I suspect most of these things are diagnostic aids. You ask an engineer to test something and that something is buried inside a bunch of silicon and the only way to do that is to build some stuff in there that lets you look at things.<p>Of course you can do this in a 'smart' way, and in a 'stupid' way. When I started at Intel there were extra pads on the silicon that got to these extra functions, you ordered a 'bond-out' chip where bonding wires (between the chip pins and the silicon) would be attached. All of the in circuit emulators up to the 386 had a 'bond out' version in the emulator pod that gave you access to internal state of the chip. Others have pointed out the key for loading replacement microcode, another 'feature' to fix bugs in the field and do diagnostics.<p>So things which require either 'special' chips or attaching a JTAG probe directly to the part, are generally ok in my book. Once you have physical access nearly all bets are off.<p>Its an expensive way to compromise the enemy. Simpler to just build a piece of gear that looks and operates exactly like the original but is your own design. There was some counterfeit Cisco boxes like this in the channel for a bit. Of course they 'fail' when you update IOS and it fails. Still the cost to exploit is lower and more assured than back dooring silicon in a fab.<p>Its also pretty hard to add features to a chip without the designer of the chip in on the game. Every transistor is accounted for by long verification and analysis so 'extra' ones would show up. That limits the risk to a chip manufacturer being the 'bad guy' (and they are very traceable so unlikely to do that)<p>None of this though should take away from the excellent work Cambridge is doing. The silicon analysis is really cutting edge stuff, and I think it would be useful for chip designers in verifying their masks are accurate too. If you could effectively 'decompile' the resulting silicon and verify it against your netlist, that would catch mask errors. And <i>that</i> would save anywhere from $100,000 to $2,000,000 depending on size of the mask.

The bit that surprises the fuck out of me is that they're buying stuff in from China. I've never seen that - ever! They would buy expensive stuff fabbed specially in the US rather than import usually.<p>I did a lot of work for the UK Ministry of Defence and the US Department of Defence over the years on custom silicon and FPGA work and the paranoia factor is scary. We had the layouts of everything bought in - even 74-series logic which can pretty much be assumed to be inert. Samples were regularly decapped and scanned using an SEM to verify to make sure the vendors weren't screwing us or integrating backdoors.<p>Every part was asset managed to hell as well. Every part was traceable to the point that every finger that poked it was known (I moved from engineering to writing the asset management systems before leaving).<p>Crazy.

The chip in question seems to be an Actel Microsemi ProASIC3 (PA3) [1,2], given the hints in the screenshot of the paper.<p>[1] <a href="http://www.actel.com/products/pa3/" rel="nofollow">http://www.actel.com/products/pa3/</a> [2] <a href="http://www.actel.com/documents/pa3_faq.html" rel="nofollow">http://www.actel.com/documents/pa3_faq.html</a><p>(I guess there is no real advantage in keeping this obscured)

The language used in this article seems very much like the author has something to sell and is trying to create the impression that it is advanced and mysterious. The claims about improvements of many orders of magnitude in speed and cost as well as the unavailability of information and services to private individuals suggest to me that someone is trying to get a defense contract for some overhyped technology that won't really deliver what's promised.<p>Edit: they seem to have submitted a patent application for the process of sending test signals to a chip and monitoring it with an oscilloscope: <a href="http://www.sumobrain.com/patents/wipo/Integrated-circuit-investigation-method-apparatus/WO2012046029.html" rel="nofollow">http://www.sumobrain.com/patents/wipo/Integrated-circuit-inv...</a>

The Cambridge Security Lab is not fucking around. Assume this is not hype.<p>I'm less curious about whether overseas silicon is backdoored than I am in how exposed the attack/activation surface for those backdoors are.

As a former chip designer I question the idea that the manufacturer introduced this backdoor (if indeed there is one).<p><i>found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key...</i><p>It's hard to understand what this guy is talking about. Is he claiming that the manufacturer added additional hardware that the designers were unaware of? Or they made modifications to existing circuitry so it doesn't match the design? It would be very hard to do either without cooperation from the designers, especially given the paranoia of hardware engineers (and of <i>defense</i> hardware engineers, an entirely different level of paranoia). The question "are we manufacturing what we designed?" is one that is constantly asked throughout the lifetime of a part. In fact the answer, for individual parts, is often "no", because they can be defective. Still, the question is constantly asked with a variety of automated tools at all points of the manufacturing process.<p>Here's what I think he might have found: an additional fixed key introduced by the designers themselves into the chip, and having nothing special to do with the manufacturer. In other words, a deliberate backdoor.

"Currently there is no economical or timely way of ascertaining if a manufacturer's specifications have been altered during the manufacturing process (99% of chips are manufactured in China),"<p>That claim about 99% of chips being manufactured in China is very easy to verify as being utterly false. I have to wonder about the trustworthiness of the rest.

To people complaining about the language - this reads more like a short briefing note for politicians or non-technical managers. That's why things like Stuxnet are mentioned; to give context and scale.<p>The author would probably like to stay involved with this tech, or at least to be able to hand it off to CESG.[1]<p>[1] I assume CESG. Perhaps QinetiQ[2] would do it?<p>[2] I have no idea what they do. All those Qs? You've seen 007? They're the real Q department. I doubt they do laser beam watches.

I'm skeptical. There are too many unsupported claims in this article. Off the top of my head:<p>- Assumes the Chinese put the backdoor in. There are plenty of others interested in backdoors. - Assumes the designing company doesn't do any detailed production product checks. Not likely since this is a many, many billion dollar business. - Claims a systemic problem but only notes one chip. That one FPGA could just have a design flaw. Need more details on the others. - At the end it claims an investigation over ten years but the fab world has greatly changed over ten years. Many micro controller companies actually own their Chinese fabs now.<p>As a side note, if you discover something like this, don't assume you found something you weren't meant to find. You're discovery may just have made you found.

Inquiry Into Counterfeit Electronic Parts in the DoD Supply Chain (PDF).<p><a href="http://www.armed-services.senate.gov/Publications/Counterfeit%20Electronic%20Parts.pdf" rel="nofollow">http://www.armed-services.senate.gov/Publications/Counterfei...</a>

The fact that he's pleading for money as he makes these claims makes me suspicious of them. He needs to provide more specific information and evidence.

Hardware trust is something I've been wondering about for a while now. It's easy to hide a software bug. (As evidenced by the occasional blue moon story about somebody stumbling over one.) But a hardware bug just seems like a constant paranoia that can never be investigated without expensive tooling.

TL; DR - No proof / source code / details on the backdoor - Outlandish claims of this being a "stuxnet" weapon<p>Show me some source, a schematic, or a technique that you're using, and then I might believe you, otherwise this is just FUD. They didn't even name the bloody chip.

<i>an American military chip that is highly secure with sophisticated encryption standard, manufactured in China</i><p>How could the authors know the backdoor design is not the intent of American military?

If it is from Actel, then it is CMMI certified :)<p>www.cl.cam.ac.uk/~sps32/SG_talk_BA.pdf

Dear Greeks, we Trojans can't make our own horse, so can we buy one from you, please? No worry, I'll blame you later.

Two thoughts:<p>1) Say what you will about the military-industrial complex, but they do buy a load of physical products. When those are sourced domestically it has a lot of good spillover effects on the rest of the industry (see Steve Blank's Secret History of Silicon Valley).<p>2) I'd be far more worried about Intel, AMD, nVidia, Texas Instruments, et al, especially if I was a foreign procurement officer. The logic in those chips is incredibly complex and almost impossible to verify in any detail by a third party. Coincidentally, they're all US companies.

This appears to be an improvement on Differential Power Analysis attack against a FPGA. Congrats to the guys who discovered it!<p>It's interesting to note that in the DPA/SPA world the standard model of operation is to develop a new attack and then patent the countermeasures ;)<p>It should be noted that this is "probably" not a backdoor in the traditional sense (intentionally planted by some nefarious government organisation), rather just bad, leaky design that has been identified by an improved attack methodology...

Can somebody explain exactly what they got access to? What is encrypted?

First reaction to this for most including myself is that the U.S. is really f--ked. But if the U.S. found this out, odds are they had chips manufactured that looked like the Chinese version but really weren't, with the exception of some small detail, perhaps not on the chip but on the board, that would indicate that the chip was the "fixed" version.<p>But, this Frienemy war is not about taking advantage of these backdoors. That is the nuclear option. The war is about who has the potential to pwn the other.<p>BTW- I'm typing this on a Chinese netbook.

Several months ago there was a report of similar nature that mainstream Intel CPUs include a concealed (hyper-)hypervisor that appears to exist in China-produced chips, but absent from pre-production samples made by Intel themselves. I don't know where this all went, but it was some Russian guy who found it by accident, and he was largely dismissed as a loon and generally laughed at (though from I could tell he did know a thing or two about hypervisors, system programming and what not).

I've been wondering about this for a while. Given the scale of chip architecture today, does anyone in the field have any input as to how hard something like this is to detect?

So China is doing the same thing to hardware that the U.S. is doing to software (and probably hardware too). Well, not really shocking. Karma is a bitch. :)

It is trivial for manufacturers to sneak backdoors into chips. It is improbable to keep backdoors a secret. People aren't good at keeping secrets.

I reacted the same way to this news as to the news that an electrical distribution system was compromised over the Internet. That is, "are you kidding me?!". Just as it's stupid to connect certain critical systems to the public Internet, it's really silly to so loosely control military electronics sourcing.

There is a reason that the NSA partnered with IBM to build the Trusted Foundry program. <a href="http://www.nsa.gov/business/programs/tapo.shtml" rel="nofollow">http://www.nsa.gov/business/programs/tapo.shtml</a>

We Brits buy an awful lot of equipment from America, I always took it for granted that the Americans had backdoors in this gear but now seems that so might the Chinese. Wonderful!

Well if the American government is dumb enough to outsource its production of military and national security grade chips to Communist China, it deserves whatever befalls it.

Hm. I wonder if these chips are used in consumer devices?

Are yout trying to tell me they produce those chips in China LOL ... Idiocy just reached new level.

That is really not good. We should develop those chips at home, obviously.

Evidently, the military prefers to cut cost rather than have complete control over the manufacturing of their computer chips. Spending hundreds of millions on jets that have to be American-made is fine, but it's on the computer chips powering those jets and pretty much all advanced military technology that they have to save money.