UK researchers discover backdoor in American military chip

Point out news stories, on the net or in mainstream media, related to polywell fusion.

Moderators: tonybarry, MSimon

DeltaV
Posts: 2245
Joined: Mon Oct 12, 2009 5:05 am

UK researchers discover backdoor in American military chip

Post by DeltaV »

UK researchers discover backdoor in American military chip

Breakthrough silicon scanning discovers backdoor in military chip (DRAFT of 05 March 2012)
Abstract. This paper is a short summary of the first real world detection of a
backdoor in a military grade FPGA. Using an innovative patented technique we
were able to detect and analyse in the first documented case of its kind, a
backdoor inserted into the Actel/Microsemi ProASIC3 chips. The backdoor
was found to exist on the silicon itself, it was not present in any firmware
loaded onto the chip. Using Pipeline Emission Analysis (PEA), a technique
pioneered by our sponsor, we were able to extract the secret key to activate the
backdoor. This way an attacker can disable all the security on the chip,
reprogram crypto and access keys, modify low-level silicon features, access
unencrypted configuration bitstream or permanently damage the device.
Clearly this means the device is wide open to intellectual property theft, fraud,
re-programming as well as reverse engineering of the design which allows the
introduction of a new backdoor or Trojan. Most concerning, it is not possible to
patch the backdoor in chips already deployed, meaning those using this family
of chips have to accept the fact it can be easily compromised or it will have to
be physically replaced after a redesign of the silicon itself.

DeltaV
Posts: 2245
Joined: Mon Oct 12, 2009 5:05 am

Post by DeltaV »


krenshala
Posts: 914
Joined: Wed Jul 16, 2008 4:20 pm
Location: Austin, TX, NorAm, Sol III

Post by krenshala »

Even if the backdoor doesn't exist (and from a technical standpoint, it could, though I do not know if it actually does), this could be enough to spur US chip production for such things. And that, of course, would have an impact on more than the US economy.

ScottL
Posts: 1122
Joined: Thu Jun 02, 2011 11:26 pm

Post by ScottL »

krenshala wrote:Even if the backdoor doesn't exist (and from a technical standpoint, it could, though I do not know if it actually does), this could be enough to spur US chip production for such things. And that, of course, would have an impact on more than the US economy.
It's not an intentional backdoor. It's the equivalent of the reset button on the back of your wireless router. Most devices simply don't link up those pins, however; if you have physical access you could potentially get in or if the device does link up to those pins you could get access.

DeltaV
Posts: 2245
Joined: Mon Oct 12, 2009 5:05 am

Post by DeltaV »

This way an attacker can disable all the security on the chip,
reprogram crypto and access keys...
If even one of these FPGAs was used in, say, a nuclear weapon, someone's butt needs kicking.

palladin9479
Posts: 388
Joined: Mon Jan 31, 2011 5:22 am

Post by palladin9479 »

Its the JTAG port, big deal. You can't remotely hack a JTAG, you have to be physically touching the PCB and soldiering wires to the proper pins to make the RS-232 connection work.

JTAG is just a regular serial port that is connected to a debug sub-processor inside a IC. Nearly every single IC in the world has one, their used for debugging and engineering at the factory. Production IC's typically have their JTAG's cut such that there is no physical ports you can just "plug" into. Crafty hobbyists have figured how how to soldier the ports so that they can plug into it and get debug access for various modifications. Look no further then "mod chips" for gaming consoles for an example.

It's a non-story created by people wanting media attention and hyping up the story. The US Military primarily use's Cisco and Foundry network devices for their network infrastructure. Every one of those devices has a physical console port and a known debug boot command for on-site resetting. Does that mean every single Cisco / Foundry device in the world has a "backdoor" and that every Cisco / Foundry device is "military grade"? Hells no.

krenshala
Posts: 914
Joined: Wed Jul 16, 2008 4:20 pm
Location: Austin, TX, NorAm, Sol III

Post by krenshala »

D'oh. Didn't even think of those pins. That makes a hell of a lot more sense that was (little) I've heard about the story.

DeltaV
Posts: 2245
Joined: Mon Oct 12, 2009 5:05 am

Post by DeltaV »

palladin9479 wrote:Its the JTAG port, big deal. You can't remotely hack a JTAG, you have to be physically touching the PCB and soldiering wires to the proper pins to make the RS-232 connection work.
Nanites.
Tin whiskers.
Bribed assemblers/inspectors.

hanelyp
Posts: 2261
Joined: Fri Oct 26, 2007 8:50 pm

Post by hanelyp »

Assuming you had that level of physical access, you don't need a back door on a chip to do serious damage.

MSimon
Posts: 14335
Joined: Mon Jul 16, 2007 7:37 pm
Location: Rockford, Illinois
Contact:

Post by MSimon »

You can't remotely hack a JTAG, you have to be physically touching the PCB and soldiering wires to the proper pins to make the RS-232 connection work.


JTAG does not use RS-232 levels or UART coding.

Roughly it is a clock, data in, data out, power, ground, and a reset. Levels are what ever levels the chip operates at. ie 1.8, 2.5, 3.3, 5 volts.
Engineering is the art of making what you want from what you can get at a profit.

MSimon
Posts: 14335
Joined: Mon Jul 16, 2007 7:37 pm
Location: Rockford, Illinois
Contact:

Post by MSimon »

Bribed assemblers/inspectors.
Useful under any circumstances.
Engineering is the art of making what you want from what you can get at a profit.

WizWom
Posts: 371
Joined: Fri May 07, 2010 1:00 pm
Location: St Joseph, MO
Contact:

Post by WizWom »

JTAG is not "obscured with robust countermeasures" - I have seen chips designed to operate as memory normally, but when a specific sequence of addresses was accessed, to enter a special mode. That sort of thing is fairly common. The programming and configuration level available indicates this is a deliberate function; the fact that it was not in the documentation for the chip points to the security risk.
Wandering Kernel of Happiness

MSimon
Posts: 14335
Joined: Mon Jul 16, 2007 7:37 pm
Location: Rockford, Illinois
Contact:

Post by MSimon »

WizWom wrote:JTAG is not "obscured with robust countermeasures" - I have seen chips designed to operate as memory normally, but when a specific sequence of addresses was accessed, to enter a special mode. That sort of thing is fairly common. The programming and configuration level available indicates this is a deliberate function; the fact that it was not in the documentation for the chip points to the security risk.
I buy that.
Engineering is the art of making what you want from what you can get at a profit.

JLawson
Posts: 424
Joined: Tue Jul 08, 2008 6:31 pm
Location: Georgia
Contact:

Post by JLawson »

WizWom wrote:JTAG is not "obscured with robust countermeasures" - I have seen chips designed to operate as memory normally, but when a specific sequence of addresses was accessed, to enter a special mode.
G=C800:5, anyone?
When opinion and reality conflict - guess which one is going to win in the long run.

MSimon
Posts: 14335
Joined: Mon Jul 16, 2007 7:37 pm
Location: Rockford, Illinois
Contact:

Post by MSimon »

JLawson wrote:
WizWom wrote:JTAG is not "obscured with robust countermeasures" - I have seen chips designed to operate as memory normally, but when a specific sequence of addresses was accessed, to enter a special mode.
G=C800:5, anyone?
http://www.computing.net/answers/hardwa ... 37249.html
Engineering is the art of making what you want from what you can get at a profit.

Post Reply