Abstract. This paper is a short summary of the first real-world detection of a backdoor in a military-grade FPGA. Using an innovative patented technique we were able to detect and analyse, in the first documented case of its kind, a backdoor inserted into the Actel/Microsemi ProASIC3 chips. The backdoor was found to exist on the silicon itself; it was not present in any firmware loaded onto the chip. Using Pipeline Emission Analysis (PEA), a technique pioneered by our sponsor, we were able to extract the secret key to activate the backdoor. This way an attacker can disable all the security on the chip, reprogram crypto and access keys, modify low-level silicon features, access the unencrypted configuration bitstream or permanently damage the device. Clearly this means the device is wide open to intellectual property theft, fraud and re-programming, as well as reverse engineering of the design, which allows the introduction of a new backdoor or Trojan. Most concerning, it is not possible to patch the backdoor in chips already deployed, meaning those using this family of chips have to accept the fact that it can be easily compromised, or it will have to be physically replaced after a redesign of the silicon itself.
Even if the backdoor doesn't exist (and from a technical standpoint, it could, though I do not know if it actually does), this could be enough to spur US chip production for such things. And that, of course, would have an impact on more than the US economy.
krenshala wrote: Even if the backdoor doesn't exist (and from a technical standpoint, it could, though I do not know if it actually does), this could be enough to spur US chip production for such things. And that, of course, would have an impact on more than the US economy.
It's not an intentional backdoor. It's the equivalent of the reset button on the back of your wireless router. Most devices simply don't link up those pins; however, if you have physical access you could potentially get in, or if the device does link up those pins you could get access.
It's the JTAG port, big deal. You can't remotely hack a JTAG, you have to be physically touching the PCB and soldering wires to the proper pins to make the RS-232 connection work.
JTAG is just a regular serial port that is connected to a debug sub-processor inside an IC. Nearly every single IC in the world has one; they're used for debugging and engineering at the factory. Production ICs typically have their JTAGs cut such that there is no physical port you can just "plug" into. Crafty hobbyists have figured out how to solder onto the ports so that they can plug into them and get debug access for various modifications. Look no further than "mod chips" for gaming consoles for an example.
It's a non-story created by people wanting media attention and hyping up the story. The US Military primarily uses Cisco and Foundry network devices for their network infrastructure. Every one of those devices has a physical console port and a known debug boot command for on-site resetting. Does that mean every single Cisco / Foundry device in the world has a "backdoor" and that every Cisco / Foundry device is "military grade"? Hells no.
palladin9479 wrote: It's the JTAG port, big deal. You can't remotely hack a JTAG, you have to be physically touching the PCB and soldering wires to the proper pins to make the RS-232 connection work.
Nanites.
Tin whiskers.
Bribed assemblers/inspectors.
JTAG is not "obscured with robust countermeasures" - I have seen chips designed to operate as memory normally, but when a specific sequence of addresses was accessed, to enter a special mode. That sort of thing is fairly common. The programming and configuration level available indicates this is a deliberate function; the fact that it was not in the documentation for the chip points to the security risk.
WizWom wrote: JTAG is not "obscured with robust countermeasures" - I have seen chips designed to operate as memory normally, but when a specific sequence of addresses was accessed, to enter a special mode. That sort of thing is fairly common. The programming and configuration level available indicates this is a deliberate function; the fact that it was not in the documentation for the chip points to the security risk.
I buy that.
Engineering is the art of making what you want from what you can get at a profit.
WizWom wrote: JTAG is not "obscured with robust countermeasures" - I have seen chips designed to operate as memory normally, but when a specific sequence of addresses was accessed, to enter a special mode.
G=C800:5, anyone?
When opinion and reality conflict - guess which one is going to win in the long run.
WizWom wrote: JTAG is not "obscured with robust countermeasures" - I have seen chips designed to operate as memory normally, but when a specific sequence of addresses was accessed, to enter a special mode.