Backdoor Found In China-Made US Military Chip?

samzenpus posted more than 2 years ago | from the protect-ya-neck dept.

Hugh Pickens writes "Information Age reports that Cambridge University researchers have discovered that a microprocessor used by the US military but made in China contains secret remote access capability, a secret 'backdoor' that means it can be shut off or reprogrammed without the user knowing. The 'bug' is in the actual chip itself, rather than the firmware installed on the devices that use it. This means there is no way to fix it other than to replace the chip altogether. 'The discovery of a backdoor in a military grade chip raises some serious questions about hardware assurance in the semiconductor industry,' writes Cambridge University researcher Sergei Skorobogatov. 'It also raises some searching questions about the integrity of manufacturers making claims about [the] security of their products without independent testing.' The unnamed chip, which the researchers claim is widely used in military and industrial applications, is 'wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan.' Does this mean that the Chinese have control of our military information infrastructure, asks Rupert Goodwins? 'No: it means that one particular chip has an undocumented feature. An unfortunate feature, to be sure, to find in a secure system — but secret ways in have been built into security systems for as long as such systems have existed.'" Even though this story has been blowing up on Twitter, there are a few caveats. The backdoor doesn't seem to have been confirmed by anyone else, Skorobogatov is a little short on details, and he is trying to sell the scanning technology used to uncover the vulnerability.

270 comments

Steve Jobs (3, Funny)

busyqth (2566075) | more than 2 years ago | (#40135991)

This is all Steve Jobs' fault. I blame him.

Re:Steve Jobs (-1)

Anonymous Coward | more than 2 years ago | (#40136017)

Yeah! I hope he dies.

Re:Steve Jobs (0, Flamebait)

busyqth (2566075) | more than 2 years ago | (#40136193)

I have to complain about this moderation.
No fanboy in his right mind would require more than a few seconds of meditation in front of his home or office shrine to the ascended Jobs before modding my comment "flamebait".

So where does the "offtopic" come from?

Re:Steve Jobs (0)

Anonymous Coward | more than 2 years ago | (#40136405)

"I have to complain about this moderation."

You're funny!

Re:Steve Jobs (3, Insightful)

Dahamma (304068) | more than 2 years ago | (#40136525)

So where does the "offtopic" come from?

Probably from the fact it was offtopic.

Fear mongering (5, Insightful)

jhoegl (638955) | more than 2 years ago | (#40136003)

It sells...

Re:Fear mongering (0)

Anonymous Coward | more than 2 years ago | (#40136051)

Just because they're really out to get you doesn't mean you're not paranoid. This has been an open secret for a while. That it's been confirmed independently is valuable.

Re:Fear mongering (3, Funny)

arisvega (1414195) | more than 2 years ago | (#40136389)

Just because they're really out to get you doesn't mean you're not paranoid.

Are you as think as I drunk you are?

Particularly in a press release like that. (5, Insightful)

khasim (1285) | more than 2 years ago | (#40136097)

That entire article reads more like a press release with FUD than anything with any facts.

Which chip?
Which manufacturer?
Which US customer?

No facts and LOTS of claims. It's pure FUD.

(Not that this might not be a real concern. But the first step is getting past the FUD and marketing materials and getting to the real facts.)

Re:Particularly in a press release like that. (5, Insightful)

TheDarkMaster (1292526) | more than 2 years ago | (#40136149)

Take it easy. I assume if the researcher openly says exactly what chip and where exactly is the backdoor, then the military would be REALLY in trouble. So it may still be FUD, but caution never killed anyone.

Re:Particularly in a press release like that. (1)

Zorpheus (857617) | more than 2 years ago | (#40136263)

Maybe not the military, but surely the companies using this chip in their weapons, and the manufacturer of it. And if it is a false alert, they will all probably sue someone for pretty big compensations ...

Re:Particularly in a press release like that. (2)

Shavano (2541114) | more than 2 years ago | (#40136335)

If the military publishes it, let 'em try and sue. How do you sue the Pentagon?

Sergei Skorobogatov (-1)

Anonymous Coward | more than 2 years ago | (#40136253)

Could somebody shove the said chip up this fucker's ass.
I'm frankly sick and tired of every Tom's Hairy Dick crying wolf to advance their own financial agenda (I'm not saying this Tom's Hairy Dick is bullshitting but he's certainly not releasing his results in a manner befitting an academic in the employ of Cambridge U).

Most likely inserted by Microsemi/Actel not fab (5, Informative)

Anonymous Coward | more than 2 years ago | (#40136273)

1) Read the paper http://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdf
2) This is talking about FPGAs designed by Microsemi/Actel.
3) The article focuses on the ProAsic3 chips but says all the Microsemi/Actel chips tested had the same backdoor including but not limited to Igloo, Fusion and Smartfusion.
4) FPGAs give JTAG access to their internals for programming and debugging but many of the access methods are proprietary and undocumented. (security through obscurity)
5) Most FPGAs have features that attempt to prevent reverse engineering by disabling the ability to read out critical stuff.
6) These chips have a secret passphrase (security through obscurity again) that allows you to read out the stuff that was supposed to be protected.
7) These researchers came up with a new way of analyzing the chip (pipeline emission analysis) to discover the secret passphrase. More conventional analysis (differential power analysis) was not sensitive enough to reveal it.

This sounds a lot (speculation on my part) like a deliberate backdoor put in for debug purposes, security through obscurity at its best. It doesn't sound like something secret added by the chip fab company, although time will tell. Just as embedded controller companies have gotten into trouble putting hidden logins into their code thinking they're making the right tradeoff between convenience and security, this hardware company seems to have done the same.

Someone forgot to tell the marketing droids though and they made up a bunch of stuff about how the h/w was super secure.

Fear of shutdown is real ... (1)

perpenso (1613749) | more than 2 years ago | (#40136455)

Fear mongering. It sells...

The fear of backdoors and data snooping is a bit hysterical.

However the fear of a chip being remotely shut down, possibly damaged, is quite plausible and a far more practical method of attack.

What did the military expect? (5, Insightful)

runeghost (2509522) | more than 2 years ago | (#40136015)

Even if this case turns out to be a false alarm, allowing a nation that you repeatedly refer to as a 'near-peer competitor' to build parts of your high-tech weaponry is idiotic.

Re:What did the military expect? (5, Insightful)

Electricity Likes Me (1098643) | more than 2 years ago | (#40136103)

Seriously.

Isn't military production capability the one thing you specifically never ever want to outsource, especially when it's to the people you keep simulating wars with.

Re:What did the military expect? (3, Interesting)

busyqth (2566075) | more than 2 years ago | (#40136131)

Part of the problem is Chinese-produced counterfeit devices flooding the market.
So you think you're purchasing a "safe" or "known" device, but... oops, you aren't.

Re:What did the military expect? (3, Informative)

Dunbal (464142) | more than 2 years ago | (#40136279)

Said person/company who misled you is answerable to the charge of treason. That will get them to make sure of what they are providing.

Re:What did the military expect? (2)

digitig (1056110) | more than 2 years ago | (#40136425)

Said person/company who misled you is answerable to the charge of treason.

Probably not in their country of operation.

Re:What did the military expect? (0)

Anonymous Coward | more than 2 years ago | (#40136465)

You can't charge a foreigner with treason.

Re:What did the military expect? (1)

Yvan256 (722131) | more than 2 years ago | (#40136287)

Or something like this [sparkfun.com] happens.

Re:What did the military expect? (1)

Shavano (2541114) | more than 2 years ago | (#40136351)

If you care, you only buy either directly from the manufacturer or from their authorized distributors.

Re:What did the military expect? (1)

TheDarkMaster (1292526) | more than 2 years ago | (#40136167)

Say this to the CEOs :-)

Re:What did the military expect? (5, Insightful)

Jawnn (445279) | more than 2 years ago | (#40136413)

Seriously.

Isn't military production capability the one thing you specifically never ever want to outsource, especially when it's to the people you keep simulating wars with.

Well..., no. Not if your primary aim is profit. Fuck national security. If your corporation can make a buck selling "defense technology", and it can make 1.5 bucks selling defense technology using cheap offshore parts, you use the cheap offshore parts. Dealing with bad PR like this is what lobbyists are for.

Should only buy military components from allies (1)

JOrgePeixoto (853808) | more than 2 years ago | (#40136143)

Absolutely.
The US military should have a strict policy of only buying military parts from sovereign, free, democratic countries with a long history of friendship, such as Israel, Canada, Europe, Japan and South Korea.

And a preference should be given to American-made parts, since you need domestic factories to mobilise in times of war.

Re:Should only buy military components from allies (2, Funny)

0123456 (636235) | more than 2 years ago | (#40136219)

The US military should have a strict policy of only buying military parts from sovereign, free, democratic countries with a long history of friendship, such as Israel, Canada, Europe, Japan and South Korea.

Didn't the US and UK governments sell crypto equipment they knew they could break to their 'allies' during the Cold War?

Re:Should only buy military components from allies (1)

History's Coming To (1059484) | more than 2 years ago | (#40136409)

Yup. Both nations have also intentionally withheld information from the other to disguise their own capabilities too. There's still a lot of espionage on the go even between "bestest buddy" countries.

Re:Should only buy military components from allies (0)

Anonymous Coward | more than 2 years ago | (#40136433)

The US military should have a strict policy of only buying military parts from sovereign, free, democratic countries with a long history of friendship, such as Israel, Canada, Europe, Japan and South Korea.

Didn't the US and UK governments sell crypto equipment they knew they could break to their 'allies' during the Cold War?

I highly doubt that what changed hands was some already known-to-be-breakable crypto system. I'm sure money was exchanged, but people like you and I will never get to know what the deal was really about.
But I guess it could be classical political idiocy. i.e. We had a contract to buy a system, but we spied and found it was breakable, they spied and found out we spied, we spied and found out that they spied on us and discovered us spying on them, etc. but in the interests of being Gentlemen about things, called it a deal and got some hookers.

Re:Should only buy military components from allies (1)

JOrgePeixoto (853808) | more than 2 years ago | (#40136515)

Didn't the US and UK governments sell crypto equipment they knew they could break to their 'allies' during the Cold War?

Do you have sources for that?

Re:Should only buy military components from allies (5, Interesting)

Sparticus789 (2625955) | more than 2 years ago | (#40136329)

Absolutely. The US military should have a strict policy of only buying military parts from sovereign, free, democratic countries with a long history of friendship, such as Israel, Canada, Europe, Japan and South Korea.

And a preference should be given to American-made parts, since you need domestic factories to mobilise in times of war.

First problem..... they already have that policy. But the problem is that the components used for military and government applications have to be purchased from American companies. Then to save a buck, the companies sub-contract for components from places like China and "assemble" the equipment in friendly countries. That way, the product does not have a "made in China" sticker on them.

Second problem.... 20 years ago the DOD had their own processor manufacturing facilities, IC chips, etc. They were shut down in favor of commercial equipment because some idiot decided it was better to have an easier time buying replacement parts at Radioshack than buying quality military-grade components that could last in austere environments. (Yes, speaking from experience). Servers and workstations used to be built from the ground up at places like Tobyhanna Army Depot. Now, servers and workstations are bought from Dell.

Re:Should only buy military components from allies (1)

JOrgePeixoto (853808) | more than 2 years ago | (#40136563)

First problem..... they already have that policy. But the problem is that the components used for military and government applications have to be purchased from American companies. Then to save a buck, the companies sub-contract for components from places like China and "assemble" the equipment in friendly countries. That way, the product does not have a "made in China" sticker on them.

I wasn't clear, but I meant that there should be a strict policy that military parts have to be completely manufactured (including subparts) in friendly countries.

Re:Should only buy military components from allies (1)

Shavano (2541114) | more than 2 years ago | (#40136361)

Anybody remember Jonathan Pollard?

Re:What did the military expect? (2)

Mojo66 (1131579) | more than 2 years ago | (#40136181)

Regardless whether this is a false alarm or not, I'm 100% sure that US military technology has something similar, too. I can't imagine them selling fighter planes to Saudi Arabia and not putting in a kill switch.

Re:What did the military expect? (0)

Anonymous Coward | more than 2 years ago | (#40136375)

[citation needed] Yeah, didn't think you had one.

Re:What did the military expect? (1)

SuricouRaven (1897204) | more than 2 years ago | (#40136235)

But cost-efficient.

Re:What did the military expect? (1)

Shavano (2541114) | more than 2 years ago | (#40136341)

By near peer, they mean that America aspires to being serious competition to China in semiconductor manufacturing.

Re:What did the military expect? (3, Interesting)

nospam007 (722110) | more than 2 years ago | (#40136445)

"Even if this case turns out to be a false alarm, allowing a nation that you repeatedly refer to as a 'near-peer competitor' to build parts of your high-tech weaponry is idiotic."

Not to mention the non-backdoor ones.

'Bogus electronic parts from China have infiltrated critical U.S. defense systems and equipment, including Navy helicopters and a commonly used Air Force cargo aircraft, a new report says.'

http://articles.dailypress.com/2012-05-23/news/dp-nws-counterfeit-chinese-parts-20120523_1_fake-chinese-parts-counterfeit-parts-air-force-c-130j [dailypress.com]

CONFIRMATION? (3, Insightful)

Bananatree3 (872975) | more than 2 years ago | (#40136021)

Would somebody please tease out something a little more credible?

"Extraordinary claims require extraordinary evidence..."

The actual article (5, Informative)

NixieBunny (859050) | more than 2 years ago | (#40136025)

The original article is here. [cam.ac.uk]
It refers to an Actel ProAsic3 chip, which is an FPGA with internal EEPROM to store the configuration.

Re:The actual article (3, Insightful)

Nkwe (604125) | more than 2 years ago | (#40136179)

Good read. The bottom line apparently hasn't changed: If you allow physical access, security can be compromised.

Re:The actual article (1)

HWguy (147772) | more than 2 years ago | (#40136189)

After reading the article, I'd bet that this "feature" of the FPGA is either for some manufacturing reason or was requested by customers (e.g. the US government) so that they can access/reprogram certain supposed read-only parts of the FPGA. I see nothing about any correlation with the Chinese using it as a backdoor.

Re:The actual article (0)

Anonymous Coward | more than 2 years ago | (#40136215)

Obviously the FPGA manufacturer put in a backdoor for some debugging purpose and this guy found it.

Re:The actual article (5, Interesting)

Anonymous Coward | more than 2 years ago | (#40136249)

From your much more useful link,

We investigated the PA3 backdoor problem through Internet searches, software and hardware analysis and found that this particular backdoor is not a result of any mistake or an innocent bug, but is instead a deliberately inserted and well thought-through backdoor that is crafted into, and part of, the PA3 security system. We analysed other Microsemi/Actel products and found they all have the same deliberate backdoor. Those products include, but are not limited to: Igloo, Fusion and Smartfusion.

we have found that the PA3 is used in military products such as weapons, guidance, flight control, networking and communications. In industry it is used in nuclear power plants, power distribution, aerospace, aviation, public transport and automotive products. This permits a new and disturbing possibility of a large scale Stuxnet-type attack via a network or the Internet on the silicon itself. If the key is known, commands can be embedded into a worm to scan for JTAG, then to attack and reprogram the firmware remotely.

emphasis mine. Key is retrieved using the backdoor.

Frankly, if this is true, Microsemi/Actel should get a complete ban from all government contracts, including using their chips in any item built for use by the government.

Re:The actual article (2)

NixieBunny (859050) | more than 2 years ago | (#40136487)

I would not be surprised if it's a factory backdoor that's included in all their products, but is not documented and is assumed to not be a problem because it's not documented.

With regard to reprogramming the chip remotely or by the FPGA itself via the JTAG port: A secure system is one that can't reprogram itself. When I was designing VMEbus computer boards for a military subcontractor many years ago, every board had a JTAG connector that required the use of another computer with a special cable plugged into the board to perform reprogramming of the FPGAs. None of this update-by-remote-control crap.

Re:The actual article (4, Informative)

Blackman-Turkey (1115185) | more than 2 years ago | (#40136305)

No source approved [dla.mil] for Microsemi (Actel) qualified chips in China. If you use non-approved sources then, well, shit happens (although how this HW backdoor would be exploited is kind of unclear).

It seems that the People's Republic of China has been misidentified with Taiwan (Republic of China).

Wait and see (5, Informative)

6031769 (829845) | more than 2 years ago | (#40136031)

Either the claims will be backed up by independently reproduced tests or they won't. But, given his apparent track record in this area and the obvious scrutiny this would bring, Skorobogatov must have been sure of his results before announcing this.

Here's his publications list from his University home page, FWIW:
http://www.cl.cam.ac.uk/~sps32/#Publications [cam.ac.uk]

Re:Wait and see (1)

Missing.Matter (1845576) | more than 2 years ago | (#40136089)

Ah, the quintessential terrible academic homepage. Love that black/blue on mint green theme going on. Burned into my retina in 3 seconds flat!

Re:Wait and see (-1)

Anonymous Coward | more than 2 years ago | (#40136317)

Yes, everything must be flashy and shit.
I prefer sites like that. You can keep your Web2.0 faggotry.

Re:Wait and see (1)

gl4ss (559668) | more than 2 years ago | (#40136165)

well, since the claims are pretty much that you can bypass some ip protection on the chip so you can clone it or reflash it.. if you have physical access.

yeah, it sounds feasible. it's a pretty loooooooong ways from "omg china is backdooring our fighter jets!" though. also it seems like the functionality is deliberately made into the chip by the company making the chip.

Researcher's name (1)

Anonymous Coward | more than 2 years ago | (#40136035)

I note that the researcher's name is Russian for "soon [to be] rich."

Feel free to draw your own conclusions.

--T

Re:Researcher's name (1)

Anonymous Coward | more than 2 years ago | (#40136067)

(That said, his CV looks pretty solid. As someone above pointed out, it would be a pretty glaring error if someone with this much experience in this particular area turned out to be way off the mark.)

--T

samzenpus will be looking for a new job soon (3, Funny)

Anonymous Coward | more than 2 years ago | (#40136039)

Even though this story has been blowing-up on Twitter, there are a few caveats. The backdoor doesn't seem to have been confirmed by anyone else, Skorobogatov is a little short on details, and he is trying to sell the scanning technology used to uncover the vulnerability.

Hey hey HEY! You stop that right this INSTANT, samzenpus! This is Slashdot! We'll have none of your "actual investigative research" nonsense around here! Fear mongering to sell ad space, mister, and that's ALL! Now get back to work! We need more fluffy space-filling articles like that one about the minor holiday labeling bug Microsoft had in the UK! That's what we want to see more of!

Is it called JTAG? (0)

Anonymous Coward | more than 2 years ago | (#40136041)

This makes me think of undocumented test/debug interfaces. It might not have been included as a deliberate backdoor - it's possible that it's a debug interface used by the chip designer/manufacturer that's not intended to be used by the end user.

Before everyone starts freaking out about espionage/cyber warfare, just consider that this could just as easily have been a careless oversight. Yes, this kind of interface should generally be disabled before shipping, but even so - failure to do so is still not necessarily malicious.

Re:Is it called JTAG? (2)

Electricity Likes Me (1098643) | more than 2 years ago | (#40136135)

But it does highlight the dangers in outsourcing production of something as sensitive as military hardware, when there's very few ways to actually verify on-chip silicon as being what you ordered, with no extraneous functionality.

Any particular chip can be reasonably expected to have its application reverse engineered by an intelligence agency if you know the schematics and an idea of the intended use. If you can't make sure the chip won't do any more than you want it to, then how hard would it be, really, to slip in backdoor code which reacts to certain inputs? i.e. if you're manufacturing a microwave amplifier IC to be used in a radar system, then something as simple as allowing a certain key of radar pulses to cause the thing to fuzz its output for a second, or mimic a failure condition, would be disastrous if the chip was ultimately used in a radar guided missile or an F-22. China just issues the appropriate pulse-codes and suddenly there's a mysteriously high failure rate, or greatly reduced combat effectiveness because no one can get a missile lock.

Re:Is it called JTAG? (1)

nurb432 (527695) | more than 2 years ago | (#40136477)

I agree it most likely wasn't malicious, but it's more than careless, it's irresponsible, especially when dealing with military contracts.

why do they buy chips from China? (0)

Anonymous Coward | more than 2 years ago | (#40136043)

I thought the US military tried to make sure all its chips were made in the US (or NATO countries?) for this exact reason. I'm pretty sure there are still some chip plants in the US.

Also what makes you think that this hasn't happened the other way round, many times already? How many iOS, Microsoft or Android powered devices are in use by the Chinese military?

design flaw (0)

Anonymous Coward | more than 2 years ago | (#40136047)

major design flaw not the fault of an american engineer....

Re:design flaw (1)

busyqth (2566075) | more than 2 years ago | (#40136069)

major design flaw not the fault of an american engineer....

"American engineer" Lol! Heh heh... What an oxymoron! It's almost as bad as "Chinese electronics!" Ha ha ha...

Waitaminute...

No details. Nothing to see here. Move along... (1)

sjbe (173966) | more than 2 years ago | (#40136053)

researchers have discovered that a microprocessor used by the US military

What chip? What does it do? Is it important? There are lots of chips in use that in no way shape or form are sensitive or important and the presence of a back door would be meaningless. Just because the military uses it doesn't mean anything by itself. This "article" sounds like someone trying to justify a research grant or a company trying to generate fear to sell a competing product.

Re:No details. Nothing to see here. Move along... (2)

CreamyG31337 (1084693) | more than 2 years ago | (#40136399)

From the draft paper's conclusion:
We investigated the PA3 backdoor problem through Internet searches, software and hardware analysis and found that this particular backdoor is not a result of any mistake or an innocent bug, but is instead a deliberately inserted and well thought-through backdoor that is crafted into, and part of, the PA3 security system. We analysed other Microsemi/Actel products and found they all have the same deliberate backdoor. Those products include, but are not limited to: Igloo, Fusion and Smartfusion. The PA3 is heavily marketed to the military and industry and resides in some very sensitive and critical products. From Google searches alone we have found that the PA3 is used in military products such as weapons, guidance, flight control, networking and communications. In industry it is used in nuclear power plants, power distribution, aerospace, aviation, public transport and automotive products.

Physician, heal thyself. . . (4, Insightful)

dtmos (447842) | more than 2 years ago | (#40136061)

From TFA [cam.ac.uk] :

Today we released the drafts of our full papers on QVL technology due to accidental publicity, because someone put the link to our very old drafts of abstracts on Reddit.

This is a security guy I would trust, yessir.

Need physical access (4, Insightful)

mveloso (325617) | more than 2 years ago | (#40136063)

Not sure how exciting this is, as they needed physical access to the chip to get anything out of it.

Re:Need physical access (0)

Anonymous Coward | more than 2 years ago | (#40136127)

I guess the question then, in this particular case, isn't a military one so much as a commercial one.

Is it likely this exists for some lazy troubleshooting purpose or for some kind of IP espionage?

Re:Need physical access (1)

Electricity Likes Me (1098643) | more than 2 years ago | (#40136153)

Presumably if you knew this existed, then you might be able to predict the types of circuits it's tied into and figure out if the function could be activated remotely. After all, causing a microprocessor to lock up in debug mode, even if it would be watchdog-timer reset every few seconds, would be more than enough to effectively inactivate military hardware if you could do it continuously (or on demand).

Re:Need physical access (1)

93 Escort Wagon (326346) | more than 2 years ago | (#40136175)

Not sure how exciting this is, as they needed physical access to the chip to get anything out of it.

We're obviously very short on information regarding this. One could argue that, with a ready-made back door, an enemy would only need a very short duration of physical access to the chip. If these chips are used in hardware that gets regularly maintained for some reason (not hard to imagine in a military setting), getting physical access to the chip may not be as difficult as one might think.

Also, to draw a bad analogy... remember when the first jpeg vulnerability came out? A lot of people said "big deal, it's just a graphic file format - it's unlikely it can be practically exploited." I've gotten past the point of being surprised when somebody figures out how to actually exploit something like this.

Re:Need physical access (1)

gl4ss (559668) | more than 2 years ago | (#40136291)

well, it would be more likely that the entire chip would be replaced for that kind of attack.

and the attacker would need to make sure that the code they upload to it works with all the other devices the chip talks to in the plane.

basically if you had that level access you might just as well reflash the entire sw running on the friggin jet. probably under the same seals too. if you really want it to be write-once only, just seal the damn thing in epoxy and don't expose the debug/maintenance connectors...

Re:Need physical access (1)

multimediavt (965608) | more than 2 years ago | (#40136267)

Not sure how exciting this is, as they needed physical access to the chip to get anything out of it.

If the EEPROM was reprogrammed/wiped wouldn't the backdoor in the hardware be closed (except for the physical access hole)? Call me crazy, but doesn't a backdoor need to be activated in order to work? Again, you might be able to tease it open with physical access, but I am not seeing how this could be a major deal for operational gear unless the EEPROM contained a trigger. Can anyone with an FPGA background elaborate?

Re:Need physical access (2)

MtHuurne (602934) | more than 2 years ago | (#40136307)

They needed physical access to find the backdoor. To use the backdoor, they only need JTAG access. JTAG is typically used during development and not during operation, but there might be systems where the JTAG interface is still accessible during operation, either to allow easy debugging/patching in the field or because it was made available through some other interface during development and never removed afterward.

Another risk is that a stored AES key that is supposed to be unreadable was readable through the backdoor. So if the same key is used for multiple units, an attacker getting his hands on one unit can extract the key and do nasty things to other units.
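An added example, not part of the comment above or of the researchers' paper: the shared-key risk raised there is usually limited by deriving a distinct key per unit from a master secret, so that a key read out of one device does not unlock the rest of the fleet. The master secret, serial numbers, labels and the 128-bit key length are constructed assumptions.

```python
"""Per-unit key diversification versus one fleet-wide key (added example)."""
import hashlib
import hmac

KEY_LEN = 16  # assumption: 128-bit device keys


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it."""
    digest_size = hashlib.sha256().digest_size
    if length > 255 * digest_size:
        raise ValueError("requested length too large for HKDF-SHA256")
    # Extract: an empty salt is replaced by a block of zero bytes.
    prk = hmac.new(salt or b"\x00" * digest_size, ikm, hashlib.sha256).digest()
    # Expand: T(n) = HMAC(PRK, T(n-1) | info | n)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def device_key(master: bytes, serial: str) -> bytes:
    """Derive the key for one unit; the serial binds the key to that unit."""
    if not serial:
        raise ValueError("serial must not be empty")
    info = b"bitstream-key|" + serial.encode("utf-8")  # hypothetical label
    return hkdf_sha256(master, b"fleet-v1", info, KEY_LEN)


def provision(master: bytes, serials, diversified: bool) -> dict:
    """Return {serial: key} for a fleet, with or without diversification."""
    if diversified:
        return {s: device_key(master, s) for s in serials}
    shared = hkdf_sha256(master, b"fleet-v1", b"bitstream-key|shared", KEY_LEN)
    return {s: shared for s in serials}


def exposed_units(fleet: dict, leaked_serial: str) -> list:
    """Units whose key equals the key read out of `leaked_serial`."""
    leaked = fleet[leaked_serial]
    return sorted(s for s, k in fleet.items() if hmac.compare_digest(k, leaked))


if __name__ == "__main__":
    master = bytes(range(32))                        # constructed master secret
    serials = [f"UNIT-{n:04d}" for n in range(1, 6)]  # constructed serials
    for mode in (False, True):
        fleet = provision(master, serials, diversified=mode)
        hit = exposed_units(fleet, "UNIT-0003")
        label = "diversified" if mode else "shared"
        print(f"{label:12s} key leak from UNIT-0003 exposes {len(hit)} unit(s)")
```

The master secret itself then has to live only in the provisioning system, never on a fielded unit.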

Yup, not surprised. (3, Insightful)

devitto (230479) | more than 2 years ago | (#40136087)

Why would a country not pay (or direct) a company to create products with particular subtle flaws?

It would cost 1000x more to discover and leverage a known flaw, than to just get an engineer to insert one - with or without the blessing of his management.

The future is not bright.

.......Surprice!!! (1)

Anonymous Coward | more than 2 years ago | (#40136095)

In case anyone is wondering if the US could ever do something similar. Well, why not?

The US might even consider leaving such "features" in for their co-partners on the Joint Strike Fighter program to not know about. http://www.reuters.com/article/2009/11/24/us-lockheed-fighter-exclusive-idUSTRE5AN4JX20091124 [reuters.com] Is that a good thing? Well, not when others have the source code too. Then it becomes a liability. http://online.wsj.com/article/SB124027491029837401.html [wsj.com]

Re:.......Surprice!!! (1)

Anonymous Coward | more than 2 years ago | (#40136191)

Apparently Jet Fighters the US has sold to Saudi Arabia do not have guidance maps of Israel built in. When the Saudis tried to put in the maps, the planes were made unusable because any attempt to change the plane's default software completely killed the aircraft.

Not the first time (1)

craigminah (1885846) | more than 2 years ago | (#40136133)

I've seen this in other products made in China and sold globally. The government has a list of electronics and manufacturers they cannot buy and cannot let into government facilities.

Remember the Printers Sold to Iraq (0)

Anonymous Coward | more than 2 years ago | (#40136141)

It's been alleged that printers were sold to Iraq that had devices that guided cruise missiles or guided bombs to their targets in one of the Iraq wars. Most computers, printers and other office accessories are now made in the far east (China?) and who knows what's in them.

Surprised (1)

fluffythedestroyer (2586259) | more than 2 years ago | (#40136145)

Call me an idiot or naive but I thought, especially because of security issues, the US military would make their own chips instead of asking another country or corporation to do it.

Is it a story if you stick on a question mark? (0)

Anonymous Coward | more than 2 years ago | (#40136159)

Paranoid libertarians don't notice that headline isn't statement? Slashdot a cesspool of idiots? We will never see real stories again?

As bad as the "clipper" chip? (1)

Yoik (955095) | more than 2 years ago | (#40136163)

A couple decades ago, the US security agencies pushed hard for the industry to standardize on an encryption chip that allowed legal wiretaps. Unfortunately, it wasn't as secure as they thought and actually allowed rather easy decryption.

Of course, that was due to stupidity, not malice.

Would anybody really be surprised? (5, Interesting)

WindBourne (631190) | more than 2 years ago | (#40136169)

Chinese leaders are in a cold war with the west. As such, it is far cheaper and easier to be able to shut down an adversary's equipment if you are manufacturing it for them. If the west would quit being foolish, they would insist on equipment made in secured companies. And Google has already proved that nothing in China is secured from the gov.

Re:Would anybody really be surprised? (-1)

Anonymous Coward | more than 2 years ago | (#40136233)

Fuck the chinks. Between them being hell bent on destroying the planet (in ways that make us seem like environmentalists) and their bizarre pride of 'bettering' the west, they are the biggest threat to the world as a whole. Destroy each and every one of them.

Re:Would anybody really be surprised? (0)

Anonymous Coward | more than 2 years ago | (#40136337)

Destroy each and every one of them.

Patton already thought of this and fully intended to do it, but Truman stopped him. Truman had the forsight to realize that even if you do this... they just keep coming. Its better to let them destroy themselves, which is what they are fiendishly doing to us as well.

Let us assume for a minute that you want (0)

Anonymous Coward | more than 2 years ago | (#40136283)

to buy only from your country's manufacturers. You are the government and you buy, let's say, 20% of a product. But 80% is consumed by the commercial market which buys on price. You either have to subsidize in-your-country manufacturing or accept the fact that manufacturing of the product you want to buy is fleeing to the low cost provider countries (which isn't always China). And the supply chain for that product has moved too. Welcome to practical economics.

Think of buying a computer made today in the US...you choose the boards, chips made by the in-country supplier but most of the boards, chips in your computer come from a second, third or fourth country. And with R&D shops being set up in multiple low labor cost countries, by the third generation you have lost any assurance you might have had...not to mention that a second/third/etc country loyalist could have been making, designing, or altering the chip's characteristics even though the chip was designed in your country and made in your country.

An almost impossible situation.

Re:Let us assume for a minute that you want (2)

WindBourne (631190) | more than 2 years ago | (#40136331)

First off, military != economics. They are totally different issues.
Secondly, the US, in fact, the west, still produces loads of chips. It is not impossible to scale it back up.

From a security POV, the west SHOULD keep the manufacturing in-house. As it is, the Chinese gov. subsidized electronics, AE, etc. to get the tech from the west. It is in the west's best interest to simply walk away from this. At least where it concerns our military.

Ideally, we will use that to re-start the consumer side as well.

right as usual (1)

eyenot (102141) | more than 2 years ago | (#40136173)

Looks like my railing against the inherent weaknesses in FPGAs and the need to ditch the fabless model for the sake of quality control wasn't just hot air.

Re:right as usual (1)

russotto (537200) | more than 2 years ago | (#40136301)

Looks like my railing against the inherent weaknesses in FPGAs and the need to ditch the fabless model for the sake of quality control wasn't just hot air.

Assuming the feature was added at manufacturing time rather than designed into the chip, anyway.

Re:right as usual (0)

Anonymous Coward | more than 2 years ago | (#40136333)

Yet another brilliant insight, eyenot. We distinctly remember you were the only one trying to bring focus to this issue many times in the past, yet no one would listen.

Oh wait, no we don't.

The lesson of piracy (1)

Anonymous Coward | more than 2 years ago | (#40136183)

This is more a lesson of piracy and picking the lowest-bidder than anything else.

When China undercuts other nations' manufacturing by pirating their IP, without any clue what some bits do, it introduces bugs, backdoors and quality issues. I don't know why on earth the US Military would ever buy ICs from China for use in domestic military, but such is the folly of outsourcing to the lowest bidder.

If the US wants to avoid this blunder again, they'll only purchase semiconductor parts made in the US. Things like the A5 chip in the iPhone don't matter a whole lot when it's in consumer devices because a 500$ iPhone isn't going to be part of a 500 million dollar stealth jet.

As everyone should have learned from the Iranian Nuclear centrifuges, if it's of critical military or infrastructure value, you make it yourself and don't steal foreigners' designs, because those designs may have backdoors in them.

Yes, it's not possible to do this all the time, but the US Military should just bankroll a chipfab and design house and have all US Military chips produced in-house and checked against public sources to see if there are backdoors before purchasing additional supply from the public.

No China link yet, probably a US backdoor (0)

Anonymous Coward | more than 2 years ago | (#40136203)

There is no China link to the backdoor yet. The only reference to China is in the Slashdot article title.

made in where?? (1)

ncohafmuta (577957) | more than 2 years ago | (#40136223)

I actually think I saw a "Made in China" bumper sticker on our drones.

The Chinese are... (1)

charlieo88 (658362) | more than 2 years ago | (#40136241)

CYLONS! Wait, where is #6?

Requires Physical Access (4, Informative)

laing (303349) | more than 2 years ago | (#40136243)

The back-door described in the white paper requires access to the JTAG (1149.1) interface to exploit. Most deployed systems do not provide an active external interface for JTAG. With physical access to a "secure" system based upon these parts, the techniques described in the white paper allow for a total compromise of all IP within. Without physical access, very little can be done to compromise systems based upon these parts.

Re:Requires Physical Access (1)

NuclearCat (899738) | more than 2 years ago | (#40136269)

Technician (Chinese spy), while servicing something not important, will access the fighter jet "computer" that stores secure codes; by this password he can retrieve codes that are supposed to be secure. Send them to homeland. That's even worse in result.

Re:Requires Physical Access (1)

Anonymous Coward | more than 2 years ago | (#40136435)

Remember that US UAV that went down in Iran?
There is a lot of IP tied up in that, and now maybe they can just attach a JTAG device to read it all!

Re:Requires Physical Access (1)

CreamyG31337 (1084693) | more than 2 years ago | (#40136499)

That's why they write a worm to look for that JTAG interface, and hope it arrives at the computer they are programming the firmware on the chips from. Or just find or steal a 'deployed device', it's not like drones and missiles aren't launched into enemy territory. Apparently this bug/feature is in ALL Microsemi/Actel hardware, so there's plenty of targets.

Sun Tzu (4, Insightful)

msobkow (48369) | more than 2 years ago | (#40136259)

Sun Tzu said the greatest victory is one which doesn't require a shot. One won by subverting the enemy from within.

What greater subversion can there be than to convince the enemy to hire you to build their weapons systems components?

Apparently the American Military (and probably that of the rest of the world) hasn't bothered reading any "classic" literature on warfare before signing on the dotted line...

Re:Sun Tzu (0)

Anonymous Coward | more than 2 years ago | (#40136475)

Sorry, he's part of pre-education at Leavenworth.

Buy... (2)

pubwvj (1045960) | more than 2 years ago | (#40136277)

...American.

This, of course, means the USA needs to produce too.

Well... (1)

Zamphatta (1760346) | more than 2 years ago | (#40136437)

If this turns out to be true or not, I think the fact the US military is having its secrets "made in China" while the US is actively trying to convince its populace that they're under cyber attacks, really contradicts itself but should at least raise some good questions in public & congress.

Ohhh, that's extra (1)

Nov8tr (2007392) | more than 2 years ago | (#40136513)

Memo from China: "Sir this memo is to inform you that you were undercharged for your military chips. The enclosed invoice is for $5 per chip for the "extra" backdoor "feature". Please enclose a certified check in the enclosed envelope along with a copy of the invoice. Please mail to: Norinko Beijing, China Thank you for your cooperation in this unfortunate error. If we need any further info we will use our new "feature" to get it. Sincerely, General (name redacted)"

It's called JTAG baby (1)

IQGQNAU (643228) | more than 2 years ago | (#40136547)

Try and find a modern digital IC of any size without a backdoor! It's called JTAG. Everyone has to design them in, they're not secrets. That's how the manufacturer tests each chip to see if it works or not. Often used in system development as well.

oh! (1)

dogganos (901230) | more than 2 years ago | (#40136551)

who would have thought!
