Cambridge researchers uncover backdoor in military chip

Discovery raises questions about hardware assurance in the semiconductor industry
By Sophie Curtis | Techworld

Researchers at the University of Cambridge have found evidence that Chinese manufacturers are putting backdoors in FPGA (field-programmable gate array) chips used by the US military.

The research was conducted in response to claims by intelligence agencies around the world that the silicon chips that run their defence systems are vulnerable to Trojans. Considerable investment has been made in software computer networks and system defences to detect and eradicate such threats, but similar technology for hardware is not currently available.

To test the theory, the researchers carried out advanced code breaking on highly secure Actel/Microsemi ProASIC3 chips with sophisticated encryption, manufactured in China. While scanning the chip with their specially-developed Pipeline Emission Analysis (PEA) technology, the researchers discovered a previously unknown backdoor inserted by the manufacturer.

“This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key,” said security researcher Sergei Skorobogatov in a blog post.

“This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for national security and public infrastructure.”

The research paper also states that it is not possible to patch the backdoor in chips that have already been deployed, so those using this family of chips could be easily compromised, or will have to be physically replaced after a redesign of the silicon itself.

The discovery has inevitably led to concerns over whether Microsemi/Actel included the backdoor to give the Chinese control of US military information infrastructure. The report states that the discovery of a backdoor in a military-grade chip raises serious questions about hardware assurance in the semiconductor industry.

However, Robert David Graham, writing on the Errata Security blog, said that there is no evidence the Chinese put the backdoor there deliberately, or even that it was intentionally malicious.

“Backdoors are a common problem in software. About 20% of home routers have a backdoor in them, and 50% of industrial control computers have a backdoor. The cause of these backdoors isn’t malicious, but a byproduct of software complexity,” said Graham.

He added that it is remotely possible that the Chinese manufacturer added the functionality, but highly improbable, as it is prohibitively difficult to change a chip design to add functionality of this complexity. He suggested that the functionality could have been part of the design, but that Actel intended to disable it.

“The Chinese might subvert FPGAs so that they could later steal intellectual-property written to the chips, but the idea they went through all this to attack the US military is pretty fanciful,” he concluded.