On his personal page, Sergei Skorobogatov, a researcher with the Computer Laboratory at Cambridge University, writes, “Our new paper ‘Breakthrough silicon scanning discovers backdoor in military chip’ will appear at CHES2012 in September. It will expose some serious security issues in the devices which are supposed to be unbreakable.”
The paper is “a short summary of the first real world detection of a backdoor in a military grade FPGA.” FPGAs, or field programmable gate arrays are integrated circuits (chips) that can be configured in the field by the customer as a way of keeping hardware costs to a minimum.
What Skorobogatov and his partner Chris Woods of Quo Vadis Labs have discovered, using a patented technique known as pipeline emission analysis (PEA), is that a physical backdoor is present in Actel’s ProASIC3 chips. Backdoors are simply a way of getting into a system, bypassing any security restrictions in place. In software, backdoors can be easily closed by patching. This, however, is a hardware backdoor that cannot be closed: it simply exists on all deployed chips.
The researchers specifically chose the Actel chip to investigate because it is marketed as a highly secure chip and is “widely used in military and industrial applications especially in critical systems.” It has medical, automotive, communications, military and consumer applications, and is used, for example, in the Boeing 787 Dreamliner. The discovery of the backdoor thus poses serious security questions that need to be answered.
One conspiracy theory was proposed and dismissed by Robert Graham of Errata Security: “Today's big news is that researchers have found proof of Chinese manufacturers putting backdoors in American chips that the military uses. This is false.” Of course, Skorobogatov provided no such proof, merely writing separately, “Currently there is no economical or timely way of ascertaining if a manufacturer's specifications have been altered during the manufacturing process (99% of chips are manufactured in China), or indeed if the specifications themselves contain a deliberately inserted potential threat.” The words ‘China’ and ‘Chinese’ simply do not appear in the paper itself.
Graham does go on to provide one theory for the backdoor’s presence: it’s an improperly secured debugging facility. But whatever the origin, the fact remains that the backdoor does exist, and the researchers believe the threat to be real. “It may simply be a matter of time before this backdoor opportunity, which has the potential to impact on many critical systems, is exploited,” they write. “By abusing the PEA technology to understand functionality and to extract keys, a new and inviting area of cyber warfare may be started.”
Andrew Mason, technical director and co-founder of RandomStorm, told Infosecurity, “The fact this reported threat on the ProASIC3 chip is hardware based makes exploiting the vulnerability a lot harder as some other device would require to interface with the chip in order to provide reliable end to end communications.” However, he adds, “a back door in a device that is used in such sensitive applications as aviation could have catastrophic consequences, which need following up with the chip manufacturer to ascertain the level of risk.”
Marta Janus, a security researcher at Kaspersky Lab, suspects that the backdoor’s presence is benign (for debugging or support purposes), but dangerous. “Leaving such concealed possibilities for unauthorized access,” she told Infosecurity, “is an unfair and extremely hazardous practice, as cybercriminals are only waiting for such ‘features’ to exploit. It becomes more dangerous when the hardware that is used is in a critical infrastructure, like military, medical and communication systems. Hardware designed for such purposes should be carefully tested against any security flaws before being released to the market.”
The Skorobogatov and Woods paper demonstrates a new and relatively quick and inexpensive way to do one part of that security testing.