Connect with us

Hi, what are you looking for?



China Wrongfully Accused Over Backdoor Found on Chip Used by U.S. Military?

Some Say China Falsely Accused Over Backdoor Discovered on FPGA Chip Used by U.S. Military

Over the holiday weekend, news that Cambridge University researchers discovered a backdoor on a field-programmable gate array (FPGA) chip used by the U.S military spread like wildfire, but there are some doubts that the story is worth the hype.

Some Say China Falsely Accused Over Backdoor Discovered on FPGA Chip Used by U.S. Military

Over the holiday weekend, news that Cambridge University researchers discovered a backdoor on a field-programmable gate array (FPGA) chip used by the U.S military spread like wildfire, but there are some doubts that the story is worth the hype.

Cambridge University researcher Sergei Skorobogatov and Quo Vadis Labs research Christopher Woods, conducted (for an easier to follow explanation) fuzzing on a chip that is highly secure and used by the U.S. military.

Did China Place a Backdoor on FPGA Chip?

“Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key,” the research overview explains. 

“This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.”

The overview, and the fact that China is where the world gets its silicon supply, quickly led to sensationalistic headlines charging the Communist nation with espionage. Yet, some became skeptical because no one else discovered the flaw, and because the researchers are looking to sell the fuzzing technology. They have been accepted to present their work at a peer-review conference later this fall.

Errata Security’s Robert Graham called the news false, adding that while the researchers did discover the backdoor on the FPGA chip, there is no evidence that the Chinese put it there or that it is malicious. 

Advertisement. Scroll to continue reading.

“This bug was found by fuzzing the JTAG port looking for undocumented functionality… Fuzzing has found backdoors in software before, but nobody claimed it was the work of the evil Chinese. We should keep this perspective,” Graham noted.

Another issue with the headlines and wording of the overview is that the chip itself isn’t really a military chip– at least not in the way that it is made out to be. “The military uses a lot of commercial, off-the-shelf products. That doesn’t mean there is anything special about it,” Graham added.

“In the meantime, it’s important to note that while the researchers did indeed discover a backdoor, they offer only speculation, but no evidence, as to the source of the backdoor. As somebody with a lot of experience with this sort of thing in software cybersecurity, I doubt there is anything malicious behind it… The Chinese might subvert FPGAs so that they could later steal intellectual-property written to the chips, but the idea they went through all this to attack the U.S. military is pretty fanciful.”

Earlier this year, a GAO report said that the Department of Energy, Department of Justice, and the Department of Homeland Security (DHS) need to tighten procedures and controls when it comes to mitigating IT supply chain issues. According to the GAO, threats to the government’s IT supply chain include malicious logic on hardware or software; the installation of counterfeit hardware or software; failure or disruption in the production or distribution of a critical product or service; reliance upon a malicious or unqualified service-provider for the performance of technical services; and the installation of unintentional vulnerabilities on hardware or software.

Additionaly, according to a report prepared by Northrop Grumman for the U.S.-China Economic and Security Review Commission and released in early March 2012, U.S. Critical Infrastructure and supply chains are vulnerable. “Successful penetration of a supply chain such as that for telecommunications industry has the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety,” the report notes.

Related Reading: The Need to Secure the Cyber Supply Chain

Related: Consortium Pushes Security Standards for Technology Supply Chain

Related: Students Develop Techniques to Keep Malware Out of the Electronics Supply Chain

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.