Some Say China Falsely Accused Over Backdoor Discovered on FPGA Chip Used by U.S. Military
Over the holiday weekend, news that Cambridge University researchers discovered a backdoor on a field-programmable gate array (FPGA) chip used by the U.S military spread like wildfire, but there are some doubts that the story is worth the hype.
Cambridge University researcher Sergei Skorobogatov and Quo Vadis Labs research Christopher Woods, conducted (for an easier to follow explanation) fuzzing on a chip that is highly secure and used by the U.S. military.
“Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key,” the research overview explains.
“This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.”
The overview, and the fact that China is where the world gets its silicon supply, quickly led to sensationalistic headlines charging the Communist nation with espionage. Yet, some became skeptical because no one else discovered the flaw, and because the researchers are looking to sell the fuzzing technology. They have been accepted to present their work at a peer-review conference later this fall.
Errata Security’s Robert Graham called the news false, adding that while the researchers did discover the backdoor on the FPGA chip, there is no evidence that the Chinese put it there or that it is malicious.
“This bug was found by fuzzing the JTAG port looking for undocumented functionality… Fuzzing has found backdoors in software before, but nobody claimed it was the work of the evil Chinese. We should keep this perspective,” Graham noted.
Another issue with the headlines and wording of the overview is that the chip itself isn’t really a military chip– at least not in the way that it is made out to be. “The military uses a lot of commercial, off-the-shelf products. That doesn’t mean there is anything special about it,” Graham added.
“In the meantime, it’s important to note that while the researchers did indeed discover a backdoor, they offer only speculation, but no evidence, as to the source of the backdoor. As somebody with a lot of experience with this sort of thing in software cybersecurity, I doubt there is anything malicious behind it… The Chinese might subvert FPGAs so that they could later steal intellectual-property written to the chips, but the idea they went through all this to attack the U.S. military is pretty fanciful.”
Earlier this year, a GAO report said that the Department of Energy, Department of Justice, and the Department of Homeland Security (DHS) need to tighten procedures and controls when it comes to mitigating IT supply chain issues. According to the GAO, threats to the government’s IT supply chain include malicious logic on hardware or software; the installation of counterfeit hardware or software; failure or disruption in the production or distribution of a critical product or service; reliance upon a malicious or unqualified service-provider for the performance of technical services; and the installation of unintentional vulnerabilities on hardware or software.
Additionaly, according to a report prepared by Northrop Grumman for the U.S.-China Economic and Security Review Commission and released in early March 2012, U.S. Critical Infrastructure and supply chains are vulnerable. “Successful penetration of a supply chain such as that for telecommunications industry has the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety,” the report notes.
Related Reading: The Need to Secure the Cyber Supply Chain
Related: Consortium Pushes Security Standards for Technology Supply Chain
Related: Students Develop Techniques to Keep Malware Out of the Electronics Supply Chain