Security Experts:

Chinese Chip Maker Comments on Backdoor Found on Chip Used by U.S. Military

Earlier this week, SecurityWeek reported on news that Cambridge University researchers discovered a backdoor on a field-programmable gate array (FPGA) chip used by the U.S military. The news originally spread like wildfire, but shortly after, some began to doubt that the story was worth the hype.

“Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key,” the research overview explained.

The overview, and the fact that China is where the world gets its silicon supply, quickly led to sensationalistic headlines charging the Communist nation with espionage. Yet, some became skeptical because no one else discovered the flaw, and because the researchers are looking to sell the fuzzing technology. They have been accepted to present their work at a peer-review conference later this fall.

Errata Security’s Robert Graham called the news false, adding that while the researchers did discover the backdoor on the FPGA chip, there is no evidence that the Chinese put it there or that it is malicious.

Microsemi, the company who produced the FPGA chip in question, has now responded to the report, and issued the following statement.

“According to these researchers, in order for the extraction of the security key to occur, the pins of the FPGA device involved needed to be physically connected to the researchers’ custom-designed attack hardware. Microsemi has not been able to confirm or deny the researchers’ claims since they have not contacted Microsemi with the necessary technical details of the set-up nor given Microsemi access to their custom-designed equipment for independent verification.”

Additionally, the statement goes on to note, “there is no designed feature that would enable the circumvention of the user security.”

Addressing the backdoor itself, the statement says that it “can only be entered in a customer-programmed device when the customer supplies their passcode, thus preventing unauthorized access by Microsemi or anyone else.”

Microsemi says that shipped devices are checked to ensure that the backdoor is disabled, begging the question as to what type of device the researchers themselves were working with. The Register highlighted the same question in their coverage of the Microsemi statement.

“Here in El Reg’s antipodean eyrie, we’re therefore keen to know if Skorobogatov and Woods worked with a brand new FPGA, because if we take Microsemi’s word for it there’s no reason a virgin ProASIC3 would have a passkey lurking within. But we can imagine a used ProASIC3’s passkey being extracted using the researchers’ cunning methods. How did the key get there?”

The full response from Microsemi with respect to the reported backdoor on its ProASIC 3 can be found here.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.