A potentially serious vulnerability discovered by researchers in Field Programmable Gate Array (FPGA) chips can expose many mission- and safety-critical devices to attacks.
FPGAs are integrated circuits that can be programmed in the field after manufacturing. These chips are considered secure components and they are present in a wide range of systems, including industrial control systems (ICS), cloud data centers, cellular base stations, medical devices, and aviation systems.
A team of researchers from Germany’s Horst Görtz Institute for IT Security at Ruhr-Universität Bochum and the Max Planck Institute for Security and Privacy discovered that FPGA chips are affected by a critical vulnerability — they have named it Starbleed — that can be exploited to take complete control of the chips.
In order to exploit the weakness, an attacker would need to have access to the targeted device’s JTAG or SelectMAP interfaces, but the researchers warned that remote attacks may also be possible.
The research focused on FPGAs made by Xilinx, the US-based company that invented the FPGA and one of the world’s largest suppliers of such products. Impacted products include Xilinx’s 7-series devices — including Spartan, Kintex, Artix and Virtex families — as well as older Virtex-6 chips.
The vulnerability was reported to the vendor in September 2019 and its existence was quickly confirmed. However, the researchers say the flaw cannot be patched without replacing the silicon. On the other hand, they noted that Xilinx’s new UltraScale and UltraScale+ chips, which are slowly replacing older models, are not vulnerable to their attacks.
Xilinx has published a security advisory to inform customers about the vulnerability, but does not seem to fully agree with the researchers’ assessment.
“The only proven way to perform the so-called ‘Starbleed’ attack is to have close, physical access to the system. It is also important to recognize that when an adversary has close, physical access to the system there are many other threats to be concerned about,” a Xilinx spokesperson told SecurityWeek. “We advise all of our customers that they should design their systems with tamper protection such that close, physical access is difficult to achieve.”
The Starbleed attack targets the FPGA’s bitstream, which contains the programming information for a device. According to the researchers, if an attacker gains access to the bitstream, they can plant hardware backdoors, change its functionality, or cause physical damage to the system.
Vendors have introduced bitstream encryption in an effort to protect the FPGA design. However, the Germany-based researchers have managed to circumvent the bitstream encryption and decrypt supposedly secure bitstream. The attack results in full decryption against 7-series Xilinx devices and partial decryption against Virtex-6 devices.
The researchers said they uncovered two attack methods that they described as “low cost,” unlike previous attacks against bitstream encryption, which required “sophisticated equipment and considerable technical expertise.”
However, Xilinx noted in its advisory that “the complexity of this attack is similar to well known, and proven, DPA attacks against these devices and therefore do not weaken their security posture.”