Entries Tagged "military"

Page 4 of 16

Backdoor Found (Maybe) in Chinese-Made Military Silicon Chips

We all knew this was possible, but researchers have found the exploit in the wild:

Claims were made by the intelligence agencies around the world, from MI5, NSA and IARPA, that silicon chips could be infected. We developed breakthrough silicon chip scanning technology to investigate these claims. We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.

Here’s the draft paper:

Abstract. This paper is a short summary of the first real world detection of a backdoor in a military grade FPGA. Using an innovative patented technique we were able to detect and analyse in the first documented case of its kind, a backdoor inserted into the Actel/Microsemi ProASIC3 chips. The backdoor was found to exist on the silicon itself, it was not present in any firmware loaded onto the chip. Using Pipeline Emission Analysis (PEA), a technique pioneered by our sponsor, we were able to extract the secret key to activate the backdoor. This way an attacker can disable all the security on the chip, reprogram crypto and access keys, modify low-level silicon features, access unencrypted configuration bitstream or permanently damage the device. Clearly this means the device is wide open to intellectual property theft, fraud, re-programming as well as reverse engineering of the design which allows the introduction of a new backdoor or Trojan. Most concerning, it is not possible to patch the backdoor in chips already deployed, meaning those using this family of chips have to accept the fact it can be easily compromised or it will have to be physically replaced after a redesign of the silicon itself.

The chip in question was designed in the U.S. by a U.S. company, but manufactured in China. News stories. Comment threads.

One researcher maintains that this is not malicious:

Backdoors are a common problem in software. About 20% of home routers have a backdoor in them, and 50% of industrial control computers have a backdoor. The cause of these backdoors isn’t malicious, but a byproduct of software complexity. Systems need to be debugged before being shipped to customers. Therefore, the software contains debuggers. Often, programmers forget to disable the debugger backdoors before shipping. This problem is notoriously bad for all embedded operating systems (VxWorks, QNX, WinCE, etc.).


It could just be part of the original JTAG building-block. Actel didn’t design their own, but instead purchased the JTAG design and placed it on their chips. They are not aware of precisely all the functionality in that JTAG block, or how it might interact with the rest of the system.

But I’m betting that Microsemi/Actel know about the functionality, but thought of it as a debug feature, rather than a backdoor.

It’s remotely possible that the Chinese manufacturer added the functionality, but highly improbable. It’s prohibitively difficult to change a chip design to add functionality of this complexity. On the other hand, it’s easy for a manufacturer to flip bits. Consider that the functionality is part of the design, but that Actel intended to disable it by flipping a bit turning it off. A manufacturer could easily flip a bit and turn it back on again. In other words, it’s extraordinarily difficult to add complex new functionality, but they may get lucky and be able to make small tweaks to accomplish their goals.

EDITED TO ADD (5/29): Two more articles.

EDITED TO ADD (6/8): Three more articles.

EDITED TO ADD (6/10): A response from the chip manufacturer.

The researchers assertion is that with the discovery of a security key, a hacker can gain access to a privileged internal test facility typically reserved for initial factory testing and failure analysis. Microsemi verifies that the internal test facility is disabled for all shipped devices. The internal test mode can only be entered in a customer-programmed device when the customer supplies their passcode, thus preventing unauthorized access by Microsemi or anyone else. In addition, Microsemi’s customers who are concerned about the possibility of a hacker using DPA have the ability to program their FPGAs with its highest level of security settings. This security setting will disable the use of any type of passcode to gain access to all device configuration, including the internal test facility.

A response from the researchers.

In order to gain access to the backdoor and other features a special key is required. This key has very robust DPA protection, in fact, one of the best silicon-level protections we have ever encountered. With our breakthrough PEA technique we extracted the key in one day and we found that the key is the same in all ProASIC3, Igloo, Fusion and SmartFusion FPGAs. Customers have an option to program their chosen passcode to increase the security; however, Actel/Microsemi does not tell its customers that a special fuse must be programmed in order to get the backdoor protected with both the passcode and backdoor keys. At the same time, the passcode key can be extracted with our PEA technique which is public and covered in our patent so everyone can independently verify our claims. That means that given physical access to the device an attacker can extract all the embedded IP within hours.

There is an option for the highest level of security settings – Permanent Lock. However, if the AES reprogramming option is left it still exposes the device to IP stealing. If not, the Permanent Lock itself is vulnerable to fault attacks and can be disabled opening up the path to the backdoor access as before, but without the need for any passcode.

Posted on May 29, 2012 at 2:07 PMView Comments

Naval Drones

With all the talk about airborne drones like the Predator, it’s easy to forget that drones can be in the water as well. Meet the Common Unmanned Surface Vessel (CUSV):

The boat — painted in Navy gray and with a striking resemblance to a PT boat — is 39 feet long and can reach a top speed of 28 knots. Using a modified version of the unmanned Shadow surveillance aircraft technology that logged 700,000 hours of duty in the Middle East, the boat can be controlled remotely from 10 to 12 miles away from a command station on land, at sea or in the air, Haslett said.

Farther out, it can be switched to a satellite control system, which Textron said could expand its range to 1,200 miles. The boat could be launched from virtually any large Navy vessel.


Using diesel fuel, the boat could operate for up to 72 hours without refueling, depending upon its traveling speed and the weight of equipment being carried, said Stanley DeGeus, senior business development director for AAI’s advanced systems. The fuel supply could be extended for up to a week on slow-moving reconnaissance missions, he said.

Posted on May 7, 2012 at 6:52 AMView Comments

U.S. Drones Have a Computer Virus

You’d think we would be more careful than this:

A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones.


“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

EDITED TO ADD (10/13): No one told the IT department for two weeks.

Posted on October 10, 2011 at 6:38 AMView Comments

Insurgent Groups Exhibit Learning Curve

Interesting research:

After analyzing reams of publicly available data on casualties from Iraq, Afghanistan, Pakistan and decades of terrorist attacks, the scientists conclude that “insurgents pretty much seemed to be following a progress curve—or a learning curve—that’s very common in the manufacturing literature,” says physicist Neil Johnson of the University of Miami in Florida and lead author of the study.

Paper here.

Posted on July 12, 2011 at 7:13 AMView Comments

Chinese Army Developed Online Wargame

This is a really weird story:

After setting up its own cyber-warfare team, China’s military has now developed its first online war game aimed at improving combat skills and battle awareness, state press said Wednesday.

“Glorious Mission” is a first-person shooter game that sends players on solo or team missions armed with high-tech weapons, the China Daily reported.

How is this different from any of the dozens of other first-person shooter games with realistic weapons?

And does “training” on these games really translate into the real world?

EDITED TO ADD (7/13): The original story by China Daily is more detailed and easier to follow.

Posted on June 30, 2011 at 8:15 AMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.