China not behind US military chip backdoor

China was not involved in a backdoor that was allegedly installed in chips used by the US military, according to the researcher who originally made the discovery.
Written by Michael Lee, Contributor

China was not involved in a backdoor that was allegedly installed in chips used by the US military, according to the researcher who originally made the discovery.


(The door is not obvious image by DaveBleasdale, CC BY 2.0)

Earlier this month, Sergei Skorobogatov, a PhD candidate at the University of Cambridge, released draft papers for his hardware security research. Notably, his most recent work looked at an "American military chip [the Actel/Microsemi ProASIC3] that is highly secure, with sophisticated encryption standard [and] manufactured in China". Upon examination, he found a previously unknown backdoor, which had been inserted by the manufacturer.

"This backdoor has a key, which we were able to extract. If you use this key, you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems, from weapons [and] nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems," Skorobogatov wrote at the time.

After Skorobogatov's work was picked up by Reddit, many jumped to the conclusion that China was behind the backdoor.

"The claims about [the] Chinese being involved, was made up by someone who originally made the post at Reddit," Skorobogatov told ZDNet Australia.

"It is the US manufacturer Actel who inserted the backdoor," Skorobogatov wrote.

"We never said the Chinese have put a backdoor inside Actel's chips and it does not say so in our papers. It is as though people have put two and two together and made four or five or six, depending on what their agenda is. We believe that other chips will have backdoors. And since a US chip has them and [that] you can do lots of things that give you a vast amount of control over the devices, then, is there any reason to suggest other manufacturers have not done the same?"

Errata Security researcher Robert Graham also called initial reports "bogus", saying there was no evidence to suggest that it was the Chinese that were responsible, or even that the backdoor was malicious.

He explained that the chips have a built-in debugging interface, known as JTAG (named after the Joint Test Action Group, which was formed to test circuit boards). It is in most chips, because it's too costly to make customised versions, without the interface. To use or exploit the interface, you actually need physical access to the chip.

"Whether you call this a security feature to prevent others from hacking the chip through JTAG or a secret backdoor available only to the manufacturer, is open to interpretation," Graham wrote on the Errata Security blog.

Actel, itself, appears to call it a backdoor, noting in a 2002 security paper (PDF) that chips which use Static-RAM (SRAM), including the ProASIC3 (PDF), are vulnerable to attack:

All SRAM [field-programmable gate arrays] (FPGAs) come with a security back-door that leaves designs vulnerable to compromise. Internet news groups regularly detail the ease with which one can simply read back the internal configuration bit-stream, through a chip's JTAG or proprietary programming interface.

Today's largest suppliers now integrate a variety of security settings in all FPGAs, but, unfortunately, even "locking" your SRAM chip with the vendor's security bit might not be good enough to prevent theft. It is easy to surmount some device families' security safeguards by applying high-voltage sequences to certain pins. This action puts the chips into manufacturing test modes, which re-enable internal-device-state access.

Furthermore, Actel's paper notes "SRAM FPGAs ... consistently prove inadequate for providing effective design security", and recommends using chips based on technologies other than SRAM.

Given the age of the paper and the potential for technology to have changed in the meantime, ZDNet Australia contacted Microsemi to confirm that the paper was still relevant to the ProASIC3, but had not received a reply at the time of writing.

As for whether the chips are used in military applications at all, remains to be seen. Graham notes that the US military uses a lot of commercial, off-the-shelf products, indicating that the issue may not be as widespread as initial reports may have assumed it to be.

He also notes that none of Actel's chips have been certified by the US Government to hold secrets.

On the other hand, Skorobogatov said that Actel's parent company Microsemi is a military-oriented manufacturer, and Actel, which Skorobogatov said was acquired over a year ago, aimed 70 per cent of its sales at military customers.

"They are trying to push their products for industrial applications, but, due to high cost and competition, still remain mainly military oriented."

Editorial standards