Security breaches and counterfeit chips seem to be dominating industry news cycles on a weekly basis; however, last week a new story broke that has left many simply scratching their heads.
Dr. Sergei Skorobogatov, a senior research associate at the University of Cambridge in the United Kingdom who specializes in attack technologies and tamper-resistant processors for Cambridge’s Hardware Security Group, posted a finding of a possible “backdoor” in Actel’s ProASIC3 chip. Actel, now owned by Microsemi, markets the chips to critical application users such as the U.S. government for weapon technology, aviation, and nuclear and power systems. The PA3 chip is marketed as one of the most highly secure chips in the industry.
In the research document, Skorobogatov and Christopher Woods of Quo Vadis Labs claim to have used an innovative patented technique and to have extracted the secret access key using Pipeline Emission Analysis, ultimately activating backdoor control. According to the posted document, the backdoor is only available on the actual silicon and has not been detected in any firmware loaded onto the chip.
Traditionally, bugs or flaws in firmware are easily fixed with a patch. No fixes are available for the actual hardware of the chip or silicon, which makes the group’s findings even more alarming since the devices are actively deployed in the field. Skorobogatov further states, “This permits a new and disturbing possibility of a large scale Stuxnet-type attack via a network or the Internet on the silicon itself. If the key is known, commands can be embedded into a worm to scan for JTAG, then to attack and reprogram the firmware remotely.” The only known fix would be to recall all chips in use for replacement, which is highly unlikely at this point.
Stuxnet-style attacks have become the weapon of choice for those involved in cyber warfare. Discovered in 2010 and commonly labeled the “Trojan Horse” of the 21st Century, Stuxnet is a computer worm that attaches itself deep into a computer system (usually SCADA equipment), corrupting files and reprogramming code. These worms specifically target critical applications and industries such as military networks, industrial controls and financial institutions. Stuxnet continues to be the largest viral threat in cyberspace today. In fact, it’s what many experts believe is targeting Iran’s nuclear program. Originally, most thought the Stuxnet virus was built to steal secret codes or factory formulas in Siemens automation software, enabling terrorists or malicious users to counterfeit devices. Experts now believe that is not the case: the Stuxnet worm looks specifically for Siemens software-based equipment that has the exact settings needed to inject its code and reprogram the PLD or programmable logic device for the application. Stuxnet has also destroyed major operating systems in Indonesia and India to date.
Researchers from the University of Cambridge further conclude the Actel backdoor entry was deliberately designed into the silicon. Some are pointing the finger toward China, where the chips were actually manufactured; however, Skorobogatov is now stating that he does not believe that to be the case. This has sparked much debate in the chip community and again raises the question as to why some of our highest security electronic devices are being made in a region that is widely known for stealing intellectual property rights and leading the trend in counterfeiting devices. Even if this case isn’t found to be designed with malicious intent, doesn’t this keep the door wide open for that to happen in the future?
Robert Graham, an industry expert from Errata Security, posted a response to the claims of deliberate backdoor intent on his blog, stating, “It could just be part of the original JTAG building-block. Actel didn’t design their own, but instead purchased the JTAG design and placed it on their chips. They are not aware of precisely all the functionality in that JTAG block, or how it might interact with the rest of the system. I’m betting that Microsemi/Actel know about the functionality, but thought of it as a debug feature, rather than a backdoor. It’s remotely possible that the Chinese manufacturer added the functionality, but highly improbable. It’s prohibitively difficult to change a chip design to add functionality of this complexity.”
Graham went on to say, “On the other hand, it’s easy for a manufacturer to flip bits. Consider that the functionality is part of the design, but that Actel intended to disable it by flipping a bit turning it off. A manufacturer could easily flip a bit and turn it back on again. In other words, it’s extraordinarily difficult to add complex new functionality, but they may get lucky and be able to make small tweaks to accomplish their goals.”
Finally, last week Microsemi posted a much-anticipated statement on its website in response to the security findings by the Cambridge research team. Microsemi is denying that any “backdoor” entry enabling the circumvention of security was deliberately designed into its ProASIC3 chip. The company further claims the UK Security Research Team has not contacted it in regard to the findings.