Unscrewing Security

About Author

Alec Muffett is a veteran security geek who believes strongly in common sense, full disclosure, defence in depth, privacy, integrity, simplicity and open source. He is an independent consultant, writer, and speaker specialising in security education.


Chinese Cyberwarriors in your Chips?

Perhaps, but the Cambridge ones are more interesting


The security interwebs this morning are alive with reference to Sergei Skorobogatov's webpage at Cambridge, the key quote from which is:

We developed breakthrough silicon chip scanning technology to investigate these claims. We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.

I recommend against panic.

Instead there are a bunch of questions to ask:

What's the threat?

Rephrasing the above: the Cambridge Security Research team found that in one particular type of specialised chip there is a mechanism, built into the design, allowing the chip to be reprogrammed.

The term reprogrammed is relevant because the chip concerned is an FPGA, a Field-Programmable Gate Array, a special kind of chip which[1] can be programmed to perform like custom hardware; so instead of expensively building a custom piece of silicon to perform your task, you program an FPGA to do the job.

This is very useful in systems with lots of specialist hardware kicking around, like avionics, missiles, power stations, network hardware and the like.

Are we all doomed?

As written, the paper does not mean that you or your granny's e-banking is at risk, and for all we know the act of reprogramming these FPGAs to do something evil will require a Mission-Impossible break-in to the afflicted site and hardware, probably carrying a reasonable amount of special equipment with you.

That would rather limit the scope for exploitation.

Is this a Cyberattack?

Mmm... perhaps, but I suspect not.

There is a venerable tradition of manufacturers embedding backdoor access into hardware and software[2], and as described above it strikes me as exactly the sort of thing I would have put into an FPGA design in order to debug or fix it during the design phase.

So if the question is: was the FPGA design purposely and secretly nobbled in pursuit of the goals of the Chinese state, I would say maybe, but probably not. If the FPGA design is at all good then I doubt a bureaucrat had a hand in backdooring it.[3]

If the question is: does the Chinese state know about this, I would say almost certainly, but that's to be expected.

Do our Governments know about this risk?

Certainly. Whether it's possible to do anything about it is a different matter - occasionally some cybersecurity-homesteader-type trumpets the idea of a purely American computer for America, or an Indian one for India, or a Chinese computer for China, but it's not feasible nor desirable economically.

Put differently: would you give up your iPad? Would you expect your MPs to give up theirs even if doing so made them less effective representatives?

So get used to using a global parts-bin and hysterical stories of the above sort, and learn to work around the issues raised by using mostly untrustworthy components.

So what's the real story here?

For me the real story is Cambridge: a bunch of academic geeks using (apparently) sub-$100's worth of hardware to plumb the guts of a chip. Think of the application to transparency, to hardware hacking, to reverse engineering. To normal people, getting to find out what's inside the case of their devices.

That is what I want to find out more about.

Follow me as @alecmuffett on Twitter and this blog via the RSS feed.

[1] to oversimplify wildly
[2] Google for: sendmail wizard password
[3] See Botching the Bomb, this month's Foreign Affairs magazine (paywall) or this related snippet.
