Security backdoor found in China-made US military chip

Information Age ^ | May 28, 2012 | staff

[Pelham]

Cambridge University researchers find that a microprocessor used by the US military but made in China contains secret remote access capability

A microchip used by the US military and manufactured in China contains a secret "backdoor" that means it can be shut off or reprogrammed without the user knowing, according to researchers at Cambridge University's Computing Laboratory.

The unnamed chip, which the researchers claim is widely used in military and industrial applications, is "wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan", they said.

The discovery was made during testing of a new technique to extract the encryption key from chips, developed by Cambridge spin-off Quo Vadis Labs.

The "bug" is in the actual chip itself, rather than the firmware installed on the devices that use it. This means there is no way to fix it than to replace the chip altogether.

"The discovery of a backdoor in a military grade chip raises some serious questions about hardware assurance in the semiconductor industry," wrote Cambridge University researcher Sergei Skorobogatov and Quo Vadis Labs research Christopher Woods in a draft paper.

"It also raises some searching questions about the integrity of manufacturers making claims about [the] security of their products without independent testing."

[anymouse]

This could be good for U.S.-based chip manufacturers.

Oh, they make most of their chips overseas due to cheap labor, looser environmental regulations and lower taxes.

And even in their U.S. chip operations they employ foreign H1B visa workers.

Darn that military industrial complex! /sarc

[Bobalu]

A close reading of this article leads me to believe they are talking about a common micro-controller chip here. These chips power things like cell phones, microwave ovens, anti-lock brake systems...and most everything else these days.

They speak of a weakness in the chips encryption. I believe they are saying the code-protection feature is weak. When you program a controller chip and wish to protect your work you set a hardware flag that makes it impossible to read out the firmware by normal means.

There are companies that will open the chip and break the protection by physical means. But this story is about the manufacturer leaving in an easier way to get at the protected code.

from the article
“the chip in question is widely used in military and industrial applications. The “backdoor” means it is “wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan”, they said”

This statement is what leads me to believe they are speaking of a weak code-protection system on the chip.
This does not mean the chip can be re-programmed remotely. That ability is added by what is known as bootloader code in the chip. They don’t mention any such thing here.

Nearly all controller chips can be erased even if the code-protect flag is set. Then you can re-program the chip with new code. You could pay to have the protection of one chip physically defeated and get a copy of the firmware. Then you could simply erase the flash memory on any number of identical chips and re-program with code that has the original functionality and whatever added features you wish.(even bootloader code)

What I am saying is it would only be a little bit tougher to get at the firmware on a properly protected controller and then modify that firmware for nefarious purposes. The code-protect feature is merely a speedbump...that is all.

IMO some of the hardware geeks at this company just wanted a way to peek at whatever code these chips were ever programmed with...nothing more.

This is probably a licensed ARM variant of some type.

[publius911]

Bookmark

[mo]

Appears as though our creditors are securing their collateral.

[DaveTesla]

bttt

[Sirius Lee]

I'll bet, or I have to hope, that our government discovered the backdoor years ago and quietly replaced these chips on our military equipment - and the Goldman Sachs mainframes - in order to give the Chinese a surprise when they tried to shut everything down.

Of course We the Peasants are xcrewed if you're one of those rare people who use a personal computer or keep money in a non-TBTF bank or use electricity from a grid controlled by a computer.

[rdcbn]

This is old news.

Lots of work has been done to check the artwork for these kinds of things.

BTW, this kind if cuts both ways.

The Chinese copy everything :-)

[Tijeras_Slim]

Why would they use a “backdoor” when we’ve pretty much invited them in the front?

[null and void]

Nut-job Conspiracy Theory Ping!

To get onto The Nut-job Conspiracy Theory Ping List you must threaten to report me to the Mods if I don't add you to the list...

[zeugma]

Does anyone remember CryptoAG?

Not only does the U.S. government do the same thing, but they've been caught doing it as well. I simply do not understand how the military could accept for delivery anything with a CPU from china. That would include an amazing amount of stuff these days. Hell, my coffee roaster has a computer in it.

[DoodleDawg]

This administration has the intelligence of an amoeba. That’s ONE amoeba.

The administration doesn't buy the chips. They buy the items that the manufacturer put the chip in. The ire should be directed to the defense industry that puts profits before security.