A secret nanoscale "backdoor" etched into the silicon of a supposedly secure programmable chip could give cyberattackers access to classified US weapons systems, including guidance, flight control, networking, and communications systems, according to a new report by cybersecurity researchers in Britain.

The Cambridge University study is apparently the first public documentation that such a serious vulnerability has been deliberately built into a class of microchips used across the military and in key industrial applications such as power grids, the researchers say.

The discovery underscores the Pentagon's growing concerns over the vulnerability of the "supply chain" for computer chips it relies on.

The new research illustrates how spying or even destructive functions, such as a "kill switch" that could make a plane fall out of the sky like a brick, could be added unnoticed to microchips while they are being designed and manufactured either at home or overseas, hardware-security experts say.

The chip in question, one of the ProASIC3 (PA3) line, is designed by a California company but manufactured in China. It is not known how or why the backdoor was installed on the chip, but experts say it is highly unlikely that it was inserted nefariously during the manufacturing process in China. More likely, it might be merely an overlooked feature left over from a period of early development, some say.

Yet how the backdoor got there is, in many ways, less important than the fact that it is there at all, the experts add. It suggests that even the PA3 chip, purchased by a variety of critical industries and touted as having "one of the highest levels of design security in the industry," could have exploitable vulnerabilities that users don't even know about.

"The major concern here is: If there are backdoors built into other chips, how easy will it be to find them?" says Sergei Skorobogatov, the researcher who led the Cambridge University study, in an interview.
"It doesn't really matter much if it's a backdoor or a special test function embedded by the original chip designer. All a hacker wants is access to the chip.... If the attacker can find it and use it, he gets what he wants."

What the chip does

The PA3 A3P250 chip is a field programmable gate array, meaning it is basically a blank slate ready to be programmed to perform myriad functions. Experts agree that the chips are used widely by the US military in various settings, some likely to be critical, others likely to be much less so.

Strong encryption protects the chip from further changes. But the Cambridge report, titled "Breakthrough silicon scanning discovers backdoor in military chip," claims that an internal passcode and other vital keys needed to make big changes can be filched through the hidden backdoor.

Once inside the chip's backdoor, the potential for mischief is significant. The chip can be reprogrammed to do anything the attacker wants it to do, including erase itself or divulge information like classified algorithms for targeting, flight control, and other systems, the researchers say. Moreover, successful attackers would have access to proprietary secrets behind the chip's design.

"This means the device is wide open to intellectual property theft, fraud, re-programming as well as reverse engineering of the design which allows the introduction of a new backdoor or Trojan," write Mr. Skorobogatov and fellow Cambridge researcher Christopher Woods in their paper.

Concern about kill switches

These are some of the concerns that have led the Pentagon and intelligence agencies to accelerate the development of tools that can scrutinize chips for signs of intentionally built-in microscopic vulnerabilities. A kill-switch, for example, could allow an adversary to send a command that could cause a critical failure on a computer-controlled weapon system like a jet fighter, these experts say.
"There's a lot of concern within the US military and intelligence agencies that people, other governments, could be putting into these chips not just backdoors, but kill switches that are extremely difficult to detect," says David Adler, president of DLA Instruments Corp. of San Jose, Calif., which is assisting the Pentagon in its efforts to detect microscopic tampering.

The concern spreads beyond the military. The chips are also used widely in nuclear power plants, power distribution, aerospace, aviation, public transport, and automotive products, and the discovery could pave the way for cyberattacks on vital infrastructure.

"This permits a new and disturbing possibility of a large scale Stuxnet-type attack via a network or the Internet on the silicon itself," the Cambridge researchers write, referring to a now notorious cybersabotage attack on centrifuge systems inside Iran's nuclear fuel-enrichment facility, an attack recently identified as the handiwork of the US and Israel.

"To our knowledge, this is the first documented case of finding a deliberately inserted backdoor in a real world chip," the researchers state.

Chipmaker's response

The chip's maker, Actel, now a subsidiary of Irvine, Calif.-based Microsemi Corp., disputes the researchers' claim, saying there is no backdoor at all, while also noting that future designs will be even more secure.

"Microsemi can confirm that there is no designed feature that would enable the circumvention of the user security," the company said in a statement. "The researchers' assertion is that with the discovery of a security key, a hacker can gain access to a privileged internal test facility reserved for initial factory testing and failure analysis. Microsemi verified that the internal test facility is disabled in all shipped devices."

The report arrives on the heels of another recent backdoor revelation.
In April, a cybersecurity researcher in San Francisco went public with evidence that a technology firm with ties to the military, Canada-based RuggedCom, also had a backdoor built into the firmware of an industrial control system router that it touted as secure.

In that case, RuggedCom was able to issue a patch to eliminate the vulnerability. But backdoors left in chips cannot be patched.

Moreover, backdoors are extraordinarily difficult to find. Finding a backdoor is roughly equivalent to comparing every street address from a satellite image of North America to a map of North America just to be sure they match and that no fake addresses have been added, DLA's Mr. Adler says.

That suggests many more backdoors may be out there waiting to be found by friend or foe.

"It's hard to say about this discovery, but it could be a canary-in-the-coal-mine-type incident that indicates a big problem," says Olin Sibert, an expert in hardware systems security and founder of Boston-based Oxford Systems Inc. "It would not be surprising if similar vulnerabilities were found elsewhere in widely used components."

This shows how important it is that security awareness be pervasive throughout a manufacturing organization, he says.

A China role?

In this case, he agrees, there doesn't yet appear to be any sign of malicious intent from China or anyone else.

"There's lots of chips manufactured in China," Mr. Sibert says. "It's theoretically possible, but it would be very difficult for them to install this sophisticated backdoor."

One factor that mitigates against the vulnerability being used to install a kill switch is that physical access would be needed to most of the chips that have been deployed, Skorobogatov says. Even so, at least some of the chips have been "wired to the network" to enable reprogramming and therefore they and their backdoors are reachable over the Internet, he says.

Even if the chips are just inside telephones, the idea of being able to modify them "is a critical concern," Adler says.
"If you are using encryption in a call and someone can disable that and eavesdrop on the call, that's a big concern."

Regardless of the origin of the backdoor, more are likely to be found as researchers become more adept at searching and new tools become available.

"What the researchers have found is ... the strongest suggestion to date that those who claimed complete security for their systems are at best mistaken," says Andrew Righter, a researcher at the University of Pennsylvania. "What the researcher has done is said in the middle of the parade 'The emperor has no clothes' to the manufacturing industry that says all our toys are secure."

"We are going to see a lot more chips fall to these attacks and a lot of companies backpedaling, trying to explain why these backdoors exist," Mr. Righter says.