Backdoor discovered in Chinese chip in USA
The FPGA (Programmable Logic Integrated Circuit) chip made in China was chosen as an object for study. Unlike conventional microcircuits, the principle and logic of FPGA operation are not determined by the manufacturer, but are given through programming. Chip - Microsemi / Actel ProASIC3 is widely used in many systems, including nuclear power plants and public transport. The difference in the "military" version of the ProASIC3 version is the best resistance to radiation and electromagnetic effects, as well as temperature differences, the design completely coincides with the "civil" version.
After checking the chip for the presence of "atypical functions", a backdoor was placed there by the manufacturer and able to remove the crypto protection from the chip, change the AES encoding key, gain access to unencrypted data flow or cause significant malfunctions, that is, be used as a kind of " master key ", which did not interfere even with the fact that the configuration was protected by the key of the official user. The researchers who conducted the testing were able to extract the code that could activate the backdoor.
The study was conducted at the Cambridge Laboratory for Pipeline Emission Analysis (PEA) technology which was
Developed with Quo Vadis Labs. This method is very cheap - scanning is performed on equipment costing about one hundred dollars.
The test results were published by Sergey Skorobogatov, a graduate of MEPI, who is an employee of the computer security group at the university. According to him, such a “back door” can be used for personal gain, as a kind of advanced version of Stuxnet. The consequences of such an attack pose a considerable threat to the nat. security and public infrastructure.
In turn, David Graham, from Errata Security, an expert in backdoors in chips, described his vision of this news. He is rather incredulous about the find of Sergey and draws attention to several important, in his opinion, moments.
According to his version, backdoors in integrated circuits are quite common and not all of them are used for malicious purposes. Often their presence is due to technical necessity in the development of the system. Each such product passes testing and debugging (debugging) before release, and often developers forget to turn off the debugger before releasing the product.
Computer chips are already approaching the complexity of software systems, they are made from ready-made blocks, including the standard debugger - contacts on the chip, from which you can remove all service information without inserting the chip into the slot designed for it, which hackers sometimes use. Manufacturers, in order to insure against such unauthorized access, without changing the design of the chip, add an AES cryptographic key (usually bits of the 128 bit), which disables the most dangerous of the debugger commands.
David Graham suggests that Sergey Skorobogatov was able to extract just such a key.
To fully understand the situation, you will have to wait for the official response of the manufacturer, which is Microsemi / Actel.
Information