Breakthrough silicon scanning discovers backdoor in military chip

Breakthrough silicon scanning discovers backdoor in military chip:

Basically seems many Actel FPGAs have a backdoor.

Jan Panteltje

Man, somebody might go to jail over this one!

Jon

Jon Elson

That server seems to have been offline for the past couple of hours... can't get any response from it.

Is this PDF online anywhere else?

--
Dave Platt                                    AE6EO
Friends of Jade Warrior home page:  http://www.radagast.org/jade-warrior
  I do _not_ wish to receive unsolicited commercial email, and I will
     boycott any company which has the gall to send me such ads!

It makes a good headline, but if your "enemies" are sitting around poking your hardware with a JTAG, I think that whether or not it is possible to get the bitstream out is a smaller issue.

And bitstreams aren't normally very useful unless you want to copy just a device.

-Lasse

langwadt

I'd expect that all FPGA vendors include some undocumented JTAG way to snoop the internals, including the configuration bits. They'd almost have to, to be able to analyze problems.

--

John Larkin         Highland Technology, Inc

jlarkin at highlandtechnology dot com
http://www.highlandtechnology.com

Precision electronic instrumentation
Picosecond-resolution Digital Delay and Pulse generators
Custom laser drivers and controllers
Photonics and fiberoptic TTL data links
VME thermocouple, LVDT, synchro acquisition and simulation

Yeah, and I don't care so much on my stuff, but if they are building secure software defined radios or national security-level crypto gear, somebody is going to be REALLY upset about undocumented back doors like this.

Jon

Jon Elson

I've never seen the internal or JTAG streams for FPGAs documented.

krw

It sure didn't take long for this to morph into nonsense.

--

John Larkin         Highland Technology Inc

jlarkin at highlandtechnology dot com

Precision electronic instrumentation
Picosecond-resolution Digital Delay and Pulse generators
Custom timing and laser controllers
Photonics and fiberoptic TTL data links
VME analog, thermocouple, LVDT, synchro, tachometer
Multichannel arbitrary waveform generators


On a sunny day (Tue, 29 May 2012 22:09:54 -0700) it happened John Larkin wrote in :

Is not that a Murdoch newspaper? Member of the J.T. political club? What do you expect?

Jan Panteltje

No, it is about as far from that as you get in the UK!

--

John Devereux

No!! From

The Guardian is part of the GMG Guardian Media Group of newspapers, radio stations, print media including The Observer Sunday newspaper, The Guardian Weekly international newspaper, and new media: the Guardian Abroad website and guardian.co.uk. All the aforementioned were owned by The Scott Trust, a charitable foundation existing between 1936 and 2008, which aimed to ensure the paper's editorial independence in perpetuity, maintaining its financial health to ensure it did not become vulnerable to takeovers by for-profit media groups. At the beginning of October 2008, the Scott Trust's assets were transferred to a new limited company, The Scott Trust Limited, with the intention being that the original trust would be wound up. Dame Liz Forgan, chair of the Scott Trust, reassured staff that the purposes of the new company remained as under the previous arrangements.
--
Mike Perkins
Video Solutions Ltd
www.videosolutions.ltd.uk

But on a chip that is designed to be military secure you cannot afford to use "security by obscurity". This sort of technical scanning attack, refined the way that the Cambridge group have done it, was predictable. The production chips should be hard-wired access denied.

The original chip designers must have watched too much Blake's 7 as the backdoor has an astonishing prequel in science fiction in Orac (which exploits a backdoor feature built into every computer by its designer).


--
Regards,
Martin Brown


Some of their science reporting is actually pretty good.

John Larkin

But this FPGA is not so designed. The only differences between this chip's grades (commercial, industrial, automotive, military) are the spec'd temperature ranges.

All of the FPGA's grades were supposed to be protected against read-back or bitstream sniffing. Clever people designed the chip, other clever people figured out a way around the block. See

--
Rich Webb     Norfolk, VA

If the bad guys have access to the JTAG connector on an FPGA, they have the entire gadget. And the serial config bitstream. Being able to read the internal config bits isn't much worse than that.

Actually, being able to read the internal config bits may be useless. At least being able to read the serial config stream lets the bad guys program their own FPGA to the same config. I don't think knowing the internal config bit pattern helps, unless you somehow know what those bits mean.

I can't imagine any way that undocumented JTAG registers would allow remote hacking of a system over the Internet, as the newspapers are now shrieking.

John Larkin

On a sunny day (Wed, 30 May 2012 11:22:52 +0100) it happened Mike Perkins wrote in :


OK, I stand corrected. But maybe they have some agenda too? The jive lately seems to be to pester China. We have seen Huawei rejected Down Under (where global heating Bill lives), on security grounds. In the EU Huawei and some other company are under investigation for dumping and getting Chinese government subsidies. Then there is the poor Chen who now lives in the US. I think the gist is that China should attack Taiwan, and then the US will sell more weapons, China bad guy.... and that would solve the $$$ that the US has to pay back to China. Of course it will result in WW3, but Obanana does not mind living in a grass hut without electrickity, he grew up that way in Kenya. OK, hey, I have been soldering and testing some i2c routines, my pressure-temperature-compass module from eBay came today, made a test setup. Soldering gets your mind off politics, so.... Hey, this module also has an (unprogrammed it seems) PIC 16F689. Oh, sorry for drifting off-topic.

Video solution hey?

Jan Panteltje

On a sunny day (Wed, 30 May 2012 06:49:10 -0700) it happened John Larkin wrote in :

Oh, things like that have been done many times. If the attacker has a clue what pins or subsystem is used to, for example, send data over the internet, he can add his own module and sort of send all input and output (these things are often used for crypto) over the net. He can even write HDL to FIND where and if data is sent. Or do the reverse, simply wait for a kill command. So basically he can have thousands of gates programmed hidden from YOUR view.

Jan Panteltje


The hacker would have to have physical access to the inside of the military device. Once he does that, he can just plug into the JTAG port. Why bother with the Internet?

--

John Larkin                  Highland Technology Inc
www.highlandtechnology.com   jlarkin at highlandtechnology dot com

Precision electronic instrumentation
Picosecond-resolution Digital Delay and Pulse generators
Custom timing and laser controllers
Photonics and fiberoptic TTL data links
VME analog, thermocouple, LVDT, synchro, tachometer
Multichannel arbitrary waveform generators

Specific to SDRs, I don't think the contents of the FPGA would be static. They should require a host processor to initialize them.

Security in that case is a packaging thing, and that's been pretty well done. Heck, the debit module we did for the Exxon credit card network (circa 1992) erased itself completely if you opened the case in any way. There might have been a way to open it, but we couldn't find one, and it got approved by them for use.

-- Les Cargill



Doctor, doctor, it hurts when I do that...

Because it's SCARIER!

-- Les Cargill

