Jump to content



Photo

Cambrigde researchers find hardware backdoor in CPU's?

backdoor hardware cpu us military

  • Please log in to reply
15 replies to this topic

#1 Regert

Regert

    Neowinian

  • 154 posts
  • Joined: 16-July 03
  • Location: Sweden
  • OS: Mainly Windows 7 x64

Posted 28 May 2012 - 09:09

Hey, anyone seen this on any news channels?

Google translate of Swedish article.
http://translate.goo...a-processorchip

Cambrigde article. Here http://www.cl.cam.ac....html#Assurance

Basically, the article says that researchers in Cambridge have found a previously unknown hardware backdoor in chips that are used by the US military and made in China. According to the news article it's possible to enter the chip even if it's owner has locked it with his/her own code.

Update:
New links from the original article:
http://www.wired.com...its/#more-49990

&
http://articles.busi...ign-chip-makers

Ehm, this isn't really reassuring if it's true.

/Regert


#2 Ci7

Ci7

    Neowinian Senior

  • 8,212 posts
  • Joined: 21-June 08
  • OS: Windows 8
  • Phone: Sony XZ

Posted 28 May 2012 - 09:22

what chip?

the one made by Intel?

#3 OP Regert

Regert

    Neowinian

  • 154 posts
  • Joined: 16-July 03
  • Location: Sweden
  • OS: Mainly Windows 7 x64

Posted 28 May 2012 - 09:28

what chip?

the one made by Intel?


It's not really specified. But it would be CPU's mostly I guess. It wouldn't matter which brand if they are made in the same country.
Which one "made by intel" are you referring too?

#4 Ci7

Ci7

    Neowinian Senior

  • 8,212 posts
  • Joined: 21-June 08
  • OS: Windows 8
  • Phone: Sony XZ

Posted 28 May 2012 - 09:37

It's not really specified. But it would be CPU's mostly I guess. It wouldn't matter which brand if they are made in the same country.
Which one "made by intel" are you referring too?


not anything specific , i was wandering

just imagine how powerful such a backdoor would be

#5 georgevella

georgevella

    Software Developer

  • 1,090 posts
  • Joined: 15-May 02

Posted 28 May 2012 - 11:52

I am no CPU engineer, but how can this backdoor (if it exists) be used? I can understand that it can be used as a kill switch but that is the only possible use I can imagine :s

#6 Simon-

Simon-

    Neowinian Senior

  • 10,724 posts
  • Joined: 04-November 02

Posted 28 May 2012 - 12:02

It sounds like it relates to a custom chip they ordered. Or maybe the "backdoor" is a JTAG connector?

#7 OP Regert

Regert

    Neowinian

  • 154 posts
  • Joined: 16-July 03
  • Location: Sweden
  • OS: Mainly Windows 7 x64

Posted 28 May 2012 - 12:51

I am no CPU engineer, but how can this backdoor (if it exists) be used? I can understand that it can be used as a kill switch but that is the only possible use I can imagine :s

It sounds like it relates to a custom chip they ordered. Or maybe the "backdoor" is a JTAG connector?


well. Honestly, it's a bit unclear. The swedish news article states "military processors", which I translated as a CPU in ordinary PC terms. However, in a strict techical sense, it doesn't have to be a CPU as in Central Processing Unit. It can be a microcontroller. I.E Guidance chip, good old FPGA, chipsets .. etc.
So I don't know.

The scientific "abstract" says:
"We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport."
They only speak of silicon chips in general. So I guess it will be clear by september (says somewhere on the groups(scientists page) when the paper is presented on what it actually is. Also - from a US + Allies security point of view, it would be wise to first check the actual chips before the paper goes public.
It can be that our swedish journalist translated silicon chip to processor due to the "This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport" part.

#8 arachnoid

arachnoid

    Times a Ticking

  • 3,227 posts
  • Joined: 03-November 11

Posted 28 May 2012 - 12:56

Also on his list of topics


In the blink of an eye: There goes your AES key
This paper is a short summary of a real world AES key extraction performed on a military grade FPGA marketed as 'virtually unbreakable' and 'highly secure'. We demonstrated that it is possible to extract the AES key from the A****/M******** P******* (P**) in a time of 0.01 seconds using a new side-channel analysis technique called Pipeline Emission Analysis (PEA) developed by Quo Vadis Labs (QVL) . This new technique does not introduce a new form of side-channel attacks (SCA). It is a method that improves upon the speed at which all SCA can be performed, on any device and especially against devices previously thought to be infeasible to break because of the time and equipment cost. Possessing the AES key for the P** would allow an attacker to decrypt the bitstream or allow them to authenticate themselves as a legitimate user. This means the device is wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan. We will show that with a very low cost hardware setup made with parts obtained from a local electronics distributor you can improve upon existing SCA by a factor of x1000 to x1,000,000 in time and at a fraction of the cost of existing SCA equipment.
http://www.cl.cam.ac...c_news.html#AES

#9 ThePitt

ThePitt

    Neowinian Senior

  • 4,808 posts
  • Joined: 14-January 06
  • Location: Hell

Posted 28 May 2012 - 15:20

PROCEDURE IS_SECOK USES GV,DO_EXIT;
IF ( ! (SECKEY_OK==0) ) THEN GOTO SECOK;
STATUS = -35;
PRINT "Error, pass key match failure";
CALL DO_EXIT;
SECOK:
LABEL_SEPARATOR = 0;
ENDPROC;

PROCEDURE DO_CHECK_R USES GV,DO_EXIT,DO_READ_SECURITY;
CALL DO_READ_SECURITY;
IF ( ! (ULARE==0) ) THEN GOTO Label_70;
STATUS = -37;
PRINT "FPGA Array Encryption is not enforced.";
PRINT "Cannot guarantee valid AES key present in target device.";
PRINT "Unable to proceed with Encrypted FPGA Array verification.";
CALL DO_EXIT;
Label_70:
IF ( ! (ULARD==1) ) THEN GOTO SKIPRCHK1;
STATUS = -30;
PRINT "FPGA Array Verification is protected by pass key.";
PRINT "A valid pass key needs to be provided.";
CALL DO_EXIT;
SKIPRCHK1:
IF ( ! (ULARD==0) ) THEN GOTO Label_71;
CHKSEC = 0;
Label_71:
LABEL_SEPARATOR = 0;
ENDPROC;


:/ looks legit

#10 n_K

n_K

    Neowinian Senior

  • 5,364 posts
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 28 May 2012 - 15:28

There was a security vuln. that someone claimed to find about 8 years ago that apparently affected ALL intel chips and no matter what OS you had or whatnot, people could (using the network card) basically have full control over the CPU [and basically the pc]. Last year I tried searching for it and couldn't find it at all but I found a few russian researches doing similiar things, have a look on intels site for erratas for their CPUs... Yes, they have full lists of problems, bugs and exploits in CPUs that CANNOT be fixed in previous generation (and current generation) CPUs. From what I remember reading, somehow apparently freeBSD is the only OS in the world to somehow patch some the CPU bugs, how it does it or if it even does I've no idea.

EDIT: Here's an article on one http://www.infoworld...intel-chips-036

Edited by n_K, 28 May 2012 - 15:30.


#11 Enron

Enron

    Windows for Workgroups

  • 8,918 posts
  • Joined: 30-May 11
  • OS: Windows 8.1 U1
  • Phone: Nokia Lumia 900

Posted 28 May 2012 - 15:40

Why are they having high security military components manufactured in China anyway?

#12 n_K

n_K

    Neowinian Senior

  • 5,364 posts
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 28 May 2012 - 15:44

Why are they having high security military components manufactured in China anyway?

Haha, didn't you hear? That's how all the 'really secure US military cards' were getting hacked recently. The card scanners all had 'upgradable' firmware that didn't need an authenticated upgrade so dodgy upgrades occured and all their card details were sent to china!

#13 9³³9

9³³9

    Neowinian

  • 95 posts
  • Joined: 26-January 08

Posted 28 May 2012 - 17:35

Haha, didn't you hear? That's how all the 'really secure US military cards' were getting hacked recently. The card scanners all had 'upgradable' firmware that didn't need an authenticated upgrade so dodgy upgrades occured and all their card details were sent to china!


"free trade" with unfree countries. oh yeah.

#14 arachnoid

arachnoid

    Times a Ticking

  • 3,227 posts
  • Joined: 03-November 11

Posted 28 May 2012 - 19:22

Why are they having high security military components manufactured in China anyway?


The sub contractors have few choices where to buy cheap chips so..........China is high on the list of component manufacturers.

#15 Mordkanin

Mordkanin

    Neowinian Senior

  • 5,394 posts
  • Joined: 15-February 04

Posted 29 May 2012 - 03:12

It's not really specified. But it would be CPU's mostly I guess. It wouldn't matter which brand if they are made in the same country.
Which one "made by intel" are you referring too?


FPGAs. The military uses FPGAs in virtually everything.

Or maybe the "backdoor" is a JTAG connector?



Basically, the "backdoor" seems to be an override for diagnostics/access via JTAG even after the chip has been locked.

Honestly, seems like an engineering/diagnostic tool that got accidentally left in production silicon (Or rather, no one thought it worth removing). I wouldn't call it a backdoor. If you have physical access to the chip, you don't even really need JTAG to access the netlist from an FPGA. It's a PITA, extremely difficult, and is actually a destructive process, but it's possible to recover the code. Code-locks should never be considered secure for super-duper high security applications.

Any expert with enough time and the proper equipment could extract an AES key from an FPGA, ASIC or microcontroller. As I said: ruins the chip, but it can be done.