Cambrigde researchers find hardware backdoor in CPU's?

[Regert]

Hey, anyone seen this on any news channels?

Google translate of Swedish article.

http://translate.goo...a-processorchip

Cambrigde article. Here http://www.cl.cam.ac....html#Assurance

Basically, the article says that researchers in Cambridge have found a previously unknown hardware backdoor in chips that are used by the US military and made in China. According to the news article it's possible to enter the chip even if it's owner has locked it with his/her own code.

Update:

New links from the original article:

http://www.wired.com/dangerroom/2011/06/chips-oy-spies-want-to-hack-proof-circuits/#more-49990

&

http://articles.businessinsider.com/2011-06-27/news/30048253_1_microchips-missiles-foreign-chip-makers

Ehm, this isn't really reassuring if it's true.

/Regert

[Ci7]

what chip?

the one made by Intel?

[Regert]

what chip?

the one made by Intel?

It's not really specified. But it would be CPU's mostly I guess. It wouldn't matter which brand if they are made in the same country.

Which one "made by intel" are you referring too?

[Ci7]

It's not really specified. But it would be CPU's mostly I guess. It wouldn't matter which brand if they are made in the same country.

Which one "made by intel" are you referring too?

not anything specific , i was wandering

just imagine how powerful such a backdoor would be

[georgevella]

I am no CPU engineer, but how can this backdoor (if it exists) be used? I can understand that it can be used as a kill switch but that is the only possible use I can imagine :s

[Japlabot]

It sounds like it relates to a custom chip they ordered. Or maybe the "backdoor" is a JTAG connector?

[Regert]

I am no CPU engineer, but how can this backdoor (if it exists) be used? I can understand that it can be used as a kill switch but that is the only possible use I can imagine :s

It sounds like it relates to a custom chip they ordered. Or maybe the "backdoor" is a JTAG connector?

well. Honestly, it's a bit unclear. The swedish news article states "military processors", which I translated as a CPU in ordinary PC terms. However, in a strict techical sense, it doesn't have to be a CPU as in Central Processing Unit. It can be a microcontroller. I.E Guidance chip, good old FPGA, chipsets .. etc.

So I don't know.

The scientific "abstract" says:

"We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport."

They only speak of silicon chips in general. So I guess it will be clear by september (says somewhere on the groups(scientists page) when the paper is presented on what it actually is. Also - from a US + Allies security point of view, it would be wise to first check the actual chips before the paper goes public.

It can be that our swedish journalist translated silicon chip to processor due to the "This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport" part.

[Arachno 1D]

Also on his list of topics

In the blink of an eye: There goes your AES key

This paper is a short summary of a real world AES key extraction performed on a military grade FPGA marketed as 'virtually unbreakable' and 'highly secure'. We demonstrated that it is possible to extract the AES key from the A****/M******** P******* (P**) in a time of 0.01 seconds using a new side-channel analysis technique called Pipeline Emission Analysis (PEA) developed by Quo Vadis Labs (QVL) . This new technique does not introduce a new form of side-channel attacks (SCA). It is a method that improves upon the speed at which all SCA can be performed, on any device and especially against devices previously thought to be infeasible to break because of the time and equipment cost. Possessing the AES key for the P** would allow an attacker to decrypt the bitstream or allow them to authenticate themselves as a legitimate user. This means the device is wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan. We will show that with a very low cost hardware setup made with parts obtained from a local electronics distributor you can improve upon existing SCA by a factor of x1000 to x1,000,000 in time and at a fraction of the cost of existing SCA equipment.

http://www.cl.cam.ac...c_news.html#AES

[ThePitt]

PROCEDURE IS_SECOK USES GV,DO_EXIT;

IF ( ! (SECKEY_OK==0) ) THEN GOTO SECOK;

STATUS = -35;

PRINT "Error, pass key match failure";

CALL DO_EXIT;

SECOK:

LABEL_SEPARATOR = 0;

ENDPROC;

PROCEDURE DO_CHECK_R USES GV,DO_EXIT,DO_READ_SECURITY;

CALL DO_READ_SECURITY;

IF ( ! (ULARE==0) ) THEN GOTO Label_70;

STATUS = -37;

PRINT "FPGA Array Encryption is not enforced.";

PRINT "Cannot guarantee valid AES key present in target device.";

PRINT "Unable to proceed with Encrypted FPGA Array verification.";

CALL DO_EXIT;

Label_70:

IF ( ! (ULARD==1) ) THEN GOTO SKIPRCHK1;

STATUS = -30;

PRINT "FPGA Array Verification is protected by pass key.";

PRINT "A valid pass key needs to be provided.";

CALL DO_EXIT;

SKIPRCHK1:

IF ( ! (ULARD==0) ) THEN GOTO Label_71;

CHKSEC = 0;

Label_71:

LABEL_SEPARATOR = 0;

ENDPROC;

:/ looks legit

[n_K]

There was a security vuln. that someone claimed to find about 8 years ago that apparently affected ALL intel chips and no matter what OS you had or whatnot, people could (using the network card) basically have full control over the CPU [and basically the pc]. Last year I tried searching for it and couldn't find it at all but I found a few russian researches doing similiar things, have a look on intels site for erratas for their CPUs... Yes, they have full lists of problems, bugs and exploits in CPUs that CANNOT be fixed in previous generation (and current generation) CPUs. From what I remember reading, somehow apparently freeBSD is the only OS in the world to somehow patch some the CPU bugs, how it does it or if it even does I've no idea.

EDIT: Here's an article on one http://www.infoworld.com/d/security-central/researcher-demonstrate-attack-code-intel-chips-036

[123456789A]

Why are they having high security military components manufactured in China anyway?

[n_K]

Why are they having high security military components manufactured in China anyway?

Haha, didn't you hear? That's how all the 'really secure US military cards' were getting hacked recently. The card scanners all had 'upgradable' firmware that didn't need an authenticated upgrade so dodgy upgrades occured and all their card details were sent to china!

[9]

Haha, didn't you hear? That's how all the 'really secure US military cards' were getting hacked recently. The card scanners all had 'upgradable' firmware that didn't need an authenticated upgrade so dodgy upgrades occured and all their card details were sent to china!

"free trade" with unfree countries. oh yeah.

[Arachno 1D]

Why are they having high security military components manufactured in China anyway?

The sub contractors have few choices where to buy cheap chips so..........China is high on the list of component manufacturers.

[Mordkanin]

It's not really specified. But it would be CPU's mostly I guess. It wouldn't matter which brand if they are made in the same country.

Which one "made by intel" are you referring too?

FPGAs. The military uses FPGAs in virtually everything.

Or maybe the "backdoor" is a JTAG connector?

Basically, the "backdoor" seems to be an override for diagnostics/access via JTAG even after the chip has been locked.

Honestly, seems like an engineering/diagnostic tool that got accidentally left in production silicon (Or rather, no one thought it worth removing). I wouldn't call it a backdoor. If you have physical access to the chip, you don't even really need JTAG to access the netlist from an FPGA. It's a PITA, extremely difficult, and is actually a destructive process, but it's possible to recover the code. Code-locks should never be considered secure for super-duper high security applications.

Any expert with enough time and the proper equipment could extract an AES key from an FPGA, ASIC or microcontroller. As I said: ruins the chip, but it can be done.

[Anibal P]

Sounds like a scenario in this book I'm reading, Pakistan and India are at war, Pakistan is the aggressor and willing to use nukes

They have advanced AWACS from the US, the US Gov decides it's backing India, uses a similar backdoor to "erase the data on the chips" and databases, rendering the AWACS useless