China not to blame for backdoor in US military chip

Security experts, along with researcher who found the backdoor, say no evidence of China's involvement

In the world of cyberespionage, there is plenty to blame on China. But the recent discovery by a postdoctoral student in the U.K. of a backdoor in a chip is apparently not one of them.

The consensus of numerous security experts, along with the student himself, Sergei Skorobogatov, is that while the FPGA (Field Programmable Gate Array) chip was manufactured in China, there is no evidence that the Chinese put it there, or that it was intended for cyberespionage.

Skorobogatov, a senior research associate in the Security Group at the Computer Laboratory of the University of Cambridge, generated a firestorm last week with the description of his findings. He posted on his website a letter he sent to "interested government parties," which began: "UK officials are fearful that China has the capability to shut down businesses, military and critical infrastructure through cyber attacks and spy equipment embedded in computer and telecommunications equipment."

He then reported finding a backdoor in the Actel/Microsemi ProASIC3 chip, said it was "military grade," noted that while it was designed by an American company it was manufactured in China, and wrote that this, "previously unknown backdoor [was] inserted by the manufacturer."

He added: "This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure."

Skorobogatov has since backed off considerably, saying readers misinterpreted him or projected their own agendas on his writing. He wrote on his website that it was Actel, not a Chinese manufacturer, that inserted the backdoor.

"The claims about [the] Chinese being involved, was made up by someone who originally made the post at Reddit," he said. "We never said the Chinese have put a backdoor inside Actel's chips and it does not say so in our papers. It is as though people have put two and two together and made four or five or six, depending on what their agenda is."

However, Skorobogatov did say earlier that the chip was "manufactured in China" and it was the "manufacturer" that inserted the backdoor.

Skorobogatov told CSO by email he did not mean that the Chinese were the manufacturer. "Yes, the chip was fabricated in Taiwan Republic of China, but the chip manufacturer is Actel (owned by Microsemi), who developed the chip design," he wrote. "Our findings show that the traces of the backdoor can be found in the development software files."

But Microsemi disputes that. ZDNet's Michael Lee reported that Microsemi has denied that it put the backdoor in the chip. "Microsemi can confirm that there is no designed feature that would enable the circumvention of the user security," the company wrote.

Skorobogatov has also backed off his original claim that the chip he analyzed was military grade. "Because military parts are not publicly sold, we cannot comment [on] our results on them, but for the publication results, we chose A3P250 industrial device, because it behaves in the similar way as military-grade parts," he wrote on his website.

However, other analysts say Skorobogatov's suggestion that this chip is used in defense and industrial infrastructure systems is also exaggerated. Robert David Graham, writing on the Errata Security blog, called much of it "bogus."

"Much has been made about this being a 'military' chip, but that's not true -- at least, it's not what you think," he wrote.

"The military uses a lot of commercial, off-the-shelf products. A million soldiers use laptops to browse Facebook and exchange emails with their loved ones. It doesn't mean that these laptops are anything special or different than any other laptops. They are the same Dell, Apple, and HP laptops that everyone else uses."

There is also debate over the source of the backdoor. Graham, who said they are relatively common and "a byproduct of software complexity," suggested that they come from one of the most common building blocks of chips, the debugger known as JTAG. "This is a standard way of soldering some wires to the chip and connecting to the USB port, allowing common tools to debug your custom chip," Graham said.

"Companies [should] disable the debug feature in the version they send to customers, but that's not so easy with chips. Therefore, chips always have the JTAG interface enabled. What chip designers attempt to do is just not connect the pins to it. Or, if they connect the pins, they don't route to the pins on the circuit board," he said.

This, he said, can enable hacking a device, unless there is, "a key [put] into the JTAG hardware that only the manufacturer knows, to disable some of the more dangerous JTAG commands. That's what appears to have happened here."

"Whether you call this a security feature to prevent others from hacking the chip through JTAG, or a secret backdoor available only to the manufacturer, is open to interpretation," Graham said.

But ZDNet's report quotes Microsemi saying that the JTAG debugging interface "is disabled in all shipped devices."

Whatever the source of the backdoor, Joel Harding, a former military intelligence officer and now an information operations expert and consultant, said Skorobogatov's findings, "highlight a huge problem."

"There is no 'vetting' process for Chinese computers. Yes, we have independent researchers like Sergei, but how do you know that the computer on your desk doesn't contain a backdoor? Who checked the software? Is there malicious code on board?" he said. "There is no program looking at 99.9999% of computers to make sure they are safe and secure. Not even congressmen or senators have their computers checked."

Harding said that is why the Department of Defense launched the Trusted Foundry program for "sensitive DoD programs --- basically nuclear weapons and such. But, the vast majority of computers in the military are also not checked for hidden software, backdoors or malicious code hardwired into the system," he said.

Finally, in comment threads on various stories, people note that the chip was manufactured by UMC, a company with operations in Taiwan, Singapore and Japan, and argue that while Taiwan is part of the Republic of China, it is not as hostile to the U.S. as mainland China. One commenter, M.V., wrote: "Manufactured in China (as it is today implied) is not the same as Manufactured in Taiwan (aka R.o.C)."

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies