China's link to chip backdoor shut close

In the world of cyberespionage, there is plenty to blame on China. But the recent discovery by a postdoctoral student in the U.K. of a backdoor in a chip is apparently not one of them.

The consensus of numerous security experts, along with the student himself, Sergei Skorobogatov, is that while the FPGA (Field Programmable Gate Array) chip was manufactured in China, there is no evidence that the Chinese put it there, or that it was intended for cyberespionage.

Skorobogatov, a senior research associate in the Security Group at the Computer Laboratory of the University of Cambridge, generated a firestorm last week with the description of his findings. He posted on his website a letter he sent to "interested government parties," which began: "UK officials are fearful that China has the capability to shut down businesses, military and critical infrastructure through cyber attacks and spy equipment embedded in computer and telecommunications equipment."

He then reported finding a backdoor in the Actel/Microsemi ProASIC3 chip, said it was "military grade," noted that while it was designed by an American company it was manufactured in China, and wrote that this, "previously unknown backdoor [was] inserted by the manufacturer."

He added: "This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure."

Skorobogatov has since backed off considerably, saying readers misinterpreted him or projected their own agendas on his writing. He wrote on his website that it was Actel, not a Chinese manufacturer, that inserted the backdoor.

"The claims about [the] Chinese being involved, was made up by someone who originally made the post at Reddit," he said. "We never said the Chinese have put a backdoor inside Actel's chips and it does not say so in our papers. It is as though people have put two and two together and made four or five or six, depending on what their agenda is."

However, Skorobogatov did say earlier that the chip was "manufactured in China" and it was the "manufacturer" that inserted the backdoor.

Skorobogatov told CSO by email he did not mean that the Chinese were the manufacturer. "Yes, the chip was fabricated in Taiwan Republic of China, but the chip manufacturer is Actel (owned by Microsemi), who developed the chip design," he wrote. "Our findings show that the traces of the backdoor can be found in the development software files."

But Microsemi disputes that. ZDNet's Michael Lee reported that Microsemi has denied that it put the backdoor in the chip. "Microsemi can confirm that there is no designed feature that would enable the circumvention of the user security," the company wrote.

Skorobogatov has also backed off his original claim that the chip he analyzed was military grade. "Because military parts are not publicly sold, we cannot comment [on] our results on them, but for the publication results, we chose A3P250 industrial device, because it behaves in the similar way as military-grade parts," he wrote on his website.

However, other analysts say Skorobogatov's suggestion that this chip is used in defense and industrial infrastructure systems is also exaggerated. Robert David Graham, writing on the Errata Security blog, called much of it "bogus."

"Much has been made about this being a 'military' chip, but that's not true -- at least, it's not what you think," he wrote.

"The military uses a lot of commercial, off-the-shelf products. A million soldiers use laptops to browse Facebook and exchange emails with their loved ones. It doesn't mean that these laptops are anything special or different than any other laptops. They are the same Dell, Apple, and HP laptops that everyone else uses."

There is also debate over the source of the backdoor. Graham, who said they are relatively common and "a byproduct of software complexity," suggested that they come from one of the most common building blocks of chips, the debugger known as JTAG. "This is a standard way of soldering some wires to the chip and connecting to the USB port, allowing common tools to debug your custom chip,"Ã'Â GrahamÃ'Â said.

"Companies [should] disable the debug feature in the version they send to customers, but that's not so easy with chips. Therefore, chips always have the JTAG interface enabled. What chip designers attempt to do is just not connect the pins to it. Or, if they connect the pins, they don't route to the pins on the circuit board," heÃ'Â said.

This, he said, can enable hacking a device, unless there is, "a key [put] into the JTAG hardware that only the manufacturer knows, to disable some of the more dangerous JTAG commands. That's what appears to have happened here."

"Whether you call this a security feature to prevent others from hacking the chip through JTAG, or a secret backdoor available only to the manufacturer, is open to interpretation," Graham said.

But ZDNet's report quotes Microsemi saying that the JTAG debugging interface "is disabled in all shipped devices."

Whatever the source of the backdoor, Joel Harding, a former military intelligence officer and now an information operations expert and consultant, said Skorobogatov's findings, "highlight a huge problem."

"There is no 'vetting' process for Chinese computers. Yes, we have independent researchers like Sergei, but how do you know that the computer on your desk doesn't contain a backdoor? Who checked the software? Is there malicious code on board?" he said.Ã'Â "There is no program looking at 99.9999% of computers to make sure they are safe and secure. Not even congressmen or senators have their computers checked."

Harding said that is why the Department of Defense launched the Trusted Foundry program for "sensitive DoD programs --- basically nuclear weapons and such. But, the vast majority of computers in the military are also not checked for hidden software, backdoors or malicious code hardwired into the system," he said.

Finally, in comment threads on various stories, people note that the chip was manufactured by UMC, a company with operations in Taiwan, Singapore and Japan, and argue that while Taiwan is part of the Republic of China, it is not as hostile to the U.S. as mainland China. One commenter, M.V., wrote: "Manufactured in China (as it is today implied) is not the same as Manufactured in Taiwan (aka R.o.C)."

Read more about security awareness in CSOonline's Security Awareness section.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

More videos

Blog Posts