Feeds

Researchers find backdoor in milspec silicon

Claim world's first finding of secret features in chips

  • alert
  • submit to reddit

Internet Security Threat Report 2014

A pair of security researchers claim to have found a back door in a commercial field-programmable gate array (FPGA) marketed as a secure tool for military applications.

The FPGA in question is the Actel ProASIC3, a device manufacturer MicroSEMI recommends for use in “portable, consumer, industrial, communications and medical applications with commercial and industrial temperature devices,” but also comes in models boasting “specialized screening for automotive and military systems.”

Sergei Skorobogatov, a researcher at the University of Cambridge, and Christopher Woods of London's Quo Vadis Labs have released a draft paper (PDF) describing a method whereby attackers can “disable all the security on the chip, reprogram crypto and access keys, modify low-level silicon features, access unencrypted configuration bitstream or permanently damage the device.”

The pair chose the ProASIC3 for their tests because, they say, it is a very widely used device, boasts of superior security and is known to have military users. Those qualities, the pair say, made it an ideal subject for a back door hunt.

The pair used the Actel's own analysis tools and the Joint Test Action Group (JTAG) interface to analyse the silicon. That analysis yielded undocumented features, thanks to discovery of what the draft paper calls “command field and data registers.”

The pair also applied differential power analysis (DPA), a method of analysing variations in electrical activity that hint at tasks being performed in silicon, and “ Pipeline Emission Analysis (PEA)” to probe the device “in an attempt to better understand the functionality of each unknown command.” Just how PEA does so is not clear: the draft paper says PEA was developed by the “sponsor” of the research, but that entity is not revealed. Even the footnote describing the technique has been redacted so it reads “ Removed to comply with anonymity requirement for submission”.

But the paper hints PEA is a more sensitive version of DPA, describing it as follows:

“The outstanding sensitivity of the PEA is owed to many factors. One of which is the bandwidth of the analysed signal, which for DPA, stands at 200 MHz while in PEA at only 20 kHz.”

PEA seems to have done the trick, yielding evidence of a passkey that allows control of many features in the FPGA.

“Further investigation,” the paper says, “revealed that this is a backdoor function with the key capable of unlocking many of the undocumented functions, including IP access and reprogramming of secure memory.”

The paper is clearly marked as a draft and Skorobogatov promises to detail the exploit fully at the 2012 Workshop on Cryptographic Hardware and Embedded Systems in Belgium.

One imagines the presentation will be rather well attended. ®

Beginner's guide to SSL certificates

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.