Feeds

Researchers find backdoor in milspec silicon

Claim world's first finding of secret features in chips

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

A pair of security researchers claim to have found a back door in a commercial field-programmable gate array (FPGA) marketed as a secure tool for military applications.

The FPGA in question is the Actel ProASIC3, a device manufacturer MicroSEMI recommends for use in “portable, consumer, industrial, communications and medical applications with commercial and industrial temperature devices,” but also comes in models boasting “specialized screening for automotive and military systems.”

Sergei Skorobogatov, a researcher at the University of Cambridge, and Christopher Woods of London's Quo Vadis Labs have released a draft paper (PDF) describing a method whereby attackers can “disable all the security on the chip, reprogram crypto and access keys, modify low-level silicon features, access unencrypted configuration bitstream or permanently damage the device.”

The pair chose the ProASIC3 for their tests because, they say, it is a very widely used device, boasts of superior security and is known to have military users. Those qualities, the pair say, made it an ideal subject for a back door hunt.

The pair used the Actel's own analysis tools and the Joint Test Action Group (JTAG) interface to analyse the silicon. That analysis yielded undocumented features, thanks to discovery of what the draft paper calls “command field and data registers.”

The pair also applied differential power analysis (DPA), a method of analysing variations in electrical activity that hint at tasks being performed in silicon, and “ Pipeline Emission Analysis (PEA)” to probe the device “in an attempt to better understand the functionality of each unknown command.” Just how PEA does so is not clear: the draft paper says PEA was developed by the “sponsor” of the research, but that entity is not revealed. Even the footnote describing the technique has been redacted so it reads “ Removed to comply with anonymity requirement for submission”.

But the paper hints PEA is a more sensitive version of DPA, describing it as follows:

“The outstanding sensitivity of the PEA is owed to many factors. One of which is the bandwidth of the analysed signal, which for DPA, stands at 200 MHz while in PEA at only 20 kHz.”

PEA seems to have done the trick, yielding evidence of a passkey that allows control of many features in the FPGA.

“Further investigation,” the paper says, “revealed that this is a backdoor function with the key capable of unlocking many of the undocumented functions, including IP access and reprogramming of secure memory.”

The paper is clearly marked as a draft and Skorobogatov promises to detail the exploit fully at the 2012 Workshop on Cryptographic Hardware and Embedded Systems in Belgium.

One imagines the presentation will be rather well attended. ®

Mobile application security vulnerability report

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.