

Cyberwar: China's move discovered
May 27, 2012 7:38 PM

Revolutionary hardware backdoor discovered in China-made military-grade FPGA chips. Claims were made by the intelligence agencies around the world, from MI5, NSA and IARPA, that silicon chips could be infected. We developed breakthrough silicon chip scanning technology to investigate these claims. We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.
posted by scalefree (152 comments total) 55 users marked this as a favorite

 
Never a bad time to mention Ken Thompson's classic paper, Reflections On Trusting Trust.
posted by mhoye at 7:41 PM on May 27, 2012 [21 favorites]


Someone offering me a solution to a problem I didn't even know I had?? Where do I sign?
posted by gjc at 7:43 PM on May 27, 2012 [3 favorites]


Flagged as "One Ping, and one Ping only, Yuri."
posted by vozworth at 7:45 PM on May 27, 2012 [6 favorites]


Pepsi Cyberwar Chips?
posted by ChurchHatesTucker at 7:46 PM on May 27, 2012


Guesses on what the actual chip in question is? Actel? Atmel? Achronix?
posted by newdaddy at 7:47 PM on May 27, 2012


Holy crap. It's a neat economic attack too; the costs of checking all the openly acknowledged Chinese made FPGAs alone would already be astronomical. It's not even like the whole batch has to be backdoored, as an intelligence service could just set up one in a hundred to be backdoored.

That's also ignoring all of the Chinese fake stuff that ends up with European or American markings and is used in NATO kit, and all of the other chip[sets] that might or might not be backdoored, or work to create backdoors that only work when more than one chip combines. Assuming bad faith, one could make this very hard to catch.
posted by jaduncan at 7:47 PM on May 27, 2012 [8 favorites]


I'm kind of intrigued that these chips are manufactured in China in the first place.
posted by carter at 7:49 PM on May 27, 2012 [47 favorites]


I'd expect they'll find more the harder they look, especially with so much engineering being outsourced now. Ideally, we should require that all systems involved in military or economically sensitive work should be manufactured completely inside the U.S., and designed jointly with only "trustworthy" places. Europe should do likewise of course. Yey stimulus!
posted by jeffburdges at 7:51 PM on May 27, 2012 [23 favorites]


Sounds like an act of war to me.
posted by spitbull at 7:52 PM on May 27, 2012 [6 favorites]


This seems more like a press release for an upcoming product from the company mentioned on that page.
posted by Johnny Wallflower at 7:56 PM on May 27, 2012 [6 favorites]


We have always been at war with Eastasia, spitbull.
posted by carter at 7:56 PM on May 27, 2012 [21 favorites]


This seems more like a press release for an upcoming product from the company mentioned on that page.

This is announcing the birth of a whole new industry let alone a single company's product. They're just the first ones out the gate.
posted by scalefree at 7:59 PM on May 27, 2012 [5 favorites]


We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China

OK, prove it. The entire thing balances on this statement. Which chip? Why is it manufactured in China, if it's so "secure?"

Further funding is needed for us to progress to testing further silicon chips

Hmm
posted by circular at 8:00 PM on May 27, 2012 [9 favorites]


The article is pretty press-releasy. OTOH it's definitely a believable attack. And the source, the security group at Cambridge, is one of the best academic security departments around. They have significant credibility.
posted by Nelson at 8:01 PM on May 27, 2012 [11 favorites]


I'm kind of intrigued that these chips are manufactured in China in the first place.

I love how this is eventually going to come up as part of a disaster, and everyone will act surprised, even though I saw this issue discussed on a TV show years ago. We outsource nearly all of our security services and production, what could possibly go wrong? I’m sure that no one could have predicted whatever calamity ensues.
posted by bongo_x at 8:07 PM on May 27, 2012 [6 favorites]


Two Things:
1. This is my surprised face
2. Hey HEY - who wants to see American Mfg resurgent before an election?
posted by Farce_First at 8:11 PM on May 27, 2012 [5 favorites]


I'm kind of intrigued that these chips are manufactured in China in the first place.

Yeah, me too.

posted from my iPhone.
posted by furiousxgeorge at 8:12 PM on May 27, 2012 [46 favorites]


First mention of the idea of a chip-level exploit I can think of would be Winn Schwartau in 1991.
posted by scalefree at 8:13 PM on May 27, 2012


I remember some alarm bells coming up about the number of military chips being made in China years ago. Maybe under Clinton? Bush II's first term? Regardless, I remember the assurance was along the lines of "Pfft, we're all friends now, China's not going to do anything, they need our awesome American money and trading too much. Besides, we don't do anything so crude as MAKE things in America anymore. We're all Knowledge Workers now."

Regardless, I enjoy the idea--in a morbid humor sort of way--of the elite American air and naval armada about to put the beatdown on China, and then someone in Beijing flips a switch and everything turns off.
posted by Ghostride The Whip at 8:13 PM on May 27, 2012 [18 favorites]


Sounds like an act of war to me.

Sounds like you're not super-familiar with the history of espionage, to me. Whilst this potentially would be a huge escalation of previous efforts, it's very much of a piece with espionage in general, and very unlikely to start a war.

Don't you remember before Bush got 9/11 the fears he was stoking war with China and the bugged "spy plane" etc?
posted by smoke at 8:18 PM on May 27, 2012 [3 favorites]


When my company was looking at fabbing a chip, we started by crossing China off the list. Not because we were worried about this kind of security attack, but simply because we figured they'd rip off our designs.
posted by ryanrs at 8:19 PM on May 27, 2012 [7 favorites]


There was no question that China would engage in hardware hacking, circular, well the post observes that MI5, NSA, IARPA, etc. have been expecting it.

I personally expected we'd catch them launching viruses from drives or ram long before they bothered hacking the chip, maybe drives and ram are old hat by now, but nobody caught 'em.
posted by jeffburdges at 8:20 PM on May 27, 2012


Last time I checked China didn't have hundreds of military bases around the globe and a habit of starting wars. I for one welcome our peace loving remotely disabling missile Sino overlords.

Or maybe they'll just send a signal from a satellite that will brick everyone's cable boxes. Society collapses hours later.
posted by Damienmce at 8:20 PM on May 27, 2012 [13 favorites]


A blackboard is insecure. What you write on it may be secure, but it is up to you to keep what you write on it from prying eyes.

FPGAs are blank slates, like a blackboard. After you buy it you can download your design into it. How do you keep prying eyes from seeing what you downloaded into it? If it is a RAM based design (like Xilinx and Altera), its design is loaded from an external PROM, and the loading process can be easily probed if you have access to the equipment.

That's why these companies have come up with a way for the design in the PROM to be encrypted. The chip unencrypts it as it loads it. I have no idea, but I'm guessing that this is what was 'backdoored'.

However, chip probing techniques like this company has are standard in the industry (maybe theirs is more sophisticated, I'm not sure). It has been long known that you could probe an FPGA after it has been loaded to figure out what the design is.

In other words, I'm not sure there's anything the Department of Defence is going to panic about. What's scary is just the fact that they did this. Where else are they doing things like this? For example, was Australia right to exclude China's Huawei telecommunications equipment from their networks for security reasons?
posted by eye of newt at 8:21 PM on May 27, 2012 [9 favorites]


I feel less like a crazy paranoid wonk yelling for people to get off her lawn for being uncomfortable with critical technology being manufactured by countries other than my own.
posted by rmd1023 at 8:30 PM on May 27, 2012 [3 favorites]


The American military cannot possibly be so stupid as to use chips made in China, can they? I mean, of course the Chinese would build backdoors into the chips. Why wouldn't you expect that?
posted by Dasein at 8:31 PM on May 27, 2012 [16 favorites]


This is something I've talked about in detail with my labmates. There are ways to design backdoors into chips that are damn near impossible to detect, if you rely on spread spectrum activation or hide a state in a 1,000,000-state machine. What looks like don't-care logic can secretly activate a soft radio, for instance.

We're entering a very, very fascinating era.

By the way, FPGA security is an on-going research topic -- my friend's doing his dissertation on this exact topic, and it's amazing how creative they get.
posted by spiderskull at 8:36 PM on May 27, 2012 [6 favorites]


Guesses on what the actual chip in question is? Actel? Atmel? Achronix?

Is the redaction of "A****/M******** P******* (P**)" on the linked page (and the pictured paper on that page) not leaky enough to identify it?
posted by We had a deal, Kyle at 8:36 PM on May 27, 2012 [1 favorite]


jeffburdges -- they could use a hard drive microcontroller as an attack vector, but remember, missiles don't run spinning disks, and most definitely do run FPGAs.
posted by spiderskull at 8:37 PM on May 27, 2012 [2 favorites]


Oh shit, I guess we better have more censorship and government control over the internet! I mean, it's not like the internet was actually involved in Stuxnet. And it's not like the internet was involved with this. But! Cyberdefense! Cyberattacks! OMG!

Hmm... also, are they really sure that the backdoor was put in by the Chinese, and not by the US designers?
posted by delmoi at 8:39 PM on May 27, 2012 [16 favorites]


Forgive the morbid nature of this dream, but imagining the disastrous consequences of this long expected problem, one can't help but be a little giddy at the blowback for the people that have been outshoring our industry for 30 years.

Shame they'd probably just ignore the lesson anyway, even when purchased with thousands of lives.
posted by Chekhovian at 8:42 PM on May 27, 2012 [2 favorites]


I don't have numbers on real parts for you, Dasein, but here's a story in Businessweek about fake Chinese electronics turning up in US military hardware.
posted by Ghostride The Whip at 8:42 PM on May 27, 2012


>I mean, of course the Chinese would build backdoors into the chips. Why wouldn't you expect that?

I imagine almost everyone expected it; the problem is just the financial incentive for ignoring the problem, and the fact that US governmental and corporate Powers That Be have boxed themselves into a corner:

Our system almost cannot resist Low Low Prices.
posted by darth_tedious at 8:44 PM on May 27, 2012 [7 favorites]


the problem is just the financial incentive
the problem is just the scale of the financial incentive
posted by darth_tedious at 8:46 PM on May 27, 2012 [2 favorites]


The only appropriate and proportional response would be a twitter account in the hands of every Chinese citizen.
posted by b1tr0t at 8:47 PM on May 27, 2012 [3 favorites]


Don't you remember before Bush got 9/11 the fears he was stoking war with China and the bugged "spy plane" etc?
Are you talking about this - where the Chinese had their presidential plane outfitted by a US based company, and they later found 27 bugs in the bedroom and bathroom?
posted by delmoi at 8:49 PM on May 27, 2012 [4 favorites]


I propose we wait until China steps away from the computer, forgetting to log out of Facebook, and then we can post some status updates that make them look really foolish.
posted by snofoam at 8:51 PM on May 27, 2012 [19 favorites]


So much "told you so" to be passed around to all guilty parties involved with lowest price bidding, war profiteering and the insane profits of the military-industrial complex. And yet not one punitive action will happen to any of them. Sheer madness.
posted by Purposeful Grimace at 9:00 PM on May 27, 2012 [4 favorites]


I saw a program a few years ago that stated that the only IC's used in the US military that are required to be made in the USA are those that will be used in nuclear weapons. One of the national labs has a fab facility, IIRC. Not sure if it's still the case.
posted by InsertNiftyNameHere at 9:09 PM on May 27, 2012


b1tr0t: "The only appropriate and proportional response would be a twitter account in the hands of every Chinese citizen."

Hahaha! Silly rabbit, Cisco sold China the technology to block out Twitter in favor of their home-grown Sina Weibo. What looked like make-work, was actually a cultural defense maneuver. Twenty dimensional chess, indeed!
posted by stratastar at 9:09 PM on May 27, 2012 [2 favorites]


Or maybe they'll just send a signal from a satellite that will brick everyone's cable boxes. Society collapses hours later.

A signal will enable free premium channels and intravenous ESPN to completely disable the US hours before an attack.
posted by benzenedream at 9:17 PM on May 27, 2012 [2 favorites]


Rationally Paranoid since 2008.
This past January, two brothers from Texas, Michael and Robert Edman, appeared in court to face federal charges of selling counterfeit computer equipment to, among others, the Air Force, Marine Corps, Federal Aviation Administration, Department of Energy, numerous universities and defense contractors such as Lockheed Martin. According to prosecutors, the pair, working largely out of Michael Edman's house in the rural town of Richmond, bought cheap network cards from a supplier in China. They also purchased labels and boxes carrying the logo of Cisco Systems, the U.S.-based hardware giant. Until a source in China tipped off the FBI, no one could tell that the parts were Cisco knockoffs rather than the real thing. There are estimates that 7 to 10 percent of all the high-tech products sold worldwide are counterfeits.
posted by unliteral at 9:19 PM on May 27, 2012


Is the redaction of "A****/M******** P******* (P**)" on the linked page (and the pictured paper on that page) not leaky enough to identify it?

Certainly the unredacted quoted advertising blurb was.
posted by Ogre Lawless at 9:25 PM on May 27, 2012 [1 favorite]


Who ever thought they wouldn't do this?

Out-sourcing defense contractors, I guess.
posted by jamjam at 9:32 PM on May 27, 2012 [1 favorite]


Most times one would use such a thing in a military product, one wouldn't make the programming interface accessible to the outside world.

Still, if the hardware were compromised, this would provide a ready means of reverse-engineering it.
posted by newdaddy at 9:34 PM on May 27, 2012 [1 favorite]


Kinda cool to think that when the missiles are launched, they'll just brick.
posted by maxwelton at 9:34 PM on May 27, 2012 [2 favorites]


It's not just foreign suppliers that our military is vulnerable to. Wait 'til Halliburton reveals what they've been putting in the MRE enchiladas!
posted by benito.strauss at 9:35 PM on May 27, 2012


Regardless, I enjoy the idea--in a morbid humor sort of way--of the elite American air and naval armada about to put the beatdown on China, and then someone in Beijing flips a switch and everything turns off.

Did anyone else get a mental image of vipers shutting down from the Battlestar Galactica miniseries at this point?
posted by George_Spiggott at 9:35 PM on May 27, 2012 [8 favorites]


In any event, you know it's over when we're unable to even act in our own national self-interest because of the overriding singular self-interest of the crony capitalists in charge of doing so.
posted by George_Spiggott at 9:39 PM on May 27, 2012 [26 favorites]


Who ever thought they wouldn't do this?

Oh c'mon, there's nobody on this earth who thought they wouldn't do this. There's such a long tradition of these kinds of shenanigans. Any time - ANY time - you outsource your security, you are vulnerable. Anyone remember the story of how the U.S. embassy was built in Moscow with local labor, and was later found to be so riddled by listening devices and structural features conducive to monitoring, that after an extremely lengthy and expensive effort to secure the building by our best counter-intelligence agents, it was deemed unrescuable, and declared a total loss. Of course, it was too much trouble and money to build a new one, so they stuck with the old one, except you could no longer conduct classified communications within the embassy, so other arrangements had to be made for secure communications. The whole military industrial complex is one boondoggle after another... seen from the taxpayer's point of view... on the other hand seen from the industry profiteers' point of view, why it's a brilliantly efficient taxpayer robbery enterprise.
posted by VikingSword at 9:40 PM on May 27, 2012 [14 favorites]


so other arrangements had to be made for secure communications

IIRC, the other arrangements involved building three new floors with American labor and materials that they could actually secure.
posted by cosmic.osmo at 9:58 PM on May 27, 2012


This is probably not a surprise, just the next turn of the worm.

http://www.levin.senate.gov/newsroom/speeches/speech/opening-statement-at-sasc-hearing-on-counterfeit-electronic-parts-in-dod-supply-chain/

To think that the chips used in our war machines can only be manufactured in the US is not realistic. The US is a global version of Rome. We require the world to make the components that we build into weapons of destruction. It's a shared fate really.
posted by roboton666 at 10:08 PM on May 27, 2012 [1 favorite]


To think that the chips used in our war machines can only be manufactured in the US is not realistic. The US is a global version of Rome. We require the world to make the components that we build into weapons of destruction.

One hears variants on this a lot these days, but I'd require proof that the hollowing out of our domestic capabilities was actually inevitable; alternative scenarios are at least imaginable, starting with not incentivizing profit-taking over investment for a period of decades. To hear people talk now we've become a revoltingly "can't do" country, but I really think it's more "won't".
posted by George_Spiggott at 10:15 PM on May 27, 2012 [17 favorites]


Yeah the entire building is now a warehouse of paper taking up a city block of Moscow's most expensive real estate. The building can't even be repurposed.

When China built its new monstrosity of an embassy in D.C. (designed by I.M. Pei, no less...); they had an entire barracks full of male Chinese workers flown in to work. I thought, we're not gonna pull a fast one on these guys. They lived in trailers across the street for more than a year. I never saw a one at the Starbucks or the crappy Chinese buffet across the street. They probably had minders to cross that one street to work.

Pics, Streetview. What an ugly building.
posted by stratastar at 10:15 PM on May 27, 2012


George, from the office of Carl Levin, US Senator:

(In the link I posted)

"Ted Glum, who is the director of the Department of Defense’s Microelectronics Activity Unit, the government’s official authority on this issue, put it this way: 'The defense community is critically reliant on a technology that obsoletes itself every 18 months, is made in unsecure locations and over which we have absolutely no market share influence.' An electronic part may be manufactured for eighteen months, while the defense systems it is used on may be in service for eighteen years – or longer."

You may not like the answer I'm giving you, but then again you haven't really begun to address the problem lodged within your complaint.

I think ultimately the Western Empire will accept it, fail forward and move on.
posted by roboton666 at 10:33 PM on May 27, 2012


Having done this to a customer design is a tremendous breach of customer trust, if it's true. Imagine the cost to develop an FPGA and what a hit to a company it would be to suddenly find that part closed to certain markets. I would expect the domestic company to take their fab business elsewhere in future cycles, at a minimum. I would expect similar customers to embargo the involved fab house as well.

Honestly I would expect lawsuits. I haven't looked at a fab agreement in years but I doubt it would provide cover for this.

Also, organizations such as the Institute of Electrical and Electronics Engineers would be wise to take a stand against such activities. Business is business, and trust is a big part of that.
posted by newdaddy at 10:39 PM on May 27, 2012 [2 favorites]


The decision process will be somewhat messy but ultimately what's required is a national hardware security audit, along the scale of Y2K. Hopefully we get the design & the execution more right than wrong.
posted by scalefree at 10:49 PM on May 27, 2012 [2 favorites]


Why would they broadcast to China that we know what they've done before they have a chance to deal with it?
posted by cmoj at 10:50 PM on May 27, 2012 [1 favorite]


Is the redaction of "A****/M******** P******* (P**)" on the linked page (and the pictured paper on that page) not leaky enough to identify it?

I'm pretty sure this is "Actel/Microsemi ProASCI3 (P60)". On preview, I see Ogre Lawless got there before me.

I'm not entirely convinced that this "backdoor" was actually surreptitiously inserted into these chips in China (Actel is a U.S. company, and designs these chips themselves, but has the chips made in China at what is called a "fab").

First, a bit of background. These chips are a very popular set of "programmable" chips, called an FPGA. They fill an interesting niche in electronic design. Sometimes products need functionality that can't be found in an off-the-shelf chip. So, for complete flexibility, one might choose to instead use a microcontroller, but they're "slow" compared to a custom designed chip (ASIC). However, ASICs have a very high upfront cost, so they are rarely economical for products that are going to have a small manufacturing run (either because the customer only needs a small number of devices, or the design is expected to change frequently). FPGAs fill the middle ground between microcontrollers and ASICs, not as fast as an ASIC and expensive individually, but easy to modify and without the huge upfront cost of an ASIC.

So, as eye of newt mentioned above, a company that chooses to use an FPGA wants to be able to modify the behavior of the FPGA, but doesn't want it to be easy for their competitors to copy their design. So FPGA chip designers like Actel have built encryption into their FPGA designs. The company that uses an FPGA chip picks an encryption key, and only someone who knows the key can modify or read out the internal design from the FPGA chips in their products.

This leads me to why this might not be a backdoor inserted by the fab in China. It is possible that Actel themselves designed this backdoor into their FPGAs. Why would they do this? It's not inconceivable that in order to support their customers, they have to have a way to read out the design from a chip when the key is unknown, but the customer can prove that they are the owner. Essentially a "send it back to us and we'll unlock it" service.

It will be interesting to hear Actel's response.
posted by RichardP at 10:56 PM on May 27, 2012 [47 favorites]


Argh... that should have been "Actel/Microsemi ProASIC3 (P60)".
posted by RichardP at 11:09 PM on May 27, 2012 [1 favorite]


Sounds like an act of war to me.

More like an act of insurance, in the sense that US arms dealers (Lockheed Martin, etc.) very probably put in the same measures in weapons authorized by the State Department to be sold to "allies".
posted by Blazecock Pileon at 11:24 PM on May 27, 2012


OK, so there's a Back Door built into this chip. Now, how might Bad Guys go about exploiting it? Do they have to gain access to the military equipment, open the case, pull out a circuit board, attach probes to the chip? Or something else? (I find it questionable that the Back Door, while operating in its intended function, could somehow phone home....)
posted by exphysicist345 at 11:32 PM on May 27, 2012 [3 favorites]


First they came for our military hardware, but hey - I was like - I'm a liberal commie pinko so what do I need with military weaponry anyway. Then they came for my cable box but I simultaneously said - thank god, Fox News is finally off the air / is this something I would need a TV to care about anyway. Then they came for my iPhone - and not even the geniuses at the apple store could help me...
posted by Nanukthedog at 11:42 PM on May 27, 2012 [2 favorites]


RichardP, makes sense. Occam's Razor favors the mundane explanation over the elaborate yellow peril conspiracy theory.
posted by stbalbach at 11:53 PM on May 27, 2012 [1 favorite]


I worked in semiconductors for many years and in programmable logic chips like FPGA for a good part of that time.

I call BULLSHIT.

There's no way a fab in China or anywhere else could engineer in a backdoor to an existing US designed chip. The Chinese fab gets a mask set - that is a set of computer files that graphically describe each layer of the chip. There are many layers (say 40~50). These layers are generated automatically by pretty complex software from higher level design files that describe the functionality of the chip. This process is very hard - it takes a long time to get a chip that works at the required performance. A lot of tweaks are needed. Now if you're really clever you might be able to reconstruct some of the functionality from just the layers, so you can kinda work out how the chip works. Think of it like reverse compiling C code from a binary file - you get code but it's not easy to understand. But to then change that in a major way like adding some kind of backdoor and then recreate the layers without screwing anything up without access to the original design files is just not credible.

Functionality like a backdoor is probably built in by the manufacturer. Yes someone could find it and wipe the design then reprogram with something else. So yea, backdoor by manufacturer dumb vulnerability. But it has nothing to do with Chinese fabs, anybody could get their hands on the chip and reverse engineer access to the design.

So chalk this up to a smart guy working this out and then the publicity dept adding the OMFG CHINA ATTACKS OUR BABIES angle.
posted by Long Way To Go at 12:00 AM on May 28, 2012 [31 favorites]


How sure can you be about that, though, Long Way? Remember that our spy agencies try to employ some seriously, frighteningly intelligent people. These guys and gals operate at a level that we normal humans can barely even perceive, much less approach.

What I read your post as saying is that, in essence, "The Chinese are too stupid to do this", but they have a much larger population than ours, so presumably they have a larger pool of terrifyingly intelligent people to draw from. And this is the kind of hack that the West's spy agencies, at their peak, could absolutely have done.

Asserting that the Chinese don't have anyone of Turing's or Rivest's or Shamir's class is probably not very accurate. The fact that we don't know they have them, given the language barriers and that government's penchant to secrecy, isn't evidence one way or the other. In fact, if we don't know about a good number of Chinese genius-level intellects, that's probably evidence that they're in the government somewhere, since otherwise we would have heard about them.

tl;dr version: 'this is really hard to do' does not fly as a counter-argument when you're dealing with governments that can secretly throw nearly unlimited resources at a problem.
posted by Malor at 12:25 AM on May 28, 2012 [2 favorites]


seconding BULLSHIT!

this nyt article summarizes nicely the Obama Administration's paranoia about doing anything electronic in china....they basically say: leave electronics at home, everything will be listened to..... even the printers and thermostats have ears (and IP addresses)!
posted by dongolier at 12:27 AM on May 28, 2012 [1 favorite]


.... our spy agencies try to employ some seriously, frighteningly intelligent people.

People like Léon Theremin, who can make things.
posted by StickyCarpet at 12:39 AM on May 28, 2012 [6 favorites]


First mention of the idea of a chip-level exploit I can think of would be Winn Schwartau in 1991

The parallel that comes to my mind is the apparent US sabotage of a Siberian gas pipeline in the early 1980s (previously).

OK, so there's a Back Door built into this chip. Now, how might Bad Guys go about exploiting it?

From my reading of the article this is more useful for industrial espionage than for haxx0ring equipment. It makes it easier to reverse-engineer things containing those chips, but still not easy.

The researcher is trying to sell their technique as a way to verify that a manufactured chip still meets its original spec and hasn't been compromised at the fab. But in this case, my guess is Long Way is right and the backdoor was put in by the original designer. It wouldn't have been as big a problem except that the backdoor's key is, unexpectedly, extractable (via a sidechannel attack discovered by the hardware verification).
posted by hattifattener at 12:47 AM on May 28, 2012 [2 favorites]


Let's not overlook suspect number two: We did it.
posted by wobh at 12:54 AM on May 28, 2012 [2 favorites]


But to then change that in a major way like adding some kind of backdoor and then recreate the layers without screwing anything up without access to the original design files is just not credible.

I disagree. Chips synthesized from a standard library of cells can probably be somewhat 'decompiled' and re-synthesized with changes. I'm not saying it's easy, but I'd think it'd be within the reach of a state or large corporation.

It'd also be easy to detect, though. The fab's customers could decap and grind down a sampling of the manufactured chips and compare them to the masks they'd originally sent over. This wouldn't require any of the fancy analysis that the FPP article is talking about— just a straightforward "is this what we asked them to fab or is it different?" test.

Me, if I were going to put sekrit backdoors into chips, I'd do it with a Ken Thompson-style subversion of the designing company's logic synthesis software. Or I'd just blackmail one of their engineers, I guess.
posted by hattifattener at 1:04 AM on May 28, 2012 [2 favorites]
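
Added example, not part of the thread or of any commenter's post: a sketch of the "is this what we asked them to fab or is it different?" check described in the comment above, comparing imaged layers of a sampled chip against the mask set that was sent to the fab. The layer names, the `#`/`.` grid format, the `min_area` noise threshold and all sample data are constructed assumptions; real layers would first need imaging and alignment.

```python
"""Golden-mask comparison sketch. All names and data are hypothetical."""
from collections import deque


def parse_layer(rows):
    """Turn rows of '#' (material) / '.' (empty) into a grid of 1/0 cells."""
    grid = [[1 if ch == "#" else 0 for ch in row] for row in rows]
    if len({len(r) for r in grid}) > 1:
        raise ValueError("layer rows have different widths")
    return grid


def diff_regions(golden, imaged, min_area=2):
    """Group mismatching cells into 4-connected regions.

    Regions smaller than min_area are treated as imaging noise and dropped.
    Each region is reported with its kind ('added', 'removed' or 'mixed'),
    its area in cells and its bounding box (top, left, bottom, right).
    """
    if len(golden) != len(imaged) or any(
        len(g) != len(i) for g, i in zip(golden, imaged)
    ):
        raise ValueError("layers differ in size; align them before comparing")
    height = len(golden)
    width = len(golden[0]) if golden else 0
    seen = [[False] * width for _ in range(height)]
    regions = []
    for y in range(height):
        for x in range(width):
            if seen[y][x] or golden[y][x] == imaged[y][x]:
                continue
            # Breadth-first flood fill over neighbouring mismatching cells.
            queue = deque([(y, x)])
            seen[y][x] = True
            cells = []
            while queue:
                cy, cx = queue.popleft()
                cells.append((cy, cx))
                for ny, nx in ((cy - 1, cx), (cy + 1, cx), (cy, cx - 1), (cy, cx + 1)):
                    if (
                        0 <= ny < height
                        and 0 <= nx < width
                        and not seen[ny][nx]
                        and golden[ny][nx] != imaged[ny][nx]
                    ):
                        seen[ny][nx] = True
                        queue.append((ny, nx))
            if len(cells) < min_area:
                continue
            # A mismatching cell set to 1 in the image is material the mask lacks.
            extra = sum(imaged[cy][cx] for cy, cx in cells)
            kind = "added" if extra == len(cells) else "removed" if extra == 0 else "mixed"
            ys = [c[0] for c in cells]
            xs = [c[1] for c in cells]
            regions.append(
                {"kind": kind, "area": len(cells), "bbox": (min(ys), min(xs), max(ys), max(xs))}
            )
    return regions


def compare_chip(golden_layers, imaged_layers, min_area=2):
    """Compare every named layer; return only the layers that have findings."""
    if golden_layers.keys() != imaged_layers.keys():
        raise ValueError("layer sets differ between mask set and imaged chip")
    findings = {}
    for name in golden_layers:
        regions = diff_regions(
            parse_layer(golden_layers[name]), parse_layer(imaged_layers[name]), min_area
        )
        if regions:
            findings[name] = regions
    return findings


# Constructed sample: two layers of the mask set sent to the fab ...
GOLDEN = {
    "poly": ["..##....", "..##....", "........"],
    "metal1": ["########", "........", "..####..", "........", "........", "########"],
}
# ... and the same layers as imaged from a decapped sample chip. "metal1" has a
# one-cell speck (imaging noise) and a 2x2 block that is not in the mask.
IMAGED = {
    "poly": ["..##....", "..##....", "........"],
    "metal1": ["########", "......#.", "..####..", ".##.....", ".##.....", "########"],
}

if __name__ == "__main__":
    for layer, regions in compare_chip(GOLDEN, IMAGED).items():
        for region in regions:
            print(layer, region)
```

The noise threshold is the judgement call: set too high it hides small edits, set too low every imaging speck becomes a finding to investigate.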


You can't verify a chip does what you think it does. People who think you can ignore the fact that at the end of the day it's a three dimensional analog machine and stuff can always be made to optically look like one thing while electrically being another.

There are some preliminary noises that this particular "backdoor" isn't really one, or that if it is one, it was designed in by Actel and not injected during manufacturing. I'm in wait-and-see mode.
posted by effugas at 1:05 AM on May 28, 2012 [1 favorite]


These guys and gals operate at a level that we normal humans can barely even perceive, much less approach.

So why aren't we tripping over people who are merely Einstein smart all the damn time?

I mean, I worked for a major research corporation and had to explain how I diluted to an exact concentration (algebra) to one of our research fellows once. Yeah, I don't really believe that big corporations are any kind of meritocracy either, but for this to be the case intelligence would have to be distributed over a normal curve but there would also need to be a second peak out around IQ 200 or we should be running into a lot more people who are razor sharp but didn't quite make the NSA leading edge of a Vingian singularity scary smart cut.
posted by Kid Charlemagne at 1:05 AM on May 28, 2012 [1 favorite]


Revolutionary and breakthrough are marketing words. Any claim made with marketing words reduces the seeming urgency of the claimed crisis. Is this one actually urgent?
posted by damehex at 1:06 AM on May 28, 2012 [2 favorites]


Yeah, me too.

posted from my iPhone.


Me three.

posted from furiousxgeorge's iPhone
posted by obiwanwasabi at 1:19 AM on May 28, 2012 [14 favorites]


And when I say security, I mean SECURITY!!!
posted by Blazecock Pileon at 1:33 AM on May 28, 2012


It's not inconceivable that in order to support their customers, they have to have a way to read out the design from a chip when the key is unknown, but the customer can prove that they are the owner. Essentially a "send it back to us and we'll unlock it" service.

The chances of OEM military sales departments jumping all over that as a feature are approximately nil.
posted by jaduncan at 2:03 AM on May 28, 2012 [1 favorite]


Who is the "we" of which you speak? Or is the paragraph an extract from the article?
posted by infini at 2:05 AM on May 28, 2012


It's certainly possible Actel built this particular backdoor themselves, but all the spy agencies agree such attacks should be expected. You're dreaming if you imagine China doesn't possess the original design files though, Long Way To Go, which includes at least knowing about this backdoor. We're outsourcing spectacular amounts of design work of course. If Microsemi doesn't outsource any design, they're still vulnerable to good old industrial espionage, which the Chinese do quite effectively.
posted by jeffburdges at 2:22 AM on May 28, 2012 [2 favorites]


It's a press-released paper, which is a bad sign to start off with.

If it's true, then Actel could have done it, the US security services could have done it, the Chinese could have done it, the Vatican could have had someone involved in the tool chain to do it. The days when any one actor in the design->part sequence can be expected to be able to prevent any sort of exploit from any other actor have long since gone.

All of this, seen as victim or aggressor, is as true for the Chinese as it is for us.

Welcome to the 21st century.
posted by Devonian at 2:42 AM on May 28, 2012 [1 favorite]


On the road south from Gua Musang towards Kuala Lumpur there is a 10km stretch of 4 lanes that is nice and straight, bypassing a 20km winding hilly route. It has been under construction and almost ready for a year. If you are up for it you can just slow down as you approach this new road, duck onto the other side of the safety cones, and be the sole car on the virgin highway while the traffic snakes up into the hills.

"Why the hell don't they open this?" I asked myself 6 months ago, on maybe the 3rd or 4th time I was zipping along my nifty shortcut.

Then about 2 months ago I guess the rainy season was in force there, and huge sections of the new road were washed out or fell off into sinkholes. Now they are redoing about half of the road, upgrading bridges over creeks, ripping up the finished roadway and beefing up the supports.

Where are the engineers? Is the contract awarded on a cost-plus basis to political cronies? What the fuck is up with completing a highway, waiting to see what parts are weak, and then rebuilding it?

The moral of this story is that people are fucking lazy and stupid and do things in lazy stupid ways. When do we get our robotic overlords?
posted by Meatbomb at 3:21 AM on May 28, 2012 [3 favorites]


I seem to hear a lot of folks in this thread saying that it's okay to have US military hardware built by a potential enemy of the US. Really?
posted by tommyD at 3:32 AM on May 28, 2012


Ooooohh, the history of espionage!
posted by spitbull at 4:03 AM on May 28, 2012


I agree with Long Way that an intentional back door inserted by Actel designers is an equally (?) plausible explanation. Microsemi (the parent company) needs to make a persuasive statement rather than a "no comment".

It's much less plausible that a compromise in a CAD tool has caused this, as someone suggested upthread.

Next question: who fabs Actel ProASIC parts?
posted by newdaddy at 4:10 AM on May 28, 2012


How sure can you be about that, though, Long Way? Remember that our spy agencies try to employ some seriously, frighteningly intelligent people. These guys and gals operate at a level that we normal humans can barely even perceive, much less approach.

Really?

You're talking about an intelligence agency that entirely missed the collapse of the Soviet Union and September 11th. There may be frighteningly intelligent individuals within our intelligence communities, but they are King of Jack and Shit in our endlessly labyrinthine bureaucracies, and Jack has left town.

Let's also not forget the "slam dunk" of Iraqi WMDs. The only thing our intelligence agency is used for now is to invent reasons to go to war, and to occasionally roll up the Bill of Rights and smoke it. Their purpose in our society is to manufacture evidence for paranoia inducing campaigns of fear.

For instance, despite the fact that we have Iran surrounded by military bases, we'll be pummeled with enough lies to mobilize for the next war designed to lock down our control over what's left of the oil. But it won't be about oil. It will be about how Iran is a threat to Israel, hundreds of miles away behind all of those US military bases. Or about introducing Freedom and Democracy to a country that has more democratic elements than Saudi Arabians are allowed to dream about.

There wasn't any concern about using Chinese manufactured chips in our military equipment. Having an excuse to increase the budget to examine the chips, or just buy new ones, and go to war (and further increase the budget) is what they would call a win-win scenario.
posted by deanklear at 4:48 AM on May 28, 2012 [3 favorites]


deanklear, the fact that our intelligence agencies aren't working very well, after Bush destroyed them, isn't evidence that intelligence agencies can't work, and it's CERTAINLY not evidence about the quality of Chinese programs.

I refer you to the British and American intelligence programs circa WW2, and the NSA in this country through at least the 1970s, for examples of just how good an agency can be, with brilliant people at the helm.

Again, these arguments boil down to, "The Chinese are too stupid to do this", and I could not possibly disagree more strongly.
posted by Malor at 4:58 AM on May 28, 2012 [1 favorite]


Or maybe they'll just send a signal from a satellite that will brick everyone's cable boxes. Society collapses hours later.

I think you meant society uncollapses.
posted by srboisvert at 5:04 AM on May 28, 2012 [8 favorites]


I seem to hear a lot of folks in this thread saying that it's okay to have US military hardware built by a potential enemy of the US. Really?

Well given how some citizens in the U.S. feel about their own government which country should military hardware be built in? In the States itself is far too risky, what with the absolute insanity and all.
posted by juiceCake at 5:50 AM on May 28, 2012 [2 favorites]


Count me among those tipping that Actel did it. I expect it was put there for debugging and/or QA purposes, and then left in because removing it would have amounted to a non-testable design change.
posted by flabdablet at 5:51 AM on May 28, 2012 [2 favorites]


This leads me to why this might not be a backdoor inserted by the fab in China. It is possible that Actel themselves designed this backdoor into their FPGAs. Why would they do this? It's not inconceivable that in order to support their customers, they have to have a way to read out the design from a chip when the key is unknown, but the customer can prove that they are the owner. Essentially a "send it back to us and we'll unlock it" service.

Yeah. Or it could be a back door requested by the US government. Or it might not be a 'back door' at all. It could simply be a bug, equivalent to the hack that let people find out Sony's PS3 firmware signing key.

Think of it like reverse compiling C code from a binary file - you get code but it's not easy to understand.

It's not easy but it's not impossible. People do that kind of thing all the time.

You're talking about an intelligence agency that entirely missed the collapse of the Soviet Union and September 11th. There may be frighteningly intelligent individuals within our intelligence communities, but they are King of Jack and Shit in our endlessly labyrinthine bureaucracies, and Jack has left town.

You can't compare their SIGINT with the political analysis though, that's ridiculous. You get a thing, you reverse engineer it, you figure out a way to exploit it. I wouldn't expect geohot to be able to predict political instability in North Korea or the outcome of the next election in Mozambique, but I would certainly expect that he'd be able to add a back door to an FPGA design.

The two things don't require the same kind of skills at all. One involves sifting through murky and conflicting information, and filtering out bias. The other just involves scientific analysis of a deterministic system.

So why aren't we tripping over people who are merely Einstein smart all the damn time?

Well, Einstein wasn't just smart, he happened to live at exactly the right time when scientific measurements were getting really good and before relativity had been discovered. Apparently Hilbert was working on the problem too and perhaps would have had it figured out within a few years. The two shared notes and Hilbert had no problem giving Einstein credit. Nowadays, there is a lot less physics out there to discover, and you need massively expensive experiments to get the data for it.

The other thing to consider is the fact that we have computers to do math. In Einstein's day, you had to be able to do all the math you needed to do on paper, or with a slide rule or whatever. It wasn't enough just to understand the 'concepts'. Now, if you get the concepts you can have the computer do the 'real' work, that made being a physicist so difficult in the past. So it's hard to compare.
posted by delmoi at 5:52 AM on May 28, 2012 [1 favorite]


Also: anybody else here old enough to remember the Clipper Chip?
posted by flabdablet at 5:54 AM on May 28, 2012 [1 favorite]


Tony Stark wouldn't fall for this shit.
posted by SPUTNIK at 5:59 AM on May 28, 2012 [4 favorites]


You'd be surprised/shocked/etc. at how much the US government buys from China, despite it not being a Trade Agreements Act beneficiary country. Some of it's because there aren't any domestic sources anymore though most of it is indeed because it's cheaper. The interesting thing is how much of it isn't labeled "Made in China". That's because you can do partial manufacturing in China and finish somewhere else, say Korea, and it magically becomes a product of the finishing country.
posted by tommasz at 6:24 AM on May 28, 2012


Mister Potato Head! Mister Potato Head! Back doors are not secrets!
posted by urbanwhaleshark at 6:37 AM on May 28, 2012 [3 favorites]


In Einstein's day, you had to be able to do all the math you needed to do on paper, or with a slide rule or whatever. It wasn't enough just to understand the 'concepts'. Now, if you get the concepts you can have the computer do the 'real' work, that made being a physicist so difficult in the past. So it's hard to compare.

What does "do math" mean, here?

Which parts of relativity theory could have been developed by a current computer? Yes, a few symbolic computations could have been stuck into Maple, or something, but that's not really the part of the math that is facilitated by being Einstein/Poincare/Lorentz/Hilbert/Riemann/Minkowski, i.e. that's not really the "difficult" part. It's time-consuming, yes, but "the concepts", and not the actual fiddling with tensors or whatever, have always been the difficult part of math. If it's easier to develop a successful theoretical model than it used to be, it's likely because there's a larger arsenal of concepts than there was before, not because symbols are easier to manipulate. Mathematicians still have blackboards and big stacks of paper.

Experimental physics/computational mathematics is of course a different story, but it wouldn't surprise me if Einstein never used a slide rule in a meaningful way, because it wasn't really that sort of problem.
posted by kengraham at 6:37 AM on May 28, 2012 [3 favorites]


Think of it like reverse compiling C code from a binary file - you get code but it's not easy to understand.

It's not easy but it's not impossible. People do that kind of thing all the time.


Yeah, but now imagine adding a whole module of code but not changing the file size. That's going to be the trick involved in squeezing all this onto the dies for this chip.
posted by Kid Charlemagne at 6:39 AM on May 28, 2012


If it's easier to develop a successful theoretical model than it used to be, it's likely because there's a larger arsenal of concepts than there was before

And, as delmoi said, because there's vastly more data, made available by experimental/computational methods. It would be interesting to see to what extent these methods actually rely on relativistic models; I would guess quite a lot, which means that such data would by definition be unhelpful if one wanted to invent relativity theory, because it wouldn't exist. IANAAM, though.
posted by kengraham at 6:40 AM on May 28, 2012


The Queen of Diamonds would approve.
posted by Currer Belfry at 6:46 AM on May 28, 2012


Um, what if the backdoor was originally designed and inserted by the American designers?
posted by storybored at 7:06 AM on May 28, 2012


Again, these arguments boil down to, "The Chinese are too stupid to do this", and I could not possibly disagree more strongly.

I agree... I think I misread your comment as evidence that our intelligence community isn't capable of such a blunder.

After the Iranian hijacking of our spy drone, there was some speculation that China had given them some help. Since China and Iran have an oil deal worth 250 billion, and China imports 20% of Iran's oil exports, I wouldn't doubt it.

(On a side note, just think about how colossally stupid it would be if the drone was built from parts from China. All Iran has to do to completely reverse engineer the drone is to take pictures of the components and put in an order. Or just get their friends in Beijing to send them all of the components that have been sent to the US subcontractor who builds them.)
posted by deanklear at 7:09 AM on May 28, 2012 [1 favorite]


It's much less plausible that a compromise in a CAD tool has caused this, as someone suggested upthread.

What makes that implausible? Seems to me like that would be the most inexpensive way to do something like this, if it was done maliciously.
posted by XMLicious at 7:22 AM on May 28, 2012


Well, are you imagining a CAD tool that automagically looks for instances of a hardware-description language construct for an encryption function? And then somehow inserts further logic around it to implement a backdoor, without that ever showing up in a way that is recognizable to logic designers as they verify the resulting implementation? In the wild, used by potentially many customers without anyone suspecting? And never erroneously inserting said backdoor into, say, a video compression codec by mistake?

If you can do all that, I'm sure I'm not the only one who would like to hire you.
posted by newdaddy at 7:35 AM on May 28, 2012


So why aren't we tripping over people who are merely Einstein smart all the damn time?

Well, Einstein wasn't just smart, he happened to live at exactly the right time when scientific measurements were getting really good and before relativity had been discovered.


You're kind of making my point for me. When Einstein published his papers, it's not like there was a shortage of people who could follow them. It was more like a collective, "Oh, duh!" from the physics community. (At least for diffusion/Brownian motion and the photoelectric effect - there were many people who weren't quite ready to accept that time was variable, but they could follow the math.)

So if intelligence really is normally distributed and the intelligence agencies have a bunch of people that most mere mortals would not even be able to comprehend, but someone who is merely as smart as Einstein is pretty easy to follow.... You see the implicit absurdity here, right?

Also, most of Einstein's work was based on old observations and knowledge. That a current creates a magnetic field (1819), like charges repel one another (1785), Brownian motion (1827 or 60 BC, take your pick). The only newcomer to the stable of human knowledge was the photoelectric effect, but that had been known about for 18 years when Einstein explained it.

None of the math is all that challenging once you look at the situation and ask the right questions.
posted by Kid Charlemagne at 7:49 AM on May 28, 2012 [1 favorite]


If you can do all that, I'm sure I'm not the only one who would like to hire you.

No, I'm not a hardware guy myself, but I have been told that hardware designers use tools somewhat analogous to software compilers which allow them to design with a higher-level language or model and automatically generate and lay out the actual design or parts of the design.

If this is true, especially if the process is partly driven by scripts and other ad hoc tools as it would be in software design and things like versioning tools, it would seem to me that you would just need to compromise the software on the specific computers used in the final design steps. If this was done by a hacker who had achieved remote access to the systems it probably wouldn't involve modifying designs automatically in an unguided fashion, it could be targeted at a particular project at a particular company by someone who had looked at the existing code and is guiding the surreptitious changes.

So, I'm imagining basically the same approach you would use to introduce malicious code through the tool chain used to make a software product, through the same sort of industrial espionage that happens all the time if media reports of security breaches resulting in theft of intellectual property are to be believed.
posted by XMLicious at 7:52 AM on May 28, 2012 [1 favorite]


Flagged as "One Ping, and one Ping only, Yuri."

...am too much of a movie addict to let this slip. Yuri is the admiral, as in "Padorin's her uncle!"

Marko Ramius's first officer is Vasili Borodin, to whom he says "Give me a ping, Vasili...one ping only, please." In the book, the dialogue and the plot at that point are a bit different but the names are the same.

Oh and as to RTFA, I am Jack's complete lack of surprise and expect this sort of thing is a lot more widespread than anyone cares to talk about...after all, an honest discussion of the issue would almost certainly cost someone powerful a lot of money.
posted by trackofalljades at 8:01 AM on May 28, 2012 [2 favorites]


Sort of related: Meet 'Flame', The Massive Spy Malware Infiltrating Iranian Computers. New malware has been found on computers in the Middle East. It's remarkably complex and targeted and seems likely to join Stuxnet and Duqu as examples of state-sponsored malware espionage. This really deserves its own post, maybe in a week when we have more information.
posted by Nelson at 8:11 AM on May 28, 2012 [4 favorites]


Regardless of whether a backdoor exists or doesn't exist, this demonstrates what you give up when you let other people make your shit: you lose control. Maybe it's worth it to you to give up control for lower costs, and maybe it isn't - but that's the tradeoff.

Going forward, you also lose the expertise to take the product in other directions. A chip designer, for example, can know a lot of stuff at a theoretical level. But the people who actually build the chip are much more finely aware of practical problems/solutions/possibilities with the product.

So, you get lower prices. But you lose control and you handicap your own ability to innovate. Lose/lose, in my book.
posted by Benny Andajetz at 8:23 AM on May 28, 2012 [1 favorite]


So, you get lower prices. But you lose control and you handicap your own ability to innovate. Lose/lose, in my book.

See SpaceX for an example of successfully keeping almost all of it in-house.
posted by jaduncan at 8:35 AM on May 28, 2012


Thank you trackofalljades, that was bugging me in the back of my mind throughout reading the comments thread and my subconscious was just getting ready to propose rereading the Hunt for Red October.
posted by Molesome at 8:47 AM on May 28, 2012


See SpaceX for an example of successfully keeping almost all of it in-house.

SpaceX isn't a good comparison here. They have made significant process improvements to the manufacture of rockets, so it makes sense to keep all that in house.

Semiconductor fabrication, on the other hand, is very analogous to photographic printing. The breach of trust here is key. This is exactly like sending in some film to be developed, and finding new people photoshopped into your images - or codes steganographically inserted into your image.

It makes a lot of sense to centralize semiconductor fab to achieve massive economies of scale and drop costs. Maybe a nation needs their own equivalent of TSMC for high security projects. But unless you are Intel, it doesn't make sense to fab your own chips.
posted by b1tr0t at 8:53 AM on May 28, 2012


Sure, I mean that the choice to control all can still be viably made. As you say, if there's little process secret sauce there's little point; the circuit layout can be determined with enough resources anyhow even without the original plans.
posted by jaduncan at 9:16 AM on May 28, 2012


The moral of this story is that people are fucking lazy and stupid and do things in lazy stupid ways. When do we get our robotic overlords?

The ones made in China?
posted by ChurchHatesTucker at 9:31 AM on May 28, 2012 [3 favorites]


Asking around and seeing some stuff, I'm convinced that this is a very solid demonstration of a new (and very clever) analysis technique by the paper's authors, that the back door exists, and that it's almost certainly a hidden debug mode in JTAG put there by the FPGA designers as a standard secret-by-obscurity feature.

If I had to guess about the fall-out -- the chip companies involved will get some heavy flak for leaving such a thing in a part sold on its intrinsic security, and that they'll go away and come up with a "NOW you can't find it!" revision that'll work just as well as this one did.
posted by Devonian at 9:48 AM on May 28, 2012 [3 favorites]


Well, China's hacked the Gibson, then.
posted by cmoj at 9:50 AM on May 28, 2012


But unless you are Intel, it doesn't make sense to fab your own chips.

Maybe it doesn't, now. But, like it doesn't make sense to make stereos or TVs or whatever, it's kinda the result of years of "business" decisions already made. It's really a matter of priorities, isn't it?
posted by Benny Andajetz at 10:20 AM on May 28, 2012 [1 favorite]


XMLicious - your comment about the possibility of a hacker secreting a back door feature into a configuration management system, makefile or similar automation is accurate - I guess I would characterize this more as a human rather than a CAD tool causing the compromise.
posted by newdaddy at 12:27 PM on May 28, 2012


I might have mistaken which comment you were initially responding to; I thought you were talking about Devonian's "tool chain" comment or hattifattener's "logic synthesis software" comment.
posted by XMLicious at 12:38 PM on May 28, 2012


OK NO ONE KILL ANYONE TIL WE GET THIS SORTED OUT
posted by chronkite at 12:40 PM on May 28, 2012 [5 favorites]


Maybe it doesn't, now. But, like it doesn't make sense to make stereos or TVs or whatever, it's kinda the result of years of "business" decisions already made. It's really a matter of priorities, isn't it?

No, it isn't really a matter of priorities. Note that I didn't say "it doesn't make sense to fab your own chips in the USA." It might make sense to fab in the US, but it would still make sense to have a central company that handles all the actual chip manufacturing, and then a constellation of large and small IC design firms that send their designs to be fabbed by that central company.

IC design logically breaks into two broad disciplines. There is manufacturing process, which involves a lot of solid-state physics, and then there is circuit design, which is analog and digital electrical engineering. Once you have innovated a new manufacturing process, it makes sense to rent out your fab to circuit designers that then just send you designs to "print."

TVs, now that they are LCDs, actually work the same way. A small number of factories make all the LCD panels (the process is similar to making chips) because there is almost no difference in the underlying manufacturing technique.

If it turns out that the back door was inserted by the fab (unlikely, in my opinion, but somewhat plausible) then the solution would be to build a trusted fab in, say, the USA. It wouldn't make sense to require every chip maker to fab their own chips. The capital requirements are just too high.
posted by b1tr0t at 12:43 PM on May 28, 2012 [2 favorites]


b1tr0t:

I misunderstood your comment a little bit. We're on the same page. (Specialization and cooperation is fine - even warranted in some cases - as long as your concern doesn't lose its control of the process.)
posted by Benny Andajetz at 1:36 PM on May 28, 2012


TVs, now that they are LCDs, actually work the same way.

I've known for quite some time that my TV is watching me.
posted by StickyCarpet at 2:04 PM on May 28, 2012


I don't want to stoke any yellow peril (though lookout, China, I still haven't forgotten what you did to my dog!), but for all the arguments on either side, it's ridiculously naive not to see that, yes, this is exactly the kind of thing powerful nations do/try to do to one another and there are real, proven examples of no less sinister or complex plots. Without all the evidence clearly laid out, speculating about what is or isn't credible on an a priori or even reasonably well informed basis in this case seems pretty dumb. While China may not have an expansionist or imperialist history, it's stupid to pretend it's always a harmless or even scrupulous actor on the international stage--China may not be the devil, but if you honestly believe the extent of its national ambitions are limited to the betterment of its people's economic circumstances, as the party propaganda would have it, then I wouldn't trust you to make any important decisions for me, anyway.
posted by saulgoodman at 3:46 PM on May 28, 2012 [1 favorite]


RichardP, you gave a well-thought out response, but I doubt your conclusion that: It's not inconceivable that in order to support their customers, they have to have a way to read out the design from a chip when the key is unknown, but the customer can prove that they are the owner. Essentially a "send it back to us and we'll unlock it" service.

After assuring their customers that the data was safe, "Oh, sure, WE can unlock it anytime we want!" is not something the customers will be glad to hear. Also, the very need for it presumes they expect customers to "whoops" their passwords, and come back to them hat-in-hand, sheepishly. Doubtful marketing plan.
posted by IAmBroom at 5:09 PM on May 28, 2012


Long Way To Go, I mostly buy your belief that reverse-engineering the chip is too difficult... except for the stakes involved. After all, the easy way to reverse-engineer the chip is to figure out how much money it would cost to do so (say, $50RMB), and then find an American/Taiwanese chip designer employee willing to build in a backdoor for 10% of that. Done!

The next backdoor will be much cheaper, of course, since there's "blood" on the designer's hands by then.

This doesn't mean it's a Chinese job, but it doesn't mean it couldn't be.
posted by IAmBroom at 5:25 PM on May 28, 2012


To everyone wondering about whether or not China has enough geniuses to do this... This isn't genius-level work. It's grunt work for bright BS/MS-level people, and lots of computing power - achievable amounts, BTW, not 10^10^10^10 kind of power.

It's not like the scene in Swordfish where Hugh Jackman is so wicked-clever with computers he can hack through a firewall in under a minute while getting a beej with a gun pointed at him - nothing in the world is ever like that. It's a team of chip designers and software engineers, working together 7 days a week to decode just one part of the chip (which is why Long Way To Go's point is probably overstated - 99.9% of the chip is unimportant to the backdoor builders). In 20th-C military terms, they're more like an airborne platoon than Simo Häyhä: skilled and tasked with a difficult mission, but hardly one-of-a-kind.
posted by IAmBroom at 5:35 PM on May 28, 2012


Finally, when people wonder why we are buying our chips from China, it's the same reason we buy our diamonds from South Africa & Russia, and our opium from the Middle East: 99% of the supply is from there. Seller's market, plain and simple.

But why is that? Let's take a 25-year history lesson.

In the 80's, if you needed a circuit board cut, you hired one of a handful of shops in your city to fab it. Then the EPA realized that all those heavy metals, toxic outgassing, and other nasty waste products produced by those shops probably ought to be regulated and carefully disposed of... By 1995 only BIG board shops could afford all the filters and waste management needed to meet the regs.

Chips, at one level, are just really small circuit boards. They are coated with photoresist, covered with a mask, exposed to intense (ion-producing) light, washed in resist solvent, cleaned... and that's just a single layer of a 10-to-50-layer chip. Nasty chemicals are produced all along the way.

But as the chips followed Moore's Law, they also delved deeper into more & more dangerous byproducts. Nature is like that; she isn't going to give you more for less risk. The sorts of lasers used to burn in chip circuits produce a horror list of byproducts, alone; add to that the resist chemicals, solvents, cleaning chems, etc... Suffice it to say, you don't want to live downstream of one of these plants. Cleanup and safe disposal costs are huge.

Unless... unless you were able to find a place so eager for multi-billion-dollar high-tech business that they just didn't care about cleanup. Someplace so vast that they can dedicate dumping grounds that will forever taint the surrounding water supply, and with an institutionalized disregard for the safety of their own land and people.

Why do we buy all our chips from China? Because we can't afford to do it safely, and we can't bear to ruin that much of our country. Instead, we pay them to do it to themselves.
posted by IAmBroom at 5:49 PM on May 28, 2012 [2 favorites]


It's grunt work for bright BS/MS-level people

We have a ton of these Chinese students at our university (I'm sure that they are at other universities too). We're interested in those with very good back end programming skills. They work very hard, and they are ideal for RAs for the current wave of federal big data grants. So we give them a free ride in the doc program, train them, and then I'm guessing a lot go back to China.
posted by carter at 5:59 PM on May 28, 2012 [1 favorite]


I thought that one of the reasons there are many Chinese students in American universities is because they pay full tuition.
posted by XMLicious at 6:24 PM on May 28, 2012


XMLicious - Not where I am ... If they have the right skill set, we pay for them, because we (theoretically) then make out in grant funding. In some ways it's kind of a backwards way to set up a PhD - but the students aren't complaining. Also (in regards to the linked thread) doing technical courses means that they don't have to write that many research papers.
posted by carter at 6:39 PM on May 28, 2012


Something no one has seen fit to mention: You have to have the hardware in hand to be able to perform the sorts of attacks these guys are doing. This backdoor, put in by whoever, doesn't suddenly give you the data across the continent. It doesn't give you the source code of the FPGA, it gives you the encryption key of the FPGA, used to confirm that the configuration of the FPGA is being done by something with the rights to do so.

So this encryption is one step (of many) that's done for hardware that has the possibility of falling into enemy hands. It's certainly not the only step, because the US government assumes that a foreign actor holding the hardware can apply the means necessary to work the encrypted chips. But combined with other features, I'm not very concerned about this specific backdoor until I hear that the other security features can also be overridden.
posted by garlic at 9:21 PM on May 28, 2012 [1 favorite]


also, the draft of the paper is here.
posted by garlic at 9:23 PM on May 28, 2012 [2 favorites]


So, garlic, that argument boils down to, "Chinese spy agencies would have a hard time gathering intelligence", when that's what they do. If you think the NSA could lay its tentacles on that stuff, the Chinese probably can, too.

I'm sorry, but 'The Chinese are too stupid to do this' upthread, and your argument of 'Chinese intelligence agencies aren't good enough to get this intelligence', are bad arguments, rooted in a belief in inherent Western superiority. We're used to being the best and the brightest, but we've been focused for decades now on de-legitimizing intelligence as a thing. We've been ruining our intellectual infrastructure, particularly in government, while these other countries are still building theirs.

I strongly suspect that, if we're still the smartest kids on the block, it won't be for much longer.
posted by Malor at 4:17 AM on May 29, 2012 [2 favorites]


Malor, if the Chinese can get this hardware without shooting it down first, they could probably just as easily get the FPGA code prior to encryption. And if they do have to shoot it down first, or get it from a forward operating base, other protocols are activated.

The US military is highly aware of how good the Chinese are at reverse engineering and copying military equipment. That's why they take multiple security measures.
posted by garlic at 4:37 AM on May 29, 2012


Rob Graham of Errata Security provides an alternative analysis.

While they did find a backdoor in a popular FPGA chip, there is no evidence the Chinese put it there, or even that it was intentionally malicious.
posted by Busy Old Fool at 8:10 AM on May 29, 2012 [3 favorites]


Sort of related: Meet 'Flame', The Massive Spy Malware Infiltrating Iranian Computers.

Iran 'finds fix' for sophisticated Flame malware: Iran says it has developed tools that can defend against the sophisticated cyber attack tool known as Flame.
posted by homunculus at 11:36 AM on May 29, 2012


Meet 'Flame', The Massive Spy Malware Infiltrating Iranian Computers.

Here's an analysis of Flame (pdf) - impressive, but not quite as astounding as some of the more excitable reports suggested.
posted by Busy Old Fool at 12:05 PM on May 29, 2012


Business Insider has posted an interview with Sergei Skorobogatov, one of the paper's authors. Reading the interview, what I found most interesting were these statements from the authors:
1) We have made no reference to any Chinese involvement in either of the released papers or any reference to espionage. Therefore we don't agree with Robert Graham's assertion that we suggest Chinese involvement. So we have no idea why people have linked the Chinese to this as it did not come from us.

2) As far as we are concerned the back door was implemented by the manufacturers at the design stage and we suggest that in the papers.

...

4) It is not just a simple JTAG hack, there is a lot more involved than that and it's contained in the paper.

5) We do not agree it is just a debug port, you do not need a debug port to circumvent the security on the chip and read back the IP whilst telling everyone else no such feature exists
The authors appear to believe that the backdoor is a feature designed into the ProASIC3 FPGA by Actel themselves, and not inserted surreptitiously by a Chinese fab, like I suggested above. However, they are of the opinion that this backdoor is not a debugging or other support feature that is disclosed to Actel's customers, so in that regard I was wrong (although they don't clearly state that they've reviewed the documents Actel supplies to their customers after a customer signs Actel's NDA and that this feature is not disclosed).

This implies that they believe that this feature has a more nefarious purpose — perhaps Actel wants to be able to snoop on their customer's IP, or perhaps Actel inserted this feature at the request of a US intelligence service.
posted by RichardP at 1:19 PM on May 29, 2012 [3 favorites]


Or perhaps Actel wanted to be able to verify, during final testing of their encrypted lock-downable FPGA design, that engaging the locks didn't screw up anything internal.

When I said I thought this would probably turn out to be a debugging feature, the kind of debugging I had in mind was Actel engineers debugging their programmable hardware, not customers debugging the functionality of the designs they program onto that hardware.
posted by flabdablet at 7:32 PM on May 29, 2012 [1 favorite]


On the other hand, maybe this is one ill in the world China's not to blame for. More evidence either way would be helpful.
posted by saulgoodman at 10:04 PM on May 29, 2012


That makes sense, RichardP, and our (guilty) intelligence services could very well be the ones doing the shouting about the evil Chinese, as a little misdirection.

My arguments above, by the way, aren't that the Chinese did this. Rather, I'm saying that claims that they somehow couldn't, simply because they are Chinese, or simply because public information on Chinese intelligence services doesn't suggest that level of sophistication, are both foolish.
posted by Malor at 5:01 AM on May 30, 2012 [1 favorite]


RichardP: "Business Insider has posted an interview with Sergei Skorobogatov, one of the paper's authors. Reading the interview, what I found most interesting were these statements from the authors:
1) We have made no reference to any Chinese involvement in either of the released papers or any reference to espionage. Therefore we don't agree with Robert Graham's assertion that we suggest Chinese involvement. So we have no idea why people have linked the Chinese to this as it did not come from us."

That's just what those sneaky Chinese commies want us to think. This proves it!
posted by IAmBroom at 7:00 AM on May 30, 2012


So there's this amazing book: "The Foundations of Mechanical Accuracy". Part of it describes this particular kind of gauge block invented by a Swede. Before WWI America was importing the blocks from Sweden; during the war, of course, shipments of such goods were blocked by the Germans. And consequently the buildup of war material was delayed.

Here's Henry Ford's response:
"This must not happen again; we must have the secret methods within our countries boundaries. I will buy the manufacturing rights".

So there you have it, proof that Ford was a socialist.
posted by Chekhovian at 5:12 PM on May 30, 2012


So there you have it, proof that Ford was a socialist.
It all makes sense now! Ford was playing a long game by supporting Hitler, so he could get at the gauge blocks!

[takes off tin-foil hat, wipes brow]
posted by b1tr0t at 5:38 PM on May 30, 2012


Come, come. If you're going to invent a conspiracy theory, you must learn from the masters.

Powerful 'Flame' cyberweapon tied to popular Angry Birds game
posted by flabdablet at 9:14 AM on May 31, 2012 [1 favorite]


I'm truly disappointed that Fox failed to lead with the xenophobic angle: Lua comes from BRAZIL!
posted by b1tr0t at 2:04 PM on May 31, 2012


It's all connected!
posted by flabdablet at 11:23 PM on May 31, 2012


Anyone built a physical Angry Birds game yet? It might give that story a whole new meaning.
posted by jeffburdges at 8:06 AM on June 1, 2012


There is a physical Angry Birds game - I ran into a friend of mine the other day whose kid was carrying his new Angry Birds game box proudly.
posted by rmd1023 at 3:29 PM on June 1, 2012


Actel/Microsemi has issued a denial:
Microsemi can confirm that there is no designed feature that would enable the circumvention of the user security.

The researchers' assertion is that with the discovery of a security key, a hacker can gain access to a privileged internal test facility typically reserved for initial factory testing and failure analysis. Microsemi verifies that the internal test facility is disabled in all shipped devices. The internal test mode can only be entered in a customer-programmed device when the customer supplies their passcode, thus preventing unauthorized access by Microsemi or anyone else.
The researchers have responded with a clarifying statement.
posted by RichardP at 2:47 AM on June 2, 2012 [2 favorites]


a privileged internal test facility typically reserved for initial factory testing and failure analysis

Do I get my biscuit now?
posted by flabdablet at 9:06 PM on June 2, 2012


In more old-fashioned espionage news: A Chinese state-security official arrested this year on allegations of spying for Washington is suspected to have compromised some of China's U.S. agents in a major setback that angered President Hu Jintao, sources said.
posted by homunculus at 4:09 PM on June 15, 2012 [1 favorite]


Pentagon Contractors Post Openings For Black-Hat Hackers
posted by jeffburdges at 9:52 AM on June 16, 2012




This thread has been archived and is closed to new comments