Proof That Military Chips From China Are Infected?

For years, everyone has warned that counterfeit microchips made in China and installed on American military hardware could contain viruses or secret backdoors granting the Chinese military cyber access to U.S. weapons systems. These warnings/predictions recently expanded beyond counterfeit parts; now we’re worried that any Chinese-made components could be infected. The problem was that until this week, these warnings were educated guesses and theories. Well, a scientist at Cambridge University in the United Kingdom claims to have developed a software program proving that China — and anyone else — can install, and is installing, cyber backdoors on some of the world’s most secure, “military grade” microchips.

Specifically, the American-designed, Chinese-made Actel/Microsemi ProASIC3 A3P250 — commonly known as the PA3 — chip was found by Cambridge researcher Sergei Skorobogatov to have a backdoor, or trojan, deliberately built into it. The PA3 is what’s called a Field Programmable Gate Array (FPGA): an almost blank slate of a microchip that can be programmed by its owner to perform a variety of tasks.

Most alarming is that the PA3 is considered to be one of the “most impenetrable” designs on the market. The chip is used in military “weapons, guidance, flight control, networking and communications” hardware, according to Skorobogatov’s report on his findings that was published last weekend. The PA3 is also used in civilian “nuclear power plants, power distribution, aerospace, aviation, public transport and automotive products,” according to Skorobogatov.

(In an example of just how military-grade these chips are supposed to be, the image above is actually taken from Actel/Microsemi’s promotional material for the PA3)

Basically, Chinese cyber spies can use the chip’s built-in malware to decipher military passcodes, gain remote access to the chip and reprogram it to do their bidding, “permitting a new and disturbing possibility of a large-scale Stuxnet-type attack via a network or the Internet on the silicon itself,” reads his report.

The worst part: this backdoor, installed on chips used on critical weapons systems and public infrastructure around the world, is almost impossible to remove from the chip since, well, it was built into the device during manufacturing. That means you can’t just issue a software patch to repair the vulnerability.

The backdoor is close to impossible to fix on chips already deployed because, unlike software bugs in a PC Operating System, you cannot issue a patch to fix this. Instead one has to replace all the hardware which could be extremely expensive. It may simply be a matter of time before this backdoor opportunity, which has the potential to impact on many critical systems, is exploited. Having a security related backdoor on a silicon chip jeopardises any efforts of adding software level protection. This is because an attacker can use the underlying hardware to circumvent the software countermeasures.

So uh yeah, this stuff is everywhere. When people warn of the potential for widespread disruption from cyber espionage and warfare, they’re not just crying wolf. Makes you feel safe, huh?

Here’s Skorobogatov’s full report where you’ll learn how the backdoors are installed and activated.

Backdoors Embedded in DoD Microchips From China

38 Comments on "Proof That Military Chips From China Are Infected?"

  1. Please jail the companies' CEOs….

  2. I guess it was just too hard to check for these backdoors?

    So, manufacturers just assumed they were not there.

  3. Scanning the JTAG command field for any unknown commands by checking the length of the associated DR register revealed an interesting picture. There were plenty of commands for which the associated DR register has a length different from one, hence, used by the JTAG engine. Figure 4a shows some of these registers with the light ones being known from STAPL file analysis, and the dark ones showing newly discovered registers. Not only that, but some registers were impossible to update with a new data suggesting that these registers were representing a ROM (Read-Only Memory) (Figure 4b). This did make some sense as we learned about FROW memory from the STAPL file, from which only one row was actually read, but three address bits allowed eight rows to be accessed. All those hidden and non-updatable registers were found to be imprinted into certain locations in FROW memory. However, every single PA3 chip has unique values stored in FROW and, hence, in hidden registers suggesting that this memory was initialised at a factory and then locked against overwriting. Now we knew for sure that there is some hidden functionality in the PA3 chips[…]
    At this point we went back to those JTAG registers which were non-updatable as well as FROW to check whether we could change their values. Once the backdoor feature was unlocked, many of these registers became volatile and the FROW was reprogrammable as a normal Flash memory. Actel has a strong claim that
    'configuration files cannot be read back via JTAG or any other method'
    in the PA3 and in their other latest generation Flash FPGAs [18]. Hence, they claim, they are extremely secure because the readback access is not implemented. We discovered that in fact Actel did implement such an access, with a special key used for activation
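
The register scan quoted in the comment above, as an added example that is not part of the original post, the comment, or Skorobogatov's paper: a Python simulation that walks every opcode of a toy JTAG instruction register, measures the length of the data register each one selects, and reports used opcodes that are missing from a documented list, noting which of them refuse updates. `ToyTap`, its opcodes, register lengths and ROM contents are all constructed for illustration and do not model the PA3.

```python
# Added example: simulated JTAG instruction scan. ToyTap is a constructed model,
# not the PA3; its opcodes, register lengths and ROM contents are made up.
IR_BITS, MAX_DR = 4, 64   # assumed IR width and upper bound on DR length

class ToyTap:
    """Each opcode selects a data register (DR); unimplemented opcodes select 1-bit BYPASS."""
    def __init__(self, regs, rom):
        self.store = {op: [0] * n for op, n in regs.items()}
        self.store.update(rom)            # ROM opcodes map to fixed, factory-set bits
        self.rom = set(rom)

    def scan_dr(self, opcode, tdi):
        """Load opcode into IR, then Capture-DR, shift len(tdi) bits, Update-DR. Returns TDO bits."""
        sr = list(self.store.get(opcode, [0]))    # BYPASS captures a single 0
        tdo = []
        for bit in tdi:
            tdo.append(sr[0])
            sr = sr[1:] + [bit]
        if opcode in self.store and opcode not in self.rom:
            self.store[opcode] = sr               # ROM-like registers ignore the update
        return tdo

def dr_length(tap, opcode):
    """Flush with zeros, send a single 1, count how many clocks later it reaches TDO."""
    tdo = tap.scan_dr(opcode, [0] * MAX_DR + [1] + [0] * MAX_DR)
    return tdo[MAX_DR:].index(1)

def is_updatable(tap, opcode, n):
    """Write all-ones then all-zeros; a writable DR reads back both patterns."""
    tap.scan_dr(opcode, [1] * n)
    ones_ok = tap.scan_dr(opcode, [0] * n) == [1] * n
    zeros_ok = tap.scan_dr(opcode, [0] * n) == [0] * n
    return ones_ok and zeros_ok

def audit(tap, documented):
    """Return {opcode: (length, updatable)} for used opcodes missing from the documented set."""
    found = {}
    for op in range(2 ** IR_BITS):
        n = dr_length(tap, op)
        if n != 1 and op not in documented:       # length 1 means BYPASS, i.e. unused
            found[op] = (n, is_updatable(tap, op, n))
    return found

# Constructed device: 0x2 and 0x5 are documented; 0x9 and 0xC are not, and 0xC is ROM-like.
TAP = ToyTap(regs={0x2: 8, 0x5: 32, 0x9: 16}, rom={0xC: [1, 0, 1, 1, 0, 0, 1, 0]})
REPORT = audit(TAP, documented={0x2, 0x5})
print(REPORT)
```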

  4. What's disturbing is that Actel and Microsemi on the surface seem to be fairly "American" companies. Actel was acquired by Microsemi, an "American" company founded in the '60s.

    A counter-response to this post:

  5. Actel and its parent company Microsemi are fabless chip vendors. In other words, they don't own any manufacturing plant. They design ASICs/FPGAs in house and source the production to Asia-based foundries. What happens inside the fab is everyone’s guess.

  6. They likely did not implement the JTAG block themselves, but rather licensed one and put it on the chip. I would like to know who designed the JTAG block on the FPGA.

    Also note: exploit requires physical access.

    There are solutions to this problem:
    1) don't put JTAG TAP on production boards
    2) program FPGAs state-side and then flow them on the board.

    JTAG TAPs are usually a vulnerable point. Phones have them, your Xbox has one, your car has them, etc.

  7. A law should be passed requiring ALL American military equipment to contain nothing but 100% American-made content.

  8. Serves America right for buying this stuff from the Chinese. Idiots.

  9. This is totally our fault for outsourcing all our manufacturing in the name of cheap labor; makes you really believe the phrase that "you get what you pay for".

  10. Black Owl | May 30, 2012 at 12:52 pm |

    When people have trouble getting jobs I used to think it was entirely their fault (and a good part of it is in most cases); however, when I asked a smart friend "where did all the good jobs in factories and manufacturing go?" he replied, "We sold all those jobs to China." He was mostly joking with me at the time, but he was right. We need to stop selling those jobs to the Chinese and start training Americans right here in the states for those jobs. Crap like this would never have happened if all of our manufacturing was done in China.

  11. That outsourcing is working out really swell, ain't it?

  12. Fuck China

  13. I agree with the concept of making Mexico our manufacturing base. More secured supply and the average Mexican making good money and dropping off crime and less influence the cartel has making them weaker. Dump China. They take enough of our money.

  14. The single freaking scariest thing I've ever read about the rise of China. These bastards will, literally, stop at nothing.

  15. Good.

    This is a wake-up call.

    China is our enemy.

    The only thing we should be buying from China are egg rolls.

  16. spastic88 | May 30, 2012 at 2:53 pm |

    can't we just hit Ctrl + Alt + Delete?

  17. Just another cyberweenie with a vested interest calling wolf.

    Not unusual, not military rated, not common and not a problem – but don't let that stop you worrying.

  18. Tribulationtime | May 30, 2012 at 4:10 pm |

    I agree with the very first post. Meanwhile they stay outside…don't bother changing chips.

    Well WE CAN LAUNCH A PREVENTIVE ATTACK. Whoever wins, we don't need the weapons anymore.

  19. China > American

  20. That pic makes me think: is the F-22 oxygen system made in China??????

  21. China basically builds all the factories for them and streamlines the building process by not stringing out the factories through 20 different states? This makes them cheaper!

    My god a country that has the worst record on earth of industrial espionage and is supplying our enemies with weapons is spying on us!!!!!!

    Well damnit we should do that. Though the factories will have to be in 30 different states to make something made in a single city in China, driving up its cost 200%. And we will tax the hell out of the corporations who will mostly use the insane amounts of loopholes to avoid paying it.

    Meanwhile our politicians will continue getting bought by Chinese corporations and government groups (Clinton and friends) and we will demand the heads of the CEOs while reelecting the same idiots who ended up doing this crap in the first place.

    Get a mirror, either hang that guy or get a clue and start making sure that the people you vote for are doing what is best for the country in the best way, maybe not the most ideologically pure way but in the way most realistic and best able to benefit the country in all.

  22. BTW, SkoroBogatov means QuicklyRich. Hehe.

  23. To **** with them! why are we still dealing with them?

  24. read the paper, it is something that was put in by the designers not china…they say all their chips have similar back doors…

  25. Dave Tobin IV | May 31, 2012 at 1:31 am |

    Thank Pres. Clinton for giving us NAFTA. That's where our jobs have gone, and all the CEOs that took their companies overseas so they can make millions and have tons of cheap labor. Our government only cares about money, not what's best for the country.

  26. Sell them more chopsticks. Build a giant military chip plant in the US. No non US made parts/materials (steel, Al) at all in any military aircraft/ships/trucks/radios, etc, etc, etc. And NO uniform parts. Being retired Navy and a Nam vet, a Navy recruiter gave me a Navy ball cap… "made in Nam". Remember Chop Suey is not Chinese.

  27. In our current culture of deregulation, cutting customs, FDA, FTC, etc budgets, this sort of threat is going to profligate. We must maintain our industrial and technological research, design and MANUFACTURING capabilities for national security, national defense, product safety, food safety and good paying middle income jobs that don't necessarily require 4 or 7 or 9 years of post-HS educations. This is about our national future…in many ways.

  28. A local hat maker lost its contract in 2002 because it used wool from New Zealand because, quote:
    “Federal law prohibits the use of foreign material in products made for the Defense Department. Lincoln said that Bancroft Cap is the only domestic beret producer for the U.S. Armed Services.”

    Why doesn’t this law apply to electronics? Wool from a very friendly country is a security issue?

  30. Ok granted I'm not a pro on these chips but has anyone thought about the problems with the F-22 oxygen system being caused by one of these chips?
    Just an idea so if anyone knows if this is possible chime in.

  31. Worst part is…we’re going to continue buying this Chinese garbage without batting an eyelash.

  32. One EMP burst and all these devices are toast. Read this article carefully…you have to have physical access to the chip to utilize the designed-in backdoor feature. So, Jackie Chan must paraglide stealthily onto the back of an F-22 in flight, penetrate the fuselage, connect his clip-on chip contacts, connect this to a programming device and…what?…erase the warning message for the ejection seat? I just wasted 15 minutes of my life reading and analyzing all this.

  33. I bought a spy camera on eBay. The seller and manufacturer were from China. I was unaware of the risk when I installed the software driver that comes along with the spy camera. During the time I was installing the software driver, my McAfee antivirus popped up a warning on my laptop. I immediately removed the disk software and installed an additional virus removal tool on my laptop computer. Most spy cameras on eBay have these disk software drivers and it's all made in China.

  34. Lesson for the US: China is a trojan…can't trust those communists

  35. All American military hardware should be made in America. These fools who outsource should be executed for treason. Oh, also Starship Troopers had it right. You're only a citizen of your country if you are a veteran; imagine how right this country would be.

  36. Probably in routers for sequence hijacking

  37. Don't do weapons! So, the back doors won't be a problem, only another way to debug the system.

  38. The DAP controller is designed by Microsemi; they define each combination of passcode, instruction and the whole design. They finish it in the US. The Chinese factory just made it following the original design. What's wrong with Chinese workers and factories??? Stupid!!!!
