Proof That Military Chips From China Are Infected?

For years, everyone has warned that counterfeit microchips made in China and installed on American military hardware could contain viruses or secret backdoors granting the Chinese military cyber access to U.S. weapons systems. These warnings recently expanded beyond counterfeit parts; now the worry is that any Chinese-made component could be infected. The problem was that, until this week, these warnings were educated guesses and theories. Now a scientist at Cambridge University in the United Kingdom claims to have developed a software program proving that China, and anyone else, can install, and is installing, cyber backdoors on some of the world’s most secure, “military grade” microchips.

Specifically, the American-designed, Chinese-made Actel/Microsemi ProASIC3 A3P250 chip, commonly known as the PA3, was found by Cambridge researcher Sergei Skorobogatov to have a backdoor, or trojan, deliberately built into it. The PA3 is what’s called a Field-Programmable Gate Array (FPGA): an almost blank slate of a microchip that can be programmed by its owner to perform a variety of tasks.

Most alarming is that the PA3 is considered to be one of the “most impenetrable” designs on the market. The chip is used in military “weapons, guidance, flight control, networking and communications” hardware, according to Skorobogatov’s report on his findings that was published last weekend. The PA3 is also used in civilian “nuclear power plants, power distribution, aerospace, aviation, public transport and automotive products,” according to Skorobogatov.

(In an example of just how military-grade these chips are supposed to be, the image above is actually taken from Actel/Microsemi’s promotional material for the PA3)

Basically, Chinese cyber spies can use the chip’s built-in malware to decipher military passcodes, gain remote access to the chip and reprogram it to do their bidding, “permitting a new and disturbing possibility of a large-scale Stuxnet-type attack via a network or the Internet on the silicon itself,” reads his report.

The worst part: this backdoor, installed on chips used in critical weapons systems and public infrastructure around the world, is almost impossible to remove from the chip since, well, it was built into the device during manufacturing. That means you can’t just issue a software patch to repair the vulnerability.

The backdoor is close to impossible to fix on chips already deployed because, unlike software bugs in a PC Operating System, you cannot issue a patch to fix this. Instead one has to replace all the hardware which could be extremely expensive. It may simply be a matter of time before this backdoor opportunity, which has the potential to impact on many critical systems, is exploited. Having a security related backdoor on a silicon chip jeopardises any efforts of adding software level protection. This is because an attacker can use the underlying hardware to circumvent the software countermeasures.

So uh yeah, this stuff is everywhere. When people warn of the potential for widespread disruption from cyber espionage and warfare, they’re not just crying wolf. Makes you feel safe, huh?

Here’s Skorobogatov’s full report where you’ll learn how the backdoors are installed and activated.

Backdoors Embedded in DoD Microchips From China

  • Andy

    Please jail the companies’ CEOs….

    • STemplar

      How about stand them up against a wall and shoot them?

      • DB-1

        How about try them for treason first, then stand them up against a wall and shoot them.

    • JamalTheBanker

      Die Hard 4 anyone?

    • steve

      This is the end result of “off Shore Procurement” for Military hardware. This should NEVER have been authorized by anyone in Our Military, or Our Government! This is a potential enemy, and we seem hell bent to fall within their plans of eventual conquest!
      Providing faulty equipment of any sort is the place to start….Choice targeting, anything electronic, which shows up later than immediately? What fools these mortals be…We have a bundle full of them!!!!!!!

      • d. kellogg

        It was VERY easy to achieve when X number of politicians have Y number of stock options and campaign contributions from all these corporations who favor cheapest labor as the greatest and quickest means to high quarterly returns.

        The sad factor is, if/when the excrement hits the fan, these politicians will somehow be the farthest from harm’s way. We can only hope God or whoever they answer to in the afterlife has fitting punishment for such treachery to their own nations all for the sake of personal greed.

  • Musson

    I guess it was just too hard to check for these backdoors?

    So, manufacturers just assumed they were not there.

  • blight_

    Scanning the JTAG command field for any unknown commands by checking the length of the associated DR register revealed an interesting picture. There were plenty of commands for which the associated DR register has a length different from one, hence, used by the JTAG engine. Figure 4a shows some of these registers with the light ones being known from STAPL file analysis, and the dark ones showing newly discovered registers. Not only that, but some registers were impossible to update with a new data suggesting that these registers were representing a ROM (Read-Only Memory) (Figure 4b). This did make some sense as we learned about FROW memory from the STAPL file, from which only one row was actually read, but three address bits allowed eight rows to be accessed. All those hidden and non-updatable registers were found to be imprinted into certain locations in FROW memory. However, every single PA3 chip has unique values stored in FROW and, hence, in hidden registers suggesting that this memory was initialised at a factory and then locked against overwriting. Now we knew for sure that there is some hidden functionality in the PA3 chips[…]
    At this point we went back to those JTAG registers which were non-updatable as well as FROW to check whether we could change their values. Once the backdoor feature was unlocked, many of these registers became volatile and the FROW was reprogrammable as a normal Flash memory. Actel has a strong claim that
    ‘configuration files cannot be read back via JTAG or any other method’
    in the PA3 and in their other latest generation Flash FPGAs [18]. Hence, they claim, they are extremely secure because the readback access is not implemented. We discovered that in fact Actel did implement such an access, with a special key used for activation
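
The scan described in the passage quoted above, as an added example that is not part of the original comment or of the report: a simulated TAP is audited by measuring the DR length behind every IR opcode and comparing the result with the documented instruction list. The `SimulatedTap` class, the 8-bit IR width and every opcode and register length are constructed assumptions, not PA3 values.

```python
"""Audit a JTAG TAP for instructions the documentation does not list.
All opcodes, lengths and the 8-bit IR width are constructed sample values."""

class SimulatedTap:
    """Stand-in for real hardware: each IR opcode selects a DR shift chain."""
    def __init__(self, dr_lengths):
        self.dr_lengths = dr_lengths
        self.chain = [0]

    def load_ir(self, opcode):
        # Opcodes the silicon does not implement select the 1-bit BYPASS register.
        self.chain = [0] * self.dr_lengths.get(opcode, 1)

    def shift_dr(self, tdi):
        # One TCK in Shift-DR: the last cell drives TDO, TDI enters the first.
        tdo = self.chain[-1]
        self.chain = [tdi] + self.chain[:-1]
        return tdo

def measure_dr_length(tap, opcode, max_len=512):
    """Return the DR length selected by opcode, or None if above max_len."""
    tap.load_ir(opcode)
    for _ in range(max_len):          # flush whatever the register captured
        tap.shift_dr(0)
    tap.shift_dr(1)                   # inject a single marker bit
    for clocks in range(1, max_len + 1):
        if tap.shift_dr(0) == 1:      # marker reached TDO after `clocks` shifts
            return clocks
    return None

def audit_instructions(tap, ir_bits, documented):
    """Compare every IR opcode against documented {opcode: DR length}."""
    findings = []
    for opcode in range(1 << ir_bits):
        length = measure_dr_length(tap, opcode)
        expected = documented.get(opcode)
        if expected is None and length != 1:
            findings.append((opcode, length, "undocumented"))
        elif expected is not None and length != expected:
            findings.append((opcode, length, "length mismatch"))
    return findings

# Constructed vendor documentation (what a BSDL/STAPL file would declare).
DOCUMENTED = {0x00: 96, 0x0F: 32, 0x10: 16, 0xFF: 1}
# Constructed device: two extra registers and one that differs from the docs.
DEVICE = {0x00: 96, 0x0F: 32, 0x10: 24, 0xA5: 128, 0xC3: 64}

if __name__ == "__main__":
    for opcode, length, reason in audit_instructions(SimulatedTap(DEVICE), 8, DOCUMENTED):
        print(f"IR 0x{opcode:02X}: DR length {length} ({reason})")
```

Run as part of incoming inspection, the same loop would drive a JTAG adapter instead of `SimulatedTap`, and each finding becomes a question for the vendor before the part is accepted.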

  • blight_

    What’s disturbing is that Actel and Microsemi on the surface seem to be fairly “American” companies. Actel was acquired by Microsemi, an “American” company founded in the ’60s.

    A counter-response to this post:
    http://erratasec.blogspot.com/2012/05/bogus-story

  • vok

    Actel and its parent company Microsemi are fabless chip vendors. In other words, they don’t own any manufacturing plant. They design ASIC/FPGA in house, source the production to Asia based foundry. What happens inside fab is everyone’s guess.

  • Jared

    They likely did not implement the JTAG block themselves, but rather licensed one and put it on the chip. I would like to know who designed the JTAG block on the FPGA.

    Also note: exploit requires physical access.

    There are solutions to this problem:
    1) don’t put JTAG TAP on production boards
    2) program FPGA’s state-side and then flow them on the board.

    JTAG TAPs are usually a vulnerable point. Phones have them, your Xbox has one, your car has them, etc.

    • blight_

      Your internet router has one. I was going to flash my netgear with dd-wrt, one of the fixes after bricking uses JTAG. I was wondering what that stuff meant…

      • Jared

        unbricking is a very common use for the JTAG interface. I have a nice USB JTAG for connecting to Texas Instruments DSPs, very nice for real-time debugging the target (motor controller in this case) from my laptop. Lets you see pretty much everything going on inside the chip.

  • Red

    A law should be passed requiring ALL American military equipment to contain nothing but 100% American-made content.

  • Sam

    Serves America right for buying this stuff from the Chinese. Idiots.

    • Black Owl

      I hate to say it, but you’re completely right. We have been stupid in this.

  • DB-1

    This is totally our fault for out sourcing all our manufacturing in the name of cheap labor, makes you really believe the phrase that “you get what you pay for”

    • Mat

      Irony is that you are paying way more than you should, just major part of the cost are lobbyist fees and retired generals that turn CEOs and board members after years of making certain right companies’ products are bought.
      Legalised corruption in US is simply amazing

  • Black Owl

    When people have trouble getting jobs I used to think it was entirely their fault (and a good part of it is in most cases); however, when I asked a smart friend “where did all the good jobs in factories and manufacturing go?” he replied, “We sold all those jobs to China.” He was mostly joking with me at the time, but he was right. We need to stop selling those jobs to the Chinese and start training Americans right here in the states for those jobs. Crap like this would never have happened if all of our manufacturing was done in China.

  • Tad

    That outsourcing is working out really swell, ain’t it?

  • Pat

    Fuck China

  • Jazz ism

    I agree with the concept of making Mexico our manufacturing base. More secured supply and the average Mexican making good money and dropping off crime and less influence the cartel has making them weaker. Dump China. They take enough of our money.

  • IronV

    The single freaking scariest thing I’ve ever read about the rise of China. These bastards will, literally , stop at nothing.

  • Mark

    Good.

    This is a wake-up call.

    China is our enemy.

    The only thing we should be buying from China are egg rolls.

    • Paralus

      We’d have to check them for mercury and other heavy metals

      • d. kellogg

        Well we already learned previously they thought little of spiking pet foods with chemicals lethal to pets in high doses, all for the sake of mimicking nutritional content.
        We’ve already seen toxic levels of chemical contaminants making children’s toys extremely flammable and dinnerware (plates, cups, and cookery utensils) too toxic to eat from,
        why would we expect any less that they wouldn’t longterm poison or taint people food as well?

        Give it time, a story of it will break eventually.

  • spastic88

    can’t we just hit Ctrl + Alt + Delete?

  • ltfunk

    Just another cyberweenies with a vested interest calling wolf.

    Not unusual, not military rated, not common and not a problem – but don’t let that stop you worrying.

  • Tribulationtime

    I agree with the very first post. Meanwhile they stay outside…don’t bother in change chips.

    Well WE CAN LAUNCH A PREVENTIVE ATTACK. Whoever win we don’t need the weapons anymore.

  • Bush

    China > American

  • Lance

    With that pic makes me think is the F-22 Oxygen system made in China??????

  • Belesari

    China basically builds all the factories for them and streamlines the building process by not stringing out the factories through 20 different states? This makes them cheaper!

    My god a country that has the worst record on earth of industrial espionage and is supplying our enemies with weapons is spying on us!!!!!!

    Well damnit we should do that. Though the factories will have to be in 30 different states to make something made in a single city in china driving up its cost 200%. And we will tax the hell out of the corporations who will mostly use the insane amounts of loopholes to avoid paying it.

    Meanwhile our politicians will continue getting bought by chinese corporations and government groups (clinton and friends) and we will demand the heads of the CEO’s while reelect the same idiots who ended up doing this crap in the first place.

    Get a mirror, either hang that guy or get a clue and start making sure that the people you vote for are doing what is best for the country in the best way maybe not the most ideologically Pure way but in the way most realistic and best able to benefit the country in all.

    • Belesari

      This would all require us to admit the current problems with the economy, culture, DoD, politics, jobs, etc all stem from those dipsh*ts in washington and around the country WE THE VOTERS are sending into office.

      Oh but wait we can all be like andy and just repeat the lines told to us and refuse to face the more difficult truth.

  • So?

    BTW, SkoroBogatov means QuicklyRich. Hehe.

  • Ara

    To **** with them! why are we still dealing with them?

  • Ems

    read the paper, it is something that was put in by the designers not china…they say all their chips have similar back doors…

  • Dave Tobin IV

    Thank Pres. Clinton for giving us NAFTA, that’s where our jobs have gone, and all the CEOs that took their companies overseas so they can make millions and have tons of cheap labor. Our government only cares about money, not what’s best for the country.

  • Old Navy

    Sell them more chop sticks. Build a giant military chip plant in the US. No non US made parts/materials (steel, Al) at all in any military aircraft/ships/trucks/radios, etc, etc, etc. And NO uniform parts. Being retired Navy and a Nam vet, a Navy recruiter gave me a Navy ball cap…”made in Nam”. Remember Chop Suey is not Chinese.

    • blight_

      We haven’t outsourced guns…yet.

      • guess

        Some companies have started out sourcing guns. :(

  • WRG01

    In our current culture of deregulation, cutting customs, FDA, FTC, etc budgets, this sort of threat is going to profligate. We must maintain our industrial and technological research, design and MANUFACTURING capabilities for national security, national defense, product safety, food safety and good paying middle income jobs that don’t necessarily require 4 or 7 or 9 years of post-HS educations. This is about our national future…in many ways.

  • Neal

    A local hat maker lost its contract in 2002 because it used wool from New Zealand because Quote
    “Federal law prohibits the use of foreign material in products made for the Defense Department. Lincoln said that Bancroft Cap is the only domestic beret producer for the U.S. Armed Services.”

    Why doesn’t this law apply to electronics? Wool from a very friendly country is security issue?

  • Gunner

    Ok granted I’m not a pro on these chips but has anyone thought about the problems with the F-22 oxygen system being caused by one of these chips?
    Just an idea so if anyone knows if this is possible chime in.

  • Kevin

    Worst part is…we’re going to continue buying this chinese garbage without batting an eyelash.

  • Indyson

    One EMP burst and all these devices are toast. Read this article carefully…you have to have physical access to the chip to utilize the designed-in backdoor feature. So, Jackie Chan must paraglide stealthily onto the back of an F-22 in flight, penetrate the fuselage, connect his clip-on chip contacts, connect this to a programming device and…what?…erase the warning message for the ejection seat? I just wasted 15 minutes of my life reading and analyzing all this.

  • Roland

    I bought a spy camera on ebay. The seller and manufacturer were from China. I was unaware of the risk when I installed the software driver that comes along with the spy camera. During the time I was installing the software driver, my McAfee anti virus pops up a warning on my laptop. I immediately remove the disk software and install an additional virus removal on my laptop computer. Most spy camera on ebay have this disk software drivers and it’s all made in China.

  • john

    Lesson for the US: China is a trojan…can’t trust those communists

  • Ht2haskins

    All American military hardware should be made in America. These fools who outsource should be executed for treason. Oh, also Starship Troopers had it right. You’re only a citizen of your country if you are a veteran; imagine how right this country would be.

    • blight_

      In the book, this was *all* federal service, not just Mobile Infantry or Fleet service. Heinlein included everyone, down to the person testing survival gear on the moon, teachers and volunteer test subjects. I suspect even Heinlein knew that trading a lazy democracy for a military aristocracy wasn’t going to work either. What is a civilian-controlled military where the only civilians who exert control are ex-military?

      Full citizenship was the vote and political office.

  • Shindigs

    Probably in routers for sequence hijacking

  • EJD

    Don’t do weapons! So, the back doors won’t be a problem, only another way to debug the system.

  • The DAP controller is designed by Microsemi, they definition for each combination of pass code, instruction and whole designs. They finish in US. Chinese factory just made it follow the original design. What’s wrong with Chinese workers and factories??? Stupid!!!!