Proof That Military Chips From China Are Infected?

For years, everyone has warned that counterfeit microchips made in China and installed on American military hardware could contain viruses or secret backdoors granting the Chinese military cyber access to  U.S. weapons systems. These warnings/predictions recently expanded beyond counterfeit parts, now we’re worried that any Chinese-made components could be infected. The problem was that until this week, these warnings were educated guesses and theories. Well, a scientist at Cambridge University in the United Kingdom claims to have developed a software program proving that China — and anyone else — can, and is, installing cyber backdoors on some of the world’s most secure, “military grade” microchips.

Specifically, the  American-designed, Chinese-made Actel/Microsemi ProASIC3 A3P250 — commonly known as the PA3 — chip was found by Cambridge researcher, Sergei Skorobogatov, to have a backdoor, or trojan, deliberately built into it. The PA3 is what’s called a Field Reprogrammable Gate Array (FRGA); an almost blank slate of a microchip that can be programmed by its owner to perform a variety of tasks.

Most alarming is that the PA3 is considered to be one of the “most impenetrable” designs on the market. The chip is used in military “weapons, guidance, flight control, networking and communications” hardware, according to Skorobogatov’s report on his findings that was published last weekend. The PA3 is also used in civilian “nuclear power plants, power distribution, aerospace, aviation, public transport and automotive products,” according to Skorobogatov.

(In an example of just how military-grade these chips are supposed to be, the image above is actually taken from Actel/Microsemi’s promotional material for the PA3)

Basically, Chinese cyber spies can gain use the chip’s built-in malware to decipher military passcodes and gain remote access to the chip and reprogram it to do their bidding; “permitting a new and disturbing possibility of a large-scale Stuxnet-type attack via a network or the Internet on the silicon itself,” reads his report.

The worst part, this backdoor, installed on chips used on critical weapons systems and public infrastructure around the word, is almost impossible to remove from the chip since, well, it was built into the device during manufacturing. That mean’s you can’t just issue a software patch to repair the vulnerability.

The backdoor is close to impossible to fix on chips already deployed because, unlike software bugs in a PC Operating System, you cannot issue a patch to fix this. Instead one has to replace all the hardware which could be extremely expensive. It may simply be a matter of time before this backdoor opportunity, which has the potential to impact on many critical systems, isexploited.Having a security related backdoor on a silicon chip jeopardises any efforts of adding software level protection. This is because an attacker can use the underlying hardware to circumvent the software countermeasures.

So uh yeah, this stuff is everywhere. When people warn of the potential for widespread disruption from cyber espionage and warfare, they’re not just crying wolf. Makes you feel safe, huh?

Here’s Skorobogatov’s full report where you’ll learn how the backdoors are installed and activated.

Backdoors Embedded in DoD Microchips From China

  • Andy

    Please jail the companies CEO’s….

    • STemplar

      How about stand them up against a wall and shoot them?

      • DB-1

        How about try them for treason first, then stand them up against a wall and shoot them.

        • Josh

          All of your ideas sound amazing and very fitting. Producing all of our high tech vehicles and gadgets in China has always struck me as possibly the stupidest thing anyone could do. Cheaper production costs over national security issues…hmm they really weighed out the pros and cons to that one real well it seems! Haha

          • Andy

            Cheaper production costs …….

            CEO’S GREED BASTER

        • Josh

          All of your ideas sound amazing and very fitting. Producing all of our high tech vehicles and gadgets in China has always struck me as the most idiotic thing anyone could do. Cheaper production costs over national security issues…hmm they really weighed out the pros and cons to that one real well it seems! Haha

    • JamalTheBanker

      Die Hard 4 anyone?

    • steve

      This is the end result of of “off Shore Procurement” for Military hardware. This should NEVER have been authorized by anyone in Our Military, or Our Government! This is a potential enemy, and we seem hell bent to fall within their plans of eventual conquest!
      Providing faulty equipment of any sort is the place to start….Choice targeting, anything electronic, which shows up later than immediately? What fools these mortals be…We have a bundle full of them!!!!!!!

      • d. kellogg

        It was VERY easy to achieve when X number of politicians have Y number of stock options and campaign contributions from all these corporations who favor cheapest labor as the greatest and quickest means to high quarterly returns.

        The sad factor is, if/when the excrement hits the fan, these politicians will somehow be the farthest from harm’s way. We can only hope God or whoever they answer to in the afterlife has fitting punishment for such treachery to their own nations all for the sake of personal greed.

  • Musson

    I guess it was just too hard to check for these backdoors?

    So, manufacturers just assumed they were not there.

  • blight_

    Scanning the JTAG command field for any unknown commands by checking the length of the associated DR register revealed an interesting picture. There were plenty of commands for which the associated DR register has a length different from one, hence, used by the JTAG engine. Figure 4a shows some of these registers with the light ones being known from STAPL file analysis, and the dark ones showing newly discovered registers. Not only that, but some registers were impossible to update with a new data suggesting that these registers wererepresenting a ROM (Read-Only Memory) (Figure 4b). This did make some senseas we learned about FROW memory from the STAPL file, from which only onerow was actually read, but three address bits allowed eight rows to be accessed. All those hidden and non-updatable registers were found to be imprinted into certain locations in FROW memory. However, every single PA3 chip has unique valuesstored in FROW and, hence, in hidden registers suggesting that this memory was initialised at a factory and then locked against overwriting. Now we knew for surethat there is some hidden functionality in the PA3 chips[…]
    At this point we went back to those JTAG registers which were non-updatable aswell as FROW to check whether we could change their values. Once the backdoor feature was unlocked, many of these registers became volatile and the FROW wasreprogrammable as a normal Flash memory. Actel has a strong claim that
    ‘configuration files cannot be read back via JTAG or any other method’
    in the PA3and in their other latest generation Flash FPGAs [18]. Hence, they claim, they are extremely secure because the readback access is not implemented. We discovered that in fact Actel did implement such an access, with a special key used for activation

  • blight_

    What’s disturbing is that Actel and Microsemi on the surface seem to be fairly “American” companies. Actel was acquired by Microsemi, an “American” company founded in the ’60s.

    A counter-response to this post:

  • vok

    Actel and its parent company Microsemi are fabless chip vendors. In other words, they don’t own any manufacturing plant. They design ASIC/FPGA in house, source the production to Asia based foundry. What happens inside fab is everyone’s guess.

  • Jared

    They likely did not implement the JTAG block themselves, but rather licensed one and put it on the chip. I would like to know who designed the JTAG block on the FPGA.

    Also note: exploit requires physical access.

    There are solutions to this problem:
    1) don’t put JTAG TAP on production boards
    2) program FPGA’s state-side and then flow them on the board.

    JTAG TAPs are usually a vulnerable point. Phones have them, your Xbox has one, your car has them, etc.

    • blight_

      Your internet router has one. I was going to flash my netgear with dd-wrt, one of the fixes after bricking uses JTAG. I was wondering what that stuff meant…

      • Jared

        unbricking is a very common use for the JTAG interface. I have a nice USB JTAG for connecting to Texas Instruments DSPs, very nice for real-time debugging the target (motor controller in this case) from my laptop. Lets you see pretty much everything going on inside the chip.

        • blight_

          Jared: Cars have a JTAG interface? I know of the ODB, but I assume it’s something in what various manufacturers call the Powertrain Control Module, or the Electronic Control Module, etc?

  • Red

    A law should be passed requiring ALL American military equipment to contain nothing but 100% American-made content.

    • Xenophobe?

      Made by migrant illegal Mexicans

      • blight_

        Well, they’re not as threatening as evil Chinamen?

    • Jared

      This would be a very costly activity, but I would like to see fabrication facilities mirrored in the States for microchip fab.

      • blight_

        It could only make sense with enough demand for American fab. Economies of scale and fast delivery could bring the price down enough to compete, but not before then.

        If you located the fab by a rail/air hub, it would also be a bonus.

        • vok

          That’s not true. US demand for semiconductor related products still runs strong. We are second largest consumer of microchips. In contrast, Taiwan has very small domestic market and yet developed the highest contraction of fabs. Similar situation can be found in South Korea.

          Building and operating a leading edge semiconductor fab is extremely expensive, even large size corporations can’t afford it save for a very few multi-nationals. The profit margin for chip fabrication is low in comparison to other activities. On top of that, manufacturing cost is your #1 overhead in microelectronic business, outsource makes “perfect sense” for fabless model.

          • blight_

            We might be out of phase here. When I said “It could only make sense with enough demand for American fab”, I meant American manufacturing, not consumption. That said, American “consumption” is probably referring to end products consumed here in the United States, but still made overseas.

          • vok

            Read my original response, US is number 2 consumers of microchips, I don’t mean by number 2 consumer of microchip enabled end products. For the later, I would assume US is way ahead of any nations. Apple alone counts for at least 10% of global electronic supply chain. Supply and demand doesn’t matter in manufacturing anymore. If an American company decides it’s cheaper to produce the products overseas and improves its bottom line, it will re-locate production line. US is the only industrialized nation doesn’t have a comprehensive industrial policy which promotes and protect domestic based production. Germany and Japan both have high if not higher costs than US due to better worker compensation and stronger unions. If you don’t see companies from these countries move their entire production bases to China or other developing countries.

          • blight_

            Hmm; who’s consuming the chips within the United States if so much of the industry has moved overseas; thus making sense to co-locate chip manufacturers near the manufacturers making product for end users?

            And agreed, that America’s “free market” system is against protections on domestic production. Even people who rail against NAFTA on one hand talk about the glories of the free market on the other.

            That said, the products that are made here tend to be higher margin products that justify local production. Aircraft have yet to be outsourced, though perhaps this may change.

      • RagingDragon

        Intel, IBM and Global Foundries have microchip fabs in the US. The latter two regularly manufacture chips for fabless design companies, and Intel have hinted that they might enter this market. I believe Global Foundries are the #2 player in this market after after the Taiwanese based TSMC, though the largest Global Foundries shareholder is the government of Abu Dahbi so trust might be an issue there as well.

        • blight_

          Abu Dhabi is part of the UAE. While we trust Bahrain with a massive CENTCOM presence; there’s nothing to suggest the UAE is a Bad Guy.

        • vok

          More importantly, Global Foundries advanced fabs are outside of US, most in Germany as a legacy of AMD’s glory past, the rest are based in Singapore. IBM is a non-player in IC business. It’s fab in upstate NY is nothing more than an R&D lab. The big blue tried to break into foundry business and failed big time.

    • KarlW

      That would fall foul of free trade agreements. A “Buy American” clause will provoke a tit for tat from other nations. Note that America is usually first to complain VERY loudly if it’s defense industry is excluded in a foreign military tender. Given that US defense exports are huge, imagine the outcry if America can’t sell abroad. Gotta see the whole picture, guys.
      That’s not the same as insisting on back-door-free products, though.
      (Question: how much American stuff sold abroad has a backdoor accessible by America only, I wonder?)

    • STemplar

      You’d need a law first stating we need to build the manufacturing infrastructure to do it.

  • Sam

    Serves America right for buying this stuff from the Chinese. Idiots.

    • Black Owl

      I hate to say it, but you’re completely right. We have been stupid in this.

  • DB-1

    This is totally our fault for out sourcing all our manufacturing in the name of cheap labor, makes you really believe the phrase that “you get what you pay for”

    • Mat

      Ironiy is that you are paying way more than you should ,just mayor part of the cost are lobiyst fees and retired generals that turn CEO’s and board members after years of making certain right companys products are bought.
      Legalised corruption in US is simply amazing

  • Black Owl

    When people have trouble getting jobs I used to think it was entirely their fault (and a good part of it is in most cases); however, when I asked a smart friend “where did all the good jobs in factories and manufacturing go?” he replied, “We sold all those job to China.” He was mostly joking with me at the time, but he was right. We need to stop selling those jobs to the Chinese and start training Americans right here in the states for those jobs. Crap like this would never have happened if all of our manufacturing was done in China.

    • Black Owl

      *…was done in America.

    • TrustButVerify

      As I understand it, this will be feasible as soon as you can get American manufacturing workers to work for Chinese wages.

      • blight_

        Hence the plan to abolish minimum wage and eliminate regulatory oversight.

        Of course, we still need “safety nets” on the rooftops…

  • Tad

    That outsourcing is working out really swell, ain’t it?

  • Pat

    Fuck China

  • Jazz ism

    I agree with the concept of making Mexico our manufacturing base. More secured supply and the average Mexican making good money and dropping off crime and less influence the cartel has makin them weaker. Dump China. They take enough of our money.

  • IronV

    The single freaking scariest thing I’ve ever read about the rise of China. These bastards will, literally , stop at nothing.

  • Mark


    This is a wake-up call.

    China is our enemy.

    The only thing we should be buying from China are egg rolls.

    • Paralus

      We’d have to check them for mercury and other heavy metals

      • d. kellogg

        Well we already learned previously they thought little of spiking pet foods with chemicals lethal to pets in high doses, all for the sake of mimicking nutritional content.
        We’ve already seen toxic levels of chemical contaminants making children’ toys extremely flammable and dinnerware (plates, cups, and cookery utensils) too toxic to eat from,
        why would we expect any less that they wouldn’t longterm poison or taint people food as well?

        Give it time, a story of it will break eventually.

  • spastic88

    can’t we just hit Ctrl + Alt + Delete?

  • ltfunk

    Just another cyberweenies with a vested interest calling wolf.

    Not unusual, not military rated, not common and not a problem – but dont let that stop you worrying.

  • Tribulationtime

    I agree with the very first post. Meanwhile they stay outside…don´t bother in change chips.

    Well WE CAN LAUNCH A PREVENTIVE ATTACK. Whoever win we don´t need the weapons anymore.

  • Bush

    China > American

  • Lance

    With that pic makes me think is the F-22 Oxygen system made in China??????

  • Belesari

    China basicly builds all the factories for them and streamlines the building process by not stringing out the factories through 20 different states? This makes them cheaper!

    My god a country that has the worst record on earth of industrial espionage and is supplying our enemies with weapons is spying on us!!!!!!

    Well damnit we should do that. Though the factories will have to be in 30 different states to make something made in a single city in china driving up its cost 200%. And we will tax the hell out of the corperations who will mostly use the insane amounts of loopholes to avoid paying it.

    Meanwhile our politicians will continue getting bought by chinese corperations and government groups (clinton and friends) and we will demand the heads of the CEO’s while reelect the same idiots who ended up doing this crap in the first place.

    Get a mirror, either hang that guy or get a clue and start making sure that the people you vote for are doing what is best for the country in the best way maybe not the most ideologicaly Pure way but in the way most realisitic and best able to benefit the country in all.

    • Belesari

      This would all require us to admit the current problems with the economy, culture, DoD, politics, jobs, etc all stem from those dipsh*ts in washington and around the country WE THE VOTERS are sending into office.

      Oh but wait we can all be like andy and just repeat the lines told to us and refure to face the more difficult truth.

  • So?

    BTW, SkoroBogatov means QuicklyRich. Hehe.

  • Ara

    To **** with them! why are we still dealing with them?

  • Ems

    read the paper, it is something that was put in by the designers not china…they say all their chips have similar back doors…

    • Roland

      I bought a spy camera on ebay. The seller and manufacturer were from China. I was unaware of the risk when I installed the software driver that comes along with the spy camera. During the time I was installing the software driver on my laptop, my Mcafee anti virus pops up a warning that indicate the software is a virus. I immediately remove the disk software and install an addition virus removal on my laptop computer. Most spy camera on ebay have this disk software drivers and its all made in China.

  • Dave Tobin IV

    thank pres clinton for giving us NAFTA thats were are jobs have gone and all the CEO’S that took there companies over seas so thay can make millions and have tons of cheap labor the our goverment only cares about money not whats best for the country

    • blight_

      “Following diplomatic negotiations dating back to 1986 among the three nations, the leaders met in San Antonio, Texas, on December 17, 1992, to sign NAFTA. U.S. President George H. W. Bush, Canadian Prime Minister Brian Mulroney and Mexican President Carlos Salinas, each responsible for spearheading and promoting the agreement, ceremonially signed it. The agreement then needed to be ratified by each nation’s legislative or parliamentary branch.
      Before the negotiations were finalized, Bill Clinton came into office in the U.S. and Kim Campbell in Canada, and before the agreement became law, Jean Chrétien had taken office in Canada.”

      Also found:

  • Old Navy

    Sell them more chop sticks. Build a giant military chip plant in the US. No non US made parts/materials (steel, Al) at all in any military aircraft/ships/trucks/radios, etc, etc, etc. And NO uniform parts. Being retired Navy and a Nam vet. a Navy recruiter gave me a Navy ball cap.,..”made in Nam”. Remember Chop Suey in not Chinese.

    • blight_

      We haven’t outsourced guns…yet.

      • guess

        Some companies have started out sourcing guns. :(

  • WRG01

    In our current culture of deregulation, cutting customs, FDA, FTC, etc budgets, this sort of threat is going to profligate. We must maintain our industrial and technological research, design and MANUFACTURING capabilities for national security, national defense, product safety, food safety and good paying middle income jobs that don’t necessarily require 4 or 7 or 9 years of post-HS educations. This is about our national future…in many ways.

  • Neal

    A local hat maker lost its contract in 2002 because it used wool from new Zealand because Quote
    “Federal law prohibits the use of foreign material in products made for the Defense Department. Lincoln said that Bancroft Cap is the only domestic beret producer for the U.S. Armed Services.”

    Why doesn’t this law apply to electronics? Wool from a very friendly country is security issue?

  • Neal

    A local hat maker lost its contract in 2002 because it used wool from new Zealand because Quote
    “Federal law prohibits the use of foreign material in products made for the Defense Department. Lincoln said that Bancroft Cap is the only domestic beret producer for the U.S. Armed Services.”

    Why doesn’t this law apply to electronics? Wool from a very friendly country is security issue?

  • Gunner

    Ok granted I’m not a pro on these chips but has anyone thought about the problems with the F-22 oxygen system being caused by one of these chips?
    Just an idea so if anyone knows if this is possible chime in.

    • blight_

      Talk to Honeywell about their OBOGS first, before looking at FPGA chips?

  • Kevin

    Worst part is…we’re going to continue buying this chinese garbage without batting an eyelash.

  • Indyson

    One EMP burst and all these devices are toast. Read this article carefully…you have to have physical access to the chip to utilize the designed-in backdoor feature. So, Jackie Chan must paraglide stealthly onto the back of an F-22 in flight, penetrate the fuselage, connect his clip-on chip contacts, connect this to a programming device and…what?…erase the warning message for the ejection seat? I just wasted 15 minutes of my life reading and analyzing all this.

  • Roland

    I bought a spy camera on ebay. The seller and manufacturer were from China. I was unaware if the risk when I installed the software driver that comes along with the spy camera. During the time I was installing the software driver, my Mcafee anti virus pops up a warning on my laptop. I immediately remove the disk software and install an addition virus removal on my laptop computer. Most spy camera on ebay have this disk software drivers and its all made in China.

  • john

    Lesson for the US: China is a trojan…can’t trust those communists

  • Ht2haskins

    All American military. Hardware should be made in America these fools who outsource should be executed for treason.oh also starship troopers had it right. Your only a citizen of your country if you r a veteran imagine how right this country would be.

    • blight_

      In the book, this was *all* federal service, not just Mobile Infantry or Fleet service. Heinlein included everyone, down to the person testing survival gear on the moon, teachers and volunteer test subjects. I suspect even Heinlein knew that trading a lazy democracy for a military aristocracy wasn’t going to work either. What is a civilian-controlled military where the only civilians who exert control are ex-military?

      Full citizenship was the vote and political office.

  • Shindigs

    Probably in routers for sequence hijacking

  • EJD

    Don’t do weapons! So, the back doors won’t will be a problem, only another way to debug the system.

  • The DAP controller is design by Microsemi , they definition for each combination of pass code , instruction and whole designs . They finish in US. Chinese factory just made it follow the original design. What’s wrong with Chinese workers and factories??? Stupid!!!!