Proof That Military Chips From China Are Infected?

For years, everyone has warned that counterfeit microchips made in China and installed on American military hardware could contain viruses or secret backdoors granting the Chinese military cyber access to  U.S. weapons systems. These warnings/predictions recently expanded beyond counterfeit parts, now we’re worried that any Chinese-made components could be infected. The problem was that until this week, these warnings were educated guesses and theories. Well, a scientist at Cambridge University in the United Kingdom claims to have developed a software program proving that China — and anyone else — can, and is, installing cyber backdoors on some of the world’s most secure, “military grade” microchips.

Specifically, the  American-designed, Chinese-made Actel/Microsemi ProASIC3 A3P250 — commonly known as the PA3 — chip was found by Cambridge researcher, Sergei Skorobogatov, to have a backdoor, or trojan, deliberately built into it. The PA3 is what’s called a Field Reprogrammable Gate Array (FRGA); an almost blank slate of a microchip that can be programmed by its owner to perform a variety of tasks.

Most alarming is that the PA3 is considered to be one of the “most impenetrable” designs on the market. The chip is used in military “weapons, guidance, flight control, networking and communications” hardware, according to Skorobogatov’s report on his findings that was published last weekend. The PA3 is also used in civilian “nuclear power plants, power distribution, aerospace, aviation, public transport and automotive products,” according to Skorobogatov.

(In an example of just how military-grade these chips are supposed to be, the image above is actually taken from Actel/Microsemi’s promotional material for the PA3)

Basically, Chinese cyber spies can gain use the chip’s built-in malware to decipher military passcodes and gain remote access to the chip and reprogram it to do their bidding; “permitting a new and disturbing possibility of a large-scale Stuxnet-type attack via a network or the Internet on the silicon itself,” reads his report.

The worst part, this backdoor, installed on chips used on critical weapons systems and public infrastructure around the word, is almost impossible to remove from the chip since, well, it was built into the device during manufacturing. That mean’s you can’t just issue a software patch to repair the vulnerability.

The backdoor is close to impossible to fix on chips already deployed because, unlike software bugs in a PC Operating System, you cannot issue a patch to fix this. Instead one has to replace all the hardware which could be extremely expensive. It may simply be a matter of time before this backdoor opportunity, which has the potential to impact on many critical systems, isexploited.Having a security related backdoor on a silicon chip jeopardises any efforts of adding software level protection. This is because an attacker can use the underlying hardware to circumvent the software countermeasures.

So uh yeah, this stuff is everywhere. When people warn of the potential for widespread disruption from cyber espionage and warfare, they’re not just crying wolf. Makes you feel safe, huh?

Here’s Skorobogatov’s full report where you’ll learn how the backdoors are installed and activated.

Backdoors Embedded in DoD Microchips From China

  • Andy

    Please jail the companies CEO’s….

  • Musson

    I guess it was just too hard to check for these backdoors?

    So, manufacturers just assumed they were not there.

  • blight_

    Scanning the JTAG command field for any unknown commands by checking the length of the associated DR register revealed an interesting picture. There were plenty of commands for which the associated DR register has a length different from one, hence, used by the JTAG engine. Figure 4a shows some of these registers with the light ones being known from STAPL file analysis, and the dark ones showing newly discovered registers. Not only that, but some registers were impossible to update with a new data suggesting that these registers wererepresenting a ROM (Read-Only Memory) (Figure 4b). This did make some senseas we learned about FROW memory from the STAPL file, from which only onerow was actually read, but three address bits allowed eight rows to be accessed. All those hidden and non-updatable registers were found to be imprinted into certain locations in FROW memory. However, every single PA3 chip has unique valuesstored in FROW and, hence, in hidden registers suggesting that this memory was initialised at a factory and then locked against overwriting. Now we knew for surethat there is some hidden functionality in the PA3 chips[…]
    At this point we went back to those JTAG registers which were non-updatable aswell as FROW to check whether we could change their values. Once the backdoor feature was unlocked, many of these registers became volatile and the FROW wasreprogrammable as a normal Flash memory. Actel has a strong claim that
    ‘configuration files cannot be read back via JTAG or any other method’
    in the PA3and in their other latest generation Flash FPGAs [18]. Hence, they claim, they are extremely secure because the readback access is not implemented. We discovered that in fact Actel did implement such an access, with a special key used for activation

  • blight_

    What’s disturbing is that Actel and Microsemi on the surface seem to be fairly “American” companies. Actel was acquired by Microsemi, an “American” company founded in the ’60s.

    A counter-response to this post:

  • vok

    Actel and its parent company Microsemi are fabless chip vendors. In other words, they don’t own any manufacturing plant. They design ASIC/FPGA in house, source the production to Asia based foundry. What happens inside fab is everyone’s guess.

  • Jared

    They likely did not implement the JTAG block themselves, but rather licensed one and put it on the chip. I would like to know who designed the JTAG block on the FPGA.

    Also note: exploit requires physical access.

    There are solutions to this problem:
    1) don’t put JTAG TAP on production boards
    2) program FPGA’s state-side and then flow them on the board.

    JTAG TAPs are usually a vulnerable point. Phones have them, your Xbox has one, your car has them, etc.

  • Red

    A law should be passed requiring ALL American military equipment to contain nothing but 100% American-made content.

    • Xenophobe?

      Made by migrant illegal Mexicans

      • blight_

        Well, they’re not as threatening as evil Chinamen?

    • Jared

      This would be a very costly activity, but I would like to see fabrication facilities mirrored in the States for microchip fab.

      • blight_

        It could only make sense with enough demand for American fab. Economies of scale and fast delivery could bring the price down enough to compete, but not before then.

        If you located the fab by a rail/air hub, it would also be a bonus.

        • vok

          That’s not true. US demand for semiconductor related products still runs strong. We are second largest consumer of microchips. In contrast, Taiwan has very small domestic market and yet developed the highest contraction of fabs. Similar situation can be found in South Korea.

          Building and operating a leading edge semiconductor fab is extremely expensive, even large size corporations can’t afford it save for a very few multi-nationals. The profit margin for chip fabrication is low in comparison to other activities. On top of that, manufacturing cost is your #1 overhead in microelectronic business, outsource makes “perfect sense” for fabless model.

      • RagingDragon

        Intel, IBM and Global Foundries have microchip fabs in the US. The latter two regularly manufacture chips for fabless design companies, and Intel have hinted that they might enter this market. I believe Global Foundries are the #2 player in this market after after the Taiwanese based TSMC, though the largest Global Foundries shareholder is the government of Abu Dahbi so trust might be an issue there as well.

    • KarlW

      That would fall foul of free trade agreements. A “Buy American” clause will provoke a tit for tat from other nations. Note that America is usually first to complain VERY loudly if it’s defense industry is excluded in a foreign military tender. Given that US defense exports are huge, imagine the outcry if America can’t sell abroad. Gotta see the whole picture, guys.
      That’s not the same as insisting on back-door-free products, though.
      (Question: how much American stuff sold abroad has a backdoor accessible by America only, I wonder?)

    • STemplar

      You’d need a law first stating we need to build the manufacturing infrastructure to do it.

  • Sam

    Serves America right for buying this stuff from the Chinese. Idiots.

    • Black Owl

      I hate to say it, but you’re completely right. We have been stupid in this.

  • DB-1

    This is totally our fault for out sourcing all our manufacturing in the name of cheap labor, makes you really believe the phrase that “you get what you pay for”

    • Mat

      Ironiy is that you are paying way more than you should ,just mayor part of the cost are lobiyst fees and retired generals that turn CEO’s and board members after years of making certain right companys products are bought.
      Legalised corruption in US is simply amazing

  • Black Owl

    When people have trouble getting jobs I used to think it was entirely their fault (and a good part of it is in most cases); however, when I asked a smart friend “where did all the good jobs in factories and manufacturing go?” he replied, “We sold all those job to China.” He was mostly joking with me at the time, but he was right. We need to stop selling those jobs to the Chinese and start training Americans right here in the states for those jobs. Crap like this would never have happened if all of our manufacturing was done in China.

  • Tad

    That outsourcing is working out really swell, ain’t it?

  • Pat

    Fuck China

  • Jazz ism

    I agree with the concept of making Mexico our manufacturing base. More secured supply and the average Mexican making good money and dropping off crime and less influence the cartel has makin them weaker. Dump China. They take enough of our money.

  • IronV

    The single freaking scariest thing I’ve ever read about the rise of China. These bastards will, literally , stop at nothing.

  • Mark


    This is a wake-up call.

    China is our enemy.

    The only thing we should be buying from China are egg rolls.

    • Paralus

      We’d have to check them for mercury and other heavy metals

      • d. kellogg

        Well we already learned previously they thought little of spiking pet foods with chemicals lethal to pets in high doses, all for the sake of mimicking nutritional content.
        We’ve already seen toxic levels of chemical contaminants making children’ toys extremely flammable and dinnerware (plates, cups, and cookery utensils) too toxic to eat from,
        why would we expect any less that they wouldn’t longterm poison or taint people food as well?

        Give it time, a story of it will break eventually.

  • spastic88

    can’t we just hit Ctrl + Alt + Delete?

  • ltfunk

    Just another cyberweenies with a vested interest calling wolf.

    Not unusual, not military rated, not common and not a problem – but dont let that stop you worrying.

  • Tribulationtime

    I agree with the very first post. Meanwhile they stay outside…don´t bother in change chips.

    Well WE CAN LAUNCH A PREVENTIVE ATTACK. Whoever win we don´t need the weapons anymore.

  • Bush

    China > American

  • Lance

    With that pic makes me think is the F-22 Oxygen system made in China??????

  • Belesari

    China basicly builds all the factories for them and streamlines the building process by not stringing out the factories through 20 different states? This makes them cheaper!

    My god a country that has the worst record on earth of industrial espionage and is supplying our enemies with weapons is spying on us!!!!!!

    Well damnit we should do that. Though the factories will have to be in 30 different states to make something made in a single city in china driving up its cost 200%. And we will tax the hell out of the corperations who will mostly use the insane amounts of loopholes to avoid paying it.

    Meanwhile our politicians will continue getting bought by chinese corperations and government groups (clinton and friends) and we will demand the heads of the CEO’s while reelect the same idiots who ended up doing this crap in the first place.

    Get a mirror, either hang that guy or get a clue and start making sure that the people you vote for are doing what is best for the country in the best way maybe not the most ideologicaly Pure way but in the way most realisitic and best able to benefit the country in all.

  • So?

    BTW, SkoroBogatov means QuicklyRich. Hehe.

  • Ara

    To **** with them! why are we still dealing with them?

  • Ems

    read the paper, it is something that was put in by the designers not china…they say all their chips have similar back doors…

  • Dave Tobin IV

    thank pres clinton for giving us NAFTA thats were are jobs have gone and all the CEO’S that took there companies over seas so thay can make millions and have tons of cheap labor the our goverment only cares about money not whats best for the country

  • Old Navy

    Sell them more chop sticks. Build a giant military chip plant in the US. No non US made parts/materials (steel, Al) at all in any military aircraft/ships/trucks/radios, etc, etc, etc. And NO uniform parts. Being retired Navy and a Nam vet. a Navy recruiter gave me a Navy ball cap.,..”made in Nam”. Remember Chop Suey in not Chinese.

    • blight_

      We haven’t outsourced guns…yet.

  • WRG01

    In our current culture of deregulation, cutting customs, FDA, FTC, etc budgets, this sort of threat is going to profligate. We must maintain our industrial and technological research, design and MANUFACTURING capabilities for national security, national defense, product safety, food safety and good paying middle income jobs that don’t necessarily require 4 or 7 or 9 years of post-HS educations. This is about our national future…in many ways.

  • Neal

    A local hat maker lost its contract in 2002 because it used wool from new Zealand because Quote
    “Federal law prohibits the use of foreign material in products made for the Defense Department. Lincoln said that Bancroft Cap is the only domestic beret producer for the U.S. Armed Services.”

    Why doesn’t this law apply to electronics? Wool from a very friendly country is security issue?

  • Neal

    A local hat maker lost its contract in 2002 because it used wool from new Zealand because Quote
    “Federal law prohibits the use of foreign material in products made for the Defense Department. Lincoln said that Bancroft Cap is the only domestic beret producer for the U.S. Armed Services.”

    Why doesn’t this law apply to electronics? Wool from a very friendly country is security issue?

  • Gunner

    Ok granted I’m not a pro on these chips but has anyone thought about the problems with the F-22 oxygen system being caused by one of these chips?
    Just an idea so if anyone knows if this is possible chime in.

  • Kevin

    Worst part is…we’re going to continue buying this chinese garbage without batting an eyelash.

  • Indyson

    One EMP burst and all these devices are toast. Read this article carefully…you have to have physical access to the chip to utilize the designed-in backdoor feature. So, Jackie Chan must paraglide stealthly onto the back of an F-22 in flight, penetrate the fuselage, connect his clip-on chip contacts, connect this to a programming device and…what?…erase the warning message for the ejection seat? I just wasted 15 minutes of my life reading and analyzing all this.

  • Roland

    I bought a spy camera on ebay. The seller and manufacturer were from China. I was unaware if the risk when I installed the software driver that comes along with the spy camera. During the time I was installing the software driver, my Mcafee anti virus pops up a warning on my laptop. I immediately remove the disk software and install an addition virus removal on my laptop computer. Most spy camera on ebay have this disk software drivers and its all made in China.

  • john

    Lesson for the US: China is a trojan…can’t trust those communists

  • Ht2haskins

    All American military. Hardware should be made in America these fools who outsource should be executed for treason.oh also starship troopers had it right. Your only a citizen of your country if you r a veteran imagine how right this country would be.

  • Shindigs

    Probably in routers for sequence hijacking

  • EJD

    Don’t do weapons! So, the back doors won’t will be a problem, only another way to debug the system.

  • The DAP controller is design by Microsemi , they definition for each combination of pass code , instruction and whole designs . They finish in US. Chinese factory just made it follow the original design. What’s wrong with Chinese workers and factories??? Stupid!!!!