Home » News » Around the Globe » Proof That Military Chips From China Are Infected?

Proof That Military Chips From China Are Infected?

by John Reed on May 30, 2012

For years, everyone has warned that counterfeit microchips made in China and installed on American military hardware could contain viruses or secret backdoors granting the Chinese military cyber access to  U.S. weapons systems. These warnings/predictions recently expanded beyond counterfeit parts, now we’re worried that any Chinese-made components could be infected. The problem was that until this week, these warnings were educated guesses and theories. Well, a scientist at Cambridge University in the United Kingdom claims to have developed a software program proving that China — and anyone else — can, and is, installing cyber backdoors on some of the world’s most secure, “military grade” microchips.

Specifically, the  American-designed, Chinese-made Actel/Microsemi ProASIC3 A3P250 — commonly known as the PA3 — chip was found by Cambridge researcher, Sergei Skorobogatov, to have a backdoor, or trojan, deliberately built into it. The PA3 is what’s called a Field Reprogrammable Gate Array (FRGA); an almost blank slate of a microchip that can be programmed by its owner to perform a variety of tasks.

Most alarming is that the PA3 is considered to be one of the “most impenetrable” designs on the market. The chip is used in military “weapons, guidance, flight control, networking and communications” hardware, according to Skorobogatov’s report on his findings that was published last weekend. The PA3 is also used in civilian “nuclear power plants, power distribution, aerospace, aviation, public transport and automotive products,” according to Skorobogatov.

(In an example of just how military-grade these chips are supposed to be, the image above is actually taken from Actel/Microsemi’s promotional material for the PA3)

Basically, Chinese cyber spies can gain use the chip’s built-in malware to decipher military passcodes and gain remote access to the chip and reprogram it to do their bidding; “permitting a new and disturbing possibility of a large-scale Stuxnet-type attack via a network or the Internet on the silicon itself,” reads his report.

The worst part, this backdoor, installed on chips used on critical weapons systems and public infrastructure around the word, is almost impossible to remove from the chip since, well, it was built into the device during manufacturing. That mean’s you can’t just issue a software patch to repair the vulnerability.

The backdoor is close to impossible to fix on chips already deployed because, unlike software bugs in a PC Operating System, you cannot issue a patch to fix this. Instead one has to replace all the hardware which could be extremely expensive. It may simply be a matter of time before this backdoor opportunity, which has the potential to impact on many critical systems, isexploited.Having a security related backdoor on a silicon chip jeopardises any efforts of adding software level protection. This is because an attacker can use the underlying hardware to circumvent the software countermeasures.

So uh yeah, this stuff is everywhere. When people warn of the potential for widespread disruption from cyber espionage and warfare, they’re not just crying wolf. Makes you feel safe, huh?

Here’s Skorobogatov’s full report where you’ll learn how the backdoors are installed and activated.

Backdoors Embedded in DoD Microchips From China

Share |

{ 83 comments… read them below or add one }

Andy May 30, 2012 at 11:37 am

Please jail the companies CEO's….

Reply

STemplar May 30, 2012 at 12:21 pm

How about stand them up against a wall and shoot them?

Reply

DB-1 May 30, 2012 at 12:26 pm

How about try them for treason first, then stand them up against a wall and shoot them.

Reply

Josh May 30, 2012 at 2:28 pm

All of your ideas sound amazing and very fitting. Producing all of our high tech vehicles and gadgets in China has always struck me as possibly the stupidest thing anyone could do. Cheaper production costs over national security issues…hmm they really weighed out the pros and cons to that one real well it seems! Haha

Reply

Andy May 30, 2012 at 3:46 pm

Cheaper production costs …….

CEO'S GREED BASTER

Josh May 30, 2012 at 2:29 pm

All of your ideas sound amazing and very fitting. Producing all of our high tech vehicles and gadgets in China has always struck me as the most idiotic thing anyone could do. Cheaper production costs over national security issues…hmm they really weighed out the pros and cons to that one real well it seems! Haha

Reply

JamalTheBanker May 30, 2012 at 1:36 pm

Die Hard 4 anyone?

Reply

steve May 31, 2012 at 9:51 am

This is the end result of of "off Shore Procurement" for Military hardware. This should NEVER have been authorized by anyone in Our Military, or Our Government! This is a potential enemy, and we seem hell bent to fall within their plans of eventual conquest!
Providing faulty equipment of any sort is the place to start….Choice targeting, anything electronic, which shows up later than immediately? What fools these mortals be…We have a bundle full of them!!!!!!!

Reply

Musson May 30, 2012 at 11:38 am

I guess it was just too hard to check for these backdoors?

So, manufacturers just assumed they were not there.

Reply

blight_ May 30, 2012 at 11:39 am

Scanning the JTAG command field for any unknown commands by checking the length of the associated DR register revealed an interesting picture. There were plenty of commands for which the associated DR register has a length different from one, hence, used by the JTAG engine. Figure 4a shows some of these registers with the light ones being known from STAPL file analysis, and the dark ones showing newly discovered registers. Not only that, but some registers were impossible to update with a new data suggesting that these registers wererepresenting a ROM (Read-Only Memory) (Figure 4b). This did make some senseas we learned about FROW memory from the STAPL file, from which only onerow was actually read, but three address bits allowed eight rows to be accessed. All those hidden and non-updatable registers were found to be imprinted into certain locations in FROW memory. However, every single PA3 chip has unique valuesstored in FROW and, hence, in hidden registers suggesting that this memory was initialised at a factory and then locked against overwriting. Now we knew for surethat there is some hidden functionality in the PA3 chips[...]
At this point we went back to those JTAG registers which were non-updatable aswell as FROW to check whether we could change their values. Once the backdoor feature was unlocked, many of these registers became volatile and the FROW wasreprogrammable as a normal Flash memory. Actel has a strong claim that
'configuration files cannot be read back via JTAG or any other method'
in the PA3and in their other latest generation Flash FPGAs [18]. Hence, they claim, they are extremely secure because the readback access is not implemented. We discovered that in fact Actel did implement such an access, with a special key used for activation

Reply

blight_ May 30, 2012 at 11:45 am

What's disturbing is that Actel and Microsemi on the surface seem to be fairly "American" companies. Actel was acquired by Microsemi, an "American" company founded in the '60s.

A counter-response to this post:
http://erratasec.blogspot.com/2012/05/bogus-story

Reply

vok May 30, 2012 at 12:04 pm

Actel and its parent company Microsemi are fabless chip vendors. In other words, they don't own any manufacturing plant. They design ASIC/FPGA in house, source the production to Asia based foundry. What happens inside fab is everyone’s guess.

Reply

Jared May 30, 2012 at 12:11 pm

They likely did not implement the JTAG block themselves, but rather licensed one and put it on the chip. I would like to know who designed the JTAG block on the FPGA.

Also note: exploit requires physical access.

There are solutions to this problem:
1) don't put JTAG TAP on production boards
2) program FPGA's state-side and then flow them on the board.

JTAG TAPs are usually a vulnerable point. Phones have them, your Xbox has one, your car has them, etc.

Reply

blight_ May 30, 2012 at 12:15 pm

Your internet router has one. I was going to flash my netgear with dd-wrt, one of the fixes after bricking uses JTAG. I was wondering what that stuff meant…

Reply

Jared May 30, 2012 at 12:21 pm

unbricking is a very common use for the JTAG interface. I have a nice USB JTAG for connecting to Texas Instruments DSPs, very nice for real-time debugging the target (motor controller in this case) from my laptop. Lets you see pretty much everything going on inside the chip.

Reply

blight_ May 31, 2012 at 9:19 am

Jared: Cars have a JTAG interface? I know of the ODB, but I assume it's something in what various manufacturers call the Powertrain Control Module, or the Electronic Control Module, etc?

Reply

Red May 30, 2012 at 12:13 pm

A law should be passed requiring ALL American military equipment to contain nothing but 100% American-made content.

Reply

Xenophobe? May 30, 2012 at 12:16 pm

Made by migrant illegal Mexicans

Reply

blight_ May 30, 2012 at 12:20 pm

Well, they're not as threatening as evil Chinamen?

Reply

Jared May 30, 2012 at 12:17 pm

This would be a very costly activity, but I would like to see fabrication facilities mirrored in the States for microchip fab.

Reply

blight_ May 30, 2012 at 12:25 pm

It could only make sense with enough demand for American fab. Economies of scale and fast delivery could bring the price down enough to compete, but not before then.

If you located the fab by a rail/air hub, it would also be a bonus.

Reply

vok May 30, 2012 at 12:34 pm

That's not true. US demand for semiconductor related products still runs strong. We are second largest consumer of microchips. In contrast, Taiwan has very small domestic market and yet developed the highest contraction of fabs. Similar situation can be found in South Korea.

Building and operating a leading edge semiconductor fab is extremely expensive, even large size corporations can’t afford it save for a very few multi-nationals. The profit margin for chip fabrication is low in comparison to other activities. On top of that, manufacturing cost is your #1 overhead in microelectronic business, outsource makes “perfect sense” for fabless model.

Reply

blight_ May 30, 2012 at 12:43 pm

We might be out of phase here. When I said "It could only make sense with enough demand for American fab", I meant American manufacturing, not consumption. That said, American "consumption" is probably referring to end products consumed here in the United States, but still made overseas.

RagingDragon May 30, 2012 at 8:19 pm

Intel, IBM and Global Foundries have microchip fabs in the US. The latter two regularly manufacture chips for fabless design companies, and Intel have hinted that they might enter this market. I believe Global Foundries are the #2 player in this market after after the Taiwanese based TSMC, though the largest Global Foundries shareholder is the government of Abu Dahbi so trust might be an issue there as well.

Reply

blight_ May 31, 2012 at 9:18 am

Abu Dhabi is part of the UAE. While we trust Bahrain with a massive CENTCOM presence; there's nothing to suggest the UAE is a Bad Guy.

Reply

vok May 31, 2012 at 9:12 pm

More importantly, Global Foundries advanced fabs are outside of US, most in Germany as a legacy of AMD's glory past, the rest are based in Singapore. IBM is a non-player in IC business. It's fab in upstate NY is nothing more than an R&D lab. The big blue tried to break into foundry business and failed big time.

Reply

KarlW May 30, 2012 at 6:43 pm

That would fall foul of free trade agreements. A "Buy American" clause will provoke a tit for tat from other nations. Note that America is usually first to complain VERY loudly if it's defense industry is excluded in a foreign military tender. Given that US defense exports are huge, imagine the outcry if America can't sell abroad. Gotta see the whole picture, guys.
That's not the same as insisting on back-door-free products, though.
(Question: how much American stuff sold abroad has a backdoor accessible by America only, I wonder?)

Reply

STemplar May 31, 2012 at 10:14 am

You'd need a law first stating we need to build the manufacturing infrastructure to do it.

Reply

Sam May 30, 2012 at 12:16 pm

Serves America right for buying this stuff from the Chinese. Idiots.

Reply

Black Owl May 30, 2012 at 12:48 pm

I hate to say it, but you're completely right. We have been stupid in this.

Reply

DB-1 May 30, 2012 at 12:32 pm

This is totally our fault for out sourcing all our manufacturing in the name of cheap labor, makes you really believe the phrase that "you get what you pay for"

Reply

Mat May 30, 2012 at 12:54 pm

Ironiy is that you are paying way more than you should ,just mayor part of the cost are lobiyst fees and retired generals that turn CEO's and board members after years of making certain right companys products are bought.
Legalised corruption in US is simply amazing

Reply

Black Owl May 30, 2012 at 12:52 pm

When people have trouble getting jobs I used to think it was entirely their fault (and a good part of it is in most cases); however, when I asked a smart friend "where did all the good jobs in factories and manufacturing go?" he replied, "We sold all those job to China." He was mostly joking with me at the time, but he was right. We need to stop selling those jobs to the Chinese and start training Americans right here in the states for those jobs. Crap like this would never have happened if all of our manufacturing was done in China.

Reply

Black Owl May 30, 2012 at 1:03 pm

*…was done in America.

Reply

TrustButVerify May 31, 2012 at 2:45 am

As I understand it, this will be feasible as soon as you can get American manufacturing workers to work for Chinese wages.

Reply

blight_ May 31, 2012 at 9:15 am

Hence the plan to abolish minimum wage and eliminate regulatory oversight.

Of course, we still need "safety nets" on the rooftops…

Reply

Tad May 30, 2012 at 1:22 pm

That outsourcing is working out really swell, ain't it?

Reply

Pat May 30, 2012 at 1:34 pm

Fuck China

Reply

Jazz ism May 30, 2012 at 2:27 pm

I agree with the concept of making Mexico our manufacturing base. More secured supply and the average Mexican making good money and dropping off crime and less influence the cartel has makin them weaker. Dump China. They take enough of our money.

Reply

IronV May 30, 2012 at 2:30 pm

The single freaking scariest thing I've ever read about the rise of China. These bastards will, literally , stop at nothing.

Reply

Mark May 30, 2012 at 2:37 pm

Good.

This is a wake-up call.

China is our enemy.

The only thing we should be buying from China are egg rolls.

Reply

Paralus May 30, 2012 at 6:08 pm

We'd have to check them for mercury and other heavy metals

Reply

spastic88 May 30, 2012 at 2:53 pm

can't we just hit Ctrl + Alt + Delete?

Reply

ltfunk May 30, 2012 at 3:54 pm

Just another cyberweenies with a vested interest calling wolf.

Not unusual, not military rated, not common and not a problem – but dont let that stop you worrying.

Reply

Tribulationtime May 30, 2012 at 4:10 pm

I agree with the very first post. Meanwhile they stay outside…don´t bother in change chips.

Well WE CAN LAUNCH A PREVENTIVE ATTACK. Whoever win we don´t need the weapons anymore.

Reply

Bush May 30, 2012 at 4:11 pm

China > American

Reply

Lance May 30, 2012 at 4:34 pm

With that pic makes me think is the F-22 Oxygen system made in China??????

Reply

Belesari May 30, 2012 at 4:37 pm

China basicly builds all the factories for them and streamlines the building process by not stringing out the factories through 20 different states? This makes them cheaper!

My god a country that has the worst record on earth of industrial espionage and is supplying our enemies with weapons is spying on us!!!!!!

Well damnit we should do that. Though the factories will have to be in 30 different states to make something made in a single city in china driving up its cost 200%. And we will tax the hell out of the corperations who will mostly use the insane amounts of loopholes to avoid paying it.

Meanwhile our politicians will continue getting bought by chinese corperations and government groups (clinton and friends) and we will demand the heads of the CEO's while reelect the same idiots who ended up doing this crap in the first place.

Get a mirror, either hang that guy or get a clue and start making sure that the people you vote for are doing what is best for the country in the best way maybe not the most ideologicaly Pure way but in the way most realisitic and best able to benefit the country in all.

Reply

Belesari May 30, 2012 at 4:39 pm

This would all require us to admit the current problems with the economy, culture, DoD, politics, jobs, etc all stem from those dipsh*ts in washington and around the country WE THE VOTERS are sending into office.

Oh but wait we can all be like andy and just repeat the lines told to us and refure to face the more difficult truth.

Reply

So? May 30, 2012 at 8:44 pm

BTW, SkoroBogatov means QuicklyRich. Hehe.

Reply

Ara May 30, 2012 at 10:30 pm

To **** with them! why are we still dealing with them?

Reply

Ems May 30, 2012 at 11:21 pm

read the paper, it is something that was put in by the designers not china…they say all their chips have similar back doors…

Reply

Roland June 2, 2012 at 3:57 am

I bought a spy camera on ebay. The seller and manufacturer were from China. I was unaware of the risk when I installed the software driver that comes along with the spy camera. During the time I was installing the software driver on my laptop, my Mcafee anti virus pops up a warning that indicate the software is a virus. I immediately remove the disk software and install an addition virus removal on my laptop computer. Most spy camera on ebay have this disk software drivers and its all made in China.

Reply

Dave Tobin IV May 31, 2012 at 1:31 am

thank pres clinton for giving us NAFTA thats were are jobs have gone and all the CEO'S that took there companies over seas so thay can make millions and have tons of cheap labor the our goverment only cares about money not whats best for the country

Reply

blight_ May 31, 2012 at 4:28 pm

http://en.wikipedia.org/wiki/North_American_Free_

"Following diplomatic negotiations dating back to 1986 among the three nations, the leaders met in San Antonio, Texas, on December 17, 1992, to sign NAFTA. U.S. President George H. W. Bush, Canadian Prime Minister Brian Mulroney and Mexican President Carlos Salinas, each responsible for spearheading and promoting the agreement, ceremonially signed it. The agreement then needed to be ratified by each nation's legislative or parliamentary branch.
Before the negotiations were finalized, Bill Clinton came into office in the U.S. and Kim Campbell in Canada, and before the agreement became law, Jean Chrétien had taken office in Canada."

Also found: http://www.ustr.gov/sites/default/files/NAFTA-Myt

Reply

Old Navy May 31, 2012 at 9:09 am

Sell them more chop sticks. Build a giant military chip plant in the US. No non US made parts/materials (steel, Al) at all in any military aircraft/ships/trucks/radios, etc, etc, etc. And NO uniform parts. Being retired Navy and a Nam vet. a Navy recruiter gave me a Navy ball cap.,.."made in Nam". Remember Chop Suey in not Chinese.

Reply

blight_ May 31, 2012 at 9:14 am

We haven't outsourced guns…yet.

Reply

guess May 31, 2012 at 6:23 pm

Some companies have started out sourcing guns. :(

Reply

WRG01 May 31, 2012 at 9:53 am

In our current culture of deregulation, cutting customs, FDA, FTC, etc budgets, this sort of threat is going to profligate. We must maintain our industrial and technological research, design and MANUFACTURING capabilities for national security, national defense, product safety, food safety and good paying middle income jobs that don't necessarily require 4 or 7 or 9 years of post-HS educations. This is about our national future…in many ways.

Reply

Neal May 31, 2012 at 10:29 am

A local hat maker lost its contract in 2002 because it used wool from new Zealand because Quote
“Federal law prohibits the use of foreign material in products made for the Defense Department. Lincoln said that Bancroft Cap is the only domestic beret producer for the U.S. Armed Services.”

Why doesn’t this law apply to electronics? Wool from a very friendly country is security issue?

Reply

Neal May 31, 2012 at 10:30 am

A local hat maker lost its contract in 2002 because it used wool from new Zealand because Quote
“Federal law prohibits the use of foreign material in products made for the Defense Department. Lincoln said that Bancroft Cap is the only domestic beret producer for the U.S. Armed Services.”

Why doesn’t this law apply to electronics? Wool from a very friendly country is security issue?

Reply

Gunner May 31, 2012 at 11:27 am

Ok granted I'm not a pro on these chips but has anyone thought about the problems with the F-22 oxygen system being caused by one of these chips?
Just an idea so if anyone knows if this is possible chime in.

Reply

blight_ May 31, 2012 at 4:26 pm

Talk to Honeywell about their OBOGS first, before looking at FPGA chips?

Reply

Kevin June 1, 2012 at 2:24 am

Worst part is…we’re going to continue buying this chinese garbage without batting an eyelash.

Reply

Indyson June 1, 2012 at 10:11 am

One EMP burst and all these devices are toast. Read this article carefully…you have to have physical access to the chip to utilize the designed-in backdoor feature. So, Jackie Chan must paraglide stealthly onto the back of an F-22 in flight, penetrate the fuselage, connect his clip-on chip contacts, connect this to a programming device and…what?…erase the warning message for the ejection seat? I just wasted 15 minutes of my life reading and analyzing all this.

Reply

Roland June 2, 2012 at 3:46 am

I bought a spy camera on ebay. The seller and manufacturer were from China. I was unaware if the risk when I installed the software driver that comes along with the spy camera. During the time I was installing the software driver, my Mcafee anti virus pops up a warning on my laptop. I immediately remove the disk software and install an addition virus removal on my laptop computer. Most spy camera on ebay have this disk software drivers and its all made in China.

Reply

john June 7, 2012 at 1:33 am

Lesson for the US: China is a trojan…can't trust those communists

Reply

Ht2haskins August 25, 2012 at 4:04 pm

All American military. Hardware should be made in America these fools who outsource should be executed for treason.oh also starship troopers had it right. Your only a citizen of your country if you r a veteran imagine how right this country would be.

Reply

blight_ August 25, 2012 at 4:09 pm

In the book, this was *all* federal service, not just Mobile Infantry or Fleet service. Heinlein included everyone, down to the person testing survival gear on the moon, teachers and volunteer test subjects. I suspect even Heinlein knew that trading a lazy democracy for a military aristocracy wasn't going to work either. What is a civilian-controlled military where the only civilians who exert control are ex-military?

Full citizenship was the vote and political office.

Reply

Shindigs October 19, 2012 at 11:49 pm

Probably in routers for sequence hijacking

Reply

EJD April 10, 2013 at 3:02 pm

Don't do weapons! So, the back doors won't will be a problem, only another way to debug the system.

Reply

McPosterdoor May 30, 2012 at 11:42 am

We have them by the long and pointy's.

"Two years after China joined the WTO in 2001, China has approved the direct import of American chicken feet and since then, China has been the major destination of chicken feet from around the globe."
http://en.wikipedia.org/wiki/Chicken_feet

Reply

blight_ May 30, 2012 at 11:49 am

Go to any dim sum here in the states. Chicken feet.

Reply

Jared May 30, 2012 at 12:22 pm

i'll stick to dumplings.

Reply

blight_ May 30, 2012 at 12:47 pm

I'm a shumai guy myself.

Reply

vok May 30, 2012 at 12:57 pm

Read my original response, US is number 2 consumers of microchips, I don’t mean by number 2 consumer of microchip enabled end products. For the later, I would assume US is way ahead of any nations. Apple alone counts for at least 10% of global electronic supply chain. Supply and demand doesn’t matter in manufacturing anymore. If an American company decides it’s cheaper to produce the products overseas and improves its bottom line, it will re-locate production line. US is the only industrialized nation doesn’t have a comprehensive industrial policy which promotes and protect domestic based production. Germany and Japan both have high if not higher costs than US due to better worker compensation and stronger unions. If you don’t see companies from these countries move their entire production bases to China or other developing countries.

Reply

blight_ May 30, 2012 at 1:03 pm

Hmm; who's consuming the chips within the United States if so much of the industry has moved overseas; thus making sense to co-locate chip manufacturers near the manufacturers making product for end users?

And agreed, that America's "free market" system is against protections on domestic production. Even people who rail against NAFTA on one hand talk about the glories of the free market on the other.

That said, the products that are made here tend to be higher margin products that justify local production. Aircraft have yet to be outsourced, though perhaps this may change.

Reply

Praetorian May 30, 2012 at 1:24 pm
blight_ May 31, 2012 at 9:16 am

Would this fab use COTS designs? Then you have to trust commercial designers too, or in-house that as well.

That said, if we go with these FPGA's, and since they are fairly flexible one can just build them en masse. Beats custom design which is hard to make profitable every time.

Reply

blight_ May 31, 2012 at 4:26 pm

So Medtronic et al, Boeing et al, Lockmart et al, GM et al?

Reply

Dfens May 31, 2012 at 11:27 pm

Yes! See, there's nothing to fear. China is our friend. Remember how the New York times kept publishing those stories about lead in toys and anti-freeze in medicines? Then China bought the New York times and the problems all magically solved themselves. Isn't that great?

Reply

icedrake May 31, 2012 at 11:34 pm

Oh, now I see it. Of course, paranoia trumps facts. Thank you for clarifying that one for us, Dfens. You still maintaining that surveillance post in case the Martians come to steal our strategic stockpile of moon cheese, right?

Reply

icedrake June 2, 2012 at 1:36 am

It's so cute how you take completely unrelated events and use them to justify your disregarding very valid reasons for why this one is a non-issue. But no, you don't need smart people to explain things to you; you haven't figured out how to listen to others yet. Maybe tomorrow.

Reply

Leave a Comment

Previous post:

Next post: