|
|
|
Hackers could access US weapons systems through vulnerable chip By Mark Clayton
An encrypted chip used by the military and nuclear power plants has a secret 'backdoor' that can be hacked
The Cambridge University study is apparently the first public documentation that such a serious vulnerability has been deliberately built into a class of microchips used across the military and in key industrial applications such as power grids, the researchers say.
The discovery underscores the Pentagon's growing concerns over the vulnerability of the "supply chain" for computer chips it relies on. The new research illustrates how spying or even destructive functions, such as a "kill switch" that could make a plane fall out of the sky like a brick, could be added unnoticed to microchips while they are being designed and manufactured either at home or overseas, hardware-security experts say.
Every weekday JewishWorldReview.com publishes what many in the media and Washington consider "must-reading". In addition to INSPIRING stories, HUNDREDS of columnists and cartoonists regularly appear. Sign up for the daily update. It's free. Just click here.
Yet how the backdoor got there is, in many ways, less important than the fact that it is there at all, the experts add. It suggests that even the PA3 chip, purchased by a variety of critical industries and touted as having "one of the highest levels of design security in the industry," could have exploitable vulnerabilities that users don't even know about.
"The major concern here is: If there are backdoors built into other chips, how easy will it be to find them?" says Sergei Skorobogatov, the researcher who led the Cambridge University study, in an interview. "It doesn't really matter much if it's a backdoor or a special test function embedded by the original chip designer. All a hacker wants is access to the chip.... If the attacker can find it and use it, he gets what he wants."
WHAT THE CHIP DOES
Strong encryption protects the chip from further changes. But the Cambridge report, titled "Breakthrough silicon scanning discovers backdoor in military chip," claims to have found an internal passcode and other vital keys needed to make big changes can be filched through the hidden backdoor.
Once inside the chip's backdoor, the potential for mischief is significant. The chip can be reprogrammed to do anything the attacker wants it to do, including erase itself or divulge information like classified algorithms for targeting, flight control, and other systems, the researchers say. Moreover, successful attackers would have access to proprietary secrets behind the chip's design.
"This means the device is wide open to intellectual property theft, fraud, re-programming as well as reverse engineering of the design which allows the introduction of a new backdoor or Trojan," writes Mr. Skorobogatov and fellow Cambridge researcher Christopher Woods in their paper.
CONCERN ABOUT KILL SWITCHES
"There's a lot of concern within the US military and intelligence agencies that people, other governments, could be putting into these chips not just backdoors, but kill switches that are extremely difficult to detect," says David Adler, president of DLA Instruments Corp. of San Jose, Calif., which is assisting the Pentagon in its efforts to detect microscopic tampering.
The concern spreads beyond the military. The chips are also used widely in nuclear power plants, power distribution, aerospace, aviation, public transport, and automotive products, and the discovery could pave the way for cyberattacks on vital infrastructure.
"This permits a new and disturbing possibility of a large scale Stuxnet-type attack via a network or the Internet on the silicon itself," the Cambridge researchers write, referring to a now notorious cybersabotage attack on centrifuge systems inside Iran's nuclear fuel-enrichment facility — an attack recently identified as the handiwork of the US and Israel.
"To our knowledge, this is the first documented case of finding a deliberately inserted backdoor in a real world chip," the researchers state.
CHIPMAKER'S RESPONSE
"Microsemi can confirm that there is no designed feature that would enable the circumvention of the user security," the company said in a statement. "The researchers assertion is that with the discovery of a security key, a hacker can gain access to a privileged internal test facility reserved for initial factory testing and failure analysis. Microsemi verified that the internal test facility is disabled in all shipped devices."
The report arrives on the heels of another recent backdoor revelation. In April, a cybersecurity researcher in San Francisco went public with evidence that a technology firm with ties to the military,Canada-based RuggedCom, also had a backdoor built into the firmware of an industrial control system router that it touted as secure.
In that case, RuggedCom was able to issue a patch to eliminate the vulnerability. But backdoors left in chips cannot be patched.
Moreover, backdoors are extraordinarily difficult to find. Finding a backdoor is roughly equivalent to comparing every street address from a satellite image of North America to a map of North America just to be sure they match and that no fake addresses have been added, DLA's Mr. Adler says.
That suggests many more backdoors may be out there waiting to be found by friend or foe.
"It's hard to say about this discovery, but it could be a canary-in-the-coal-mine-type incident that indicates a big problem," says Olin Sibert, an expert in hardware systems security and founder of Boston-based Oxford Systems Inc. "It would not be surprising if similar vulnerabilities were found elsewhere in widely used components."
This shows how important it is that security awareness be pervasive throughout a manufacturing organization, he says.
A CHINA ROLE?
"There's lots of chips manufactured in China," Mr. Sibert says. "It's theoretically possible, but it would be very difficult for them to install this sophisticated backdoor."
One factor that mitigates against the vulnerability being used to install a kill switch is that physical access would be needed to most of the chips that have been deployed, Skorobogatov says. Even so, at least some of the chips have been "wired to the network" to enable reprogramming — and therefore they and their backdoors are reachable over the Internet, he says.
Even if the chips are just inside telephones, the idea of being able to modify them "is a critical concern," Adler says. "If you are using encryption in a call and someone can disable that and eavesdrop on the call — that's a big concern."
Regardless of the origin of the backdoor, more are likely to be found as researchers become more adept at searching and new tools become available.
"What the researchers have found is ... the strongest suggestion to date that those who claimed complete security for their systems are at best mistaken," says Andrew Righter, a researcher at the University of Pennsylvania. "What the researcher has done is said — in the middle of the parade — 'The emperor has no clothes' to the manufacturing industry that says all our toys are secure."
"We are going to see a lot more chips fall to these attacks and a lot of companies backpedaling, trying to explain why these backdoors exist," Mr. Righter says.
Every weekday JewishWorldReview.com publishes what many in Washington and in the media consider "must reading." Sign up for the daily JWR update. It's free. Just click here.
Interested in a private Judaic studies instructor — for free? Let us know by clicking here.
Comment by clicking here.
© 2012, The Christian Science Monitor | ||||||||||||||||
