Researchers at Cambridge University have found that a chip used extensively by the US military, an FPGA made by Actel (now Microsemi), contains a backdoor built into its design that allows the chip to be reprogrammed. The chip is used in many systems, including weapons, nuclear power plants and public transport. Because the “bug” is in the silicon itself rather than in firmware, the only “fix” would be to replace the chip.
Sergei Skorobogatov of the University of Cambridge, whose work was carried out with Quo Vadis Labs, said of his backdoor discovery: “Our aim was to perform advanced code breaking and to see if there were any unexpected features on the (US Military) chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.”
It sounds very serious, and a bit like the plot of Die Hard 4, but exploiting the backdoor would “require a Mission-Impossible break-in to the afflicted site and hardware, probably carrying a reasonable amount of special equipment with you,” says Alec Muffett at ComputerWorldUK. In other words, you have to be able to physically connect equipment to the chip (or the system containing it) in order to reprogram it. That limits the threat to attackers with hands-on access, for example during manufacture, shipping or maintenance, rather than remote ones.
(Photo caption: A US nuclear power station functioning correctly yesterday)
As for who put the backdoor in the chip, it was not necessarily the Chinese manufacturer. The backdoor may well have been in the original chip design, put there by the designer as a debugging tool. Errata Security point out that such backdoors are common and rarely malicious, and that the suggestion of Chinese subversion, based only on the fact that the chip was manufactured there, is improbable speculation. The chip vendor, Microsemi/Actel, could helpfully issue a statement clarifying whether it knew about this feature and whether it is part of the design.
Skorobogatov thinks his discovery illustrates a big problem in chip manufacture: “The discovery of a backdoor in a military grade chip raises some serious questions about hardware assurance in the semiconductor industry.” Having read about the highly targeted Flame espionage virus yesterday, it is worrying to learn that chips used in important military systems have such vulnerabilities.