Cambridge researcher claims to have found backdoor on Chinese made chip?

May 28, 2012
China Business Intelligence

This is slightly less cut-and-dried malevolence than it first appeared. Here is a link to a review of the paper.

http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in...

 

... and to the home page of the author, who also seems to debunk the idea of malicious intent behind the backdoor:
http://www.cl.cam.ac.uk/~sps32/qvl_proj.html (see the bottom of his webpage for his latest additions).

What the authors conclude is that chip 'manufacturers' DO put undocumented features into their chips, to aid in testing and debugging extremely complex chips. (This seems to be a common tactic for designers of very complex microcircuits.)

Sometimes, these undocumented features may be used to extract information from the chip, and so they put some type of lock on that particular feature.

The authors have found that 1) on this particular chip, there were undocumented features, and 2) a secret key is used to gain access to those test/debug features. They also appear to have been able to extract the actual key used for gaining that access.

At no point do the authors claim that this backdoor was added by the Chinese. In fact, they assert it was indeed added by the manufacturer.

This does not mean that the Chinese have never added, or couldn't ever add, such logic to a chip that they foundry-manufactured at Grace or SMIC (or clandestinely in a foreign-invested foundry physically in China) for a client design house.

But it DOES mean that it would be easier for them to use the backdoor already put in place by a design engineer for benign testing objectives, than to have to add some logic themselves.

You could indeed add logic that granted internal access to secrets on a chip, and that was completely invisible to the owner of the chip.

However, such logic could most easily be detected (if one were inspecting for security anomalies) as a slight change in behavior of the chip during wafer testing. This would be followed by an investigation by the chip designer as to why it did not behave exactly as expected.

It would be much easier for the Chinese to analyze the chip, discover the already existing test/debug logic, extract the key, and use that to break in, exploiting the pre-existing backdoor that they certainly know about.

 


