While the electronics industry works to improve its supply chain integrity, the need for chip companies to keep some features secret sometimes clashes with the need for more transparency at the OEM -- and ultimately the end-user -- level.
That's the case in one of the examples cited in a Gartner report published last fall. In this final of three blog posts on the insecurity of the commercial IT supply chain as described in that report, I'll explain the incident and the broader problem it represents.
Last summer, University of Cambridge PhD candidate Sergei Skorobogatov and fellow research Christopher Woods reported in an academic paper that they had discovered a backdoor in Microsemi/Actel ProASIC3 FPGA chips. The paper said that the researchers had used a technique called pipeline emission analysis to extract a key to the back door.
According to Skorobogatov:
If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems.
The paper caused a flurry of concern because the ProASIC FPGAs are reportedly widely used in military systems, flight control, and industrial and automotive applications. But Microsemi (which acquired Actel in 2010) says that what the researchers found was not a backdoor, but rather an integral part of the chip’s security. In order to access the information -- pre-programmed data such as the unique ID of the device and other data necessary for the production, manufacturing, and testing of the device -- a hacker would have to break into the chip’s first-line security, or the front door, first, says Paul Ekas, vice president of marketing for SOC products at Microsemi.
Click to read the rest of this article on EBN.