Breakthrough silicon scanning discovers backdoor in military chip (cam.ac.uk)
84 points by wglb on Sept 24, 2012 | 10 comments



I think this is a slight update of http://news.ycombinator.com/item?id=4035748 where a lot of the obvious questions (JTAG? Over the Internet? Is it a malicious backdoor or engineering/debugging leftovers?...) have already been discussed.



Scientist prepares paper for CHES conference - with a little over-the-top wording in the _draft_. Paper is leaked to the internet and blown out of proportion.

It's still interesting reading. Maybe Microsemi will finally listen to these guys and stop using the same password for the backdoor in _all_ of the following chips: "all ProASIC3, Igloo, Fusion and SmartFusion FPGAs" [1]

Ok and PEA is just their patented method of automating differential power analysis using a test jig - it does the repetitive process using a microcontroller and some sensors instead of doing it after sampling everything with an o-scope. It's a good idea and they have worked out the fiddly little details... but a pretty simple concept.

[1] http://www.cl.cam.ac.uk/%7Esps32/microsemi_re.pdf


Okay, but if I am reading correctly, the original post talks about access over the internet due to designed remote upgrade abilities while the URL provided for the entrust.com article says physical access is required.

This parent post looks like a much more thorough threat to me, depending on where the chips are used...


Is this a case of media hype -- and/or the researchers themselves using innuendo to inflate the importance of their research?

http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese...


One very noteworthy thing from the article: They claim to be able to read back configuration from an otherwise erased device by changing the reference voltage of the read-sense amplifiers "used by the backdoor" (=the undocumented command that allows reading back the supposedly write-only configuration data). (pg15, top paragraph)


Lesson learned:

The more a company touts their product is "secure" the less it is.

As much as "we use military-grade encryption" means a 16 year old can break it.


I'd love it if someone detailed all the backdoors embedded in Intel/AMD/ARM CPUs and SoCs.


It's not a backdoor, just uncontrolled engineering. I bet you that the product manager never knew about this; it's provably a capability buried deep inside the ip block (which, logically, is used in other Actel parts).

Low cost ICs are incredibly complex nowadays, to the point defending even the most integrated, self-contained of parts is near impossible. I've been doing security analysis for manufacturers of high end microcontrollers and these parts are packed with features to the point they are just hard to seal. It's common to have a debugging/manufacturing/update/boot mechanism that can be used for attacks even when things are supposedly locked down.


All major CPU manufacturers publish detailed bug information, some of which can be used in exploits.

Here is one example:

http://download.intel.com/design/processor/specupdt/313279.p...



