Foreign chips causing concern for the military

May 2, 2008

The dwindling of domestic chip and electronics manufacturing in the United States, combined with the phenomenal growth of suppliers in countries like China, has caused concern for the U.S. military that the chips it uses for its weaponry may be sabotaged with hidden backdoors and self-destruct mechanisms.[1]

Well into the 1970s, the U.S. military's status as one of the largest consumers of integrated circuits gave it some control over the industry's production and manufacturing. The DOD also maintained its own chip-making plant at Fort Meade until the early 1980s, when costs became prohibitive. But these days, the U.S. military consumes only about 1 percent of the world's integrated circuits, and nearly every military system today contains some commercial hardware. The Pentagon is now caught in a bind. "The economy is globalized, but defense is not globalized," says Samsung's Victoria Coleman, who helped create the Cyber Trust initiative to secure congressional support for cybersecurity. "How do you reconcile the two?"[1]

Although commercial chip makers routinely and exhaustively test chips with hundreds of millions of logic gates, they can't afford to inspect everything. So instead they focus on how well the chip performs specific functions. For a microprocessor destined for use in a cellphone, for instance, the chip maker will check to see whether all the phone's various functions work. Any extraneous circuitry that doesn't interfere with the chip's normal functions won't show up in these tests.[1] "We passed the point a long time ago when you could combinatorially test all the possible inputs for a complex chip. If somebody hid a function that, given the right inputs, could cause the chip to do something surprising, it's not clear how you could test for that," says Stephen Kent, chief information security scientist for BBN Technologies and a member of the Intelligence Science Board, which advises U.S. intelligence agencies.[2]
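To make concrete why a functional test suite cannot be expected to expose a hidden function, here is an added Python toy model that is not from the article or any of the sources it cites: a 16-bit adder with a constructed trigger on one operand pair, exercised by the corner-case and random stimulus a vendor would typically run. The operand width, the trigger values and all helper names are assumptions chosen for illustration.

```python
import random

WIDTH = 16                 # operand width of the toy adder (assumed; real parts are wider)
MASK = (1 << WIDTH) - 1

def clean_add(a: int, b: int) -> int:
    """Reference model: what the datasheet says the adder does."""
    return (a + b) & MASK

# Constructed trigger pattern (hypothetical): one operand pair out of 2**32.
TRIGGER_A, TRIGGER_B = 0xBEEF, 0xCAFE

def trojaned_add(a: int, b: int) -> int:
    """The same adder with a hidden function: only the trigger pair
    corrupts the result, so every other input looks correct."""
    if a == TRIGGER_A and b == TRIGGER_B:
        return clean_add(a, b) ^ MASK   # hidden malfunction
    return clean_add(a, b)

def mismatches(dut, vectors) -> int:
    """Functional test: compare the device under test with the reference
    model on the given stimulus and count the mismatches."""
    return sum(1 for a, b in vectors if dut(a, b) != clean_add(a, b))

def corner_vectors():
    """Corner cases a test engineer would write by hand."""
    corners = [0, 1, MASK >> 1, (MASK >> 1) + 1, MASK - 1, MASK]
    return [(a, b) for a in corners for b in corners]

def random_vectors(n: int, seed: int = 1):
    """Constrained-random stimulus, deterministic for repeatability."""
    rng = random.Random(seed)
    return [(rng.randrange(MASK + 1), rng.randrange(MASK + 1)) for _ in range(n)]

def input_space_size(width: int = WIDTH) -> int:
    """Number of distinct stimulus pairs an exhaustive test would need."""
    return 1 << (2 * width)

def coverage(n_vectors: int, width: int = WIDTH) -> float:
    """Fraction of the input space a suite of n_vectors actually exercises."""
    return n_vectors / input_space_size(width)

if __name__ == "__main__":
    suite = corner_vectors() + random_vectors(100_000)
    print("mismatches on vendor-style suite:", mismatches(trojaned_add, suite))
    print("mismatches once the trigger is included:",
          mismatches(trojaned_add, suite + [(TRIGGER_A, TRIGGER_B)]))
    print("fraction of input space covered:", coverage(len(suite)))
```

Even at 16 bits the suite covers well under a hundredth of a percent of the input space, and a real processor has far wider inputs plus internal state, which is why the article's sources argue for structural or side-channel approaches rather than more functional vectors.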

This past January, two brothers from Texas, Michael and Robert Edman, appeared in court to face federal charges of selling counterfeit computer equipment to, among others, the Air Force, Marine Corps, Federal Aviation Administration, Department of Energy, numerous universities and defense contractors such as Lockheed Martin. According to prosecutors, the pair, working largely out of Michael Edman's house in the rural town of Richmond, bought cheap network cards from a supplier in China. They also purchased labels and boxes carrying the logo of Cisco Systems, the U.S.-based hardware giant. Until a source in China tipped off the FBI, no one could tell that the parts were Cisco knockoffs rather than the real thing.[2] There are estimates that 7 to 10 percent of all the high-tech products sold worldwide are counterfeits.[3]

Security experts warn that as supply chains become more global and more opaque, no one can be sure what parts are going into the computers that run everything, from air traffic control towers to banks to weapons systems. Secretary of Homeland Security Michael Chertoff raised the issue recently: "Increasingly when you buy computers they have components that originate ... all around the world," he said. "We need to look at ... how we assure that people are not embedding in very small components ... that can be triggered remotely."[2]

Recognizing this enormous vulnerability, the Defense Advanced Research Projects Agency (DARPA), the Pentagon's R&D wing, released details about a three-year initiative it calls the Trust in Integrated Circuits program. The findings from the program could give the military - and defense contractors who make sensitive microelectronics - a guaranteed method of determining whether their chips have been compromised.[1]

So what is the best way to kill a chip? No one agrees on the most likely scenario, and in fact, there seem to be as many potential avenues of attack as there are people working on the problem. But the threats most often mentioned fall into two categories: a kill switch or a backdoor. A kill switch is any manipulation of the chip's software or hardware that would cause the chip to die outright - to shut off a fighter jet's missile-launching electronics, for example. A backdoor, by contrast, lets outsiders gain access to the system through code or hardware to disable or enable a specific function. Because this method works without shutting down the whole chip, users remain unaware of the intrusion. For instance, an enemy could use it to bypass battlefield radio encryption.[1]

According to Thomas C. Reed, a former Air Force secretary who was serving in the National Security Council at the time, in January 1982, President Ronald Reagan approved a CIA plan to sabotage the economy of the Soviet Union through covert transfers of technology that contained hidden malfunctions, including software that later triggered a huge explosion in a Siberian natural gas pipeline.[4]

Documents showed that the Soviets had stolen valuable data on radar, computers, machine tools and semiconductors, setting forth the extent of Soviet penetration into U.S. and other Western laboratories, factories and government agencies. The Americans also found out that the Soviets were looking for computer control systems to automate the operation of their new trans-Siberian gas pipeline. So with the help of a KGB insider, the CIA slipped a flawed version of the software to the Soviets in a way that they would not detect it. The software that was to run the pumps, turbines, and valves of the Siberian pipeline was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds. Because the sabotage of the gas pipeline was a closely guarded secret, when it exploded, the first reports caused concern in the U.S. military and at the White House. NORAD feared that it was a missile liftoff from a place where no rockets were known to be based, or a detonation of a small nuclear device. However, satellites did not pick up any telltale signs of a nuclear explosion.[4]

The Soviets came to understand that they had been stealing bogus technology, but now what were they to do? By implication, every component of their infrastructure might be infected. They had no way of knowing which equipment was sound, which was bogus. All was suspect, which was the intended endgame for the entire operation.[4]

In April 2008, researchers at the University of Illinois at Urbana-Champaign demonstrated how they altered a computer chip to grant attackers back-door access to a computer. To launch its attack, the team used a special programmable processor running the Linux operating system. The chip was programmed to inject malicious firmware into the chip's memory, which then allows an attacker to log into the machine as if he were a legitimate user. To reprogram the chip, researchers needed to alter only a tiny fraction of the processor circuits. They changed 1,341 logic gates on a chip that has more than 1 million of these gates in total, said Samuel King, an assistant professor in the university's computer science department.[5]

His team was able to add the back door by reprogramming a small number of the circuits on a LEON processor running the Linux operating system. These programmable chips are based on the same SPARC design that is used in Sun Microsystems' midrange and high-end servers. They are not widely used, but have been deployed in systems used by the International Space Station. In order to hack into the system, King first sent it a specially crafted network packet that instructed the processor to launch the malicious firmware. Then, using a special login password, King was able to gain access to the Linux system. "From the software's perspective, the packet gets dropped... and yet I have full and complete access to this underlying system that I just compromised," King said. It would take a lot of work to make this attack succeed in the real world, but it would be virtually undetectable.[5]

In the meantime, other countries appear to be awakening to the chip threat. At a January hearing, a U.S. House Committee on Foreign Affairs addressed Pakistan's ongoing refusal to let the United States help it secure its nuclear arsenal with American technology. Pakistan remains reluctant to allow such intervention, citing fears that the United States would use the opportunity to cripple its weapons with - what else? - a kill switch.[1]

1. "The Hunt for the Kill Switch", IEEE Spectrum, May 2008

2. "Counterfeit Chips Raise Big Hacking, Terror Threats, Experts Say", Popular Mechanics, April 2008

3. "On the trail of counterfeit chips", TechOnline, May 22, 2006

4. "CIA slipped bugs to Soviets", MSNBC, February 27, 2004

5. "Malicious Microprocessor Opens New Doors for Attack", PC World, April 15, 2008