
An international team of researchers has published a paper demonstrating that integrated circuits can be implanted with hardware Trojans during manufacturing in a way that leaves the chip looking clean under inspection and evades existing detection mechanisms.
The ability to introduce malicious modifications during manufacturing could have devastating consequences, particularly for chips used in either military or safety-critical applications.
According to Threatpost, until now evidence of hardware-based Trojans has been "anecdotal at best", with experts believing that any alteration to a chip's circuitry or wiring would be detectable, either through visual inspection or by comparison against a known-good "golden" copy of the specific hardware.
The paper says that although hardware Trojans have drawn the attention of governments and industry in recent years, no hardware Trojan has been reported in practice, and that little is known about what such a Trojan would look like.
The researchers demonstrated a stealthy approach for implementing hardware Trojans below the gate level, and then evaluated the impact on the security of the target device.
The approach shows that integrated circuits, such as those used in military or critical infrastructure applications, could be maliciously manipulated during the manufacturing process, which often takes place overseas.
The technique
According to the researchers, they inserted their hardware Trojans by altering the dopant polarity of existing transistors, instead of adding additional circuitry to the target design.
Because no gates or wires are added, the modified circuit appears legitimate on all wiring layers and is thus resistant to most detection techniques, including optical inspection and comparison against a "golden" chip.
In his blog, famed security "guru" Bruce Schneier says the paper covers several scenarios for potential sabotage, but the "most interesting, and devastating", is to modify a chip's random number generator.
According to Schneier, this technique would be able to "reduce the amount of entropy in Intel's hardware random number generator from 128 bits to 32 bits". He adds that this could be accomplished "without triggering any of the built-in self-tests, without disabling any of the built-in self-tests, and without failing any randomness tests".
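Why a 32-bit-entropy generator can still pass every randomness test is easy to see in code. The following is an added illustration, not code from the paper or from Intel's RNG: a deterministic generator whose only secret is a seed (SHA-256 in counter mode stands in for the AES-based construction a real DRBG uses), a `sabotaged_seed` function that models the Trojan by pinning all seed bits above a chosen width to a constant, the NIST SP 800-22 monobit test, and the attacker's brute-force seed recovery. The function names and the choice of SHA-256 are this example's assumptions. The point it shows is that statistical tests measure the distribution of the output, not how much of it is unknown to an attacker: the sabotaged stream is statistically indistinguishable from a good one, yet the seed falls to an exhaustive search.

```python
import hashlib
import math
import secrets
import struct
from typing import Optional


def keystream(seed: int, nbytes: int) -> bytes:
    """Model of a deterministic RNG: each output block is SHA-256(seed || counter),
    so the seed is the only secret. (Assumed stand-in for an AES-CTR DRBG.)"""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(struct.pack(">QQ", seed, ctr)).digest()
        ctr += 1
    return bytes(out[:nbytes])


def sabotaged_seed(true_seed: int, entropy_bits: int) -> int:
    """Model of the Trojan: the seed register still exists and still gets loaded,
    but every bit above `entropy_bits` is forced to a constant (zero here), so
    only `entropy_bits` of the seed are actually unknown to the attacker."""
    return true_seed & ((1 << entropy_bits) - 1)


def fraction_of_ones(data: bytes) -> float:
    """Share of 1 bits in the stream; an unbiased stream sits very close to 0.5."""
    n_bits = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    return ones / n_bits


def monobit_pvalue(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test. A p-value below 0.01 fails;
    a stream with far too few or too many ones gives a p-value near zero."""
    n_bits = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - n_bits) / math.sqrt(n_bits)
    return math.erfc(s_obs / math.sqrt(2))


def recover_seed(observed: bytes, entropy_bits: int) -> Optional[int]:
    """Attacker's view: the output looks random, but if only `entropy_bits` of
    the seed are unknown, exhaustive search over 2**entropy_bits candidates
    recovers the seed from a handful of observed output bytes."""
    for guess in range(1 << entropy_bits):
        if keystream(guess, len(observed)) == observed:
            return guess
    return None


if __name__ == "__main__":
    # 20 bits keeps the search to seconds in Python; 32 bits (the figure quoted
    # above) would take longer for the attacker, not make the attack fail.
    ENTROPY_BITS = 20
    true_seed = secrets.randbits(64)          # what the entropy source delivered
    weak_seed = sabotaged_seed(true_seed, ENTROPY_BITS)  # what the Trojan kept
    stream = keystream(weak_seed, 4096)
    print(f"monobit p-value of sabotaged stream: {monobit_pvalue(stream):.3f}"
          " (passes if above 0.01)")
    found = recover_seed(stream[:16], ENTROPY_BITS)
    print(f"seed recovered by brute force: {found == weak_seed} ({found:#x})")
```

Running the script prints a comfortably passing monobit p-value for the sabotaged stream, then recovers the seed from its first 16 bytes; the same holds for any other statistical test, because the stream really is the output of a sound PRNG, just one whose state an attacker can enumerate.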
Potential for abuse
The researchers believe the potential for abuse is enormous. Firstly, integrated circuits are at the core of practically all modern applications, including critical ones such as medical devices, cars, industrial control systems, military devices and power management.
Moreover, the circuit blocks in a single IC are designed by different parties and usually manufactured in an external, potentially off-shore foundry. The chips are then packaged by someone else and distributed by yet another party.
"This increased exploitation of outsourcing and aggressive use of globalisation in circuit manufacturing has given rise to several trust and security issues, as each of the parties involved potentially constitutes a security risk," says the paper.
It cites the 2005 report published by the Defense Science Board of the US Department of Defense, which voiced concerns about the US military's reliance on circuits manufactured overseas.
"The discovery of counterfeit chips in industrial and military products over the last years has made this threat much more conceivable," says the paper.
In 2010, chip broker VisionTech was charged with selling fake chips, many of which were destined for safety- and security-critical systems such as missile systems, radiation detectors and radar devices.
Researchers believe the hardware Trojan threat is only going to grow in the future, particularly with the growing concerns around cyber war.