
Breakthrough silicon scanning discovers backdoor in military chip - wglb
http://www.cl.cam.ac.uk/~sps32/ches2012-backdoor.pdf
======
cnvogel
I think this is a slight update of
<http://news.ycombinator.com/item?id=4035748> where a lot of the obvious
questions (JTAG? Over the Internet? Is it a malicious backdoor or
engineering/debugging leftovers?...) have already been discussed.

------
lollerpops
<http://blogs.entrust.com/enterprise-authentication/?p=474>

~~~
sounds
Scientist prepares paper for CHES conference - with a little over-the-top
wording in the _draft_. Paper is leaked to the internet and blown out of
proportion.

It's still interesting reading. Maybe Microsemi will finally listen to these
guys and stop using the same password for the backdoor in _all_ of the
following chips: "all ProASIC3, Igloo, Fusion and SmartFusion FPGAs" [1]

Ok and PEA is just their patented method of automating differential power
analysis using a test jig - it does the repetitive process using a
microcontroller and some sensors instead of doing it after sampling everything
with an o-scope. It's a good idea and they have worked out the fiddly little
details... but a pretty simple concept.

[1] <http://www.cl.cam.ac.uk/%7Esps32/microsemi_re.pdf>

------
TheMiller
Is this a case of media hype -- and/or the researchers themselves using
innuendo to inflate the importance of their research?

<http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html>

------
cnvogel
One very noteworthy thing from the article: They claim to be able to read back
configuration from an otherwise erased device by changing the reference voltage
of the read-sense amplifiers "used by the backdoor" (=the undocumented command
that allows reading back the supposedly write-only configuration data). (pg15,
top paragraph)

------
raverbashing
Lesson learned:

The more a company touts their product is "secure" the less it is

As much as "we use military-grade encryption" means a 16 year old can break
it.

------
ludovicurbain
I'd love it if someone detailed all the backdoors embedded in Intel/AMD/ARM
CPUs and SoCs.

~~~
flyinglizard
It's not a backdoor, just uncontrolled engineering. I bet you that the product
manager never knew about this; it's provably a capability buried deep inside
the IP block (which, logically, is used in other Actel parts).

Low cost ICs are incredibly complex nowadays, to the point defending even the
most integrated, self-contained of parts is near impossible. I've been doing
security analysis for manufacturers of high end microcontrollers and these
parts are packed with features to the point they are just hard to seal. It's
common to have a debugging/manufacturing/update/boot mechanism that can be
used for attacks even when things are supposedly locked down.

