Dopant-Level Hardware Trojans (and NSA/MITM/Brazil)

This one got lost in the shuffle… in a paper that’s made quite a splash across the security community, researchers showed they could backdoor a physical chip — by changing only the chemical composition of certain parts of the silicon.

Normally, to check for backdoored hardware, you can do electrical tests (did someone change out the chip for a different design with more or less power consumption?) or even do some tomography (“slice off the top layer, take a picture, repeat”) to make sure the chip’s internal wiring is as it should be.

With this technique, none of those checks work… Think about it this way.
The physical design of a transistor doesn’t actually do the transisting. That honor goes to the dopant — which, in reality, is just a little bit of some trace element that’s been snuck into the silicon during the fab process.

Change the element, and you can turn a transistor into a permanent short, or an open… with no visible change in the physical design.

It’s therefore possible to, e.g., reduce the randomness of an RNG just enough to make cryptanalysis easy.
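As an added illustration (my own toy model, not code from the paper or from any real chip), here is a Python sketch of that mechanism: the dopant trojan is modelled as stuck-at faults on an RNG output register, the kind of functional self-test that still passes is shown beside two defender-side checks (per-bit toggle check, min-entropy estimate) that expose it. The register width, the stuck masks and the seeded PRNG standing in for a true entropy source are all constructed values.

```python
import random
from collections import Counter
from math import log2
from typing import List

WIDTH = 8  # width of the modelled RNG output register (constructed toy size)
FULL = (1 << WIDTH) - 1

def dopant_trojan(value: int, stuck_mask: int, stuck_value: int) -> int:
    """Model of the dopant-level trojan as stuck-at faults: every bit selected
    by stuck_mask is forced to the matching bit of stuck_value, as if the
    transistor driving it had been turned into a permanent short or open."""
    return (value & ~stuck_mask) | (stuck_value & stuck_mask)

def sample_rng(n: int, stuck_mask: int = 0, stuck_value: int = 0, seed: int = 1) -> List[int]:
    """n outputs of a WIDTH-bit register fed by a healthy source (a seeded PRNG
    stands in for a true entropy source), optionally passed through the trojan."""
    src = random.Random(seed)
    return [dopant_trojan(src.getrandbits(WIDTH), stuck_mask, stuck_value) for _ in range(n)]

def naive_self_test(samples: List[int]) -> bool:
    """A functional check the trojan survives: the register is not frozen at
    one value, so the output still 'looks alive'."""
    return len(set(samples)) > 1

def stuck_bit_mask(samples: List[int]) -> int:
    """Bits that never toggled across the window. A healthy WIDTH-bit source
    toggles every bit, so any set bit here is a stuck line to investigate."""
    ones = zeros = 0
    for s in samples:
        ones |= s            # bits seen as 1 at least once
        zeros |= (~s) & FULL  # bits seen as 0 at least once
    return FULL & ~(ones & zeros)

def min_entropy_estimate(samples: List[int]) -> float:
    """Most-common-value min-entropy estimate, in bits per sample."""
    most_common = Counter(samples).most_common(1)[0][1]
    return -log2(most_common / len(samples))

if __name__ == "__main__":
    good = sample_rng(8192)
    # trojan pins the top 6 of 8 bits, leaving only 2 bits of real entropy
    bad = sample_rng(8192, stuck_mask=0xFC, stuck_value=0xA4)
    for name, s in (("healthy", good), ("trojaned", bad)):
        print(f"{name}: self-test passes={naive_self_test(s)} "
              f"stuck bits=0b{stuck_bit_mask(s):08b} "
              f"min-entropy~{min_entropy_estimate(s):.2f} bits")
```

The naive self-test passes for both registers; only the per-bit toggle check and the entropy estimate show that the trojaned output carries about 2 bits per sample instead of 8.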

NSA MITM: Managed to miss this one in the fray. The NSA Kim Dotcom’ed Brazilian oil company Petrobras. (nation-state hackers can MITM? SRSLY?! ZOMGwereallgonnadie*) I’ve pointed out the stealthier variant of this attack (via BGP) several times.

No doubt many of you will recall that the New Zealand GCSB tipped off Kim Dotcom that something was amiss when they mounted a similar attack on him — increasing his ping time by 20ms+ and adding several hops to his ever-important-to-maintain-a-high-score-in-some-computer-game connection. The whole thing seems a little laughable, but there you have it.

* (Yes, I am a little fatigued by the parade of “yes we all knew that was possible and that people like the NSA probably were doing it” announcements. Even kleptography was long suspected. Yes, I realize all this is a big shock to most of the world and therefore, in a larger scheme of things, probably necessary as well as more effective than honest-to-goodness WTFHOLYCRAPBBQ-level announcements. But still — can has nuz that tells us something new?)

