Trojan Integrated Circuits
Sounding the Bell on 3D IC Security
John Ellis
Counterfeit: made in imitation of something else with intent to deceive (Webster)
Trojan Horse: someone or something intended to defeat or subvert from within usually by deceptive means (Webster)
_________________________________________
We can spot a fake when we see one. Misprinted labels, stitched logos that aren’t quite right, and poor quality materials can be all signs that something is amiss. However, when it comes to counterfeit electronic parts, fakes are not as obvious as the flaws cannot always be seen. While government agencies and industry groups have aggressively gone after this problem, the fact is that there are still significant issues with counterfeit electronics in the US supply chain.
Last November, Michigan Senator Carl Levin testified to the US Senate Committee on Armed Services that in a study of “suspected counterfeit parts over a 2-year period…reported 1,800 cases covering a total of 1 million individual parts.” 70% of these came from China.[1] Notably, it has been estimated that nearly 15% of all spare and replacement parts purchased by the Department of Defense are counterfeit. And the problem is increasing—a recent iSupply report states that counterfeit part reports have risen by nearly a factor of 700 over the last decade[2].
How many counterfeit parts in a system does it take to render it non-functional or compromised? That depends on the system’s function. However, in electronic systems, there are no unimportant parts. For example, even a “simple” part, such as a capacitor, being replaced with a counterfeit, can kill a system. As counterfeit parts have been found in aircraft, helicopter, and even missiles, this problem is very, very serious. The problem is so significant that in December, 2011, President Obama signed the U.S. National Defense Authorization Act (NDAA), which adds regulations for counterfeit part detection and avoidance for military parts suppliers.
In Asia, particularly China, counterfeiting is often just another lucrative business model. But is money the only incentive? What if, buried in the whole greed aspect of counterfeiting parts was another more deceptive, insidious plot taking place—a plot to surreptitiously collect high-value data and potentially disable strategic systems remotely? Enter the Trojan Integrated Circuit (IC) or commonly referred to as Trojan chip.
Trojan Chips
A Trojan chip, sometimes referred to as a “hardware Trojan,” is not merely a counterfeit; it is a chip that works as advertised, but with something “extra.” A Trojan chip is typically a packaged product that looks and functions exactly as designed—possibly even from the original manufacturer. However, buried within the Trojan chip’s circuitry is malicious functionality designed to steal, control, or damage.
In the hearing to the US Senate Committee on Armed Services, Director of the Missile Defense Agency, Lt. General O’Reilly, emphasized the seriousness of Trojan chips, stating “…there is a risk of counterfeit parts having malicious functions that could be activated to disable a critical component of the BMDS[3].”
Why are counterfeits such a problem for military systems? Many military systems were designed generations ago, relatively speaking, with regards to electronics. With the rapid pace of electronics development, parts can quickly become obsolete. Military systems’ lives are often extended beyond that originally specified, so that even “lifetime” buys of replacement components are frequently long depleted. In this case, finding and testing replacement parts is time consuming and expensive. This provides a prime opportunity for low-cost counterfeit and Trojan chips to be pawned-off as a replacement. The parts might be old scrap, or even Trojans. Legacy parts can readily be manufactured overseas where trailing-edge technology has proliferated. As even trailing-edge[4] technology provides such a tremendous increase in capability (namely, smaller transistor size) over technology used in the original part design, that there is often plenty of room to add in additional circuitry beyond that required or expected. The Department of Defense, recognizing this threat, set up the Trusted Foundry[5] program which ensures military parts have a traceable, secure path from a trusted suppler to the final product’s use. However, purchases have often been made outside of this trusted supply-chain, leading to very serious incidents with counterfeit and Trojan parts.
In terms of the damage Trojans may be able to inflict to US national security, keep in mind that in the case of an asymmetric attack, as a militarily less-capable country may choose to use during a time of war, assaults on economic and civilian infrastructures are expected[6]. The leaves the possibility open that Trojans would be directed not only at defense and “official” national security assets, but against commonly used and pervasive civilian assets, such as the Internet, satellites, communications backbones, and smart phones and tablets.
How hard is it to insert a hardware Trojan into a system? Easier than one might think—some smart phones and tablet computers already have what could be considered Trojan hardware. What may be considered a Trojan to one party might certainly be considered a “feature” to another, particularly if the feature is undocumented and can be used without the end user’s authority, knowledge, or permission. In this regard, Trojan chips may already be a standard part of the fabric in the semiconductor industry. An example of this would be the inclusion of a so-called “kill-switch” by Apple on their iPhones. The kill-switch allows for rogue apps to be removed by Apple if they match a list of known “bad apps”. The feature was not disclosed to end users until discovered by a hacker and confirmed by Apple.[7] Upon questioning, Steve Jobs acknowledged, “Hopefully we never have to pull that lever, but we would be irresponsible not to have a lever like that to pull.”
Could additional features exist in smart systems which haven’t been disclosure by the vendor? Certainly. Might they be buried deeply in Trojan circuits in a system? In what cases would such “features” be justified? Apple investigated remote disablement of an iPhone, and filed a patent covering the capability[8]. This feature might make complete sense in case of a lost or stolen phone. But what if similar features, such as remote control or sensitive data collection capability, were used by hackers, Apple statisticians, or a government for other, less noble purposes? Perhaps the fact that Apple applied for a patent on this capability merely exposes that companies and perhaps governments may be adding in such capability where they can, but only Apple was naive enough to flaunt it publicly. Future additions will likely remain a company secret.
Software vs. Hardware Trojans
Software viruses and Trojan horses are quite common. Companies, such as McAfee and Norton Utilities have made a good business off detecting and eliminating software infected with such code. Code to log your keystrokes, passwords, and credit card information is just one of the additional “features” Trojan software may add into existing programs. However, quite different than Trojan software, which may be detected or even blocked when an unauthorized port is accessed, Trojan hardware, namely malicious circuitry, can exist at a level that virus and Trojan software scanners cannot observe. In fact, the circuitry may not be readily detected by any currently-known means, other than a destructive tear-down of the hardware. Likewise, circumventing Trojan circuitry, if found, requires replacement of the hardware affected. Therefore, though emplacement of Trojan hardware may be more difficult to pull off than Trojan software, its impact and remedy can be much more serious.
(page 1/4)