Supply chain: the risks of backdoors in electronic chips and circuits
It is a strong trend, announced for a long time: the supply chain is an ideal target for a cyber attacker. ENISA recently indicated that attacks on the supply chain should increase fourfold between 2020 and 2021. According to the European agency, 66% of these attacks would target the product code of the targeted supplier, like Solarwinds. The authors of these attacks introduce backdoors in order to be able to compromise at a later stage the information systems of the users of these products: large companies, governments, armies, operators of vital importance, etc.
Today, tensions—not to mention scarcity—in the semiconductor supply chain could bring the material dimension of this threat back to the forefront. With the globalisation of electronic chip and circuit production and design, and the multiplication of intermediaries, it is becoming very difficult to guarantee that a component has not been altered with the addition of a hardware Trojan, in the form of an implant, for example—a modification of the electronic circuit that can under certain conditions result in functional changes to the system. What is the status of the threat, and can we protect ourselves against it?
A strategy already illustrated by the NSA’s practices
The strategy to compromise the digital supply chain is far from new. The documents revealed by Edward Snowden in 2013 included very concrete examples of NSA tools and techniques in this sense. The agency intercepted packages containing Cisco routers in order to replace the firmware of the devices concerned.
The agency was also introducing hardware implants into computers. Its catalogue of tools included, for example, USB cables with implants aimed at exfiltrating data by radio link, or USB ports intended to replace those of the computers to be compromised. This last case implies other interceptions of computer hardware packages in order to substitute this type of component, even though it is soldered to the motherboard. In addition to compromising the affected systems, these implants, called CottonMouth, allowed to establish radio connections in order to set up a bridgehead within closed networks (airgap).
USB hardware implants from the ANT catalogue revealed in 2013
Research in full swing
Since then, researchers have exposed much more advanced and stealthy techniques. A community of researchers has formed around the Trust Hub platform and forum of the National Science Foundation, the U.S. equivalent of the French National Research Agency (‘Agence Nationale de la Recherche, or ANR). The platform is developing evaluation tools to detect hardware implants designed by researchers.
These hardware Trojans can be designed for several purposes: a privilege escalation to take control of the device, the addition of a side-channel to extract information, or denial of service. The addition of these implants is facilitated by the fact that modern chips often contain unused circuit blocks left over from previous versions of the chip or used for evaluation purposes.
In 2016, a team of researchers from the University of Michigan unveiled a backdoor concept within a microprocessor, measuring 6.4 x 2 µm. Added within the chip, the cell stores an electrical charge each time a specific command is executed. When the cell is sufficiently charged, it causes a modification of the processor’s functionality, which grants a privileged level of rights to the programs being executed: the attacker can then execute arbitrary commands on the system incorporating the affected chip. This type of hardware implant is undetectable without scanning the entire chip for this type of cell because the activation method is specific, and the addition of the cell does not affect the other characteristics of the chip.
Section of the compromised microchip, with zoom on the A2 trigger, Source: University of Michigan
Similarly, adding a side-channel to the circuit in order to leak data is also particularly stealthy in nature. This does not usually require any logic to be added to or removed from the circuit. This type of modification can be quite formidable as it modifies a cryptographic function of the affected component.
In terms of denial of service, the attack can cause damage ranging from a reduction in the performance or lifespan of the electronic component, to the creation of a real kill-switch allowing to take out of service the component and, by extension, the device that integrates it. In 2009, a team of researchers from Case Western Reserve University showed the main mechanisms of chip deterioration and the factors that can be exploited at the factory production stage to accelerate these premature ageing effects.
The consequences are quite similar in the case of a typical counterfeit chip, which usually involves lower reliability and reduced performance. Moreover, if counterfeit products are supplied by an unscrupulous company, it will be difficult to establish the possible complicity or acquiescence of the government of the country of origin, even though it may be considered an adversary. While there had been rumblings since at least 2008 about the proportion of counterfeit electronics in the supply chain of the U.S. Air Force, a report by a U.S. Senate Investigation Committee officially sounded the alarm in 2012. It mentioned in particular the case of Chinese companies recovering used electronic chips and removing the identification marks to resell them as new. In 2015, the DoD estimated that 15% of its spare parts of electronic equipment were counterfeit.
A threat that affects all links in the supply chain
The semiconductor supply chain is vulnerable to the addition of hardware implants at all stages: design, manufacturing, and throughout the supply and integration chain if we also consider the risk of substitution of chips by counterfeits. Let us recall that today, the majority of electronic chip designers have become fabless, i.e. they do not own their factories—the cost of which runs into billions—but subcontract the production of their electronic chips to founders. The most prominent example is probably ARM, one of the leading designers of chips (which equip 95% of all smartphones), which focuses exclusively on its design business. The company licenses its intellectual property to third-party companies that use ARM designs in their own chips. So, just as it is possible to hack a software company to introduce backdoors into its software code, it is possible to subtly modify the design of a chip. And one does not prevent the other, especially when a design software editor (AutoCAD) is hacked following the introduction of a backdoor in a third-party software (Solarwinds). This concerns the design company, but also the manufacturing plant, which necessarily has the corresponding drawings. We can also add that the manufacturer generally also owns the unit tests it must conduct on the chips it produces; therefore, sabotage at this level can also prevent a first level of detection.
Finally, in addition to chip substitution, it should be remembered that many applications use reprogrammable chips (or FPGA, for Field Programmable Gate Array).
Even beyond the supply chain, hardware implants can be introduced downstream, after the chips have been received. The strong presence of these chips in Cloud environments suggests remote attack scenarios, especially when the use of the chips is pooled: one client can thus potentially attack another client sharing the same physical infrastructure. It should also be noted that many embedded systems provide for the possibility of remote updates, once again increasing the scope of the threat.
What countermeasures can we implement?
A number of methods for detecting hardware implants have been proposed since the subject was first researched. Some of them consist in scanning electronic circuits using different imaging methods (SOM, SEM, PICA, etc.). However, these methods are very time-consuming, and their efficiency depends on their level of sophistication in the face of the evolution of ever finer chip etching techniques. Other techniques aim at analysing the output results following a specific electronic stimulus. Unfortunately, this type of method will be ineffective when dealing with implants whose activation is conditioned by a very specific logic, such as the one proposed by the researchers at the University of Michigan. Finally, a last category of techniques consists in measuring some specific physical characteristics of the chip (power consumption, temperature, processing time, etc.) in response to a given input. The effectiveness of this type of detection can be improved by secure chip design techniques called DfHT (Design for Hardware Trust), in particular by adding logic circuits to the chip to facilitate implant detection.
In the United States, the Defense Advanced Research Projects Agency (DARPA) is conducting two parallel projects. The programme called SHIELD (Supply Chain Integrity for Electronics Defense) aims to develop microchips called “dielets” that allow the authentication of the circuits and components on which they are implanted. The programme entitled AISS (Automatic Implementation of Secure Silicon) aims to develop design tools to automate the process of integrating security functions into components. The project should enable beneficiaries to take advantage and keep abreast of advances in hardware implant detection and countermeasures.
With the globalisation of the supply chain and the design of electronic chips and circuits, confidence in hardware has become a major issue.
Unlike software implants, there is little or no public information on recent discoveries of hardware Trojans. However, a flurry of research (particularly in China) demonstrates the extremely high potential of this type of cyber weaponry. There is a classic cat-and-mouse game between the methods of insertion and detection of hardware implants, but the possible remedies are often very limited: as it is usually not possible to remove them, the only option is to replace the entire component. On the other hand, the discovery of one single compromised component is enough to cast doubt on the entire fleet integrating this model of component, while the validation of a chip is costly. And of course: in times of shortage, how can we expect a quick supply of reliable chips to replace the suspect components?
In the face of the threat posed by hardware implants, there is a desire to control the production and supply chain as vertically and locally as possible. However, the costs associated with building semiconductor factories are staggering. In April 2020, the American company Intel asked for 8 billion euros in European government aid to build and operate a factory on European soil, specifying that the cost of a single production line amounts to 10 billion euros (the company is initially planning two lines). The company has since announced that it will invest up to 80 billion euros in production capacity on European soil by 2030.
European countries are indeed responsible for the production of less than 10% of today’s chips. Faced with this observation, Europe announced in 2017 that it wished to encourage investment in the semiconductor industry on its territory, through the instrument called IPCEI (Important Projects of Common European Interest). The construction of the Bosch plant in Dresden has thus received 140 million euros from this programme, for a total investment of 1 billion euros . Today, in a context of shortage, the European countries are logically in a hurry. Germany announced in February 2021 that it wanted this programme to reach a total of 50 billion euros and was ready to provide 1 billion. Perhaps after seeing the impact of the shortage this year on its automotive industry, Germany announced in early September that it would increase to 3 billion euros its participation in the European programme. A follow-up to the IPCEI project is also being prepared, with the aim of doubling production capacity on European soil by 2030 and creating a European industrial alliance to achieve this goal.
If we are not able to ensure Europe’s self-sufficiency in the short and medium term, it would probably be desirable to strengthen research into methods of designing and detecting hardware implants in order to limit the risk they pose.
 Coup d’envoi des Alliances industrielles européennes dans les puces et le cloud [European industrial alliances in chips and clouds kick off]
- Operational security
- Cyber industrial safety
- Security and Stability in Cyberspace
- Cyber risks
- Antifraud action
- Digital identity & KYC
- Digital Sovereignty
- Digital transition