If you want to follow the #Cambridge #FPGAbackdoor story hype the most effective search is …

https://twitter.com/#!/search/sps32

Sergei Skorobogatov’s username makes a decent search term since it’s embedded in the URL.

Also MeFi suggests that the FPGA referenced in the associated AES-key-sniffing article may be the “Actel/Microsemi ProASIC3 (P60)” – cited as “A****/M******** P******* (P**)” in that paper. This may or may not be the backdoored chip.

Comments

2 responses to “If you want to follow the #Cambridge #FPGAbackdoor story hype the most effective search is …”

  1. Dave Walker

    Haven’t read the original paper yet, but this looks interesting and has a ring of truth to it: http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html

    Putting a crypto gateway into JTAG makes a weird kind of sense, to me.

  2. Dave Walker

    I’ve now read the paper; while I don’t sound anything like Alex Kingston, I’ll say “spoilers” ;-).

    The paper rightly asserts that a lot of stuff done around JTAG involves security through obscurity; in terms of standards for anything over and above electrical, JTAG makes SNMP look almost rigorous.

    The *real* fun will happen, as and when Skorobogatov et al. are released from their confidentiality agreement and are free to publish all of what they know.

    In an FPGA, a crypto gateway makes some sense, although I’d have thought there’d be an option to have more permanent / irrevocable protection via a blowable internal fuse as well. Most (but not all) chips with JTAG would have the relevant pins tied to ground, but there’s good reason for the ones on these chips to be attached to an actual interface (although likely some multi-pin port to plug a programmer into).

    Finally, I can’t help but remember one of the most fun uses JTAG has been put to; in the Sun E10000, an audacious hack has the base system console underpinning the service processors running over the JTAG interface. “If you can run a remote console over it, it definitely needs securing” :-).
