Manufacturer disputes backdoor in military chips - researchers disagree
The manufacturer of an FPGA in which UK researchers recently claimed to have found a backdoor has disputed the claim, declaring that "There is no designed feature that would enable the circumvention of user security". The researchers have responded with a statement reiterating that such a backdoor does indeed exist and that it cannot be disabled.
In a published draft version of a paper, the researchers stated that, alongside the user's key, they had discovered an additional hidden key which was identical on all chips, and explained how they had done so. The chips in question are frequently used for military applications. The hidden key provides access to a debugging interface with special privileges which, among other things, allow protected areas to be read.
In response, Microsemi confirmed that the ProASIC3 chip involved has an internal test facility, but stated that it is deactivated by default and is only accessible with the user's passcode. It also stated that it was possible to program the FPGAs with its highest level of security settings. The manufacturer boldly claims that, "This security setting will disable the use of any type of passcode to gain access to all device configurations, including the internal test facility."
This is contradicted by the researchers. Co-author Chris Woods told The H that not only has Actel/Microsemi not documented this additional protection option, but that, "You can't disable the backdoor, only reprogram it to something other than default and hope no one takes the time to break it again". As well as the backdoor key, the user-selected passcode is required – but this can be extracted in the same way as the backdoor key. "It's possible to break the key in about a day whatever you do", says Woods. The problem is not restricted to the ProASIC3, but also affects all third-generation Flash FPGAs/SOCs from Actel/Microsemi, including the ProASIC3, Igloo, Fusion and SmartFusion.