A powerful new report by Cambridge scientist Sergei Skorobogatov hit the Internet over the weekend confirming Chinese computer chips used in U.S. military systems have hidden "back doors" that can disable everything from American fighter jets to nuclear power plants.

It's a bold claim that until now has been impossible to prove, but Skorobogatov says he has developed a new ultra-sensitive technology that's able to detect "malicious insertions" into chips. "The scale and range of possible attacks," he says, "has huge implications for National Security and public infrastructure."

After the initial flurry of excitement, a response cropped up on the security blog Errata saying Skorobogatov's claim was bogus and there is actually no back door at all. We asked the scientist to respond to that post specifically in our list of questions and answers below.

BI: What are back doors?

SS: The back door is an additional undocumented feature deliberately inserted into the device for extra functionality. There are some traces of the existence of such back doors in the system files of Actel development software. The great danger comes from the fact that such a back door undermines the high level of security in FPGA making it exposed to various attacks. Although Actel makes a big claim that their devices are extremely secure because there is no physical path for the configuration data to the outside world, they made this way covertly and locked with the key for themselves.

BI: What kind of serious security issues in military technology did your research expose?

SS: [Trustworthiness] of chip developers who are subcontracted by military but mainly outsource their designs and chip fabrication to China and India.

BI: How are they malicious? And are they all dangerous?

SS: No, some features are made for debug purposes or memory initialization. But the one we described seriously undermines the security protection of the chip.

BI: Why is your research into military chip weaknesses relevant at this time?

SS: Because there is a growing demand for verification of chips being manufactured with third parties involved which are located in China and India. This happens at all levels from chip design to chip fabrication.

BI: Why did you choose an American military chip and what is it used for?

SS: In that aspect we can only rely on the information provided by the manufacturer. They state that their chips are used in "Space and Missile Systems Centers, fighter jets, missiles, flight computers, mission computers, weapon systems, radar control systems ..."

There are several reasons we chose Actel products in our research. One is the very high level of their security protection as everyone knows that standard micro controllers are easy to attack. Another is their usage in critical applications which makes many discoveries have great impact.

BI: Can you explain what you mean by "breakthrough in silicon scanning"?

SS: We showed that our technique is capable of detecting malicious insertions into chips. All previous techniques are not sensitive enough to help in finding the back door in Actel devices.

BI: Could you respond to this Errata post specifically?

1) We have made no reference to any Chinese involvement in either of the released papers or any reference to espionage. Therefore we don't agree with Robert Graham's assertion that we suggest Chinese involvement. So we have no idea why people have linked the Chinese to this as it did not come from us.



2) As far as we are concerned the back door was implemented by the manufacturers at the design stage and we suggest that in the papers.



3) We do not know if the chip was certified to hold secrets or not. We quote Actel and their website which says that the ProASIC and other flash lines are sold to the military as well as into automotive, aerospace, medical and consumer systems. It is a very secure device with AES encryption, if you use it, then you want to protect the IP and there is no better way that using AES with no read-back.



4) It is not just a simple JTAG hack, there is a lot more involved than that and it's contained in the paper.



5) We do not agree it is just a debug port, you do not need a debug port to circumvent the security on the chip and read back the IP whilst telling everyone else no such feature exists.