Four researchers from the United States, the Netherlands, Switzerland and Germany have published a paper establishing the feasibility of creating difficult-to-detect hardware trojans. The trojan is inserted during manufacturing by changing the dopant polarity of a few transistors in the portion of the chip that generates random numbers for cryptography, so that those transistors no longer behave as the design intends. Unlike previously described hardware trojans, which add extra gates or circuitry to the chip (a practice known colloquially as "chipping"), no extra hardware must be added for the attack to work, so visual inspection of the chip, which is the standard check for added circuitry, is not an effective countermeasure. Additionally, the altered designs still pass the built-in self-test and standard statistical randomness tests, so detecting an affected system by its behaviour will be very difficult.
The result is that the random numbers the hardware produces, and therefore the cryptographic keys derived from them, have far less entropy than specified: an adversary who knows the trojan's constants can brute-force the small remaining unknown state and recover the keys, potentially exposing sensitive data. The paper's case study applies this to the design of Intel's Ivy Bridge random number generator. This development poses major problems for organizations and nations that rely on distributed and international supply chains to build their sensitive electronic devices. Much like the Dual_EC_DRBG backdoor brought to light by the Project BULLRUN disclosures, this research demonstrates that the generation of sufficiently random numbers remains a central problem of encryption and a major area of exposure to outside attack.
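The following model shows the attack in working code; it is an added example, not code from the paper or from any vendor. It assumes a counter-mode DRBG of the kind the paper targets, with SHA-256 standing in for the AES block cipher, an attacker-chosen all-zero key (`TROJAN_KEY`) and a counter whose upper bits are stuck at zero, leaving only `unknown_bits` of state; 16 bits are used here so the demo runs in about a second, whereas the paper's case study leaves 32. The trojaned output still passes the NIST monobit test, yet the attacker recovers the hidden counter from a few observed outputs and predicts every later one, while the same search against the healthy design finds nothing:

```python
"""Model of a dopant-level RNG trojan: output looks random but has little entropy."""
import hashlib
import math
import secrets
import struct
from typing import List, Optional

OUTPUT_BYTES = 16  # the DRBG emits 128-bit blocks


def prf(key: bytes, counter: int) -> bytes:
    """Block-cipher stand-in for the counter-mode DRBG (assumption: SHA-256 in place of AES)."""
    return hashlib.sha256(key + struct.pack(">Q", counter)).digest()[:OUTPUT_BYTES]


class CounterDRBG:
    """Minimal counter-mode DRBG: output_i = PRF(key, counter + i)."""

    def __init__(self, key: bytes, counter: int):
        self.key = key
        self.counter = counter

    def generate(self) -> bytes:
        out = prf(self.key, self.counter)
        self.counter = (self.counter + 1) & 0xFFFFFFFFFFFFFFFF
        return out


def healthy_drbg() -> CounterDRBG:
    """Intended design: key and counter both come from the entropy conditioner."""
    key = secrets.token_bytes(16)
    counter = int.from_bytes(secrets.token_bytes(8), "big")
    return CounterDRBG(key, counter)


# Assumed attacker-chosen constant that the dopant change forces onto the key register.
TROJAN_KEY = bytes(16)


def trojaned_drbg(unknown_bits: int, counter: Optional[int] = None) -> CounterDRBG:
    """Trojaned design: fixed key, and all but `unknown_bits` of the counter stuck at zero."""
    if counter is None:
        counter = secrets.randbelow(1 << unknown_bits)
    if not 0 <= counter < (1 << unknown_bits):
        raise ValueError("counter exceeds the trojan's unknown-bit budget")
    return CounterDRBG(TROJAN_KEY, counter)


def monobit_p_value(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test; a p-value >= 0.01 counts as a pass."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def recover_counter(outputs: List[bytes], unknown_bits: int) -> Optional[int]:
    """Attacker's brute force: 2**unknown_bits PRF calls instead of 2**128."""
    for c in range(1 << unknown_bits):
        if prf(TROJAN_KEY, c) == outputs[0]:
            # confirm the candidate against every observed block before accepting it
            if all(prf(TROJAN_KEY, c + i) == o for i, o in enumerate(outputs)):
                return c
    return None


def predict_output(counter: int, index: int) -> bytes:
    """Once the counter is known, every later output (i.e. every key) is computable."""
    return prf(TROJAN_KEY, counter + index)


if __name__ == "__main__":
    UNKNOWN_BITS = 16  # small for demo speed; the paper's case study leaves 32
    drbg = trojaned_drbg(UNKNOWN_BITS)
    observed = [drbg.generate() for _ in range(4)]
    print("monobit p-value of trojaned output:", round(monobit_p_value(b"".join(observed)), 3))
    c = recover_counter(observed, UNKNOWN_BITS)
    print("recovered counter:", c, "next output predicted:", predict_output(c, 4) == drbg.generate())
    good = healthy_drbg()
    print("same search against healthy design:", recover_counter([good.generate() for _ in range(4)], UNKNOWN_BITS))
```

The point the model makes is the one the paper makes: a statistical test on the output sees a uniform-looking stream either way, because the PRF output is uniform regardless of how little entropy went in. Only knowledge of the trojan's constants, or inspection of the circuit at the dopant level, separates the two designs.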
Dan Gifford, MCySec Media Manager