“Chemical Trojans” baked into circuits could offer invisible way to steal secrets

“Hardware Trojans” could be baked invisibly into circuits by attackers, allowing them to grab secret keys from computer components without fear of detection – even by advanced inspection systems using optical microscopes.

The “Trojan” circuits could be used to steal secrets even from highly secure environments such as military installations or banks. The proposed Trojans would not differ from “real” chips in any of their metal components or polysilicon layers – instead, attackers would alter the “doping” of crystals in a few transistors. “Dopants” are trace impurities used to alter the electrical properties of crystals.
Such “dopant Trojans” could allow attackers to siphon off security keys remotely – and would be extremely difficult to detect, University of Massachusetts researchers warn.
In a paper, “Stealthy Dopant-Level Hardware Trojans”, researchers led by Georg T Becker of the University of Massachusetts
showed how it’s possible to create hardware Trojans which could not be detected by most security methods by simply altering the doping of “a few” transistors.
The researchers also showed off that a Trojan made in this way would allow an attacker to break any key generated by Intel’s secure RNG design, and claim that such chips can “compromise the security of a meaningful real-world target.”
Current security methods often rely on a “golden chip”, where an optical microscope scans a component layer by layer against a sample known to be “good”. The researchers claim that their dopant Trojans would be immune to this.

“Layout-level hardware Trojans that can resist optical inspection, which is believed to be a reliable way to detect layout-level hardware Trojans,” the researchers write. “ The proposed Trojans are inserted bymodifying only the polarity of dopant in the active area and are therefore practically invisible to optical reverse-engineering. From a technical point of view, such modications are certainly feasible in practice.”

The researchers warn that  introducing such chips into the supply chain may be easier than many companies imagine.

“Even if chips are manufactured in a trusted fab, there is the risk that chips with hardware Trojans could be introduced into the supply chain. The discovery of counterfeit chips in industrial and military products over the last years has made this threat much more conceivable.”

“The dopant Trojan can be used to compromise the security of a meaningful real-world target while avoiding detection by functional testing as well as Trojan detection mechanisms,” the researchers say. “Detecting this new type of Trojans is a great challenge. They set a new lower bar on how much overhead can be expected from a hardware Trojan in practice (i.e. zero!). Future work should include developing new methods to detect thesesub-transistor level hardware Trojans.”

Technology companies including Cisco, IBM and Microsoft already back an Open Group programme to protect computer hardware from spyware added to components in the supply chain. The goal is to “safeguard the global supply chain against the increased sophistication of cybersecurity attacks,” Open Group said in a statement. A new open standard, Open Trusted Technology Provider Standard (O-TTPS), aims to provide governments and companies with peace of mind when buying off-the-shelf IT products.

ESET researcher David Harley says in a blog post , “There’s a lot more to a supply chain than the production line. The number of entry points for the insertion of malicious software is so much greater, right up to the time the system hits the customer’s desk.”