Monday, November 30, 2009

Military wins small battle in war against counterfeit chips

From Ars Technica ...

The US Department of Justice announced today that a California man has pled guilty to trafficking counterfeit computer chips to the US military. Neil Fehaly agreed to cooperate with the government as part of his plea deal, and he faces up to five years in prison for passing off bogus versions of chips from Intel, VIA, STMicro, Analog Devices, and other chipmakers to the Navy. These counterfeits, some of which were outright fakes from China, and others of which were "remarked" versions of cheap chips that had been made to look like more expensive parts, have gone into countless critical military systems since the scam started, possibly endangering the lives of military personnel and civilians.

As we discussed in class the threat presented by counterfeit integrated circuits is real. Counterfeit ICs purchased by the US military are dangerous because these chips when used in military hardware, such as a fighter jet, can easily fail and cause catastrophic damage. Aside from the disabling hardware, ICs can also be altered in such a way that military systems behave in unexpected ways. An altered chip could manipulate the targeting systems in 'smart weapons' so that targets are not hit.

11 comments:

Katie said...

The threat of counterfeit integrated circuits seems more dangerous and ominous than the threat of software vulnerabilities and online hacking because it cannot just simply be fixed by a software update or patch but the counterfeit device is permanently embedded in the mechanics of the computer. When people buy computers, they do not realize that all the different parts that compile the system come from all over the world and how one little component can be activated with a virus that can ultimately comprise the whole computer. The U.S. government is at the risk and mercy of the foreign companies and enterprises that create and sell computers because they could easily embed thousands of machines with a device that could copy every document saved and then send the saved information out to a terrorist group or an enemy nation state that could consequently learn the U.S. military strategies and expose them to the international community. In order to prevent this threat from spreading, the U.S. government needs to work directly with the companies, such as IBM, that are building computers to make sure that the people who are creating the parts of the computer are trustworthy and can develop thorough tests to demonstrate that the systems have not been comprised with a virus or with hidden programs. The U.S. government should also encourage companies at home rather than abroad to build computers to further secure the safety of the parts in the machines. The threat of counterfeit integrated circuits makes me feel very fearful because just the slightest tweak of a component in a computer could easily translate into a disaster on the international scale.

Katie said...

The threat of counterfeit integrated circuits seems more dangerous and ominous than the threat of software vulnerabilities and online hacking because it cannot just simply be fixed by a software update or patch but the counterfeit device is permanently embedded in the mechanics of the computer. When people buy computers, they do not realize that all the different parts that compile the system come from all over the world and how one little component can be activated with a virus that can ultimately comprise the whole computer. The U.S. government is at the risk and mercy of the foreign companies and enterprises that create and sell computers because they could easily embed thousands of machines with a device that could copy every document saved and then send the saved information out to a terrorist group or an enemy nation state that could consequently learn the U.S. military strategies and expose them to the international community. In order to prevent this threat from spreading, the U.S. government needs to work directly with the companies, such as IBM, that are building computers to make sure that the people who are creating the parts of the computer are trustworthy and can develop thorough tests to demonstrate that the systems have not been comprised with a virus or with hidden programs. The U.S. government should also encourage companies at home rather than abroad to build computers to further secure the safety of the parts in the machines. The threat of counterfeit integrated circuits makes me feel very fearful because just the slightest tweak of a component in a computer could easily translate into a disaster on the international scale.

Skyler said...

Reading stories like this remind us how much of a threat we continue to face here at home. We often think of physical enemies, ie. people, overseas, fighting us with guns and weapons, or even on their computers, attacking website we frequent, government data and more. Yet, this story reminds us that there are two very real threats here: one, this threat can come from the physical pieces and materials we use in our computing systems, and two, the attacker can be our own neighbor.

As a family member of two current soldiers in Iraq, it's completely disheartening and quite frightening to know that our threats don't simply end with cyberterrorism or the men on the ground. Another threat that we as a United States government now must combat is in the making of our important tools to fight terrorist activity.

I consider this a huge blow to the safety and wellbeing of our soldiers, as this sort of scheme can be so difficult and timely to correct. The number of planes, jets, computers and weaponry that are now infected could really prove to be quite high ultimately affect the lives of our women and men fighting overseas, and it's so scary to think that we may be sending them out in the field with broken or faulty equipment. This is an issue that I really hope we can resolve soon, and that the American people are made aware of this incident so that we can continue to put pressure on our political and military leaders to correct this issue ASAP.

Simone said...

It's strange that the military would rely on sellers that are not trustworthy for something so important. I'm glad the man was caught and sentenced for sabotaging the military's operations. I would think (or hope) that the military could buy the chips from Intel, etc. instead of from resellers that might pass off counterfeits in hope of a quick profit, or even those with malicious intentions. This also shows that by compromising the integrity of a system, hackers, governments, and terrorist groups can cause a lot of damage. If the chips were used, they could clearly cause damage by hitting the wrong target or not hitting a target at all. They could also be damaging because the existence of counterfeit chips forces the military to be wary of using these parts. When these parts are purchased or used, it is also a waste of money and time when they must be replaced.

matt said...

This small win clearly makes progress against groups or individuals that either counterfeit or remark integrated circuits in use by the military. If there are groups who can make fake chips and pass them off as real ones, then the military will fall victim to the knockoff trends we as consumers have come to know- fake sunglasses, fake iPods, and now fake processors.

A worrisome aspect of this issue is the methods of prevention and detection. After a quick Google search of the issue and how to detect such fraud, I came upon Tandex Labs, a company that “detects counterfeit electronic components to Mil-Spec and commercial specs - Laser Marking of your product.” Their processes include destructive physical analysis, failure analysis, and scanning electron microscopy- all of which destroy the sample material. (See URL below).

An issue that could arise through the use of Tandex Labs’ services is the selection size needed to identify insecure or fake devices. From a random pull of servers or processors, what are the chances that the samples chosen would accurately reflect the number of compromised devices in use? All it takes is one well-placed remark/counterfeit processor to diminish the performance of an important process to have massive repercussions.

If counterfeit processors exist to such a proportion that there is a “Trust in Integrated Circuits” program, there could definitely be electronics listening in on military information flow, jeopardizing any kind of data transmitted or calculated by the military. There need to be more strict policies that identify and destroy counterfeit, remarked, or possibly bugged integrated circuits in order to protect the sensitive information used by the military, as well as the lives of those who serve.

http://www.tandextestlabs.com/

Justin McCarthy said...

An article from the Homeland Security NewsWire published about a month ago outlines the gravity of this problem and speaks to the fact that simply winning small battles in the counterfeit war will not be enough to keep our military personnel safe.

What struck me right away was this statistic: "the Pentagon now
manufactures in secure facilities run by American companies only about 2 percent of the more than $3.5 billion of integrated circuits bought annually for use in military gear"

Though most computer security initiatives focus on software, compromised hardware could prove to be an even more significant security threat to our military. Integrated circuits that have been tampered with, unlike software, can't be patched. As American semiconductor plants continue to move offshore, uncertainty regarding legitimacy in commercial computer chips will continue to haunt military planners.

Perhaps the most unnerving aspect of the article is the real-life example of the September 2007 Israeli attack on a Syrian nuclear reactor. The Syrian air defense system was purportedly disrupted by a Trojan horse kill switch. Furthermore, there is evidence to suggest that the technology was provided to Israeli intelligence by an American semiconductor agency.

In this case, it was our use of tampering with integrated circuits that allowed for disruption of a significant threat abroad. But what's to stop our enemies from doing the same thing to us at home?

Source:
http://homelandsecuritynewswire.com/counterfeit-chips-may-hobble-advanced-weapons?page=0,2

Sydney said...

This article was incredibly frightening to read. It is very alarming to learn that our soldiers are being sent into the field with equipment that may or may not be faulty and ineffective. If these men and women are willing to risk their lives for us, isn't it our responsibility to ensure that they have the best and most reliable technology available?

First or all, this attack is one that hits closer to home than many others. If an online database is hacked, we may lose information, and as crucial as that information is, it does not mean an automatic and outright loss of human life. On the other hand, when a faulty chip goes into a fighter plane, we leave those that are risking their lives to protect us at risk.

It seems strange that we would use Chinese chips in our military machinery. If this is the country that we are continually trying to outrun in the technological industry, why are we letting them make a piece of the technology that will go into our weapons? It is time to stop cutting corners because of monetary issues. The Trust in Integrated Circuits Program may be an expensive one, but if it will help expose faulty pieces of technology, then it is a program worth "throw[ing] lots of taxpayer money at." We may be in debt, but there should not be even one American who would say that a cheaper chip is worth the potential loss of life.

Dasha Pryamitsyna said...

Faulty software can prove to be much more dangerous than malware. Dangers include the fact that while bad or faulty software can be patched with minimal physical intrusion into the instrument, faulty hardware must be replaced manually. Many times, once a chip is physically in place, it is difficult if not impossible to remove it without damaging the rest of the system. So when considering the massive expense it takes to produce and manage a fighter, and the hundreds of thousands of pieces that make up the plane, the cost of figuring out exactly what (probably tiny) chip to replace (withstanding that the jet has still been able to function up to this point and has not crashed/been damaged irreparably) is enormous.
Since these chips can cause systems to behave in erratic or inappropriate ways, they also have the potential of causing confusion between the operators of the machine, other US forces, and foreign militaries. Any kind of confusion or miscommunication between military forces can have disastrous effects. A single unintentional shot fired at an unfriendly target can cause a domino effect of escalating military actions.
The most disturbing part of this situation is not how a US national attempted to profit financially but selling counterfeit chips to the US military, as a result undermining national security, but how the US military has displayed its lack of control over its technology suppliers. While private contracting and outsourcing are valuable cost cutting and efficiency improving tools, they must be used with extreme caution when dealing with matters concerning the security of the nation and the well being of the men and women serving in the armed forces. Since these chips have the potential to cause “catastrophic damage,” why is the military using a middle man handler to resell them the chips instead of buying them directly from a trusted producer?

Tristan said...

The most frightening part of this controversy is that it is between the private sector and, in this case, the military. There is no completely effective, let alone cost and time efficient way for the US to test the integrity of these chips, and yet there is also no way for the government to ensure that the companies can even provide authentic merchandise. As seen in this incident, keen enough criminals can disguise bogus chips as the real deal, under the radar of the military. The way free-market economy works, there simply is nothing the government can do either. They could establish a deal with one specific company, however, prices would soar, the availability of the chips would decrease, and of course, the risk is still there for counterfeits.

Rachel said...

This is not a comment to this post, but merely a comment on something I recently read. Remember talking about the Heartland Data Breach in class? It was the one where the breach was released on the day of President Obama's inauguration, probably so there wouldn't be as much focus on the enormous breach. Well apparently the lawsuit against Heartland has been dismissed due to a lack of evidence that "Heartland executives knew the company had inadequate security and misled the public about it..." What are the effects of allowing Heartland to improperly secure individual's information? Though blame is difficult in this situation (since obviously Heartland did not attack its own system), it is important that companies start becoming responsible for properly securing information. Anybody have any thoughts? Below is the link I found...
http://news.cnet.com/8301-1009_3-10413194-83.html

matt said...

Right to text message privacy?

This has no relation to the previous thread, but is of interest to the class nonetheless.

A police officer in Ontario, CA, is suing his department for reading text messages sent from his work phone. The officers were under the impression that their work phones were also for personal use. The supreme court is planning on ruling (by June) on rules for the use of work phones when used for personal purposes. Previously, an appeals court ruled that the police chief’s inspection violated their 4th amendment rights, and that the wireless company that turned over the texting records, per his request, violated the federal Electronic Communications Privacy Act because they did not receive consent from the officers.

The officers who went over their message limits paid for the difference out of pocket. When the superior officers were tired of collecting the bill, they read into the messages and found “racy” messages which lead to an internal department investigation.

The fact that the officer sent on average 28 text messages per shift is frightening, but that has little to do with information privacy. I do not believe that the officer should sue the department, due to the regulations stipulating their suggestion of limited personal use while on the phone. Suing the wireless company holds more water, due to the violation of the Electronic Communications Privacy Act by not gaining the consent from the officers. This is the only privacy violation I see being possible, due to the fact that they are public servants abusing the privileges their jobs offer.

However, I still am not sure how I feel about the officer’s privacy being a concern when the taxpayers are footing their bill (at least up to the point before they exceed the character limit). I would prefer if police officers in my home town were not abusing their text message privileges while on the job, and I would support a department for making sure such abuses do not go unpunished. If the officers were using their personal phones, this would be another story (until an officer missed an urgent call while replying to a personal text message).

See links below:
http://www.latimes.com/news/nation-and-world/la-na-court-texting15-2009dec15,0,4565821.story
http://www.cnn.com/2009/CRIME/12/14/scotus.messaging/index.html