What's new

Can USA Jammed/Hacked Pakistan's F-16 ?

Well reason I wanted to know is to check if this is even plausible- aerospace dev cycles are not like pc apps. What you said require a specilized F16 tailor made with completely different mission computers and fms etc. And as gambit may have briefly explained there is a cert process that is followed to ensure the systems behave as per the requirements in all probable operational conditions. The mechanisim of keys development, provision is again shrouded with mystery which you seem to be aware. I have some exp in civil aero industry, and not military aero industry - but the dev challeges and cycles are quite similar. Hence it would be interesting to look at the time line of PAF F16s negotiations with US to see of this is even possible - as most learned memeber here have not seen or heared of this anywhere and it looks like is soecific for PAF ( as you say IAF F16s dont need it)

Well, the people who work on these types of systems have had several decades to hone the techniques being used here, in general terms only, of course. The F-16 first flew in the 70s, and has had several major revisions of all kinds to move it into the digital domain.

If you have some idea of the civilian domain, the software developed and deployed by Airbus is a good illustrative example of modern capabilities for real time bi-directional communication with aircraft.
 
. . . . .
Well reason I wanted to know is to check if this is even plausible- aerospace dev cycles are not like pc apps. What you said require a specilized F16 tailor made with completely different mission computers and fms etc. And as gambit may have briefly explained there is a cert process that is followed to ensure the systems behave as per the requirements in all probable operational conditions. The mechanisim of keys development, provision is again shrouded with mystery which you seem to be aware. I have some exp in civil aero industry, and not military aero industry - but the dev challeges and cycles are quite similar. Hence it would be interesting to look at the time line of PAF F16s negotiations with US to see of this is even possible - as most learned memeber here have not seen or heared of this anywhere and it looks like is specific fic for PAF ( as you say IAF F16s dont need it). And to develop, integrate, maintain and fail proof such a mechanism on a fighter jet is not going to be monumental challenege itself!
The issue is not about degraded versions of X weapons systems for foreign sales.

In the F-16, there is a g-limiter (AOA) feature intended for specific external load configuration. We could sell a degraded version of the F-16 that would give US and allied F-16 a CONSTANT combat advantage in terms of ACM, and there would be nothing customers could do about it. You can complain all you want but if you do not want Soviet/Russia/China fighters, you have to put up with what we have to offer -- a degraded F-16 that cannot maneuver as good as the American version. Too bad for you who have to import your defense. Can the PAF prove beyond any reasonable doubt that its F-16s cannot pull 9 g?

So from that perspective, why should we bother to produce versions of the radar that we can degrade from the Pentagon? What level of 'at will' degradation should there be? Limits to range and target resolutions so instead of detecting a target at 200 km, if the target is an Israeli F-16, the Pakistani F-16 radar is degraded instantly to only 100 km? Israel would have to tell the Pentagon when/where its pilots would meet Pakistani pilots? Why not just give Israeli pilots control over Pakistani F-16s?

Whichever versions of that hypothetical scenario, I would have to produce a separate radar product line with full testing regimes that such an 'at will' degradation system will work %100 of the time. Same for on board ECM and Comm. Of course, the Zionist Jews who controls the US Military Industrial Complex (MIC) and Hollywood would have plenty of money to make that possible, right?

Unnecessary klomplikations. All I have to do is sell you an F-16 with degraded flight control systems and the Jews will beat you even if you have the same radar as they do. You have no choice when you eliminated the Soviets/Russians/Chinese from your shopping list. And even then, what guarantees do you have that they will not do what you suspect US of doing? So either you buy the degraded F-16 or be defenseless.

Now cue more silly 'technical' drawings from those who have no relevant experience in the matter that will 'prove' that PAF F-16s are vulnerable to backdoor 'hacking' by US. :rolleyes:
 
.
The issue is not about degraded versions of X weapons systems for foreign sales.

In the F-16, there is a g-limiter (AOA) feature intended for specific external load configuration. We could sell a degraded version of the F-16 that would give US and allied F-16 a CONSTANT combat advantage in terms of ACM, and there would be nothing customers could do about it. You can complain all you want but if you do not want Soviet/Russia/China fighters, you have to put up with what we have to offer -- a degraded F-16 that cannot maneuver as good as the American version. Too bad for you who have to import your defense. Can the PAF prove beyond any reasonable doubt that its F-16s cannot pull 9 g?

So from that perspective, why should we bother to produce versions of the radar that we can degrade from the Pentagon? What level of 'at will' degradation should there be? Limits to range and target resolutions so instead of detecting a target at 200 km, if the target is an Israeli F-16, the Pakistani F-16 radar is degraded instantly to only 100 km? Israel would have to tell the Pentagon when/where its pilots would meet Pakistani pilots? Why not just give Israeli pilots control over Pakistani F-16s?

Whichever versions of that hypothetical scenario, I would have to produce a separate radar product line with full testing regimes that such an 'at will' degradation system will work %100 of the time. Same for on board ECM and Comm. Of course, the Zionist Jews who controls the US Military Industrial Complex (MIC) and Hollywood would have plenty of money to make that possible, right?

Unnecessary klomplikations. All I have to do is sell you an F-16 with degraded flight control systems and the Jews will beat you even if you have the same radar as they do. You have no choice when you eliminated the Soviets/Russians/Chinese from your shopping list. And even then, what guarantees do you have that they will not do what you suspect US of doing? So either you buy the degraded F-16 or be defenseless.

Now cue more silly 'technical' drawings from those who have no relevant experience in the matter that will 'prove' that PAF F-16s are vulnerable to backdoor 'hacking' by US. :rolleyes:

This is absolute dishonesty. Presenting a complicated degradation scenario and appealing to 'klomplikations'. Stop being the condescending master. What you are saying shows absolute lack of understanding of manufacturing.

Let's look at commercial examples. How many different product lines does intel have? Does it make their processors highly expensive? The scales involved keep the costs low. Let's look at the other end of the spectrum. How much would it cost to deliver 18, I repeat eighteen, customized designs over almost a decade?

Focused Ion Beam technology allows the modification of integrated circuits after manufacture. So your design contains the 'backdoor' by design but always in a disabled state. The electric pathways aren't there for the functionality to ever activate. You manufacture using your run of the mill process, then use ion beam technology to enable the feature. How much would it cost to enable it in eighteen samples? Not much. Then again, it's not like we get a breakdown saying we charged you 5 million for the radar.

You are showing intellectual dishonesty by diverting the reader's attention towards complicated processes and then appealing to 'klomplications'. I have worked in companies selling to American security agencies. They require special consideration handled by separate personnel. They justify this increased, specialized effort through higher pricing.

And why backdoor vs degraded performance? Because when you are looking for dominance, you don't spend time in dogfights with degraded aircrafts. You simply disable their functions. Or, you give them degraded along with backdoors, so you have a story to tell when people confront you about backdoors. And that's exactly what you are doing. Telling the official story, so uncomfortable discussions of backdoors can be avoided.
 
.
This is absolute dishonesty. Presenting a complicated degradation scenario and appealing to 'klomplikations'. Stop being the condescending master. What you are saying shows absolute lack of understanding of manufacturing.

Let's look at commercial examples. How many different product lines does intel have? Does it make their processors highly expensive? The scales involved keep the costs low. Let's look at the other end of the spectrum. How much would it cost to deliver 18, I repeat eighteen, customized designs over almost a decade?

Focused Ion Beam technology allows the modification of integrated circuits after manufacture. So your design contains the 'backdoor' by design but always in a disabled state. The electric pathways aren't there for the functionality to ever activate. You manufacture using your run of the mill process, then use ion beam technology to enable the feature. How much would it cost to enable it in eighteen samples? Not much. Then again, it's not like we get a breakdown saying we charged you 5 million for the radar.

You are showing intellectual dishonesty by diverting the reader's attention towards complicated processes and then appealing to 'klomplications'. I have worked in companies selling to American security agencies. They require special consideration handled by separate personnel. They justify this increased, specialized effort through higher pricing.

And why backdoor vs degraded performance? Because when you are looking for dominance, you don't spend time in dogfights with degraded aircrafts. You simply disable their functions. Or, you give them degraded along with backdoors, so you have a story to tell when people confront you about backdoors. And that's exactly what you are doing. Telling the official story, so uncomfortable discussions of backdoors can be avoided.

In addition, customizing software is not an impossible task, specially when the stakes are this high.
 
.
The issue is not about degraded versions of X weapons systems for foreign sales.

In the F-16, there is a g-limiter (AOA) feature intended for specific external load configuration. We could sell a degraded version of the F-16 that would give US and allied F-16 a CONSTANT combat advantage in terms of ACM, and there would be nothing customers could do about it. You can complain all you want but if you do not want Soviet/Russia/China fighters, you have to put up with what we have to offer -- a degraded F-16 that cannot maneuver as good as the American version. Too bad for you who have to import your defense. Can the PAF prove beyond any reasonable doubt that its F-16s cannot pull 9 g?

So from that perspective, why should we bother to produce versions of the radar that we can degrade from the Pentagon? What level of 'at will' degradation should there be? Limits to range and target resolutions so instead of detecting a target at 200 km, if the target is an Israeli F-16, the Pakistani F-16 radar is degraded instantly to only 100 km? Israel would have to tell the Pentagon when/where its pilots would meet Pakistani pilots? Why not just give Israeli pilots control over Pakistani F-16s?

Whichever versions of that hypothetical scenario, I would have to produce a separate radar product line with full testing regimes that such an 'at will' degradation system will work %100 of the time. Same for on board ECM and Comm. Of course, the Zionist Jews who controls the US Military Industrial Complex (MIC) and Hollywood would have plenty of money to make that possible, right?

Unnecessary klomplikations. All I have to do is sell you an F-16 with degraded flight control systems and the Jews will beat you even if you have the same radar as they do. You have no choice when you eliminated the Soviets/Russians/Chinese from your shopping list. And even then, what guarantees do you have that they will not do what you suspect US of doing? So either you buy the degraded F-16 or be defenseless.

Now cue more silly 'technical' drawings from those who have no relevant experience in the matter that will 'prove' that PAF F-16s are vulnerable to backdoor 'hacking' by US. :rolleyes:

Problem is people generalize the type of tech they see in one industry and extrapolate conclusions with massive generalization. Some are suggesting a subscription based system on PAF F16s, like amazon, netflix etc., where you need to renew your password every x months or so otherwise they act funny! Just because there is SW there must be a backdoor now that is controlled by an agent in Pentagon. What we don't realize is that without the necessary HW, infrastructure, and the ability to know where each PAF F16 is exactly in 3D space at speeds greater than mach 1 (even detecting a fighter jet at 100-200Km is a difficult task), how can this even work? And you add in the complexity to tailor build this for a few PAF F16s in a short amount of time (after 2001 when sanctions were lifted and MNNA was granted) it starts becoming ridiculous.

I don't think any technical explanations can work to convince any of them, as even if you open all the nuts and bolts of the jet, along with review of source code, they will still make something up!
The only counter arguments are purely logical ones:
1) If US interests are against PAF having F16s, it can just decide to NOT SELL!
2) PAF leadership have to be in this; and it was developed and verified for such a small number of jets. The MLUs were done in Turkey so they are also in this conspiracy now.
3) If ever such a mechanism is exposed and is blamed for loss against Russian made Su30s of IAF, what will that mean for US defense industry! What will all the allies think of all the US equipment they are using! Will just the assurance that we secretly screwed PAF only work?
4) US companies are privately held and not govt run. I know this is a hopeless argument here as most believers of these theories have already declared PAF leadership as traitors and coconspirators, so what chance US companies have. On the other hand govt controlled Russian and Chinese companies are completely trust worthy.

In addition, customizing software is not an impossible task, specially when the stakes are this high.
Ok now PAF F16s have encryption locks + backdoor switches as well? You know what If stakes are high US would just not simply sell or stop spares supply! Period.
 
Last edited:
.
What you are saying shows absolute lack of understanding of manufacturing.
That is hilarious to me considering I have been in manufacturing for 20+ yrs, specifically semiconductor.

Let's look at commercial examples. How many different product lines does intel have? Does it make their processors highly expensive? The scales involved keep the costs low. Let's look at the other end of the spectrum. How much would it cost to deliver 18, I repeat eighteen, customized designs over almost a decade?

And why backdoor vs degraded performance? Because when you are looking for dominance, you don't spend time in dogfights with degraded aircrafts. You simply disable their functions. Or, you give them degraded along with backdoors, so you have a story to tell when people confront you about backdoors. And that's exactly what you are doing. Telling the official story, so uncomfortable discussions of backdoors can be avoided.
There are limits to every analogy.

For starter, the customer base for Intel, GM, Ford, Versace, Godiva's Chocolates, Starbucks, or Harley Davidson are vastly different than for tanks, machine guns, warships, or fighter jets. Can we agree on that? You have no choice on agreement, really...So the answer is 'Yes'...:lol:

The customer base, which includes demographics, determines your product lines, manufacturing capabilities, and price points. For my industry, we cannot force our customer base to accept only NAND. Their needs demands diverse memory types for diverse applications. So we -- meaning my industry and not my company -- have a portfolio of DRAM, NOR, NAND, RAM, SRAM, ROM, and so on...

The customer base for tanks are much more restrictive and restrictive in many more ways than just how many countries there are in the world. For example, arms manufacturers simply cannot sell without governments' permission. A tank is an instrument of death and destruction, so its use is final, meaning there is no recovery possible for the object of its actions, so from that perspective, building a diverse line of tanks is actually financially precarious, if not outright foolish. I can design a line of armored combat vehicles for different environments, but my customer base will buy only one main battle tank -- the best one I can design. I can sell a version of my MBT with different weapons configuration, but not a version without its main gun because that would not be an MBT.

The same idea applies to warships and fighter jets. A C-130 is not comparable to a C-5. Each was designed for specific situations and the customer base for air transport is actually smaller than the base for tanks. So it would no financial sense for me to make a degraded version of the C-5.

The customer base determines your product lines and how you are going to make and sell them.

And I am the one who have no ideas about manufacturing? :lol:
 
.
That is hilarious to me considering I have been in manufacturing for 20+ yrs, specifically semiconductor.


There are limits to every analogy.

For starter, the customer base for Intel, GM, Ford, Versace, Godiva's Chocolates, Starbucks, or Harley Davidson are vastly different than for tanks, machine guns, warships, or fighter jets. Can we agree on that? You have no choice on agreement, really...So the answer is 'Yes'...:lol:

The customer base, which includes demographics, determines your product lines, manufacturing capabilities, and price points. For my industry, we cannot force our customer base to accept only NAND. Their needs demands diverse memory types for diverse applications. So we -- meaning my industry and not my company -- have a portfolio of DRAM, NOR, NAND, RAM, SRAM, ROM, and so on...

The customer base for tanks are much more restrictive and restrictive in many more ways than just how many countries there are in the world. For example, arms manufacturers simply cannot sell without governments' permission. A tank is an instrument of death and destruction, so its use is final, meaning there is no recovery possible for the object of its actions, so from that perspective, building a diverse line of tanks is actually financially precarious, if not outright foolish. I can design a line of armored combat vehicles for different environments, but my customer base will buy only one main battle tank -- the best one I can design. I can sell a version of my MBT with different weapons configuration, but not a version without its main gun because that would not be an MBT.

The same idea applies to warships and fighter jets. A C-130 is not comparable to a C-5. Each was designed for specific situations and the customer base for air transport is actually smaller than the base for tanks. So it would no financial sense for me to make a degraded version of the C-5.

The customer base determines your product lines and how you are going to make and sell them.

And I am the one who have no ideas about manufacturing? :lol:

This article completely demolishes everything you have said on this thread. Your own military is concerned about this, and you are trying to lul to sleep my countrymen by feeding them false information. I'll edit this post later to copy the article itself.

https://spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch

The Hunt for the Kill Switch
By SALLY ADEE
Posted 1 May 2008 | 19:57 GMT
Mjc2MTg0MQ

Image: James Archer/AnatomyBlue
Last September, Israeli jets bombed a suspected nuclear installation in northeastern Syria. Among the many mysteries still surrounding that strike was the failure of a Syrian radar—supposedly state-of-the-art—to warn the Syrian military of the incoming assault. It wasn’t long before military and technology bloggers concluded that this was an incident of electronic warfare—and not just any kind.

Post after post speculated that the commercial off-the-shelf microprocessors in the Syrian radar might have been purposely fabricated with a hidden “backdoor” inside. By sending a preprogrammed code to those chips, an unknown antagonist had disrupted the chips’ function and temporarily blocked the radar.

That same basic scenario is cropping up more frequently lately, and not just in the Middle East, where conspiracy theories abound. According to a U.S. defense contractor who spoke on condition of anonymity, a “European chip maker” recently built into its microprocessors a kill switch that could be accessed remotely. French defense contractors have used the chips in military equipment, the contractor told IEEE Spectrum. If in the future the equipment fell into hostile hands, “the French wanted a way to disable that circuit,” he said.Spectrum could not confirm this account independently, but spirited discussion about it among researchers and another defense contractor last summer at a military research conference reveals a lot about the fever dreams plaguing the U.S. Department of Defense (DOD).

Feeding those dreams is the Pentagon’s realization that it no longer controls who manufactures the components that go into its increasingly complex systems. A single plane like the DOD’s next generation F-35 Joint Strike Fighter, can contain an “insane number” of chips, says one semiconductor expert familiar with that aircraft’s design. Estimates from other sources put the total at several hundred to more than a thousand. And tracing a part back to its source is not always straightforward. The dwindling of domestic chip and electronics manufacturing in the United States, combined with the phenomenal growth of suppliers in countries like China, has only deepened the U.S. military’s concern.

Recognizing this enormous vulnerability, the DOD recently launched its most ambitious program yet to verify the integrity of the electronics that will underpin future additions to its arsenal. In December, the Defense Advanced Research Projects Agency (DARPA), the Pentagon’s R&D wing, released details about a three-year initiative it calls the Trust in Integrated Circuits program. The findings from the program could give the military—and defense contractors who make sensitive microelectronics like the weapons systems for the F-35—a guaranteed method of determining whether their chips have been compromised. In January, the Trust program started its prequalifying rounds by sending to three contractors four identical versions of a chip that contained unspecified malicious circuitry. The teams have until the end of this month to ferret out as many of the devious insertions as they can.

Vetting a chip with a hidden agenda can’t be all that tough, right? Wrong. Although commercial chip makers routinely and exhaustively test chips with hundreds of millions of logic gates, they can’t afford to inspect everything. So instead they focus on how well the chip performs specific functions. For a microprocessor destined for use in a cellphone, for instance, the chip maker will check to see whether all the phone’s various functions work. Any extraneous circuitry that doesn’t interfere with the chip’s normal functions won’t show up in these tests.

“You don’t check for the infinite possible things that are not specified,” says electrical engineering professor Ruby Lee, a cryptography expert at Princeton. “You could check the obvious possibilities, but can you test for every unspecified function?”

Nor can chip makers afford to test every chip. From a batch of thousands, technicians select a single chip for physical inspection, assuming that the manufacturing process has yielded essentially identical devices. They then laboriously grind away a thin layer of the chip, put the chip into a scanning electron microscope, and then take a picture of it, repeating the process until every layer of the chip has been imaged. Even here, spotting a tiny discrepancy amid a chip’s many layers and millions or billions of transistors is a fantastically difficult task, and the chip is destroyed in the process.

But the military can’t really work that way. For ICs destined for mission-critical systems, you’d ideally want to test every chip without destroying it.

The upshot is that the Trust program’s challenge is enormous. “We can all do with more verification,” says Samsung’s Victoria Coleman, who helped create the Cyber Trust initiative to secure congressional support for cybersecurity. “My advice to [DARPA director] Tony Tether was ’trust but verify.’ That’s all you can do.”

Semiconductor offshoring dates back to the 1960s, when U.S. chip makers began moving the labor-intensive assembly and testing stages to Singapore, Taiwan, and other countries with educated workforces and relatively inexpensive labor.

Today only Intel and a few other companies still design and manufacture all their own chips in their own fabrication plants. Other chip designers—including LSI Corp. and most recently Sony—have gone “fabless,” outsourcing their manufacturing to offshore facilities known as foundries. In doing so, they avoid the huge expense of building a state-of-the-art fab, which in 2007 cost as much as US $2 billion to $4 billion.

Well into the 1970s, the U.S. military’s status as one of the largest consumers of integrated circuits gave it some control over the industry’s production and manufacturing, so the offshoring trend didn’t pose a big problem. The Pentagon could always find a domestic fab and pay a little more to make highly classified and mission-critical chips. The DOD also maintained its own chip-making plant at Fort Meade, near Washington, D.C., until the early 1980s, when costs became prohibitive.

But these days, the U.S. military consumes only about 1 percent of the world’s integrated circuits. “Now,” says Coleman, “all they can do is buy stuff.” Nearly every military system today contains some commercial hardware. It’s a pretty sure bet that the National Security Agency doesn’t fabricate its encryption chips in China. But no entity, no matter how well funded, can afford to manufacture its own safe version of every chip in every piece of equipment.

The Pentagon is now caught in a bind. It likes the cheap, cutting-edge devices emerging from commercial foundries and the regular leaps in IC performance the commercial sector is known for. But with those improvements comes the potential for sabotage. “The economy is globalized, but defense is not globalized,” says Coleman. “How do you reconcile the two?”

In 2004, the Defense Department created the Trusted Foundries Program to try to ensure an unbroken supply of secure microchips for the government. DOD inspectors have now certified certain commercial chip plants, such as IBM’s Burlington, Vt., facility, as trusted foundries. These plants are then contracted to supply a set number of chips to the Pentagon each year. But Coleman argues that the program blesses a process, not a product. And, she says, the Defense Department’s assumption that onshore assembly is more secure than offshore reveals a blind spot. “Why can’t people put something bad into the chips made right here?” she says.

Three years ago, the prestigious Defense Science Board, which advises the DOD on science and technology developments, warned in a report that the continuing shift to overseas chip fabrication would expose the Pentagon’s most mission-critical integrated circuits to sabotage. The board was especially alarmed that no existing tests could detect such compromised chips, which led to the formation of the DARPA Trust in IC program.

Where might such an attack originate? U.S. officials invariably mention China and Russia. Kenneth Flamm, a technology expert at the Pentagon during the Clinton administration who is now a professor at the University of Texas at Austin, wouldn’t get that specific but did offer some clues. Each year, secure government computer networks weather thousands of attacks over the Internet. “Some of that probing has come from places where a lot of our electronics are being manufactured,” Flamm says. “And if you’re a responsible defense person, you would be stupid not to look at some of the stuff they’re assembling, to see how else they might try to enter the network.”

John Randall, a semiconductor expert at Zyvex Corp., in Richardson, Texas, elaborates that any malefactor who can penetrate government security can find out what chips are being ordered by the Defense Department and then target them for sabotage. “If they can access the chip designs and add the modifications,” Randall says, “then the chips could be manufactured correctly anywhere and still contain the unwanted circuitry.”

So what’s the best way to kill a chip? No one agrees on the most likely scenario, and in fact, there seem to be as many potential avenues of attack as there are people working on the problem. But the threats most often mentioned fall into two categories: a kill switch or a backdoor.

A kill switch is any manipulation of the chip’s software or hardware that would cause the chip to die outright—to shut off an F-35’s missile-launching electronics, for example. A backdoor, by contrast, lets outsiders gain access to the system through code or hardware to disable or enable a specific function. Because this method works without shutting down the whole chip, users remain unaware of the intrusion. An enemy could use it to bypass battlefield radio encryption, for instance.

Depending on the adversary’s degree of sophistication, a kill switch might be controlled to go off at a set time, under certain circumstances, or at random. As an example of the latter, Stanford electrical engineering professor Fabian Pease muses, “I’d nick the [chip’s] copper wiring.” The fault, almost impossible to detect, would make the chip fail early, due to electromigration: as current flowed through the wire, eventually the metal atoms would migrate and form voids, and the wire would break. “If the chip goes into a defense satellite, where it’s supposed to work for 15 years but fails after six months, you have a very expensive, inoperative satellite,” Pease says.

But other experts counter that such ideas ignore economic realities. “First and foremost, [the foundries] want to make sure their chips work,” says Coleman. “If a company develops a reputation for making chips that fail early, that company suffers more than anyone else.”

A kill switch built to be triggered at will, as was allegedly incorporated into the European microprocessors, would be more difficult and expensive to pull off, but it’s also the more likely threat, says David Adler, a consulting professor of electrical engineering at Stanford, who was previously funded by DARPA to develop chip-testing hardware in an unrelated project.

To create a controlled kill switch, you’d need to add extra logic to a microprocessor, which you could do either during manufacturing or during the chip’s design phase. A saboteur could substitute one of the masks used to imprint the pattern of wires and transistors onto the semiconductor wafer, Adler suggests, so that the pattern for just one microchip is different from the rest. “You’re printing pictures from a negative,” he says. “If you change the mask, you can add extra transistors.”

Or the extra circuits could be added to the design itself. Chip circuitry these days tends to be created in software modules, which can come from anywhere, notes Dean Collins, deputy director of DARPA’s Microsystems Technology Office and program manager for the Trust in IC initiative. Programmers “browse many sources on the Internet for a component,” he says. “They’ll find a good one made by somebody in Romania, and they’ll put that in their design.” Up to two dozen different software tools may be used to design the chip, and the origin of that software is not always clear, he adds. “That creates two dozen entry points for malicious code.”

Collins notes that many defense contractors rely heavily on field-programmable gate arrays (FPGAs)—a kind of generic chip that can be customized through software. While a ready-made FPGA can be bought for $500, an application-specific IC, or ASIC, can cost anywhere from $4 million to $50 million. “If you make a mistake on an FPGA, hey, you just reprogram it,” says Collins. “That’s the good news. The bad news is that if you put the FPGA in a military system, someone else can reprogram it.”

Almost all FPGAs are now made at foundries outside the United States, about 80 percent of them in Taiwan. Defense contractors have no good way of guaranteeing that these economical chips haven’t been tampered with. Building a kill switch into an FPGA could mean embedding as few as 1000 transistors within its many hundreds of millions. “You could do a lot of very interesting things with those extra transistors,” Collins says.

The rogue additions would be nearly impossible to spot. Say those 1000 transistors are programmed to respond to a specific 512-bit sequence of numbers. To discover the code using software testing, you might have to cycle through every possible numerical combination of 512-bit sequences. That’s 13.4 × 10153 combinations. (For perspective, the universe has existed for about 4 × 1017 seconds.) And that’s just for the 512-bit number—the actual number of bits in the code would almost certainly be unknown. So you’d have to apply the same calculations to all possible 1024-bit numbers, and maybe even 2048-bit numbers, says Tim Holman, a research associate professor of electrical engineering at Vanderbilt University, in Nashville. “There just isn’t enough time in the universe.”

Those extra transistors could create a kill switch or a backdoor in any chip, not just an FPGA. Holman sketches a possible scenario: suppose those added transistors find their way into a networking chip used in the routers connecting the computers in your home, your workplace, banks, and military bases with the Internet. The chip functions perfectly until it receives that 512-bit sequence, which could be transmitted from anywhere in the world. The sequence prompts the router to hang up. Thinking it was the usual kind of bug, tech support would reset the router, but on restart the chip would again immediately hang up, preventing the router from connecting to the outside world. Meanwhile, the same thing would be happening to similarly configured routers the world over.

The router scenario also illustrates that the nation’s security and economic well-being depend on shoring up not just military chips but also commercial chips. An adversary who succeeded in embedding a kill switch in every commercial router could devastate national security without ever targeting the Defense Department directly.

A kill switch or backdoor built into an encryption chip could have even more disastrous consequences. Today encoding and decoding classified messages is done completely by integrated circuit—no more Enigma machine with its levers and wheels. Most advanced encryption schemes rely on the difficulty that computers have in factoring numbers containing hundreds of digits; discovering a 512-bit type of encryption would take some machines up to 149 million years. Encryption that uses the same code or key to encrypt and decrypt information—as is often true—could easily be compromised by a kill switch or a backdoor. No matter what precautions are taken at the programming level to safeguard that key, one extra block of transistors could undo any amount of cryptography, says John East, CEO of Actel Corp., in Mountain View, Calif., which supplies military FPGAs.

“Let’s say I can make changes to an insecure FPGA’s hardware,” says East. “I could easily put a little timer into the circuit. The timer could be programmed with a single command: ’Three weeks after you get your configuration, forget it.’ If the FPGA were to forget its configuration information, the entire security mechanism would be disabled.”

Alternately, a kill switch might be programmed to simply shut down encryption chips in military radios; instead of scrambling the signals they transmit, the radios would send their messages in the clear, for anybody to pick up. “Just like we figured out how the Enigma machine worked in World War II,” says Stanford’s Adler, “one of our adversaries could in principle figure out how our electronic Enigma machines work and use that information to decode our classified communications.”

Chip alteration can even be done after the device has been manufactured and packaged, provided the design data are available, notes Chad Rue, an engineer with FEI, based in Hillsboro, Ore., which makes specialized equipment for chip editing (albeit for legitimate reasons). FEI’s circuit-editing tools have been around for 20 years, Rue says, and yet “chip designers are still surprised when they hear what they can do.”

Skilled circuit editing requires electrical engineering know-how, the blueprints of the chip, and a $2 million refrigerator-size piece of equipment called a focused-ion-beam etching machine, or FIB. A FIB shoots a stream of ions at precise areas on the chip, mechanically milling away tiny amounts of material. FIB lab workers refer to the process as microsurgery, with the beam acting like a tiny scalpel. “You can remove material, cut a metal line, and make new connections,” says Rue. The process can take from hours to several days. But the results can be astonishing: a knowledgeable technician can edit the chip’s design just as easily as if he were taking “an eraser and a pencil to it,” says Adler.

Semiconductor companies typically do circuit editing when they’re designing and debugging prototypes. Designers can make changes to any level of the chip’s wiring, not just the top. “It’s not uncommon to dig through eight different layers to get to the intended target,” says Rue.The only thing you can’t do with a FIB is add extra transistors. “But we can reroute signals to the transistors that are already there,” he says. That’s significant because chips commonly contain large blocks of unused circuitry, leftovers from previous versions of the design. “They’re just along for the ride,” Rue says. He thinks it would be possible to use a FIB to rewire a chip to make use of these latent structures. To do so, an adversary would need a tremendous amount of skill with digital circuitry and access to the original design data. Some experts find the idea too impractical to worry about. But an adversary with unlimited funds and time—exactly what the Defense Science Board warned of—could potentially pull it off, Rue says.

In short, the potential for tinkering with an integrated circuit is almost limitless, notes Princeton’s Lee. “The hardware design process has many steps,” she says. “At each step, you could do something that would make a particular part of the IC fail.”

Clearly, the companies participating in the Trust in IC program have their work cut out for them. As Collins sees it, the result has to be a completely new chip-verification method. He’s divided up the Trust participants into teams: one group to create the test chips from scratch; another to come up with malicious insertions; three more groups, which he calls “performers,” to actually hunt for the errant circuits; and a final group to judge the results.

To fabricate the test chips, Collins chose the Information Sciences Institute at the University of Southern California, Los Angeles. He picked MIT’s Lincoln Laboratory to engineer whatever sneaky insertions they could devise, and he tapped Johns Hopkins University Applied Physics Laboratory, in Laurel, Md., to come up with a way to compare and assess the performers’ results.

The three performers are Raytheon, Luna Innovations, and Xradia. None of the teams would speak on the record, but their specialties offer some clues to their approach. Xradia, in Concord, Calif., builds nondestructive X-ray microscopes used widely in the semiconductor industry, so it may be looking at a new method of inspecting chips based on soft X-ray tomography, Stanford’s Pease suggests. Soft X-rays are powerful enough to penetrate the chip but not strong enough to do irreversible damage.

Luna Innovations, in Roanoke, Va., specializes in creating antitamper features for FPGAs. Princeton’s Lee suggests that Luna’s approach may involve narrowing down the number of possible unspecified functions. “There are ways to determine where such hardware would be inserted,” she says. “Where could they gather the most information? Where would they be least likely to be noticed? That is what they’re looking for.” She compares chip security to a barricaded home. The front door and windows might offer vaultlike protection, but there might be an unknown window in the basement. The Luna researchers, she speculates, may be looking for the on-chip equivalent of the basement window.

Raytheon, of Waltham, Mass., has expertise in hardware and logic testing, says Collins. He believes the company will use a more complex version of a technique called Boolean equivalence checking to analyze what types of inputs will generate certain outputs. Normally, applying specific inputs to a circuit will result in specific, predictable outputs, just as hitting a light switch should always cause the light to turn off. “Now look at that process in reverse,” says Collins. Given a certain output (the lights go out), engineers can reconstruct what made it happen (someone hit a switch). Collins says this could help avoid cycling through infinite combinations of inputs to find a single fatal response.

In January, the performers were given a set of four test chips, each containing an unknown (to them) number of malicious insertions. Along with a thorough description of the chips, Collins says, “we told them precisely what the circuits were supposed to be.”

Each team’s success will be gauged by the number of malicious insertions it can spot. The goal is a 90 percent detection rate, says Collins, with a minimum of false positives. The teams will also have to contend with red herrings: to trip them up, the test set includes fully functioning, uncompromised chips. By the end of this month, the performers will report back to DARPA. After Johns Hopkins has tallied the results, the teams will get a second set of test chips, which they’ll have to analyze by the end of the year. Any performer that doesn’t pass muster will be cut from the program, while the methods developed by the successful ones will be developed further. By the program’s end in 2010, Collins hopes to have a scientifically verifiable method to categorically authenticate a circuit. “There’s not going to be a DARPA seal of approval on them,” says Collins, but both the Army and the Air Force have already expressed interest in adopting whatever technology emerges.

Meanwhile, other countries appear to be awakening to the chip threat. At a January hearing, a U.S. House Committee on Foreign Affairs addressed Pakistan’s ongoing refusal to let the United States help it secure its nuclear arsenal with American technology. Pakistan remains reluctant to allow such intervention, citing fears that the United States would use the opportunity to cripple its weapons with—what else?—a kill switch.

To Probe Further
For a comprehensive look into the failure of the Syrian radar, see “Cyber-Combat’s First Shot,”Aviation Week & Space Technology, 26 November 2007 by David A. Fulghum, Robert Wall, and Amy Butler.

The DARPA Trust in Integrated Circuits Program is described in greater detail on DARPA’s Web site:http://www.darpa.mil/MTO/solicitations/baa07-24/Industry_Day_Brief_Final.pdf.

An interesting take on the remote-kill-switch debate is in Y. Alkabani, F. Koushanfar, and M. Potkonjak’s “Remote Activation of ICs for Piracy Prevention and Digital Rights Management.”Proceedings of the IEEE/ACM International Conference on Computer-Aided Design 2007 (5–8 November 2007).

A February 2005 Defense Science Board report, “Task Force on High Performance Microchip Supply,” arguably sparked the DARPA program. You can download it free of charge athttp://www.acq.osd.mil/dsb/reports/2005-02-HPMS_Report_Final.pdf.
 
Last edited:
.
This article completely demolishes everything you have said on this thread. Your own military is concerned about this, and you are trying to lul to sleep my countrymen by feeding them false information. I'll edit this post later to copy the article itself.

https://spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch
You are just like most on this forum -- do not read their sources.

For starter...

Nor can chip makers afford to test every chip. From a batch of thousands, technicians select a single chip for physical inspection, assuming that the manufacturing process has yielded essentially identical devices.
I know for a FACT that Micron Technology literally test every die on a wafer. I used to work for Micron. There is no separate manufacturing line for memory products destined for military contractors but any batch that is destined for a military contractor is diverted to my desk for additional verification that every wafer, every extracted die, every wire bonded die, and every encapsulated die is tested with additional criteria prior to shipment to said contractor.

Hmmm...Come to think about it, I must have been an unwitting member in this conspiracy to build 'at will' degradation feature in our foreign sales weapons systems. :lol:

Next...

But other experts counter that such ideas ignore economic realities. “First and foremost, [the foundries] want to make sure their chips work,” says Coleman. “If a company develops a reputation for making chips that fail early, that company suffers more than anyone else.”
So in order to make a 'chip', a word that those in the industry rarely uses as the preferred word is 'die', must be designed in such a way that this 'at will' disabling feature is reliable despite long periods of dormancy, the 'chip' must be custom fabricated, something foundries do not like to do and some are not even configured to do. Foundries are mass producers and as such, a foundry fab cannot afford to idle a production line to fabricate a limited run of custom 'chips'.

Next...

To create a controlled kill switch, you’d need to add extra logic to a microprocessor, which you could do either during manufacturing or during the chip’s design phase.
Bingo...!!!

This reinforced what I said earlier about the need to have parallel production lines. One for 'standard' products and one for these custom products. The two lines must never meet. A masking layer step must be taken offline, its chemicals changed, and a new mask that contains these secret logic circuits installed. Then once a batch of these custom secret wafers that contains 'kill switch dies' are done, the machine must be taken offline again and return to what is call 'process of record' (POR) recipes. This is a time consuming, inefficient, and costly step that no foundry want to do.

Just in case you think I made up that POR initials...

https://www.lawinsider.com/dictionary/process-of-record
..."POR" means documents and/or systems that specify a series of operations that a semiconductor wafer must process through. The POR includes the process recipes and parameters at each operation for the specified Tool of Record.

Next...

For a microprocessor destined for use in a cellphone, for instance, the chip maker will check to see whether all the phone’s various functions work. Any extraneous circuitry that doesn’t interfere with the chip’s normal functions won’t show up in these tests.
This is technically half wrong. The first statement is correct, the second statement is that half wrong.

Semiconductor functional and parametric testing...

https://semiengineering.com/how-much-testing-is-enough/
At that time, there was also a major shift from functional to structural test in the industry. Unlike functional test, structural test deals with issues at the chip level.
A functional test is when the die is tested for the things the design is supposed to do. A structural test, aka parametric, is when the die is tested for the various structures that make up the components of the designs. Common components like resistor, capacitor, and transistor. Each structure, like a wall or pit that was built by the chemicals, must pass certain voltage and amperage criteria. The output is extrapolated to mean the physical dimensions of those structures.

In order for me to verify my custom design -- that contains these kill switches -- works, I must have have a parallel functional and parametric testing regime and this regime must be kept secret from standard production flow. If I put a custom die under standard testing, of course the kill switch would not show up. But I cannot let these custom dies go without testing, so I must recruit engineers for these secret testing regimes and swears them to secrecy, pay them more, etc...etc...

Anyone who has any experience in R/D and manufacturing WILL see the increased production line complexity. You obviously do not see.

I could go on and on about this article, where it is correct and where it is lacking, but the focus of the article is about 'chips' manufactured outside the US. Maybe you should start looking at the JF-17, after all. :enjoy:
 
.
You are just like most on this forum -- do not read their sources.

For starter...


I know for a FACT that Micron Technology literally test every die on a wafer. I used to work for Micron. There is no separate manufacturing line for memory products destined for military contractors but any batch that is destined for a military contractor is diverted to my desk for additional verification that every wafer, every extracted die, every wire bonded die, and every encapsulated die is tested with additional criteria prior to shipment to said contractor.

Hmmm...Come to think about it, I must have been an unwitting member in this conspiracy to build 'at will' degradation feature in our foreign sales weapons systems. :lol:

Next...


So in order to make a 'chip', a word that those in the industry rarely uses as the preferred word is 'die', must be designed in such a way that this 'at will' disabling feature is reliable despite long periods of dormancy, the 'chip' must be custom fabricated, something foundries do not like to do and some are not even configured to do. Foundries are mass producers and as such, a foundry fab cannot afford to idle a production line to fabricate a limited run of custom 'chips'.

Next...


Bingo...!!!

This reinforced what I said earlier about the need to have parallel production lines. One for 'standard' products and one for these custom products. The two lines must never meet. A masking layer step must be taken offline, its chemicals changed, and a new mask that contains these secret logic circuits installed. Then once a batch of these custom secret wafers that contains 'kill switch dies' are done, the machine must be taken offline again and return to what is call 'process of record' (POR) recipes. This is a time consuming, inefficient, and costly step that no foundry want to do.

Just in case you think I made up that POR initials...

https://www.lawinsider.com/dictionary/process-of-record


Next...


This is technically half wrong. The first statement is correct, the second statement is that half wrong.

Semiconductor functional and parametric testing...

https://semiengineering.com/how-much-testing-is-enough/

A functional test is when the die is tested for the things the design is supposed to do. A structural test, aka parametric, is when the die is tested for the various structures that make up the components of the designs. Common components like resistor, capacitor, and transistor. Each structure, like a wall or pit that was built by the chemicals, must pass certain voltage and amperage criteria. The output is extrapolated to mean the physical dimensions of those structures.

In order for me to verify my custom design -- that contains these kill switches -- works, I must have have a parallel functional and parametric testing regime and this regime must be kept secret from standard production flow. If I put a custom die under standard testing, of course the kill switch would not show up. But I cannot let these custom dies go without testing, so I must recruit engineers for these secret testing regimes and swears them to secrecy, pay them more, etc...etc...

Anyone who has any experience in R/D and manufacturing WILL see the increased production line complexity. You obviously do not see.

I could go on and on about this article, where it is correct and where it is lacking, but the focus of the article is about 'chips' manufactured outside the US. Maybe you should start looking at the JF-17, after all. :enjoy:

Right. The IEEE Spectrum, a premier American publication read by thousands of highly rigorous and technical engineers around the world, has inaccuracies in an article that talks about a highly contrntious topic. And no one in the past 10 years thought about pointing them out. So now as an educated, conscientious, highly technical, and knowledgeable person, it stands as your ethical, moral, professional duty to write to them and point out these inaccuracies. And given you are the very definition of veracity and authenticity, we will soon see an apology by IEEE, along with a retraction of that article.

And if that doesn't happen, forever more, you will be seen as a propagandist who is using disinformation to advance a pro-American agenda to the detriment of Pakistan.
 
.
Right. The IEEE Spectrum, a premier American publication read by thousands of highly rigorous and technical engineers around the world, has inaccuracies in an article that talks about a highly contrntious topic. And no one in the past 10 years thought about pointing them out. So now as an educated, conscientious, highly technical, and knowledgeable person, it stands as your ethical, moral, professional duty to write to them and point out these inaccuracies. And given you are the very definition of veracity and authenticity, we will soon see an apology by IEEE, along with a retraction of that article.

And if that doesn't happen, forever more, you will be seen as a propagandist who is using disinformation to advance a pro-American agenda to the detriment of Pakistan.
Like I said -- you do not read your sources. Maybe you should take time and read the comments below the articles.

Something like this: An effective remote kill switch is something that virtually impossible to do at the low level component level.

Maybe Mr. Dror Harari know his stuff.

Or how about Mr. Alan Martin who said: Conspiracy hocus pocus. Manufacturers do test full functionality of every chip sold to the DOD. Altering a design is not as simple as just "throwing in" somthing additional. Buying ICs from qualified suppliers is safe.

Thousands of engineers around the world and they are in complete agreement with one article? Now your claim to have work in the technical field is COMPLETELY demolished as far as I am concerned.
 
.
Like I said -- you do not read your sources. Maybe you should take time and read the comments below the articles.

Something like this: An effective remote kill switch is something that virtually impossible to do at the low level component level.

Maybe Mr. Dror Harari know his stuff.

Or how about Mr. Alan Martin who said: Conspiracy hocus pocus. Manufacturers do test full functionality of every chip sold to the DOD. Altering a design is not as simple as just "throwing in" somthing additional. Buying ICs from qualified suppliers is safe.

Thousands of engineers around the world and they are in complete agreement with one article? Now your claim to have work in the technical field is COMPLETELY demolished as far as I am concerned.

After freely handing out dung, you have now started rolling about in it. Did the IEEE take any notice of these comments? Did the author update her article as a result?

But of course, instead of contacting IEEE you must make lame excuses. So, just to humor you, what percentage of comments is denying the accuracy of the article?

You, sir, are an absolute charlatan selling snake oil. Show a bit of shame and quit it already.
 
.

Pakistan Affairs Latest Posts

Back
Top Bottom