Threat from Hardware Trojans: Study shows Manipulation Possibilities
On behalf of the German Federal Office for Information Security (BSI), experts from the IHP - Leibniz Institute for High Performance Microelectronics prepared the study "Analysis of Hardware Manipulations in Distributed Manufacturing Processes (PANDA)". The result: Safety properties or functionality can be negatively affected in all sub-steps.
Hardware Trojans could become a threat. In order to increase security in the IT landscape, the experts inform IT manufacturers and service providers about the potential threat and advise companies to invest in trustworthy manufacturing processes and providers as well as in their own employees.
"Software Trojans are common knowledge: most of us use anti-virus software, check senders carefully before opening email attachments and only download apps to our mobile phones from official sources. However, when the journal Bloomberg Businessweek first reported on a Hardware Trojan in 2018, there was a great deal of uncertainty, especially among companies," says Prof Peter Langendörfer, project leader for the recently published PANDA study. Trojans (the term goes back to the Greek legend of the Trojan horse) are deliberate manipulations inserted by an attacker.
"Globalisation means that more and more steps in the production chain are being outsourced, and the cheapest suppliers are often awarded the contract. When IT companies send their chip designs to production, they could still be modified. When assembling circuit boards, they could be manipulated, for example by attaching additional chips that then pick up and send information," says Prof Peter Langendörfer, outlining two possible scenarios. The IT security expert heads the "Wireless Systems" department at IHP and is also a professor specialising in "Wireless Systems" at BTU Cottbus-Senftenberg.
The BSI made a conscious decision in favour of IHP for the PANDA study. On the one hand, the research institute can map numerous steps in the production chain thanks to its vertical concept. On the other hand, a relationship of trust already existed due to previous collaboration. The IHP experts based the study on both literature research and practical experiments in the production chain, particularly in the implementation of cryptographic functions in FPGAs and in the production of circuit boards. For example, the mainboard of a laptop was prepared in order to test whether these manipulations could be detected by optical methods, e.g. in quality control on receipt of a delivery. Additional chips were hidden under coils and capacitors. These are barely noticeable on microscopic examination and even on X-ray due to the numerous metal layers. Solder points and additional conductor tracks can reveal the additional chips. However, if these are wired as chip-on-board with aluminium bonds, they are almost invisible.
"Our study makes it clear: manipulation is possible at any time and IT manufacturers must react. Because once a hardware Trojan is there, it is incredibly difficult to find," says Prof Peter Langendörfer.
Scientific contact:
Prof. Dr. Peter Langendörfer
Original publication:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/PANDA/PANDA.pdf?__blob=publicationFile&v=4