Fake Chinese Parts 'Found In US Planes'
Posted on 05/22/2012 8:42:58 AM PDT by the scotsman
On a related topic, if you want to know why DoD system costs keep going up, a big part of it is continually more demanding parts compliance requirements. In the aerospace world, they are known as TOR’s. It’s MIL-SPEC on steroids. Instead of letting the vendors build their product to meet performance specifications, they now have to ensure all parts meet part requirements in TOR’s regardless of whether or not it affects performance. These requirements and their verification flow all the way down the procurements from contractor to sub-contractor to simple parts manufacturer. Most manufacturers can’t meet the requirements without significant cost increase.
Pretty much what I told the company that I later consulted for and needed the technique to make their critical and otherwise unmanufacturable part.
I don't think there was any need for us to get cross wise on this thread, and I apologize for reacting.
Not to worry, no offense taken, I appreciate the passion.
But these content free technical articles using Carl Levin and John Frakkin MCpain as the technical experts burn me up.
I don’t think that they were claiming any conspiracy by the Chinese government. When McCain said that it threatened our security, he didn’t mean intellectual security. He was talking about the threat of bogus parts not working and endangering the success of an operation, and the risk to life that could result.
The conspiracy probably didn’t have anything to do with the Chinese government, other than the fact the Chinese stand up for their own companies, in the same manner that unions protect workers, whether they are guilty or not.
I can assure you the PLA is not on the periphery of this issue.
It’s not like this is unknown. The subject has been publicly discussed since at least 2005.
You should at least read up before claiming the threat of counterfeit chips is simply an IP or revenue issue.
“Such tampering wouldn’t have to occur in a factory where computer components were built. In fact, repair businesses and subcontractors may pose a greater danger. “A skilled and capable adversary could replace a chip on a circuit board with a very similar one,” says John Pironti, a security expert for information technology consulting firm Getronics. “But this chip would have malicious instructions added to the programming.” The strategy wouldn’t be practical for running a broad identity-theft operation, but it might allow spies to focus an attack on a valuable corporate or government target—gaining access to equipment, then doctoring it with hidden functions”
Indeed, the SIA and international organs are drawing up protocols for verifying sources of components, because this counterfeiting is a big issue for no less than:
1. The US
3. S. Korea
and on and on and on. There’s lots of money being lost by legit vendors as a result of this grey-market crap out of the PRC. I won’t even get into the even more formidable “counterfeit bolt and steel” issue that is out there.
The one chipset(s) where I could see insertion of rogue logic are ethernet interfaces. They’re now a commodity and usually no one even thinks about whether or not they’re correct, much less genuine any more. When I was at Cisco, we had quite a little “scandal” with ethernet (back then 10/100, i.e., pre-gig) chipsets that didn’t implement collision back-off correctly and some chipsets would silently drop the frame or jam the wire inside the timing windows. No one else was aware of it, not even the vendors, until Xerox PARC debugged the problem on our boxes with an oscilloscope. PARC came to us and said “Look, we have conclusive evidence that these chipsets on these particular ethernet interfaces on these routers implement the spec incorrectly on collision back-off. What do you think?”
Well, what we thought after duplicating the problem(s) was to contact the chip vendors. Much stony silence ensued, until we made legal noises. Then there were some fixes... but still, we had a lot of product out there with defective chips. On lightly loaded networks, no one really noticed... but on a loaded network, oh yea, you’d see the network’s total bandwidth collapse in some situations as a result.
So could someone put a frame sniffer into an ethernet chipset? Sure. Would it be noticed before triggered? Probably not. The industry doesn’t even notice when chipsets don’t meet published specs as it is now. At least some military applications of discrete and analog components require testing in adverse environments where failures will be seen. The PC’s, laptops and routers that the DOD is buying? Feh.
And let’s not even worry about a sniffer logic package. Just insert logic that makes the interface go deaf on receipt of a “magic packet payload pattern” and spew out to a wire or multicast group broadcast address a similar packet, so all other nodes on that ethernet go deaf as well. It wouldn’t take up much in the way of gates. Get some government idiot to surf to a porn site, the response contains the magic byte pattern, the surfer’s computer goes deaf and then takes down everyone else on his switched or bridged network.
The only company I know of who really takes security seriously is IBM. They’re more serious than the DOD or government about security. eg, they ban Siri use on their networks or inside their plants..... because they don’t know for how long or where Apple is storing the voice recordings of input to Siri. Back in the 80’s, IBM was more serious about their own security than the DOD was about US security. IBM knew that DES was compromised from the get-go... and the NSA talked them into keeping the differential crypto vulnerability quiet for years...
Dave that’s a great anecdote. Indeed, in higher function chips you could indeed do quite a bit with, say, “test modes.”
However, I think you’d have to agree that it would take orders of magnitude more design skill to intentionally accomplish a malicious backoff anomaly like you described, much less a commanded problem, than is required to merely design the primary functionality.
“Never attribute to malice what can be sufficiently explained by incompetence.”
So it’s certainly possible in high level SOCs and ethernet macs, but other musings (not yours) elicited by these type articles about wakeup routines in passives and discretes is silly.
I would extend your scenario a bit, though. You’re correct that those parts are commodities. And they are generally core-limited, so the cost is proportional to die area. The only saving grace is that for the very critical commodity type parts you describe, in order for them to be a commodity by definition there has to be high volumes, and thus the front company would have to take a pretty good hit financially to pump those into the channel.
This goes back to the procurement people ought to be on the lookout for these kind of anomalies, not just Mcpain and Levin boycotting quote-unquote chicom parts.
A North Korean design house tapes out an ethernet chip with the magic packet command you’re talking about. They get it fabbed through a south korean agent in Taiwan, package it in Singapore, ship it to a USA distributor under a “FuTech” shell brand of some kind. It’s not a counterfeit. It’s not a knock off. It’s not from china. It passes functional tests.
That’s my point on here. The fraud is one thing, costing companies money. The ESPIONAGE potential is far beyond the scope of “boycotting china” which is all these political pinheads and newswriters seem to understand.
THESE CASES ARE IP OR REVENUE FRAUD. THESE CASES ARE NOT ESPIONAGE-ON-A-CHIP.
Your links go a step further in obfuscation by interchangeably mixing IP theft via soft hacking, and "fake parts" which are totally different.
As your own links show, you've got a John Pironti (a consultant with a fax machine) and Richard Clarke trying to sell some consulting.
Go ahead and focus on the PLA. Ban all "Chicom components." Then explain how that does one goddam thing to avoid true espionage as I describe above.
Get it through your head.
FAKE PARTS are fraud. Those cost companies Dollars.
Espionage parts will be LEGIT. Those cost lives.
That's the difference.
“Built the world’s first microprocessor with on chip ROM and RAM, built the world’s brightest GaAsP LED, made a silicon IR photodetector sensitive enough to force NBS to recalibrate their standards, hold 5 US patents, with several pending.”
Can you help me with gapping my ‘65 GTOs plugs and distributor points?
(Just kidding; I’m impressed.)
Sure, just remember to replace the condenser when you replace the points...
Set the plugs to 35 thousandths, screw in the points gap until the engine starts to misfire, and back it off half a turn.
Eva, you're exactly correct. And I would agree with him, except that it doesn't matter to a dead pilot if the failed parts are in-spec knockoffs from china or if they're poor-quality originals from California.
The meager content of the article provided no constraint to multiple readers' preconceived agendas about espionage etc!
The article mentions not a whit about (A) did these "fake parts" pass the rigorous qualification tests? and (B) did any of these "fake parts" actually cause any problems?
The question is pertinent to Magnum44's great post (repeated below) about how ridiculous the hoops are for milspec acceptance tests in the first place. Either these parts met those damn specs or they escaped around them. WHICH HAPPENED? I can infer (A) happened from the article because they were pulled out of service. After acceptance. There was nothing wrong with the parts, they were just sold by someone who didn't own them...IP/FRAUD.
Eva: The conspiracy probably didn't have anything to do with the Chinese government, other than the fact the Chinese stand up for their own companies, in the same manner that unions protect workers, whether they are guilty or not.
Indeed. I doubt it did at all. But the politicians like mcpain will gladly ride the indignant outrage of readers and voters against the chinese while the acquisition bureaucrats in the DoD will skate on the fraud issue, or worse, get an opportunity to expand their power due to their own incompetence.
As Magnum's post below describes, these enemies-within-purchasing could damn well take this opportunity to make it so damn hard to build a radio for a C-17 that nobody will bother. Our bureaucrats are far more dangerous to our servicemen than the PLA's chip engineers. This is, by the way, how we got $500 hammers in the 80's you know. It wasn't greedy hammer manufacturers.
Magnum44: On a related topic, if you want to know why DoD system costs keep going up, a big part of it is continually more demanding parts compliance requirements. In the aerospace world, they are known as TORs. It's MIL-SPEC on steroids. Instead of letting the vendors build their product to meet performance specifications, they now have to ensure all parts meet part requirements in TORs regardless of whether or not it affects performance. These requirements and their verification flow all the way down the procurements from contractor to sub-contractor to simple parts manufacturer. Most manufacturers can't meet the requirements without significant cost increase.
I used to use a matchbook cover to gap ‘em all, but found a feeler gauge works better. I tried to turn the distributor by hand ONCE, while the car was running, and got thrown clean out of the garage. Zowie!
Thanks for the tip.
“A nation that kills its own children is a nation without hope.” Blessed John Paul II
Oh yea, I’m all about the economic issue first and foremost.
For me, the #1 issue is that this rampant fraud on the part of importers and PRC companies undercuts *entire industries* which we, the US, should make sure we have because they’re “strategically important.”
There used to be declarations of “strategically important” industries in the US supply chain. Electronics manufacturers were one such, as well as steel, munitions, etc.
At the rate this “Free trade” idiocy is going, however, I fully expect to wake up one day and find out that the DOD has allowed Alliant Techsystems to be sold to the PLA. You know, the guys who run the Lake City munitions plant? Stock ticker ATK? They make great hairy gobs of 5.56 and 7.62 ammo? There’s nothing so strategically stupid I put it beyond the ability of the “free trade uber alles” crowd to accomplish now.
That said, I agree with you that it would take some skill to accomplish a malicious, remote-commanded problem in an Ethernet chipset, but it wouldn’t be too difficult for the PLA and their minions. The logic is already there in the chip to go deaf or go promiscuous, to do all the other functions I’ve described, so all you’d need to add would be a state machine and a byte-wise scanner to look for the pattern.
Everything it could do, however, would also be easy to do it with remotely inserted s/w, and the PLA has proven that they’re quite capable in the cyber-warfare realm and quite active too. I offer the NIC chipset scenario as a possibility when (if) Microsoft and the US Government (GSA and DOD) come up with software security strong enough to make the PLA’s cyberwarfare mission so difficult they have to resort to it. Right now, there’s so many avenues in through software, hardware attacks are low on the PLA’s priority list.
The PLA front company(ies) could take huge hits financially to accomplish this. Consider the hits the PLA businesses take when they screw up, or that their government is going to take *right now* as their economy’s idiotic devotion of huge resources into “see-through cities” comes to light. By “see through cities” I mean just that: There are huge tracts of apartment/condo buildings that have been built with state-backed financing that have no occupants - because the people cannot afford them. The PRC is finding out that the “if you build it, they will come” works only when people are rich enough to have a choice of “Well, I can go to the city with my bankroll and get an apartment... or I can milk these two cows and plow my field with them, lest my family starve” is tilted towards the former option. They’ve about exhausted the number of people who can do the first option... hence the see-through cities.
In the PRC, financial losses don’t carry the same sting as they do here. There’s no investigation, the whole thing is pretty much swept under fine silk rugs and ignored. Their current account surplus with the US means they don’t have to care. Yet another “own goal” for the “free trade” movement.
As to the other things you’ve discussed on this thread: Yea, I just don’t see any credence to the idea of trying to plant something into discrete components. Sure, they’re probably utter crap, out of tolerance and without reliability.... so there are doubtless higher failure rates, but trap doors? Nah, not seeing that. To pull off the trap, I’d speculate that they pull off my method: A seemingly mundane, absolutely ubiquitous chip with higher order functionality. Ethernet or other interface chips meet this description, because as long as they work... no one is going to give a rat’s rear end what might be activated via JTAG or other interfaces...
Now in the SOC... holy crap, is there opportunity for mischief. Everyone using a SOC is usually using it for reasons of cost-cutting, so if someone with seemingly credible rep comes along offering you 10K+ pieces at 20% off... SOC users will typically leap at that deal. I saw that too... and we were one of the first router vendors using SOC’s. The first SOC router we shipped was based on Moto’s Dragonball chip. The SOC was actually the second biggest COGS in the box, the DRAM was #1. No one is going to bother trying to do anything in DRAM chips - you could peel back the container, take a look with a common optical microscope and spot the “This bunch of gates doesn’t look like all the others” in a second of cursory examination.
But stuffing something in to a SOC? Easy. IBM told us just how easy and how much room there was left over on the silicon for most SOC’s. Their Cell Power Architecture building blocks left us gob-smacked at what IBM could fit onto a commodity-sized piece of silicon... back then, they were pitching us four CPU’s (without MMU or FPU), a whole bunch of interface logic, memory and cache controllers, the DRAM for cache, etc, etc. Utterly fantastic stuff... and that was back in 2000. What was bleeding edge for IBM back then is probably idiot level stuff now.
In the end, I foresee some of the tightest security stuff going back to custom FPGA’s which are programmed by either trusted vendors or the NSA/CIA/DOD with controlled distribution. Spendy, but much more secure.
Here’s why, BTW:
Thanks for the discussion but the use of all-caps is usually a wave-off for me.
I’ll just say that the IP, revenue and equipment failure issue of counterfeit-for-profit chips is trivial compared to the threat posed by (yes, good quality -Duh) counterfeit espionage chips.
And don’t knock Richard Clarke. He’s a stand-up guy (read: principled) who knows exactly what he is talking about regarding cyber warfare.
Right now, there's so many avenues in through software, hardware attacks are low on the PLA's priority list.
Bingo. and. In the end, I foresee some of the tightest security stuff going back to custom FPGAs which are programmed by either trusted vendors or the NSA/CIA/DOD with controlled distribution. Spendy, but much more secure.
Unfortunately, bring those two together my friend. The latest rage in "hardware security" ironically is dynamically downloadable FPGAs. WHAT?! At EACH power on, the FPGAs download their programming (e.g. their functional circuitry) from local (which can be on another system...remote!) NV storage. YIKES! Talk about the ultimate in viral penetration potential. 100% legitimate chips from legitimate vendors with a wide open front door to have complete control over their functionality?!
So that's why I get in a tizzy and type ALL CAPS on these threads.
My gawd man, there's some scary shiite out there and it AIN'T KNOCK-OFF resistors and transistors and other "mislabeled" passives from China!
I still get a kick out of that. "It's a counterfeit part with a different part number stamped on it!" LOL. wth?
And fwiw, from a respectful disagreement (ALLCAPS) point of view, may I recommend that you temper your use of Pop Mechanics as a technical news source?
In past decades it was a nice Reader’s Digest of technology.
But it seems to have become the CBS Evening News of silly checkout stand nonsense.
A shame. It’s a toy balloon of content. Thin veneer with lighter-than-air inside.
The only sources I can provide are public domain via Google search. However, that is not where I receive my information. Take a clue from Mr. Clarke. He received regular, classified briefings on chip-based espionage.
You have no appreciation of the extent and capabilities of this penetration. Others who’ve received classified briefings do. A very well informed person even wrote a book about it. What more is required?
A) network/software "cybersecurity" hacking, data gathering
B) backdoor/trojan horse chip designs
C) IP Fraud/counterfeit chips
Totally different things.
Clarke is talking explicitly and exclusively about A. Dumbstream media is reporting on C and inferring B.
B is economically unproductive compared to the wide open vulnerabilities in A, and C has nothing to do with B, since B can be done easier, cheaper and more surreptitiously in legitimate chips rather than risk red flags with C.
Understand, I’m still plenty pissed off by counterfeit parts from China. I’m plenty pissed off by counterfeit bolts, bolt steel, tool steel, carbide tooling, rifle scopes, etc.
Counterfeiting, knock-offs and IP theft by the PRC/PLA is costing this country’s private sector HUGE amounts of money - billions of revenue per year.
Our cowardly, supine pussies in office never, ever do anything about it - including the GOP, who thinks that making any move against China amounts to a re-enactment of Smoot-Hawley.
We cannot run our military if we have allowed all the strategic industries which supply the armed forces with parts, complete systems, etc to be put out of business by the GODDAMN COMMUNISTS. The only good communist is a DEAD one, IMO.
Only problem is that china is going to seem like Galt’s Gulch if the marxists here keep it up.
As I remember the story, there was a lot of blame put on Boeing for not following quality control standards with parts contractors. They had the same type of problem with their civilian planes, not just dept of defense contracts.
Maybe the relationship between Boeing and the dept of defense is just too cozy.
Actually, since my company makes all of the chips of consequence inside our products I am certain in what I say. Regarding the other chips, it is irrelevant. Ls, Cs, Rs, Es, SOT23, etc, cannot be used for espionage. Our PAs come from the OEMs. What we do get via suppliers cannot be used for espionage.
I am not saying that it cannot be done and that the US should not be doing it, I’m just saying it does not happen in my company’s products.
Like I was saying...
BI: Could you respond to this Errata post specifically?
1) We have made no reference to any Chinese involvement in either of the released papers or any reference to espionage. Therefore we don't agree with Robert Graham's assertion that we suggest Chinese involvement. So we have no idea why people have linked the Chinese to this as it did not come from us.
2) As far as we are concerned the back door was implemented by the manufacturers at the design stage and we suggest that in the papers.
Ok? So now we can all agree that the article of the original thread is about fraudulently copied functional equivalents, and not Chinese espionage like Sergei Impliedalotovstov says he's not alluding to. And we can agree that your rebuttal's author Sergei found a method to read out Actel's FPGA programming....which would allow certain data to be read if you could clip wires onto that physical system.
Wooptiedoo! Anyone who has ever fired up an evaluation board with a microcontroller or FPGA from Actel or Xilinx has known this for decades.
I've already mentioned upthread a more glaring, public, non-hidden problem with FPGAs which have the ability to be programmed via serial links and networks. So yeah, those systems could be vulnerable to cyberattacks from Korea or Russia or Israel or China. But that is coming from insecure design and development of the intended, advertised product MADE IN THE USA. Not Chinese "backdoors" in resistors!
But Sergei Wrotealotovrot did a smart thing by fanning the espionage flames. Otherwise his "expose" of an obvious internal exploit for a particular US design would've gotten ho-hum interest from anyone who knew anything about JTAG programming of FPGAs. BTW, you realize that the engineers who implemented that JTAG logic function have a design spec internally, and they have a Verilog or VHDL description of it, and tested it internally. Anyone who worked on that project knows everything Sergei Didalotovnada learned, and was not under any kind of military clearance, and might not have even had a non-disclosure agreement with respect to emailing it to a colleague, customer, student or chinese spy!
There is an OBD-II test port under your dash in your car. Sergei Solderingiron could go to the dealer with your car and tap on to the link while the dealer connects his diagnostic computer, and Sergei could write a paper about undocumented OBD-II registers on your particular ECM.
That ECM and/or other chips in the car may be made in part or in whole in China. Some of the components may even be fraudulent copies of legitimate chips.
Sergei may have another interesting paper, and Sergei may be able to even write some registers to lean out your engine and burn a valve if you let him in the car and let him reprogram it.
But nobody in Beijing can flip a switch and make your car go dead in an intersection!
Test Port ≠ Remote Backdoor