In the world of cyberespionage, there is plenty to blame on China. But the recent discovery by a postdoctoral student in the U.K. of a backdoor in a chip is apparently not one of them.
The consensus of numerous security experts, along with the student himself, Sergei Skorobogatov, is that while the FPGA (Field Programmable Gate Array) chip was manufactured in China, there is no evidence that the Chinese put it there, or that it was intended for cyberespionage.
Skorobogatov, a senior research associate in the Security Group at the Computer Laboratory of the University of Cambridge, generated a firestorm last week with the description of his findings. He posted on his website a letter he sent to "interested government parties," which began: "UK officials are fearful that China has the capability to shut down businesses, military and critical infrastructure through cyber attacks and spy equipment embedded in computer and telecommunications equipment."
He then reported finding a backdoor in the Actel/Microsemi ProASIC3 chip, said it was "military grade," noted that while it was designed by an American company it was manufactured in China, and wrote that this, "previously unknown backdoor [was] inserted by the manufacturer."
He added: "This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure."
Skorobogatov has since backed off considerably, saying readers misinterpreted him or projected their own agendas on his writing. He wrote on his website that it was Actel, not a Chinese manufacturer, that inserted the backdoor.
"The claims about [the] Chinese being involved, was made up by someone who originally made the post at Reddit," he said. "We never said the Chinese have put a backdoor inside Actel's chips and it does not say so in our papers. It is as though people have put two and two together and made four or five or six, depending on what their agenda is."
However, Skorobogatov did say earlier that the chip was "manufactured in China" and it was the "manufacturer" that inserted the backdoor.
Skorobogatov told CSO by email he did not mean that the Chinese were the manufacturer. "Yes, the chip was fabricated in Taiwan Republic of China, but the chip manufacturer is Actel (owned by Microsemi), who developed the chip design," he wrote. "Our findings show that the traces of the backdoor can be found in the development software files."
But Microsemi disputes that. ZDNet's Michael Lee reported that Microsemi has denied that it put the backdoor in the chip. "Microsemi can confirm that there is no designed feature that would enable the circumvention of the user security," the company wrote.
Sign up for CIO Asia eNewsletters.