It’s easy to infiltrate a semiconductor chip supply chain with counterfeits. The path from the original manufacturer to the final use is notoriously weak, especially for older chip models, which are often needed for military applications. There are different types of counterfeits: they can be falsely labeled, used, broken, actual fakes, or, as we are told this week, hacked to a specific purpose by the mob.
In a blog post Tuesday, two executives from IOActive, a computer and information security company, posited that the mob could easily enter the realm of chip counterfeiting and sell insidiously hacked chips with devastating results.
It’s not a new concern, but IOActive gives it a new twist with the gangster angle. They’re not wrong about the threat, but the company’s blog post smells a little like fear mongering.
To illustrate their point, the authors dissect a chip ordered from an online electronics broker. IOActive, which investigates counterfeit claims, took the microprocessor in question apart and found that it was a ST ST19AF08 chip pretending to be a ST19XT34.
By itself, this is not surprising. Counterfeiting chips is a rampant, possibly already billion-dollar business that continues to grow, and it has, in fact, probably already been infiltrated by organized crime. The number of counterfeit incidents goes up every year, according to private companies and the US government—in part due to US legislation that is pushing companies to report finding fakes.
IOActive’s conclusion is that if it is easy to fake a chip and difficult to identify a fake, it must also be easy for criminal organizations and foreign governments to make minor modifications to chips that would never be noticed at all. A bad chip in the right place could compromise security with backdoors, malicious code, or rigged algorithms.
This is true. But getting that bad chip into that exact right place would be difficult for the same reasons that it is easy to sneak bad chips into the market in the first place. The supply chain is a mess. Chips are bought and resold frequently. A reputable purveyor of chips in a panic for a specific model might buy from an online broker, which in turn buys from anonymous sources on online forums.
Producing and selling a counterfeit chip is relatively easy. Avoiding counterfeit chips is not. Tracing a counterfeit chip back to its source is fraught with difficulties. And placing a subtlety-hacked chip in a precise place through a complicated supply chain?
It would be an “expensive and consuming proposition” but a worthwhile one to the mob, IOActive writes. They’re not wrong, but an old-fashioned bribe or broken kneecap sounds cheaper and easier.
On the other hand, it would be incredibly easy for the mob to sell bad chips to anyone and everyone via those pesky and yet necessary online brokers. And they probably already do.
Photo Credit: Richard Wheeler
