Lots of unknowns will persist for decades across multiple market segments.
Substituting chips is becoming more common in the electronics industry as shortages drag on, allowing systems vendors to continue selling everything from cars to manufacturing equipment and printer cartridges without waiting for a commoditized part. But substitutions aren’t always an even swap, and they increase security risks in ways that may take years to show up or fully understand.
So far, there is no data on how widespread this practice has become or whether there has been significant fallout. Numerous industry sources confirm that chip substitutions are occurring, although not for chips directly involved in safety-critical or mission-critical functions. Still, the security concerns are real, and in some cases, vulnerabilities may be exposed a decade or more after a product ships. And as more devices — and subsystems within those devices — are interconnected, some low-level chips developed at mature process nodes potentially can be used to gain access to other parts of a system, or even devices or networks connected to those systems.
“With a lot of those chips, companies don’t have a really good basis to trust the chip in the first place,” said Mike Borza, Synopsys scientist. “You trust them because you thought you were getting them through an authorized distribution channel and everything seemed to be on the up and up. But those are the chips that are particularly vulnerable now because they’re relatively easy to knock off. The technology is a lower level than what people are using now, so it’s pretty easy to make forgeries or counterfeit chips. But it’s also easy to find them because there’s wide availability of used parts on the market. People are buying them up and putting them back into the distribution channel as if they’re new. It’s an unauthorized reuse. You don’t know what condition those chips are in or whether they came out of obsolete equipment that was taken out of service for a reason.”
In addition to being developed at older nodes that relied on outdated security technology, these substitute chips are sometimes previous-generation chips that utilize older and less-secure communications protocols, as well.
“The older chips come with older software, because you cannot run today’s software on yesterday’s chips,” said Marc Witteman, CEO of Riscure. “And what we’ve seen in the past is that vendors won’t patch their software because they know there’s a new product and they’d rather focus on the software for the new products. If they go back to the old chip, they have to re-use all of that software that wasn’t patched.”
There is no public data on this subject, and supply chain traceability remains spotty at best. And to add yet another level of murkiness, the security risks can vary by vendor, by products made by the same vendor, or depending upon availability of chips at any point in time, by manufacturing lot and time of assembly.
What can go wrong
Substitute chips are a major topic of discussion in the semiconductor security world these days, where zero trust is now considered the standard. One of the lessons from the early days of IP is that not all IP is created equal, which is one of the reasons much of the third-party IP today is developed by large companies such as Arm, Synopsys, Cadence, Rambus, or through centralized oversight of the RISC-V ecosystem.
Not all substitute chips are created equal, either. Mitchell Mlinar, vice president of engineering at Tortuga Logic, cited one case years ago in which a chip was cloned by a company in another country and chose the wrong format for sending wireless commands. “You wouldn’t even know that if you used a clone chip. All you would know is that you’re sending secure information. But if the bit is flipped, that information would be unsecure. Fast forward to today and chips are even more complex. It’s not just simple Wi-Fi with some encryption. And even though the underlying processors are well known, when you start wiring all these external devices on the SoC, you don’t know what all the interrupt protocols look like. And unless you can test how it talks to the outside world, that same defect could create problems.”
Substituting chips on a board, or in a multi-chip subsystem, is easier than in a complex SoC or advanced package, where everything has to be fully characterized for such things as noise and heat. And chips developed at advanced nodes tend to be more susceptible to physical effects. That also makes them harder to hack.
“There are more disturbances in the newest chips,” said Riscure’s Witteman. “If you have a chip with 10 networks on it and you’re interested in what one core is doing, the other nine are just noise. So, there are more disturbances, which makes your measurement and your analysis harder. It’s a filtering problem. And with older chips, a vulnerability that was hard to exploit maybe five years ago would be very easy to exploit with today’s equipment.”
On the other hand, the software is more complicated in more advanced chips. “The more complex the software, the more prone it is to mistakes,” Witteman said. “So, there will be more security problems. The question is, when will they be detected, and when will they be exploited. We don’t necessarily see new products as being more secure than older products. There is development in security architectures, but at the same time there’s a desire for user friendliness for new features, and all that adds security challenges.”
The threat is magnified when system software is used to tie everything together, and that is exacerbated when less-secure chips are substituted, particularly in automobiles. “What didn’t exist in vehicles until recently was any kind of access controls,” said Synopsys’ Borza. “Once you were in the vehicle, you were on the network, and it was relatively easy to hop from place to place on the vehicle network, like on the CAN bus. That’s a pretty serious concern from a safety and security point of view, because these chips are more vulnerable than they would be if they were properly authenticated. People are starting to understand they need to treat the automotive network like a computer network, which is really what it is. It needs to be segmented properly, and there need to be access controls that are enforced at the entry points to the more security- and safety-critical parts of the vehicle.”
Where do they come from?
That raises an important question in the supply chain about who’s responsible for ensuring that substitute chips are even what they are advertised to be.
“One of the big questions here is how do you secure the supply chain,” said Mlinar. “In automotive, where safety is an issue, you’re going to provide all the reports and confirmation that a chip has passed all these requirements and objectives. You have this validation process. ‘Here’s the testing that was done, and here’s the outcome. So, you can see, this is safe. And here are encrypted tests to confirm that it’s still working.’ That’s where the industry needs to go, and there’s some talk about that already.”
In general, the more complex the chip, the harder it is to replace it with another chip. So, a complex SoC developed for a server or the central brain in a vehicle is not going to be swapped out for another component.
“This doesn’t affect new automotive chip designs that are being started now or a year ago, because you don’t actually have any intention of seeing hardware for another three years because the design cycles are so long,” said Scott Best, technical director at Rambus. “And you hope that three years from now the supply chain situation will have worked itself out and the chip you want to manufacture is available at scale. But it’s not just silicon security. It’s supply chain security. What are the reliable ways of tracking those pieces to ensure that the system you’re building has authentic components? We have a lot more recent interest from customers about the risk to the supply chain where a counterfeit part, perhaps with malicious intent, or even a cheaper knockoff of an authentic part with the exact same part numbers, looks fully correct from the outside.”
Why now?
What exactly is driving this shortage, and when will it normalize? The simple answer is gross miscalculation on the part of consumer electronics and automakers during the pandemic. People working from home needed new laptops, better cameras for video conferencing, and much faster modems and communications equipment. And automakers misjudged demand and the need for large numbers of chips.
But the problem has many more threads to it, including:
All of these are contributing to an imbalance between supply and demand. Or looked at a different way, everyone and everything is generating more data. Some of that data needs to be processed in the cloud, but an increasing amount of it needs to be processed much closer to the source in order to reduce latency, bandwidth requirements, and the amount of energy needed to move that data. That has spiked demand for advanced chips, but even in the most complex devices, there are chips that perform simple functions that don’t require the most advanced packaging or processes. Those are the chips that are most vulnerable to shortages, because foundries have been reluctant to ramp up their investments in 200mm technologies due to market uncertainties. And because those chips have been in production for years, they also are easy to remove from discarded electronics or to clone, which fuels a gray market.
Government regulators are starting to catch on to this. In March, Europol, the European police agency, reported that “counterfeiters may try to exploit this demand and supply shortages by introducing counterfeit semiconductors, such as diodes, to the market. Supply chains are global and vulnerable to the introduction of counterfeits since typically several distributors handle components before they reach the manufacturing sites. Tracing the original supplier of the counterfeit semiconductors can be difficult when trademarked counterfeit chips are verified by the semiconductor firms.”
What’s next?
It’s naïve to expect security risks to subside with increased capacity alone. Most security experts advocate much tighter control of the supply chain, including much better tracking for individual parts. But as supplies ease up, system vendors will likely require better tracking of components.
“Every chip made these days has a unique ID internally,” said Tortuga Logic’s Mlinar. “If that is part of a blockchain that goes with it, and which is encrypted, it’s going to be hard for someone to actually replace that chip on the fly. They’re not going to know that internal ID or be able to map that to the blockchain and replace both at the same time. You don’t have to go as far as etching each chip. As long as you know where it’s built, because of the unique ID for each chip, and that’s part of some sort of tracking, we’ll be in good shape.”
This already is happening in the mil/aero world. “Over the last several months, the aerospace and defense community has been making a lot of progress on quantifiable assurance of their microelectronics supply chain,” said Rambus’ Best. “Previously, there wasn’t much uniform specification or guidelines, and you had a lot of very well-intentioned people performing at best effort. There is now a concerted effort to establish guidelines for what it means to have quantifiable assurance for how to reliably mitigate insider attacks and malware attacks that might be coming after your EDA design environment, and how to reliably provision wafer sort and follow that to final test. It’s not coming online overnight, but there’s a lot more conversation about it than a year ago, which is great.”
In the end, much of this comes down to supply chain management, and the supply chain itself is being disrupted by a number of factors. But as capacity improves and chip substitutions subside, there will be much more attention focused on avoiding these kinds of issues in the future and ensuring new problems are not created.
Related
Why It’s So Difficult — And Costly — To Secure Chips
Threats are growing and widening, but what is considered sufficient can vary greatly by application or by user. Even then, it may not be enough.
Building Security Into ICs From The Ground Up
No-click and blockchain attacks point to increasing hacker sophistication, requiring much earlier focus on potential security risks and solutions.
Protecting ICs Against Specific Threats
Considerations and fixes for hardware attacks.
 |
 |
 |
 |
 |
 |
 |
 |
 |
Leave a Reply