Combating Counterfeit Chips

The harsh reality is that today, the authenticity of chips is often impossible to guarantee. The counterfeit chip market is sizeable and growing with a worldwide value estimated at $75B in 2019. Those counterfeits are believed to have been integrated into more than $169B of electronic devices. Recent confirmed incidents of counterfeit parts found in electronic systems include defibrillators, airport landing lights, intravenous (IV) drip machines, and braking systems for high speed trains. With electronic devices critical to nearly every aspect of modern life, the risk of counterfeits can range from an inconvenience to injury or loss of life.

Some counterfeit semiconductors are simply ‘gray market’ versions of authentic products. They often originate from overbuilds or reworked failures. While these gray market chips function similar to the authentic versions, they are inherently dangerous in that it is impossible to guarantee their reliability.

Counterfeits are often “harvested” from electronic waste using crude and poorly controlled processes that result in counterfeit semiconductors having far higher failure rates than the genuine articles. Some of these ‘harvested’ chips will fail immediately when electrically tested or first used, while others will fail after days, months or years in the field.

While gray market and harvested chips are bad, rogue versions may be even worse. Rogue counterfeit chips are manufactured to look exactly like authentic chips, with identical packages, markings, and electrical interfaces. Impossible to visually distinguish from authentic, there is often no way to understand how they will actually perform in a system until it’s too late.

Counterfeit rogue chips can exfiltrate or corrupt data or cause a system malfunction. Given the increasing complexity of SoCs, it’s highly problematic to detect malicious functions hidden among the legitimate ones for which the chip is intended. The origin of such chips, and the intention of their manufacturers, can remain completely obscured once they are introduced into the supply chain.

With society’s deep reliance on electronics, the impact of rogue chips can be incredibly devastating. A rouge processor in an advanced fighter could record telemetry that an adversary could use for developing surface-to-air missile defenses. Rogue code inside a fake chip could expose a network to infiltration. A criminal could use malware inside a counterfeit chip to remotely take control of a car or brick its systems in a ransomware attack. The multitude of ways a counterfeit semiconductor could catastrophically affect us beggars the imagination.

What is to be done? Accepting the status quo is untenable given the great and growing risks. The good news is there are solutions available now that provide secure identity for chips. Trust in a semiconductor’s authenticity starts at the silicon level, at the time of manufacture. With cloud-based services, that authenticity can be verified over the entire life of the chip.

Trust is established by many large semiconductor OEMs through factory provisioning services. Rambus’ CryptoManager Provisioning is such a solution that is field-proven and enables the basis of authenticity for over 1.8 billion chips annually.

During fabrication, each chip is provisioned with a unique cryptographic key (or other secure data) into a known-secure area of the chip. This known-secure area can be a secure root of trust (such as the CryptoManager Root of Trust), a secure memory location, one-time programmable (OTP) memory in the main processor, etc. This secure provisioning can be implemented during wafer fabrication, device test, or device packaging. The provisioning process is completely automated requiring no human intervention. Keys are securely generated in air-gapped systems, and only known to a single party: the chipmaker.

Keys provisioned during manufacturing form the basis of the chip’s identity. These keys, stored and encrypted in the secure area, are never exposed to other areas of the chip or the larger system. They are not cloneable or copiable. They are unique to the individual chip. Keys are not retrievable through typical counterfeit activities such as de-capping or delayering of chips. Further, they can be protected from side-channel attacks like differential power analysis (DPA) and fault injection (FI) through the use of a tamper-resistant security core such as the CryptoManager Root of Trust.

Secure provisioning cryptographically binds the device keys to their identity details. This allows for the authenticity of the chip (and by extension, the electronic system that the chip is contained within) to be verified at any time using a cloud-based Key Management Service (KMS). Through a cryptographic process, the chip’s authenticity can be challenged and confirmed. Even if a counterfeit chip was provisioned with a key, the cryptographic mechanisms of the KMS would immediately identify it as a fake, generating an alert for appropriate action.

Finally, the trust established in manufacturing provides the basis for in-field secure updates that allow for semiconductor device function changes. In-field updates allow a service provider to change the way a chip operates. Features can be enabled or disabled, firmware upgraded or replaced, speed grades or interfaces adjusted. Using in-field updates, a single version of a chip can serve multiple purposes depending on the equipment in which it’s installed. At end of life, a ‘brick’ command issued to the device (using the in-field provisioning function) can ensure a chip can’t be harvested and resold into the gray market.

The deployment of secure provisioning across the electronics supply chain would ensure that semiconductor device identities could be authenticated and attested to over their entire lifecycle. The risks of counterfeit chips to the operation of electronic systems, and to the privacy and safety of users, would be eliminated.