Huawei, Security, and British GCHQ

(Reuters) Britain says Huawei ‘shortcomings’ expose new telecom networks risks and (Financial Times) Huawei caves in to UK security demands.

GCHQ are congratulating themselves on their due diligence. Quoting,

Senior UK security officials have repeatedly stressed that their concerns are related to technical deficiencies and not the company’s Chinese origins or any evidence of espionage or malicious activity.

It is surprising that the astute heads at GCHQ would segment the Huawei threat in such an ostrich-like manner (if an ostrich could segment). It reminds me of the tongue-twister, “How much wood would a woodchuck chuck if a woodchuck could chuck wood?”

This kind of segmenting, with one of the segments buried, is probably due to British exposure to Chinese economic pressure. As I am not a party to the funeral, let’s spell it out. The Huawei threat has two parts, both enabled by the nature of integrated circuit design and testing:

  • Visible at the pins of the chip, as protocol errors. This includes vulnerabilities in key-exchange protocols, and the existence of chip states that should be unreachable. These fall into the loose category of the 71% of a chip that can be tested through the external terminals. (I think this figure is due to Karpovsky.)
  • Buried in the chip firmware or gate arrays, invisible at the external pins. This is feasible when chips are made by a supplier affiliated with the Chinese state, such as Huawei, because the combinatorics of internal state make exhaustive testing from the pins impossible, even with a test duration on the order of the age of the universe: a trigger only has to be a pattern that no functional test will ever apply.
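To put numbers on the combinatorics, here is an added worked example; it is not from the original post and models no real part. It computes how long an exhaustive pin-level test of a k-bit hidden trigger would take, measured in ages of the universe; the probability that a random test campaign of n vectors ever hits such a trigger; and it simulates a constructed toy component (a modular adder) that matches its specification on every input except a trigger sequence, to show that the buried logic is invisible at the pins unless the trigger is applied. The adder, the trigger values, and the tester throughput of 10^9 vectors per second are assumptions for illustration.

```python
import math
import random

# Age of the universe in seconds (about 13.8 billion years); the yardstick
# the post invokes for an exhaustive test campaign.
AGE_OF_UNIVERSE_S = 4.35e17


def exhaustive_test_seconds(trigger_bits, tests_per_second=1e9):
    """Seconds needed to apply every one of the 2**trigger_bits candidate
    trigger patterns once, at the given (assumed) tester throughput."""
    return 2.0 ** trigger_bits / tests_per_second


def universe_ages(trigger_bits, tests_per_second=1e9):
    """The same campaign expressed in multiples of the age of the universe."""
    return exhaustive_test_seconds(trigger_bits, tests_per_second) / AGE_OF_UNIVERSE_S


def random_test_hit_probability(trigger_bits, n_tests):
    """Probability that n independent, uniformly random test vectors include
    the single trigger value. Uses log1p/expm1 so the result stays accurate
    when 2**-trigger_bits is far below the floating-point resolution of 1.0."""
    return -math.expm1(n_tests * math.log1p(-(2.0 ** -trigger_bits)))


def reference_adder(a, b, width):
    """Specification of the constructed part: a width-bit modular adder."""
    return (a + b) & ((1 << width) - 1)


class TrojanedAdder:
    """Constructed model of a trigger buried in the logic. It is identical to
    the specification on every input except when the last len(trigger) values
    of `a` seen on consecutive cycles equal the trigger sequence, at which
    point the payload fires. The payload here is simply a wrong (off-by-one)
    sum; it stands in for whatever the hidden logic would really do."""

    def __init__(self, trigger_sequence, width):
        self.trigger = list(trigger_sequence)
        self.width = width
        self.history = []

    def step(self, a, b):
        self.history.append(a)
        del self.history[:-len(self.trigger)]  # keep only the last len(trigger) inputs
        if self.history == self.trigger:
            return (a + b + 1) & ((1 << self.width) - 1)  # payload: diverge from spec
        return reference_adder(a, b, self.width)


def random_test_campaign(dut, n_tests, seed):
    """Apply n random input pairs at the pins and count results that differ
    from the specification. Zero mismatches means this campaign cannot tell
    the trojaned part from a clean one."""
    rng = random.Random(seed)
    mismatches = 0
    for _ in range(n_tests):
        a = rng.getrandbits(dut.width)
        b = rng.getrandbits(dut.width)
        if dut.step(a, b) != reference_adder(a, b, dut.width):
            mismatches += 1
    return mismatches


if __name__ == "__main__":
    for bits in (16, 32, 48, 64, 128):
        print(f"{bits:3d}-bit trigger: exhaustive test at 1e9/s = "
              f"{universe_ages(bits):.3g} universe ages; "
              f"P(hit in 1e6 random tests) = {random_test_hit_probability(bits, 10**6):.3g}")
    # Constructed triggers: one 8-bit value, and a three-word 16-bit sequence (48 bits).
    small = TrojanedAdder([0x5A], width=8)
    large = TrojanedAdder([0x1234, 0xBEEF, 0xCAFE], width=16)
    print("8-bit trigger, 5000 random tests, mismatches:", random_test_campaign(small, 5000, seed=1))
    print("48-bit trigger, 5000 random tests, mismatches:", random_test_campaign(large, 5000, seed=1))
```

The 8-bit trigger is found by a few thousand random vectors because roughly one test in 256 applies it; the 48-bit sequence trigger is never applied, so every pin-level observation agrees with the specification. A 128-bit trigger, exhaustively searched at a billion vectors per second, takes on the order of 10^11 ages of the universe, which is the point the post is making.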

Each kind of exploit has its own advantage for the attacker:

  • With the visible exploit, the attacker’s identity can frequently be concealed, or at least left uncertain: a protocol vulnerability can usually be exploited through several attack vectors, by anyone who finds it, not only by the chip’s maker.
  • The invisible exploit is activated by trigger codes so improbable that, if the activation is ever detected, they point with practical certainty to the maker of the chip. (Is there a way around this? Read down.)

Can a chip die be scanned, perhaps with a synchrotron light source, to recover the mask and analyze the functionality completely? There are two obstacles. As Huawei becomes self-sufficient in chips, there will be no independently held reference mask to compare a scan against. And as chip geometries continue to shrink, and stack into 3D, scanning becomes a very hard problem.

There remains one question. Exploits of the second type, if discovered, seem to implicate the attacker inescapably. With the application of great cleverness, is there a way to disguise this? I think there is. Think spread-spectrum and slow data rates: a trigger spread thinly across many ordinary-looking inputs, arriving at a low rate, need not look like a signature at all.

GCHQ, you may think you’ve done due diligence, but this is an error. Think of what we can do, and in your imagination, go one better.