Whoever wrote that article is a little sketchy with his facts:
Quote: """One of the most common building-blocks is the debugger, known as JTAG. This is a standard way of soldering some wires to the chip and connecting to the USB port,"""
JTAG is just the low-level interface to a debugger. "Soldering some wires" is not the building block and USB is nowhere related to it (for example, my work-horse JTAG interface connects to Ethernet).
Quote: """Whereas companies (should) disable the debug feature in the version they send to customers, that's not so easy with chips. It requires millions of dollars for every change to chip design. Therefore, chips always have the JTAG interface enabled."""
At least parts of JTAG need to be enabled (most notably the boundary scan that allows you to read/set individual pins) for proper testing of complex circuit boards, but also this is not the problem here: It seems that they left some instructions active to read back supposedly write-only values (e.g. the AES key in question). Designing one of these internal, protected bits to be the "disable JTAG debugging" would not be that hard. CPUs with integrated flash are doing that for years: A certain signature in the internal non-volatile memory will disable flash-readout and CPU debugging, but boundary scan will stay active.
Quote: """ As real silicon chips are becoming more expensive to manufacturer, FPGAs are becoming a more popular alternative. (...) Every change to a chip design requires millions of dollars in changes to the masks that print gates onto a chip."""
Actually looking at a fixed complexity ASICs are getting cheaper to manufacture over time, just as everything else in chip-making. Or as FPGAs. And again: High-end special-technology ASICs might cost "millions of dollars", but no one in their right mind would re-design a complete ASIC for such a simple change like disabling JTAG debugging:
Chips are built in layers, and it quite common to produce a whole batch of wafers with the "lower layers" that form the actual transistors. The metal layers on top of them (those that form the wires interconnecting the transistors) may be added to say one third of the chips.
Then when errors are found during testing, one could take another wafer from the lot, apply a corrected metal-mask and check if the error could be remedied by re-wiring (often a few spare gates are spread over the wafer "just in case" one has to splice in an inverter in a signal... or such things).
Such a relatively cheap (say: 10% of the complete ASIC production run) change would be the right thing to build a chip with JTAG completely disabled, it would be impossibly to re-enable the feature from the outside, but of course, by opening the chip and re-wiring the metal (this is possible by using focused ion beams on a bare die) one could do it. But this was not the message of the quoted article.
His article might be a bit off but it is actually true that the University of Cambridge leaked document is off-base and even their official paper continues to clame there is a backdoor but in a way that negates itself:
"Ultimately, an attacker can extract the intellectual property (IP) from the device as well as make a number of changes to the firmware such as inserting new Trojans into its configuration."
Using a flaw in the system to "insert" a new trojan is not the same as an existing one. This and many other reasons that one sees when looking at both papers, the vendor response and then their response to the vendor make it pretty obvious that they stick to the backdoor claim to maintain face (perhaps for the original grant or clients).
but the best gem of the new paper is claiming that a crypto flaw that requires physical access to exploit = Denial of Service, considering you took out the chip or that you have physical access already.
He also keeps imposing the view that the Drone was "shot down" over Iran as fact. While many people have different views on how the drone was taken intact it was not "shot down".
I generally liked the article but this drone part is totally off the hook.
Consider something like the drones shot down by Iran. The reason is that they are designed to be cheap, to be frequently lost while flying over the enemy. Thus, it's likely that one of these FPGAs was inside the drone shot down by Iran. While it's unlikely the FPGA had any secrets worthwhile, issues like this make it easier for Iran to reverse engineer the drone and manufacture their own.
The RQ-170 Sentinel was developed by Lockheed Martin's Skunk Works as a stealth Unmanned Aerial Vehicle (UAV)... Few details of the UAV's characteristics have been released, but estimates of its wingspan range from approximately 65 feet (20 m)[6] to 90 feet (27 m).
Even US public doesn't know pretty much anything about it, not even wingspan, as it probably stems straight from some Black Project out of Area 51.
So it is not only VERY expensive, it also includes some of the most TOP SECRET technologies developed by USAF, like stealth and what not. In military jargon it's called high-value asset!
Quote: """One of the most common building-blocks is the debugger, known as JTAG. This is a standard way of soldering some wires to the chip and connecting to the USB port,"""
JTAG is just the low-level interface to a debugger. "Soldering some wires" is not the building block and USB is nowhere related to it (for example, my work-horse JTAG interface connects to Ethernet).
Quote: """Whereas companies (should) disable the debug feature in the version they send to customers, that's not so easy with chips. It requires millions of dollars for every change to chip design. Therefore, chips always have the JTAG interface enabled."""
At least parts of JTAG need to be enabled (most notably the boundary scan that allows you to read/set individual pins) for proper testing of complex circuit boards, but also this is not the problem here: It seems that they left some instructions active to read back supposedly write-only values (e.g. the AES key in question). Designing one of these internal, protected bits to be the "disable JTAG debugging" would not be that hard. CPUs with integrated flash are doing that for years: A certain signature in the internal non-volatile memory will disable flash-readout and CPU debugging, but boundary scan will stay active.
Quote: """ As real silicon chips are becoming more expensive to manufacturer, FPGAs are becoming a more popular alternative. (...) Every change to a chip design requires millions of dollars in changes to the masks that print gates onto a chip."""
Actually looking at a fixed complexity ASICs are getting cheaper to manufacture over time, just as everything else in chip-making. Or as FPGAs. And again: High-end special-technology ASICs might cost "millions of dollars", but no one in their right mind would re-design a complete ASIC for such a simple change like disabling JTAG debugging:
Chips are built in layers, and it quite common to produce a whole batch of wafers with the "lower layers" that form the actual transistors. The metal layers on top of them (those that form the wires interconnecting the transistors) may be added to say one third of the chips.
Then when errors are found during testing, one could take another wafer from the lot, apply a corrected metal-mask and check if the error could be remedied by re-wiring (often a few spare gates are spread over the wafer "just in case" one has to splice in an inverter in a signal... or such things).
Such a relatively cheap (say: 10% of the complete ASIC production run) change would be the right thing to build a chip with JTAG completely disabled, it would be impossibly to re-enable the feature from the outside, but of course, by opening the chip and re-wiring the metal (this is possible by using focused ion beams on a bare die) one could do it. But this was not the message of the quoted article.