TMCnet Feature
September 20, 2013

Hardware Trojans Pose Risk for Military, Critical Infrastructure

By Ed Silverstein, TMCnet Contributor

Trojans are a kind of malware that carries malicious code. They can steal or change data, or disrupt computers or networks. They do not replicate like viruses. In a recent report, Kaspersky Labs said that several of the top 20 malicious programs on the Internet involve Trojans.



There is also risk involving hardware Trojans – a unique category of Trojans. These are hardware Trojans that could be introduced during the manufacturing of chips. A new study has outlined some of the potential risks of hardware Trojans.

“Since there have been no reported hardware Trojans in practice yet, little is known about what such a Trojan would look like, and how difficult it would be in practice to implement one,” the study explained.

So the researchers, who are from Germany, the Netherlands, Switzerland and the United States, showed in the study how integrated circuits could be compromised. The alterations made when a chip is tampered with in this way would be hard to detect – even through optical inspection.



This can be accomplished without “any additional circuitry, transistors or other logic resources,” according to a report from Computerworld.

The study, called "Stealthy Dopant-Level Hardware Trojans," shows how a hardware Trojan can be introduced by changing the "doping" on the transistors found on chips.

Doping is a way that “electrical properties of silicon” are changed via “introducing tiny impurities like phosphorus, boron and gallium, into the crystal,” the Computerworld report said.

“By switching the doping on a few transistors, parts of the integrated circuit no longer work as they should. Because the changes happen at the atomic level, ‘the stuff is hard to detect. If you look at it optically there is nothing different,’” Christof Paar, chairman for embedded security, Department of Electrical Engineering and Information Technology at Ruhr University in Germany, was quoted as saying by Computerworld.

“Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against golden chips,” the study explained.

The researchers inserted the Trojans into a “digital post-processing derived from Intel's cryptographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation and by exploring their detectability and their effects on security,” the study said.

To get some further explanation, look to a blog post by security researcher Bruce Schneier.

“Basically, you can tamper with a logic gate to be either stuck-on or stuck-off by changing the doping of one transistor,” Schneier said about the study in his blog. “This sort of sabotage is undetectable by functional testing or optical inspection. And it can be done at mask generation – very late in the design process – since it does not require adding circuits, changing the circuit layout, or anything else. All this makes it really hard to detect.”

This kind of tampering would be most “devastating” when used to modify a chip's random number generator, Schneier said.

“This technique could, for example, reduce the amount of entropy in Intel's hardware random number generator [RNG] from 128 bits to 32 bits. This could be done without triggering any of the built-in self-tests, without disabling any of the built-in self-tests, and without failing any randomness tests,” he added.

To prove their case, the researchers inserted Trojans into Intel’s RNG used in the Ivy Bridge processors. It was done at the sub-transistor level.
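Why a generator with far less entropy than advertised can still pass randomness tests, as an added illustration (not code from the study, from Intel, or from the article): the sketch below feeds a small unknown seed through a post-processing step and runs the NIST SP 800-22 frequency test on the output. SHA-256 as a stand-in for the post-processing stage, the 16-bit toy seed size, and all function names are assumptions made for this example.

```python
import hashlib
import math
import secrets
from typing import Optional

ENTROPY_BITS = 16  # constructed toy value so the search is instant; the article's figure is 32

def output_block(seed: int, counter: int) -> bytes:
    """One 128-bit output block. SHA-256 is a stand-in for the RNG's
    post-processing stage (an assumption, not Intel's design)."""
    material = seed.to_bytes(16, "big") + counter.to_bytes(8, "big")
    return hashlib.sha256(material).digest()[:16]

def weak_stream(seed: int, blocks: int) -> bytes:
    """Output of a generator whose only unknown state is `seed`."""
    return b"".join(output_block(seed, i) for i in range(blocks))

def monobit_p_value(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test; p >= 0.01 counts as a pass."""
    n = 8 * len(data)
    ones = sum(bin(byte).count("1") for byte in data)
    s = abs(2 * ones - n)  # |#ones - #zeros|
    return math.erfc(s / math.sqrt(2 * n))

def search_seed(first_block: bytes) -> Optional[int]:
    """Enumerate the 2**ENTROPY_BITS possible seeds; return the matching one."""
    for candidate in range(2 ** ENTROPY_BITS):
        if output_block(candidate, 0) == first_block:
            return candidate
    return None

if __name__ == "__main__":
    seed = secrets.randbits(ENTROPY_BITS)
    stream = weak_stream(seed, 2048)  # 32 KiB of output
    print("monobit p-value:", monobit_p_value(stream))
    print("seed found by enumeration:", search_seed(stream[:16]) == seed)
```

The frequency test sees a balanced bit stream regardless of seed size; only knowledge of how much unknown state feeds the post-processing separates a healthy generator from a weakened one.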

The study raises concerns for the military, organizations which use critical infrastructure, and the overall private sector. It becomes part of the current risk-assessment debate related to the manufacturing and distribution of hardware, much of which happens in different parts of the world.

“Detecting this new type of Trojan is a great challenge,” the study said. “They set a new lower bar on how much overhead can be expected from a hardware Trojan in practice (i.e. zero!). Future work should include developing new methods to detect these sub-transistor level hardware Trojans.”




Edited by Alisen Downey