US military's fake chips battle

The US Department of Defense (DoD) has passed new rules designed to weed out the use of counterfeit hardware. Worried that fake gear such as chips or antenna parts could prove unreliable or pose a security risk (for example, be equipped with spyware by a foreign government), the DoD rules that government organizations and …

  1. Snowy Silver badge

    Who vets the supplier's supplier?

  2. Suricou Raven

    I see where this is going.

    The military will be obliged to set up elaborate tracking systems whereby components are monitored from factory to end use, with checking of the packaging at multiple points and a chain of custody maintained by elaborate paperwork signed in triplicate. It's the only way to be sure that none of the parts were switched for fakes, or fakes inserted to pad out an undersized order.

    And then, in a few years, some congressman is going to ask why the military has to spend $250 to buy a component he can find online for ten bucks.

    1. bazza Silver badge

      Re: I see where this is going.

      Never mind the military, there's plenty of electronics that we all rely on. How many fake components in the airliner you last flew on, or in your car, or in medical equipment, etc.

      It's not just small components either - I've seen fake FPGAs that worked well enough to pass a cursory examination...

      1. Anonymous Coward

        Re: I see where this is going.

        Taking this a level lower, even genuine equipment, such as "smart meters", is a potential conduit for bad things to happen, not so much spying as physical damage. Firmware upgrades are obviously done by wi-fi (sending a tech out to change the firmware in each meter would defeat most of the purpose of these golems). Possibly with the help of a sample among millions that fell off the delivery truck, a bit of spying, and brute force computational methods, you figure out how to insert your own firmware upgrade. Then you "upgrade" a few tens of millions of the units and apply your own physio-therapy to the grid. For example, you might cycle the power to each meter, twice a second. It is conceivable that this could be done even without upgrading the firmware. It might be as simple as copying the header of a message "turn down the baseboard heating to 67 between 9 am and 2 pm Monday to Friday" and substituting a message "cycle power on the fridge every 2 seconds. Don't stop if you smell smoke." The Good (or at least Reassuring) News in this is that China and Russia seem to be deploying smart meters almost as fast as the West. No word on North Korea, though. Okay, it's not as simple a picture as I'm painting it, but the cyberwar rewards are o so great.

  3. Starace
    Flame

    Who are they buying from then?

    Unless they're going to some really dodgy sorts I remember that the whole purchasing system involved (and still does) a ton of certification and QA on all the parts for a military or aircraft manufacturing process. Almost exactly like Suricou Raven suggested could happen; it already did.

    Which is why everything turned out to be so expensive to buy due to the volume of paper and process involved all the way through.

    It also made life interesting if you wanted small quantities of something (say 50 chips) where you could get them easily enough - maybe even free - from the manufacturer but then you had to insist on the full purchasing & QA process on a really tiny order when the usual MOQ was 1000.

    Maybe that has broken down recently for some of their suppliers or maybe the military's purchasing side have been deciding things were too expensive from the official source, gone grey market or to broker then finding out where the saving actually came from.

    1. allthecoolshortnamesweretaken

      Re: Who are they buying from then?

      RadioShack?

      Looks like these days the bulk of components is manufactured in countries that are at best dodgy allies or potential opponents. So good luck with the vetting process.

  4. Anonymous Coward

    Simple fix

    Order 10,000 of the part and sell the other 9,750 online.

    Plus you get most of the money back and can clean up because people buy the parts knowing that a fair percentage have been QA'd and inspected.

    It happens a lot here, don't ask how I know this :-)

    1. Anonymous Coward

      Re: Simple fix

      My first reaction is "ermagherd, dats brilliant". But everyone will have to know that they got the parts directly from the gov in order to not simply create another counterfeiting target, which means the gov has to become essentially another DigiKey, and I doubt they're in the mood.

      Anyway if the gov officially validated some pre-existing network of trust and ended up just using DigiKey (or whoever) to sell, that could work out neatly.

  5. x 7

    Another example of the "Buy it cheap from China" syndrome. In many cases it HAS to be bought from China because their predatory pricing has undercut and bankrupted western electronic companies.

    We should simply ban the imports of all electronic gear more sophisticated than a toaster from China.

  6. Anonymous Coward

    This is what happens when you allow all manufacturing to go to the countries with the cheapest labour cost and which also have the lowest environmental protections. Are they really surprised?

    Anything of Nation level interest should be manufactured by the Nation that has an interest in the safety and security of that product. Not just Military, but telecommunications, business, medical, and home users who use their computers for online purchases and banking.
