The danger of counterfeit microchips

From hoverboards to cars, counterfeit microchips are cropping up in many electronic devices that permeate our daily lives. These chips are so small that they’re easily overlooked by consumers, but as more and more faulty parts infiltrate the market, Carnegie Mellon professor Ken Mai advises it’s time to take notice.

TRANSCRIPT

From hoverboards to cars, counterfeit microchips are cropping up in many electronic devices that permeate our daily lives.

These chips are so small that they're easily overlooked by consumers, but as more and more faulty parts infiltrate the market, Carnegie Mellon professor Ken Mai advises it's time to take notice.

Professor Mai, thanks for joining us.

So, microchips are in all kinds of things around our households, around our lives.

What's the difference if there's a counterfeit versus a real one?

Well, there are a number of dangers that can crop up from a counterfeit design.

I mean, the first sort of most benign one would be that it performs less well or is less reliable.

But if you have a counterfeit part in something like a charger for a battery of a cellphone or a toy, that can start a fire in your house.

Or if it's a counterfeit part that has malicious things inserted in it, then you can have information loss, identity theft.

And in worst case, your hardware can get taken over remotely by a malicious entity.

What's the incentive to put a counterfeit one in there?

Just because it's cheaper?

Largely, the counterfeiters, they're driven by a profit motive.

So it is cheaper for them to, for example, recycle a part from some e-waste and then scrub it, make it look like a little bit better part, and then sell it back into the supply chain.

How prevalent is this?

Unfortunately, it's incredibly prevalent.

The DoD has done a number of studies where they've found, actually, counterfeit parts in deployed military systems.

And there have been wholesale counterfeit systems, routers, that have been sold into the government supply chain.

And so, in 2008, for example, entire Cisco routers were found to be entirely counterfeit, sold to a number of government agencies.

When you talk about the electronic supply chain, it's huge, right?

There's so many different vendors that are responsible for this and that part, and, 'Well, I'll make the casing and you make the battery.'

Mm-hmm.

Right, so, how do you tackle a problem that stretches this far?

The government's tried some regulatory fixes, but the supply chain is so complicated and global that it's nearly impossible to fix it that way.

So both the government and academia have been looking at different ways you can solve it from a technical side, but, again, the supply-chain issues mentioned is so complex that you can't solve it from a regulatory standpoint.

So [Chuckles] is there a solution to the problem?

I think, like many things, there are solutions that can help, but there's no panacea, right?

There's no one thing you can do that's gonna fix the entire problem and solve it once and for all.

Okay, so, you've been working on something at Carnegie Mellon, a 'chip odometer'? What is that?

Right.

So what we've been working on is a circuit block that you can put onto new chips that essentially emulates a VIN number, the odometer, and a flight-data recorder for a chip so that you can authenticate its provenance, know exactly when it was manufactured, what kind of chip it's supposed to be, and how old it is and how long it's been in the supply chain.

And so this will foil things like chip recycling, where there are entities that will take e-waste, rip the chips off of the e-waste, scrub them up, often mark them as newer or better chips than they were, and then sell them back into the supply chain.

So, how do you protect yourself from this if this is so pervasive?

From a consumer standpoint, this is very difficult, right?

This is really something that the equipment manufacturers and assemblers need to work on.

But as a consumer, you can look at the source of your electronics.

You know, maybe you don't buy it off eBay.

You buy it from a big-box store.

But even then, if you buy it from a big-box store, if it's been returned, swapped with a counterfeit part, it's also difficult to tell.

Is there a connection between the new credit-card chips that everyone's getting in their credit cards as the credit-card companies update?

The connection there is mainly from the standpoint of security through hardware.

So, the new credit cards have a small chip inside of them that's read by the reader that you have to shove your card into, and it takes a couple extra seconds.

But that does a secure information exchange, and that is certainly better than just feeding your credit-card number through the machine through the magnetic stripe.

Unfortunately, the U.S. is somewhat behind the rest of the world in that type of technology.

I think many people probably just recently got issued their smart-card-enabled credit cards, but in Europe and in Asia, that's been popular for a number of years.

So, you've got a prop there, two chips.

What's on there?

So, there's one counterfeit chip, and there's one genuine chip.

And the point of the prop is just to show that they look nearly identical.

And unfortunately for manufacturers, sometimes they go through different batch runs, so often even the manufacturer can't tell -- without completely taking the chip apart -- which one's real and which one's not.

And that would take a ton of time and money.

That's right.

It's extremely difficult to tell, and, again, often they'd require a scanning electron microscope scanning of the surface or completely taking the chip apart and de-layering it in order to know which one's counterfeit and which one's not.

Is the microchip industry or the semiconductor industry doing something to stop this?

Up till now, the economic concern hasn't been large enough that they've been doing modifications of the chips and that sort of thing on a large scale, but there are certain companies that do secure chips that have worked on this problem before.

All right.

Ken Mai from Carnegie Mellon University.

Thanks so much for joining us.

All right. Thank you.