Millions of server & devices affected. Starbleed vulnerability in FPGA chips

Field Programmable Door Arrays (FGPA) are flexible programmable chips that are considered highly secure components for various applications, mentioning specialists in cloud computing security services.

In a joint research project, scientists from the Horst Gortz Institute, Ruhr-Universitat Bochum and the Max Planck Institute for Security and Privacy have now discovered that a critical vulnerability in these chips.  Investigators dubbed this security flaw as “Starbleed”.

By exploiting this vulnerability, threat actors can gain complete control over the chips and their full features. Because the flaw is built into the hardware, it is impossible to release software updates; In other words, the security risk can only be eliminated by replacing these chips. The manufacturer company has already been notified by researchers of cloud computing security services.

FPGA chips are widely used by many applications critical to computer security, from cloud data centers and mobile carrier base stations, to encrypted USB sticks and industrial control systems. Its wide use lies in its reprogrammability, unlike conventional chips.

Being reprogrammable, these chips also allow their basic components to be modified freely; to do this, the key is bit stream, a process that can be used to program the FPGA chip. For the protection of these devices, manufacturers implemented bit stream encryption.

Cloud computing security services experts in charge of this research discovered a method to decrypt this protected bit stream, gaining access to the contents of the file and modifying it for their own purposes.

Specialists were able to take advantage of the reprogramblity of these chips through an upgrade and recovery function in the FPGA, employed as a vulnerability. Experts might manipulate the encrypted bit stream during the setup process to redirect its decrypted content to the WBSTAR configuration log, which can be read after a reboot.

“The advantage of individually reprogramming the chips became a disadvantage. If a malicious hacker gains access to the bit stream, he also gains full control over the FPGA,” the specialists say. This attack will allow you to steal intellectual property in the bit stream, as well as the injection of malicious code into the FPGA hardware, among other malicious actions.

For further reports on vulnerabilities, exploits, malware variants and computer security risks you can access the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.