The recent supply chain issues with chip shortages and long lead times have prompted system makers to turn to second-tier suppliers and distributors to fulfill their semiconductor needs. This, in turn, has put a spotlight on the growing concern of fraudulent or counterfeit ICs. Counterfeit ICs can have many sources of origin. They may be devices manufactured using less stringent quality standards, they may have come from excess inventory and they may also have old date codes or outdated revisions. These counterfeit devices may have failed test procedures or perhaps they were scavenged from recalled or broken system boards. While the method of entry into the supply chain may be murky, the consequences of these devices are much clearer. They may not meet performance specifications, they may also have poor reliability, shorter lifetimes and they may have experienced supply chain security breaches, along with being susceptible to hacking or trojan circuitry.
This, however, is not a new problem. Various publications and researchers have studied this subject over the years and concluded that this is indeed a real and serious problem, causing concern to system makers and especially those involved in mission-critical, security, defense and government applications. In a 2014 IEEE publication,1 the authors estimated the revenue loss due to counterfeiting to be in the range of $100 billion with up to 1 percent of all semiconductor sales estimated to be counterfeit. A U.S. Chamber of Commerce report2 cites that the Organisation for Economic Co-operation and Development estimated in 2016 that 2.5 percent of the world trade, or $461 billion, is related to counterfeiting. A 2017 study by the U.S. Air Force3 (USAF) warns of growing concern about counterfeit devices contaminating the U.S. Department of Defense (DOD) and USAF supply chains. The study goes on to say that these counterfeit devices may be responsible for a loss of USAF personnel and the USAF has called for the DOD to take countermeasures. In response, the DOD and National Security Technology Accelerator (NSTXL) have initiated multiple programs such as RAMP4 to implement supply chain security in offshore manufacturing environments with commercial participants such as Qualcomm5 and Intel.6
Counterfeit IC Motivation, Sources and Risks
In an economic environment of supply shortage and long lead times, buyers can be tempted to turn to secondary suppliers or distributors to source the ICs needed for their products. This increases their exposure to counterfeit ICs. Even understanding the risks, there can be multiple motivations for suppliers to sell counterfeit ICs. These include:
- Improving gross margins by selling a lower-cost device at a higher price
- Winning a price and availability battle against competing distributors and resellers
- Selling a restricted device in an unapproved region or to a banned application
- Selling a digital rights management-disabled device into a content-sensitive market or application
- Contaminating a sensitive supply chain with hacked devices or with devices containing trojan circuits.
These counterfeit ICs can come from multiple sources:
- Second-source ICs that were manufactured at lower-cost manufacturing facilities or manufacturers with lower quality standards
- Recycled ICs that failed production line testing but were salvaged and repackaged as good units
- Retired ICs that were returned to companies as return material authorizations or disassembled from discarded or used system boards
- End-of-life or replaced ICs that were announced as obsolete and replaced with an updated revision
- A hostile entity trying to exploit a vulnerability in the supply chain to inject hacked or trojan devices.
By using counterfeit ICs, system makers and users are exposed to various risks such as:
- Faulty, low performance or buggy ICs that may not perform as expected and can cause permanent or intermittent system failures
- Lower quality products that may fail prematurely in the field
- Backdoors that enable hostile entities to take over sensitive applications and data.
Best-Known Methods and Limitations
Like identification cards or passports that contain a unique ID that distinguishes one person from another, detecting counterfeiting is based on a type of ID and a secured database of legitimate IDs. The most obvious way to track an individual IC is by assigning it a chip ID that is a unique identifier, commissioned to the IC’s non-volatile memory. This may be accomplished with an e-fuse or a one-time programmable memory area at the end of the manufacturing line.
A limitation of this method is that offenders may obtain a stock of non-commissioned devices and program them with an ID of a legitimate unit. This is known as cloning a device. Another weakness is that often, the method of commissioning the ID into the device is by burning a bit and modifying its default value. While it is impossible to change a logical one to a logical zero, the converse may be possible. This means that an offender can change logical zero bits into logical ones and turn an illegitimate ID into a seemingly legitimate one.
Like using biometric methods to counter fake ID cards or passports, an inherent identifier that is not dependent on the commissioning of IDs is needed to counter IC supply chain vulnerabilities. Such a method is called a physically unclonable function (PUF). The most common method of PUF is an uninitialized SRAM. Each bit in an SRAM that was not previously written or initialized has a certain tendency to be read as a zero or a one. Research shows that implementing noise cancelation techniques and reading a large enough uninitialized SRAM can result in a very high probability that different devices will read different values but multiple reads from the same device will return the same value on each read.
A flow diagram for a Root of Trust system used to provide trusted verification for human and IC identification and verification is shown in Figure 1. This diagram introduces the concept of a PUF. It comes from a work based on an SRAM implementation of a PUF.7
Unfortunately, after some amount of time in the field, there is a good chance that this PUF device will experience aging and wear-out. This is likely to affect the PUF signature and the device will start advertising a different value. Another limitation of this approach is that devices that were manufactured at an illegitimate foundry, devices that have had additional circuits inserted or devices with an older revision do not map back to an IC design or process data. This limits the ability of a PUF to detect these counterfeit parts. The solution to this challenge requires a new PUF method that provides the benefits of an SRAM-based PUF while also offering value for additional use cases and attack schemes.
Some industries are looking to use a split manufacturing concept as a means to segment the silicon manufacturing process into identifiable untrusted and trusted portions.8 In this concept, the advanced process node foundry for the transistors can be an untrusted generic front-end-of-line foundry process. In this implementation, the back-end-of-line of the process, where the metal interconnect layers turn the transistors into circuits, would be a trusted process. However, this process concept is difficult to manage with limited functionality and it may not be feasible with newer silicon technologies.
As shown in Figure 1, the system needs to do more than just generate unique IDs. There is also a need for a cloud-based and secured data platform to store and maintain the database of valid device signatures. Existing chip ID databases are often not secure enough, siloed or not accessible throughout the supply chain.