The July 2022 issue of IEEE Spectrum is here!

IEEE websites place cookies on your device to give you the best user experience. By using our websites, you agree to the placement of these cookies. To learn more, read our Privacy Policy.

In 2018, an article in Bloomberg ­Businessweek made the stupendous assertion that Chinese spy services had created back doors to servers built for Amazon, Apple, and others by inserting millimeter-size chips into circuit boards. 

This claim has been roundly and specifically refuted by the companies involved and by the U.S. Department of Homeland Security. Even so, the possibility of carrying out such a stupendous hack is quite real. And there have been more than a dozen documented examples of such system-level attacks.

We know much about malware and counterfeit ICs, but the vulnerabilities of the printed circuit board itself are only now starting to get the attention they deserve. We’ll take you on a tour of some of the best-known weak points in printed-circuit-board manufacturing. Fortunately, the means to shore up those points are relatively straightforward, and many of them simply amount to good engineering practice.

In order to understand how a circuit board can be hacked, it’s worth reviewing how they are made. Printed circuit boards typically contain thousands of components. (They are also known as printed wiring boards, or PWBs, before they are populated with components.) The purpose of the PCB is, of course, to provide the structural support to hold the components in place and to provide the wiring needed to connect signals and power to the components.

PCB designers start by creating two electronic documents, a schematic and a layout. The schematic describes all the components and how they are interconnected. The layout depicts the finished bare board and locates objects on the board, including both components and their labels, called reference designators. (The reference designator is extremely important—most of the assembly process, and much of the design and procurement process, is tied to reference designators.)

Not all of a PCB is taken up by components. Most boards include empty component footprints, called unpopulated components. This is because boards often contain extra circuitry for debugging and testing or because they are manufactured for several purposes, and therefore might have versions with more or fewer components.

Once the schematic and layout have been checked, the layout is converted to a set of files. The most common file format is called “Gerber,” or RS-274X. It consists of ASCII-formatted commands that direct shapes to appear on the board. A second ASCII-formatted file, called the drill file, shows where to place holes in the circuit board. The manufacturer then uses the files to create masks for etching, printing, and drilling the boards. Then the boards are tested.

Next, “pick and place” machines put surface-mount components where they belong on the board, and the PCBs pass through an oven that melts all the solder at once. Through-hole components are placed, often by hand, and the boards pass over a machine that applies solder to all of the through-hole pins. It’s intricate work: An eight-pin, four-resistor network can cover just 2 millimeters by 1.3 mm, and some component footprints are as small as 0.25 mm by 0.13 mm. The boards are then inspected, tested, repaired as needed, and assembled further into working products.

1. Small Components: Hardware hacks might need the inclusion of an extra, surreptitious component. In that case, a spot on the board with many small components is the place to hide it. Modern passive components can be mere millimeters in size and invisible to the unassisted eye. This component can be added in production (very difficult); during the “rework” step, when faulty boards are fixed (easier); or in a warehouse before or during delivery to the customer (even easier).

2. Power Controller: This chip is a particularly fruitful target because it acts as the controller for all of the DC voltages that power the CPU, the graphics card, and more. It is under the control of the System Management Bus. So if a hack enables people to seize control of the SMBus, they could reset voltages in order to damage a computer or limit its operation. Control of the SMBus could also allow a hacker to interfere with communication between the CPU and onboard sensors, and that might also lead to damage.

3. Low Pin Count Bus: The connector above is attached to the LPC bus, which can link the CPU to certain legacy devices as well as to the fans and physical switches on the chassis. Perhaps just as important to hackers, the LPC bus can connect to a secure microcontroller called a Trusted Platform Module (TPM), which deals with encryption keys and various other security functions. While the TPM would very likely remain secure even if the LPC bus is compromised, a hacker could observe the traffic going to and from the TPM.

4. BIOS Flash Memory: The Basic Input/Output System (BIOS) flash memory holds the data needed to initialize hardware during boot up. It sits on the Serial Peripheral Interface (SPI) bus. Seizing control of the SPI bus would enable a hacker to alter hardware configurations so that a path would be open to inserting malicious code into the computer.  

5. Super I/O Chip: The Super I/O chip controls the inputs to a variety of low-bandwidth devices, sometimes including keyboards, the mouse, certain sensors, fans, and floppy disks. The chip sits on the Low Pin Count (LPC) bus. Seizing control of the LPC bus could let hackers reduce the fan speed so that a computer will overheat. It could also let them introduce false temperature and voltage readings that could damage or shut the system down.

Attacks can be made at every one of these design steps. In the first type of attack, extra components are added to the schematic. This attack is arguably the hardest to detect because the schematic is usually regarded as the most accurate reflection of the designer’s intent and thus carries the weight of authority.

A variation on this theme involves adding an innocuous component to the schematic, then using a maliciously altered version of the component in production. This type of attack, in which seemingly legitimate components have hardware Trojans, is outside the scope of this article, but it should nevertheless be taken very seriously.

In either case, the countermeasure is to review the schematic carefully, something that should be done in any case. One important safeguard is to run it by employees from other design groups, using their “fresh eyes” to spot an extraneous component.

In a second type of attack, extra components can be added to the layout. This is a straightforward process, but because there are specific process checks to compare the layout to the schematic, it is harder to get away with it: At a minimum, a layout technician would have to falsify the results of the comparison. And combatting this form of attack is simple: Have an engineer—or, better, a group of engineers—observe the layout-to-­schematic comparison step and sign off on it.

In a third type of attack, the Gerber and drill files can be altered. There are three important points on the Gerber and drill files from a security perspective: First, they’re ASCII-formatted, and therefore editable in very common text-editing tools; second, they’re human-readable; and third, they contain no built-in cryptographic protections, such as signatures or checksums. Since a complete set of ­Gerber files can be hundreds of thousands of lines, this is a very efficient mode of attack, one that is easily missed.

In one example, an attacker could insert what appears to be an electrostatic discharge diode. This circuit’s design files are made up of 16 Gerber and drill files. Of the 16 files, nine would need altering; of those nine, seven would vary in a total of 79 lines, and two files need changes in about 300 lines each. The latter two files specify the power and ground planes. A more skilled attack, such as one adding vertical connections called vias, would dramatically reduce the number of lines that needed rewriting.

Unprotected Gerber files are vulnerable to even a single bad actor who sneaks in at any point between the designing company and the production of the photolithographic masks. As the Gerber­ files are based on an industry standard, acquiring the knowledge to make the changes is relatively straightforward.

One might argue that standard cryptographic methods of protecting files would protect Gerber files, too. While it is clear that such protections would guard a ­Gerber file in transit, it is unclear whether those protections hold when the files reach their destination. The fabrication of circuit boards almost always occurs outside the company that designs them. And, while most third-party manufacturers are reputable companies, the steps they take to protect these files are usually not documented for their customers.

One way to protect files is to add a digital signature, cryptographic hash, or some other sort of authentication code to the internal contents of the file in the form of a comment. However, this protection is effective only if the mask-making process authenticates the file quite late in the process; ideally, the machines that create the photolithography masks should have the ability to authenticate a file. Alternatively, the machine could retain a cryptographic hash of the file that was actually used to create the mask, so that the manufacturer can audit the process. In either case, the mask-making machine would itself require secure handling.

If bad actors succeed at one of these three attacks, they can add an actual, physical component to the assembled circuit board. This can occur in three ways.

First, the extra component can be added in production. This is difficult because it requires altering the supply chain to add the component to the procurement process, programming the pick-and-place machine to place the part, and attaching a reel of parts to the machine. In other words, it would require the cooperation of several bad actors, a conspiracy that might indicate the work of a corporation or a state.

Second, the extra component can be added in the repair-and-rework area—a much easier target than production. It’s common for assembled circuit boards to require reworking by hand. For example, on a board with 2,000 components, the first-pass yield—the fraction of boards with zero defects—might be below 70 percent. The defective boards go to a technician who then adds or removes components by hand; a single technician could easily add dozens of surreptitious components per day. While not every board would have the extra component, the attack might still succeed, especially if there was a collaborator in the shipping area to ship the hacked boards to targeted customers. Note that succeeding at this attack (altered Gerber files, part inserted in repair, unit selectively shipped) requires only three people.

Third, a component can be added by hand to a board after production—in a warehouse, for instance. The fact that an in-transit attack is possible may require companies to inspect incoming boards to confirm that unpopulated parts remain unpopulated.

Kn owing how to sabotage a PCB is only half the job. Attackers also have to know what the best targets are on a computer motherboard. They’ll try the data buses, specifically those with two things in common—low data rates and low pin counts. High-speed buses, such as SATA, M.2, and DDR are so sensitive to data rates that the delay of an extra component would very likely keep them from working correctly. And a component with a smaller number of pins is simpler to sneak into a design; therefore, buses with low pin counts are easier targets. On a PC motherboard, there are three such buses.

The first is the System Management Bus (SMBus), which controls the voltage regulators and clock frequency on most PC motherboards. It’s based on the two-wire Inter-IC (I2C) standard created by Philips Semiconductor back in 1982. That standard has no encryption, and it allows a number of connected devices to directly access critical onboard components, such as the power supply, independently of the CPU.

A surreptitious component on an SMBus could enable two types of attacks against a system. It could change the voltage settings of a regulator and damage components. It could also interfere with communications between the processor and onboard sensors, either by impersonating another device or by intentionally interfering with incoming data.

The second target is the Serial Peripheral Interface (SPI) bus, a four-wire bus created by Motorola in the mid-1980s. It’s used by most modern flash-memory parts, and so is likely to be the bus on which the important code, such as the BIOS (Basic Input/Output System), is accessed.

A well-considered attack against the SPI bus could alter any portion of the data that is read from an attached memory chip. Modifications to the BIOS as it is being accessed could change hardware configurations done during the boot process, leaving a path open for malicious code.

The third target is the LPC (Low Pin Count) bus, and it’s particularly attractive because an attack can compromise the operation of the computer, provide remote access to power and other vital control functions, and compromise the security of the boot process. This bus carries seven mandatory signals and up to six optional signals; it is used to connect a computer’s CPU to legacy devices, such as serial and parallel ports, or to physical switches on the chassis, and in many modern PCs, its signals control the fans.

The LPC bus is such a vulnerable point because many servers use it to connect a separate management processor to the system. This processor, called the baseboard management controller (BMC), can perform basic housekeeping functions even if the main processor has crashed or the operating system has not been installed. It’s convenient because it permits remote control, repair, and diagnostics of server components. Most BMCs have a dedicated Ethernet port, and so an attack on a BMC can also result in network access.

The BMC also has a pass-through connection to the SPI bus, and many processors load their BIOS through that channel. This is a purposeful design decision, as it permits the BIOS to be patched remotely via the BMC.

Many motherboards also use the LPC bus to access hardware implementing the Trusted Platform Module (TPM) standard, which provides cryptographic keys and a range of other services to secure a computer and its software.

Start your search for surreptitious components with these buses. You can search them by machine: At the far end of the automation is a system developed by Mark M. Tehranipoor, director of the Florida Institute for Cybersecurity Research, in Gainesville. It uses optical scans, microscopy, X-ray tomography, and artificial intelligence to compare a PCB and its components with the intended design. Or you can do the search by hand, which consists of four rounds of checks. While these manual methods may take time, they don’t need to be done on every single board, and they require little technical skill.

In the first round, check the board for components that lack a reference designator. This is a bright red flag; there is no way that a board so hobbled could be manufactured in a normal production process. Finding such a component is a strong indication of an attack on the board layout files (that is, the Gerber and drill files), because that step is the likeliest place to add a component without adding a reference designator. Of course, a component without a reference designator is a major design mistake and worth catching under any circumstances.

In the second round of checks, make sure that every reference designator is found in the schematic, layout, and bill of materials. A bogus reference designator is another clear indication that someone has tampered with the board layout files.

In the third round, focus on the shape and size of the component footprints. For example, if a four-pin part is on the schematic and the layout or board has an eight-pin footprint, this is clear evidence of a hack.

The fourth round of checks should examine all the unpopulated parts of the board. Although placing components in an unpopulated spot may well be the result of a genuine mistake, it may also be a sign of sabotage, and so it needs to be checked for both reasons.

As you can see, modern motherboards, with their thousands of sometimes mote-size components, are quite vulnerable to subversion. Some of those exploits make it possible to gain access to vital system functions. Straightforward methods can detect and perhaps deter most of these attacks. As with malware, heightened sensitivity to the issue and well-planned scrutiny can make attacks unlikely and unsuccessful.

Samuel H. Russ is an associate professor of electrical engineering at the University of South Alabama. Jacob Gatlin is a Ph.D. candidate at the university.

Startup TyFast aims for 3-minute charging, 20,000-cycle life

Prachi Patel is a freelance journalist based in Pittsburgh. She writes about energy, biotechnology, materials science, nanotechnology, and computing.

Startup Tyfast is making batteries based on a new anode material that allow it to charge in minutes and last for several thousands of charge cycles

To fulfill the vision of EVs that travel a thousand miles or phones that run for days on a single charge, most battery developers are racing to make batteries that can pack twice the energy in the same weight.

Not startup Tyfast, which is “approaching next-generation battery development in a counter-current direction,” says GJ la O’, CEO and cofounder of the 2021 spinoff from the University of California, San Diego.

The company wants to make a battery based on a new vanadium-based anode material that can charge in 3 minutes and run for 20,000 charging cycles at the expense of energy density, which la O’ says could be 80 to 90 percent that of present-day batteries. La O' and company cofounder and chief technical officer Haodong Liu plan to develop a commercial product with the help of a new Activate fellowship they were awarded in early June. “Our high-level focus is 20 times faster charging and 20 times longer life than today’s lithium batteries. We’re saying we’ll deliver the same runtime as the previous-generation device, but charge really, really fast such that you forget about the size and energy density.”

That compromise works for their intended always-on, high-utilization applications such as autonomous warehouse or delivery robots that need to work nearly 24/7. Tyfast’s battery could enable that with very short fast-charging stops.

“Today’s robot platforms have battery packs that run 8 to 10 hours,” he says. “If you have a faster-charging battery you could have a 4- to 5-hour battery pack. A smaller pack would mean the robot carries more load per trip so it would be more productive.”

The charge time of lithium-ion batteries is limited by how quickly lithium ions flow in and out of the anode. The graphite used typically for anodes now has a planar structure with ions slipping in between the layers.

Tyfast instead uses an anode made of lithium vanadium oxide, a material with a 3D crystal structure similar to table salt. Ions move through the crystals in three dimensions, enabling 10 times as fast transport as in graphite.

The LVO anode, first reported by UCSD nanoengineers and Tyfast cofounders Ping Liu and Shyue Ping Ong in 2020 in the journal Nature, also expands and contracts less than graphite when it charges and discharges. Graphite changes volume by up to 10 percent whereas LVO expands less than 2 percent. That translates to less mechanical and chemical damage of the anode, allowing longer battery life, la O’ explains. “Our technology is trying to overcome this material limitation that graphite has set.”

Graphite can, however, hold more ions than LVO by weight, giving a higher battery energy density. Several companies are developing nanoengineered silicon or lithium-metal anodes that would have twice the energy density of even graphite, in order to enable longer EV driving range. The challenge with those materials is also their very high volumetric expansion that can crack the anode.

Tyfast’s LVO anode might be more robust, but its higher cost could be its downside. It is almost twice as expensive as graphite at over US $20 per kilogram. A battery with an LVO anode and nickel-manganese-cobalt [NMC] cathode would be 30 to 50 percent more expensive than a graphite-NMC cell, says la O’. But LVO’s longer life could make up for its higher cost. “If you were to use it in an always-on application like autonomous robots, LVO lasts longer, so you’re at a lower cost per charging cycle,” he adds.

Before robots, the company is initially targeting the wearables market. It has several customers lined up, la O’ says, including a major consumer-electronics brand. In its laboratory, it is building batteries the size of credit cards and sugar packets. These prototypes use LVO anodes and commercial NMC cathodes and electrolytes so far last for over 2,000 charge cycles and charge in under 15 minutes.

By the end of the year, the team plans to reach 20,000 cycles and under 3-minute charging. “The vision is consumer-electronics devices that get you back to life faster with a Tyfast battery,” he says. “If you take a coffee break, by the time you’re done with your cup, your device is fully charged.”

Kids can build robots, write code, and design video games

Kathy Pretz is editor in chief for The Institute, which covers all aspects of IEEE, its members, and the technology they're involved in. She has a bachelor's degree in applied communication from Rider University, in Lawrenceville, N.J., and holds a master's degree in corporate and public communication from Monmouth University, in West Long Branch, N.J.

These youngsters are checking out one of their local library’s IEEE-funded science activity kits.

More than 150 public libraries throughout the central United States now lend out activity kits that let children explore just about any aspect of science, technology, engineering, and mathematics. The kids can check them out just like they would a book. The kits teach youngsters what engineers do, as well as how to code, build robots, design video games, and create animations.

The collections have been made possible by the IEEE Region 4 Science Kits for Public Libraries program with funding from Region 4 members and corporate sponsors. The SKPL program is the brainchild of IEEE Life Senior Member John A. Zulaski, the chair of the SKPL committee.

Activity kits aren’t new to libraries, but STEM kits didn’t exist 10 years ago. Nowadays large, well-funded libraries might have them, but that’s not the case for many small and midsize ones, Zulaski says.

He says he is on a mission to encourage other IEEE entities to make the kits available at local libraries. Only public libraries in IEEE Region 4 currently are eligible for an SKPL grant.

“This is the perfect project for IEEE life members or young professionals to undertake,” Zulaski says. “The kits get kids interested in pursuing a technical career—which, by the way, helps increase IEEE membership down the road.”

Currently all 80 branches of the Chicago Public Library have the kits, as do libraries in Illinois, Indiana, Iowa, Minnesota, Michigan, Nebraska, North Dakota, Ohio, and Wisconsin.

After Zulaski retired as director of electronic products at S&C Electric, in Chicago, he became a trustee for his local library, in Mount Prospect, Ill. During his visits there, he noticed cloth bags filled with puzzles and other activities, but none were specific to STEM. He recalled the wonderful experiences he had as a child playing with Erector sets, Lincoln Logs, and other activity kits, and he realized many children today are not so fortunate. In 2009 he talked to the library’s executive director, Marilyn Genther, about creating science kits that could be circulated. She was interested but said she didn’t have the US $2,000 in her budget she estimated it would take to create such a collection.

Zulaski ran the idea past the IEEE Chicago Section, which agreed to provide funding. Assembled by youth librarians and IEEE volunteers, 12 kits were created for children in Grades 1 through 5. They included hands-on off-the-shelf STEM projects, instructions written by the librarians, and a recommended list of books, DVDs, videos, and other reference material from the library, Genther says. All the items were stowed in backpacks.

Genther says having libraries offer the kits makes a lot of sense. There is no curriculum for students to follow, so they can learn at their own pace and pick topics they find interesting.

“The kits get into the hands of children who may not have an opportunity to learn about STEM otherwise,” she says. Genther has since retired and is now a member of the IEEE SKPL committee.

Zulaski says the prototype kits were flying off the shelves—which persuaded the IEEE Chicago Section to launch the SKPL project in 2010. Through the generosity of the section’s members and a few corporate donors, more than 25 libraries in the Chicago area began circulating the science kits.

The kits get into the hands of children who may not have an opportunity to learn about STEM otherwise.

Kids aren’t the only ones checking out the collections. Teachers, Boy Scout leaders, parents who homeschool their children, and libraries that have in-house STEM programs do as well.

The kits are tailored to the needs of the local children, Zulaski says.

“We decided early on that we did not want to dictate to the libraries what should be in their kits,” he says. “They are in a better position to make that determination because they can look at their records on STEM-related books that have been checked out and see what subjects seem to be most popular.”

In 2011 the project received funding from the IEEE Foundation and the IEEE Life Members Committee to enable 26 libraries in the Midwest to build science kit collections.

The SKPL committee set up a formal application process for granting money to libraries. The number of libraries applying for SKPL grants has grown. This year the committee has received 79 applications, up from 40 last year. It awarded 15 grants of up to $2,000.

In a testimonial about the SKPL grant received by the Batavia Public Library, in Illinois, its youth services librarian, Amanda Vanderwerf, said, “The deeper understanding that comes from sustained engagement with these kits is something we are proud to offer to our patrons, and we thank you for this opportunity. The Batavia community, the library staff, and especially the youth services department thanks IEEE for allowing us to be part of this fantastic opportunity to create circulating science kits.”

S&C Electric made a substantial donation to provide SKPL collections to the entire Chicago Public Library system. The company also makes an annual donation to maintain the existing kits and add new ones to the collection. Other corporate donors include American Transmission, Eaton, Elite Electronics, Emerson Electric, and Milwaukee Tool. IEEE-USA, the IEEE Professional Activities Committee, and the IEEE Electromagnetic Compatibility Society’s Chicago chapter also have donated money.

With cash Zulaski received in 2015 from the IEEE New Initiatives Committee , the SKPL committee created a marketing campaign to promote the project, developed fundraising initiatives, and built its website.

The 2023 submission period for SKPL grant applications period begins 1 November 2022 and closes 15 January.

Zulaski says Region 4 members are making their libraries aware of the opportunity. He says he hopes that by this time next year, other IEEE groups will be offering grants. To help make that happen, funding is being sought to create a toolkit to train other IEEE entities how to implement their own SKPL program.

“Hopefully this can be accomplished by the end of this year, assuming major donors step forward,” Zulaski says. “There are around 10,000 public libraries in the United States alone and hundreds of thousands around the world. Much remains to be accomplished.”

If your IEEE entity is interested in offering the SKPL program, complete this form.

Donations to the program are welcome.

Through case studies and data visualizations, this webinar will show you how to leverage IP and scientific data analytics to identify emerging business opportunities

Business and R&D leaders have to make consequential strategic decisions every day in a global marketplace that continues to get more interconnected and complex. Luckily, the job can be more manageable and efficient by leveraging IP and scientific data analytics. Register for this free webinar now!

Join us for the webinar, Harnessing the power of innovation intelligence, to hear Clarivate experts discuss how analyzing IP data, together with scientific content and industry-specific data, can provide organization-wide situational awareness and reveal valuable business insights.

Through case studies and data visualizations, they will show you how to cut through the noise, link data and generate intelligence to help anticipate and evaluate emerging opportunities and potential threats.