Possible F-35 Supply Chain Weakness – Who’s building your kit ???

Here at Milliamp we were slightly surprised the other day when we turned on a TV news channel only to hear the presenter talking about PCB gerber files – not something you hear every day on mainstream media !!!  So what was the fuss about ???  It appears that GE Aviation (a defence supplier and manufacturer) and others have been subcontracting the manufacture of sensitive fighter aircraft parts to Chinese-owned companies based in the UK – such as Exception PCB, purchased by Shenzhen Fastprint in 2013.  Whilst there is no allegation of wrongdoing, this incident has set security and intellectual property alarm bells ringing among media and politicians alike this week, given the current sensitive political situation between China and the West.  Whilst in this instance it may be a bit of political hot air, it does raise the question of how design data is handled in a globalised supply chain – particularly where sensitive design information is involved.

With the Exception PCB panic, there were concerns that military secrets could be gleaned from manufacturing data; however, various parties involved were quick to reassure that everything is fine and there is nothing to see – “This is ‘dumb’ Gerber data containing only information to enable Exception to produce only the bare PCB’s, no additional electronic information is applied or supplied” says one of the executives involved in the current saga.  Whilst this sounds reassuring, talk is cheap.  Global intellectual property theft is at its highest and this includes electronic design data for the latest and greatest innovations.  In the electronics manufacture world in particular, sensitive design information is often casually emailed around the world through the supply chain with little thought given to protecting the data – including the basic blueprints for electronic PCBs – their gerber files.

Customers often go to great lengths with NDAs and audits to ensure design companies involved in the development of their products are trustworthy – and this often works.  The problem comes at the manufacturing stage.  Once a PCB design has been completed, a gerber file is generated by the designer, which is then used as the basis of the data pack that is sent to manufacturers for quote.  It is this gerber that is used to generate the phototools used to fabricate the PCB using a photo-lithographic process.  In order to even quote for a PCB, the manufacturer needs to see these files – and at this point the design data is released into the wild forever.  Whilst some say the gerbers are dumb, with the right know-how it is quite simple to reverse engineer the data and recreate a significant amount of possibly secret design circuitry.  Here at Milliamp we offer this service to customers who have lost the original gerber files and we are able to relatively easily reverse engineer a bare PCB into a schematic – even multilayer boards using X-ray machines.  And if we can do it, many others can too.  With newly released electronic gadgets it’s usually not long before they appear as clones on Internet shopping sites.
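What a “dumb” copper-layer gerber still discloses, as an added example (not Milliamp’s code or tooling): the sketch below parses a constructed RS-274X fragment and reports the pad shapes, pad pitch and trace count that any recipient of the data pack can read straight from the file.  The function names and the sample data are assumptions made for illustration, and only a small subset of RS-274X is handled.

```python
import re
from collections import defaultdict

# Constructed sample copper layer (RS-274X, units mm), not real design data.
SAMPLE = (
    "%FSLAX24Y24*%\n%MOMM*%\n"
    "%ADD10C,0.2500*%\n%ADD11R,0.6000X1.5000*%\n"
    "D11*\n"
    "X100000Y100000D03*X112700D03*X125400D03*X138100D03*\n"
    "X100000Y154000D03*X112700D03*X125400D03*X138100D03*\n"
    "D10*X100000Y100000D02*Y50000D01*M02*\n"
)

def parse_gerber(text):
    """Parse a small RS-274X subset: format spec, apertures, flashes, draws."""
    scale = 10 ** int(re.search(r"%FSLAX\d(\d)Y\d\d\*%", text).group(1))
    apertures = {int(n): f"{shape} {dims}" for n, shape, dims in
                 re.findall(r"%ADD(\d+)([A-Za-z]+),([^*]+)\*%", text)}
    flashes, draws, current, x, y = defaultdict(list), 0, None, 0, 0
    for cmd in map(str.strip, re.sub(r"%[^%]*%", "", text).split("*")):
        sel = re.fullmatch(r"D(\d{2,})", cmd)
        op = re.fullmatch(r"(?:X(-?\d+))?(?:Y(-?\d+))?D0?([123])", cmd)
        if sel and int(sel.group(1)) >= 10:      # aperture select (D10 and up)
            current = int(sel.group(1))
        elif op:                                 # coordinates are modal
            x = int(op.group(1)) if op.group(1) else x
            y = int(op.group(2)) if op.group(2) else y
            if op.group(3) == "3":               # D03 = flash, i.e. a pad
                flashes[current].append((x, y))
            elif op.group(3) == "1":             # D01 = draw, i.e. a trace
                draws += 1
    return scale, apertures, flashes, draws

def pad_rows(points, scale):
    """Rows of 3+ identical pads at one uniform pitch: (y_mm, count, pitch_mm)."""
    rows = defaultdict(list)
    for x, y in points:
        rows[y].append(x)
    found = []
    for y, xs in sorted(rows.items()):
        gaps = {b - a for a, b in zip(sorted(xs), sorted(xs)[1:])}
        if len(xs) >= 3 and len(gaps) == 1:
            found.append((y / scale, len(xs), gaps.pop() / scale))
    return found

def disclosure_report(text):
    scale, apertures, flashes, draws = parse_gerber(text)
    rows = {d: pad_rows(p, scale) for d, p in flashes.items()}
    return {"apertures": apertures, "pad_rows": rows, "trace_segments": draws}

print(disclosure_report(SAMPLE))
```

On the constructed sample the report shows two rows of four rectangular pads at 1.27 mm pitch, which is already enough to narrow down the package family of the part that sits there.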

So – “we trust our PCB assembly house” I hear you say – well, whilst many assembly CEM companies genuinely believe they hold your data securely, unfortunately they often use “brokers” to get bare PCBs made.  Some of these PCB broker companies are highly profit focused due to the low margins involved, and this can result in your design data ending up in places you would not expect – companies all around the world who maybe respect intellectual property less than you would like.  Often this broker supply chain is kept hidden from view, else there would be no reason to use the broker !!!  The CEM has little visibility of what their broker has done with your data and often paperwork is “corrected” by brokers to suit the situation.  Ultimately you get what you pay for.

So how can we mitigate this?  Ultimately it’s a battle with the cloners (who have a very cosy relationship with unscrupulous PCB factories in some parts of the world) – but there are solutions out there and protection can start right at the design level.  With the right technology employed, it is possible to minimise the amount of intellectual property devoted to the hardware and shift this into software as much as possible – even so far as using re-programmable logic, analog parts and similar.  This software can then be loaded onto the PCB at final assembly in a trusted environment, and this can even be coupled with secure elements that allow secure provisioning, encryption and limited use programming tools.

On the manufacturing side of things, due diligence is key.  Get to know your PCB assembly house and ask questions – lots of questions – like who they send your boards out to for quotes.  Ask to see their quality paperwork (Certificate of Conformity and Invoices) and make spot checks with their suppliers – actually see where your design data has ended up.  Obviously many manufacturers don’t want to give away who they are using as suppliers in case they are cut out of the loop; however, if dealing with a trustworthy professional CEM, this should not be a problem.

Here at Milliamp we have significant skill in the secure design of hardware and software systems to resist software and hardware attack by remote and physical threats, including during manufacture in distant factories !  This experience includes secure crypto technology, financial EMV hardware, TPM, firmware encryption and tamper detection technology.  We are also able to ensure that our customers’ designs are securely manufactured and protected against modification or copyright/cloning in untrusted OEM factories, as well as being able to manage manufacture in our own trusted partner factories where we have undertaken detailed audits and built up trust over many years – as a small company we have a close relationship with our suppliers, so we know exactly what is going on behind the scenes.  If you would like us to take the risk out of getting your product designed and manufactured whilst rigorously protecting your IP then get in touch !!!
