Advertisement

Blog

Combating Counterfeiting

Counterfeiting continues to be a major problem in the electronics supply chain. IHS iSuppli reported last year that over 100 incidents of counterfeiting came to light each month in 2012, and that the number of high-risk suppliers increased by over 60 percent between 2002 and 2011.

More recently, US and UK organizations related to the electronics supply chain announced an initiative to share information on counterfeit and high-risk parts.

One approach to cut counterfeiting would be to adopt a business process that says that all parts must be sourced from authorized distributors. But counterfeits can be difficult to spot. They could be failed parts from an approved supplier that weren't destroyed and then diverted by criminals into the supply chain. Or, they could be lower-grade components repackaged to resemble more expensive devices.

PUF, the magic bullet
A better approach would be to build unique identifiers into components. But not all identification techniques are created equal.

A device code can identify a component as a member of a category of products. This code is easy for criminals to reverse engineer. If they figure out the marking technique, it becomes pretty much worthless.

Physically unclonable functions (PUFs) are considered to be both tamper resistant and hard to spoof. PUFs attempt to “tie a device to its mark of authenticity by leveraging inherent variations in manufacturing processes.” An untrusted supplier can't create a copy of the circuit because it's impossible to control manufacturing process variations.

PUFs take advantage of the fact that every integrated circuit on a board is somewhat different from its neighbors, even though they work the same. For example, internal static random access memory (SRAM) chips display patterns of ones and zeros when they are first powered up, which are random from one die to the next, but which are consistent for any one particular die. This pattern can be used as an unclonable device fingerprint. Unclonability means that it is “infeasible to produce two PUFs that are indistinguishable.”

Trust but verify
Testing for authenticity involves querying the certification circuitry with challenges and receiving responses consistent with a public key supplied by the manufacturer. That process requires the presence of specific hardware, such as embedded non volatile memory (eNVM) — memory that can retain stored information when not powered — to store the data, and a communications interface to allow the data to be read.

With this hardware in place, together with sufficient computational capability to implement cryptography, the manufacturer injects a secret key into the device at the point where the wafer is tested, followed by a digital certificate bound to the secret key at the assembly stage. This provides a certificate that has been signed by the original component manufacturer and which supports downstream anti-counterfeiting measures. The certificate can be interrogated at any point in the supply chain, allowing suppliers and end users to trace the authenticity of the components and providing a counterfeit-free downstream supply chain.

Related posts:

12 comments on “Combating Counterfeiting

  1. prabhakar_deosthali
    May 7, 2013

    PUF seems to be a foolproof way to ensure unique identity for a semiconductor part. However the software which does the authentication could be vulnerable to tampering by malware.

  2. owen
    May 7, 2013

     …internal static random access memory (SRAM) chips display patterns of ones and zeros when they are first powered up…”

    Must chips be powered-up in order to verify authenticity?  

  3. SunitaT
    May 7, 2013

     the number of high-risk suppliers increased by over 60 percent between 2002 and 2011.

    @Peter, thanks for the post. I am curious to know where can companies find the list of high-risk suppliers so that they can avoid such suppliers ? Do we have any ratings given to the suppliers based on the risk factor ?

  4. SunitaT
    May 7, 2013

    Must chips be powered-up in order to verify authenticity?

    @owen, I think the chips must be powered-up else SRAM chips wont generate required patterns which is must to check the authenticity of the product.

  5. SunitaT
    May 7, 2013

    However the software which does the authentication could be vulnerable to tampering by malware.

    @prabhakar_deosthali, I am not sure if software will have any impact on this.  I think its hard to mimic PUFs because they take advantage of inherent variations in manufacturing processes. I dont see how malwares can impact such inherent variations.

  6. SP
    May 7, 2013

    That's a smart way to comabat counterfeiting. Can we do it for all the electronic devices? How about passives??

  7. t.alex
    May 8, 2013

    This is an interesting concept. I think other issues need to be taken into consideration, such as the distribution of the verifying software/tools has to be done via some secure channel as well.

  8. Adeniji Kayode
    May 9, 2013

    @tirlapur

    Don,t you think its better to ask forthe list of highly recomemded suppliers than to ask for the list of high-risk suppliers.

    It's a bit risky if you do not have access to the names of suppliers to be avoided especially  if you could not enlist all of them but a list of good suppliers will do a better job.

  9. garyk
    May 10, 2013

    This is an interesting comment.

    One approach to cut counterfeiting would be to adopt a business process that says that all parts must be sourced from authorized distributors . But counterfeits can be difficult to spot. They could be failed parts from an approved supplier that weren't destroyed and then diverted by criminals into the supply chain. Or, they could be lower-grade components repackaged to resemble more expensive devices.

    Make it simple, to start, use Authorized Distributors and Manufactures. don't let CM's buy from where ever they want. We can't control the CM's owned by CHINA. Stop purchasing COTS product not made from an Authorized manufacturer. Start publishing where counterfeit units have been purchased from. 

    They could be failed parts from an approved supplier that weren't destroyed and then diverted by criminals into the supply chain. Or, they could be lower-grade components repackaged to resemble more expensive devices. This statement is not likely, but I would be willing to this chance. The Authorized Distributor or Manufacture is not going to re-package the units. START SIMPLE. Remmber a shake of the hand, a non-disclosure agreement or sign Purchasing Agreement mean nothing to CHINA.

     

  10. Tom Murphy
    May 20, 2013

    Adeniji: I completely agree. In fact, I think most buyers do rely on recommended suppliers — or those that they know already.  The counterfeiting problem is so insidious that it goes much deeper than that.

    Every once in a while, I get a $100 bill in my hands. Not often. But when I do, I realize I would never know whether or not it is counterfeit. And there are millions of those in circulation. There are probably hundreds of thousands of counterfeits. If people can't spot funny money, how is a fast-paced industry supposed to spot well designed counterfeit electronic components?

  11. Hailey Lynne McKeefry
    May 31, 2013

    On the surface, this integrated identifier seems like a good idea and one that has been tested in other industries for security. I find myself wondering, though, how long it will take the counterfitters to replicate the identifier to push through fake components. The problem always remains that the bad guys have the same technology as the good guys so they can stay a step ahead. Anyone one to take a guess and start a pool?

  12. jesse_securecomponents
    December 6, 2013

    We agree that authorized distirbutors should be the first place buyers go for components. However, recently there was a situation where a franchise distributor shipped suspect counterfeit parts to two separate customers. It turns out the franchise distrubutor shipped parts that another customer had RMA'd – those parts were suspect counterfeit.

     

    At the end of the day there is no way to eliminate human error. With that said, buyers and managers can make sure that they stay current with their audit schedules, utilize authorized suppliers and when parts are not available through authorized suppliers engage a broker who has been AS6081 certified or approved by the DLA.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.