Starbleed: Low-level security gap in hardware of many IT and OT systems

25. May, 2020

Field Programmable Gate Arrays (FPGAs) are programmable additional circuits. They are often key components of security-relevant system functions and are used, for example, in servers in data centers, in routers or in firewalls. They are also frequently found in workstation computers and more complex industrial and IoT systems, where they monitor and control essential logical functions.

A big advantage of FPGA chips is the flexible programming of the required logical connections and functions. In contrast to fixed logic circuits, the same device can be configured differently and can also be expanded or adapted afterwards. The configuration is mapped via the so-called “bitstream” and secured by encryption to prevent unauthorized access and manipulation.

Fundamental weakness in chip design

Until now, FPGA chips were considered very secure, which is why they were often used for deep system functions. However, a joint research project by the Horst Götz Institute at the Ruhr University of Bochum and the Max Planck Institute demonstrates a fundamental security gap.[1] The special feature of this weakness, known as ” Starbleed”, is that the problem lies in the design of the chips and can only be solved by replacing them.

The error in the programming and update process allows functions to be read out and modified program sequences to be inserted. Theoretically, the vulnerability can also be exploited remotely. The tools required for an attack are usually available directly in the affected systems.

Manufacturer provides recommendations for protection

In a statement, Xilinx as the manufacturer of the affected chips confirms the basic findings of the researchers, but also points out how important system-related safeguards of the access and programming interfaces are. In accordance with the recommendations, the components should only have protected remote access options.

Subsequent protection of affected systems should be at least partially possible. For critical systems that cannot receive an update or patch, the only option is to replace or physically upgrade the affected subcomponents, e.g. the mainboard. Newer versions of the FPGA chips should not be vulnerable. [2]

It is therefore particularly important in the first step to identify the systems affected by the vulnerability in order to make appropriate decisions and initiate necessary measures. Please refer to the publications of your suppliers!



Schritt für Schritt zum Notfallplan für IT-Security-Incidents
Account Management
Indicators of Attack
Gefahren durch vertrauenswürdige Services
Threat Intelligence
SQL Injection
SMTP Smuggling
Cyber-Risiken in der Ferienzeit
Dynamische Cybersicherheit
Harmony Mobile by Check Point
EU Machinery Regulation
Sergejs Harlamovs, Malware-Analyst bei IKARUS

Plugin IdaClu accelerates malware analysis

IdaClu: IKARUS malware analyst Sergejs Harlamovs wins Hex-Rays plugin contest


IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 1 58995-0
Sales Hotline:
+43 1 58995-500


Support hotline:
+43 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm
24/7 support by arrangement

Remote maintenance software:
AnyDesk Download