
Air Gapping a MacBook Air: The Great BCM15700A2 Mystery - jeffo_rulez
https://tech.firstlook.media/macbook-air-broadcom-bcm15700a2-mystery
======
kabdib
I'm imagining a "stealth" wifi controller on one of the custom chips, hung
onto a pin connected to an internal antenna realized on an internal copper
layer of the motherboard. If you used a non-standard frequency and protocol,
who would know?

You could probably get an okay transmit-only signal with fairly unremarkable
on-chip hardware (say, a simple PCM) and something that didn't look _too_ much
like an antenna even if you X-ray'd the board. I'm guessing that a similarly
stealthy receiver would be noticeable due to required external discrete
components (e.g., amplifiers, filter networks).

Plonking down a whole chip for "secret wifi" is likely overkill.

~~~
shawn
The NSA developed their own networking protocol, separate from TCP or UDP,
which operates just above the physical layer.

The idea is that you rewrite the network card firmware so that there’s an NSA
MITM running on it. The host computer never knows, because as far as the
computer is concerned the network card is sending exactly the data you would
expect. And even if you hook up network monitoring tools externally, you
wouldn’t be able to notice anything wrong apart from a slightly reduced total
bandwidth.

The value of such a tool is that it can be installed remotely, with no
physical presence.

They also have all kinds of gadgets to defeat airgaps. IIRC one of them was a
replacement keyboard that looks identical to the normal one, but provides the
stealth wifi you mention.

One way to get an idea of what the NSA is up to is to look at their job
listings. They can fake everything else, but not those.

~~~
Cyph0n
> which operates just above the physical layer.

So at the link layer? If so, what you described does not sound like an
effective technique to exfiltrate data over the internet, _unless_ the NSA
also controls the LAN/internal network the target device is on.

Why? Because any non-standard protocol data will be thrown out by the first
switch or router on the path out of the target LAN. In other words, the
exfiltrated data will _not_ be forwarded on to the next router or switch,
simply because the next router/switch will not have support for the NSA's
custom protocol in its network stack.

~~~
shawn
One thing the NSA is very good at is getting access to virtually every type of
networking card. If they achieve access to a target, it's likely they control
a path to it.

If the target is a wifi device, the custom protocol becomes doubly effective:
Exfiltration is a matter of having a receiver anywhere in the vicinity. And
that receiver can amplify the signal to blast it a few miles. There are tools
to sweep the EM spectrum looking for anomalies like this, but they seem to be
rare, for the moment.

~~~
viraptor
> If they achieve access to a target, it's likely they control a path to it.

Without specific, documented cases this is speculation of course. But I don't
see why they'd use a link level protocol. 1. It requires patching multiple
networking devices in the path, which is not very quiet. 2. It sticks out in
any monitoring (via mirror ports) more than a UDP packet to a random host. DNS
or ntp as a transport would be much simpler to hide.

~~~
amoshi
And what exactly would be the problem for the NSA with patching networking
devices? They even mention how it's useful specifically for these hard targets

>"some of the most productive operations in TAO because they pre-position
access points into hard target networks around the world."

[https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/](https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/)

------
userbinator
_We’re not sure exactly what the technicians did to remove the chip – heat
gun, maybe? – but it came off cleanly and you wouldn’t notice it was missing
unless you were specifically looking for it on the board._

Almost certainly, or more precisely, a "hot air rework station". For someone
with experience, it only takes a few minutes to remove and replace BGAs with
one.

~~~
monochromatic
And on top of that, it’s just about the only way it can be done non-
destructively.

~~~
dfox
Another (and for large-ish BGAs actually better) way is IR rework station.

------
8bitsrule
This story made me realize: I haven't seen the phrase "tin-foil hat" used much
in the past couple of years. Huh.

Which reminded me of a quote:

"For a while you wondered whether the fools were pretending to be fools as
some kind of deception, or whether there was a real efficient service
somewhere else. Later in my fiction, I invented one. But alas the reality was
the mediocrity." — Le Carre

~~~
cozzyd
The NSA can see through tin now. You must upgrade to superconducting hats.

~~~
thepangolino
Shhhh. Don't tell them.
[http://web.archive.org/web/20100708230258/http://people.csai...](http://web.archive.org/web/20100708230258/http://people.csail.mit.edu/rahimi/helmet/)

~~~
lucb1e
> certain frequencies are in fact greatly amplified [by the helmets]

Oh, interesting!

> These amplified frequencies coincide with radio bands reserved for
> government use

I mean, if you take all of the common RF spectrum and look at what is reserved
for civilian use, the vast majority is not freely usable. I'm not surprised
it's within licensed spectrum.

> the use of helmets may in fact enhance the government's invasive abilities

Right.

> We speculate that the government may in fact have started the helmet craze
> for this reason.

Riiiiight.

This went from fun project to three levels of conspiracy theory real fast.

And looking at the contents (instead of the summary/abstract) more critically,
they investigated >=10kHz waves. The brain waves that I know of are in the
range of 1-150Hz:
[https://en.wikipedia.org/wiki/Neural_oscillation](https://en.wikipedia.org/wiki/Neural_oscillation)

... actually, this page is a joke, right? The more I read on the page, no way
that this is serious.

~~~
rhaps0dy
>... actually, this page is a joke, right? The more I read on the page, no way
that this is serious.

Yes, I think it's very much a joke.

------
Someone1234
In Apple's computers the web cam light cannot be disabled, because the web cam
is controlled by a co-processor as demoed here. In the newer Pros with
Touchbar Apple uses their own chip for this same function.

On a lot of PC webcams, you can run the camera without the light or vice
versa[0].

[0] [https://blog.erratasec.com/2013/12/how-to-disable-webcam-light-on-windows.html](https://blog.erratasec.com/2013/12/how-to-disable-webcam-light-on-windows.html)

~~~
Rebelgecko
Previous hacks of the iSight cam involved rewriting the firmware of that
separate microcontroller. IIRC there was also a delay at one point, so that it
was possible to take a picture really fast before the LED turned on.

~~~
Udo_Schmitz
That only concerned pre-2009 models or earlier, and needed physical access as
well, AFAICR.

~~~
jsjohnst
Correct, since 2009 roughly, the sensor power was tied into the LED, so if the
sensor had enough power to register an image, the LED would have to be on.
Apple modified the circuitry specifically because of the old exploit.

------
mjlee
> This sounded reasonable, so I ventured to the streets of New York City to
> seek the help of some professionals!

If the author of the article is here - I'd suggest turning to Louis Rossmann
of YouTube fame:

[https://www.rossmanngroup.com/](https://www.rossmanngroup.com/)

[https://www.youtube.com/user/rossmanngroup](https://www.youtube.com/user/rossmanngroup)

He has the equipment and skill to repair a logic board, and may have some
valuable insights about failure modes of common chips on MacBooks.

~~~
Operyl
Man, oh man, can he ever be cynical though. At some point, I have to believe
it's because he's playing for the camera. Or, at least, I hope so. I've seen
him get extremely stressed out over the silliest things.

~~~
hhh
I've never had a negative interaction with Louis personally, nor has anyone
I've known. A friend birthed a repair store from his videos, and Louis'
personality is very bright. His comments on the style of videos that Linus
Tech Tips puts out compared to his own were hilarious.

I really enjoy Louis' videos. His decision to switch from edited video to
mostly raw streams is also quite nice. Seeing his channel grow, and every
trait that he has grow with it, has been an interesting process. Maybe this
is because I am quite cynical as well, but I have no idea. In 2 years he has
grown from 40k subs to 442k, so he's doing something right.

I think everyone can get stressed over silly things.

------
amagumori
Uhhh... how does this prove that the chip doesn't have radio functionality?
They didn't figure out any information about the chip's actual functionality
beyond its PCI device name, which would ostensibly not be "SUPER SECRET DATA
EXFILTRATION RADIO FOR NSA". They just took it off, unplugged the wifi card,
and then said "well, it doesn't connect to wifi networks now. Must be fine".

~~~
monochromatic
There's no way to conclusively prove what you suggest. This article isn't
about proving that though, it's about "hey, I wonder what this chip is for."

~~~
teh_klev
> This article isn’t about proving that though

Um, the article kinda is:

 _... so we deemed this information reliable and immediately raised some
critical questions: Is there a wireless chipset soldered onto the MacBook
Air’s logic board that we didn’t know about? If so, is it not actually
possible to properly air gap a MacBook Air?_

And their methodology is a bit flawed. This made me shudder:

 _We took out the Air’s logic board to see if we could pry the chip off with a
screwdriver. We quickly decided this was a bad idea. We also considered
“disabling” the chip by drilling a few holes through it with a Dremel tool or
by melting it a bit with a soldering iron._

Jeezo.

~~~
PhasmaFelis
You're judging their methodology by what they chose _not_ to do?

~~~
RX14
If they considered it for long enough to put it in the article then it's clear
they are amateurs in electronics.

~~~
StavrosK
I'm an amateur in electronics, and I would consider using a heat gun to
desolder the BGA-looking chip (which basically means I know what a heat gun
does and I know what BGA looks like). The article author's skill level is "I
saw some electronics once".

------
walrus01
If you really need an air gapped computer, wouldn't it make a whole lot more
sense to build a desktop with some variety of ATX form factor motherboard that
you can examine in detail to confirm that it has zero wireless functionality?

A Macbook Air, which is pretty much designed as a wifi-dependent network
terminal, would be way down my list of hardware I would choose if I had to
build an airgap lab environment.

~~~
tonyedgecombe
Presumably because they wanted something portable?

~~~
bo1024
I would start with a Librem laptop, as this is exactly the point of them.
Hopefully all you'd have to do is verify the kill switch works as advertised.
Disclaimer: typing on one now.

------
y04nn
If you do some searching you can find logic board PCB layouts and electronic
schematics on the internet.

Here is a link: [https://www.apple-schematic.se/](https://www.apple-schematic.se/)

Edit: And to look at the PCB files I recommend
[https://openboardview.org/](https://openboardview.org/)

------
carlospwk
Can I just say how beautiful and usable this minimal styling and design on the
website is?

------
madengr
I suppose looking for the antenna is rocket science.

