
Three Ways to Hack a Printed Circuit Board - anarbadalov
https://spectrum.ieee.org/computing/hardware/three-ways-to-hack-a-printed-circuit-board
======
dg246
Bunnie Huang gave an excellent talk on this subject at BlueHat IL 2019 that
goes very deep, including showing technical details of how attacks like this
can be pulled off. Well worth the 45 minutes -
[https://www.bunniestudios.com/blog/?p=5519](https://www.bunniestudios.com/blog/?p=5519)

------
mindslight
That started off accurate, but then it got painful. Of course files can be
modified. This has nothing to do with being "ASCII" plain text. By the way the
article meanders, it seems the author is a pure EE who thinks there could be
some software pixie dust that could assure integrity without doing the full
work of either trusting the fab house or checking their output. Sorry, there
isn't.

Based on the title, I had thought this was going to be about ways to create a
trojan by modifying only the unpopulated PCB. Once you're playing with
components, you can just stick a second chip on the SPI bus that eg corrupts a
few firmware instructions to avoid setting critical processor feature flags.
The footprint likely already exists for supplier diversity. Although by now
attackers have probably made integrated chips that contain the flash and the
implant in a single package.

------
jimmyswimmy
The authors propose to mess with circuit board runs by adding components and
modifying connections. There is no security on the design files, so they are
trivially modified, though it is annoying to do so if you don't have the
original design files. The outputs - Gerbers or ODB++ databases - can be
imported into a design tool and modified.

They also propose to detect such changes by looking for missing refdes. That's
farcical. Duplicate refdes are much harder to identify, or a new one could be
added. But the true way to hide a "hack" in a PCB is to replace an IC with a
counterfeit part.

A combination of a modern APT - even some of the things published around the
same time as Stuxnet - could be used to activate a hidden feature in a
counterfeit IC, and would be undetectable by almost any method short of
high-resolution X-ray comparison to a golden board.

Fun stuff to think about though.
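As an added example (not code from the article or from anyone in this thread), here is the kind of refdes consistency check the comment above is dismissing, run over a constructed BOM and a constructed pick-and-place file: it flags refdes missing from the board, refdes on the board that are not in the BOM, and refdes placed more than once. A counterfeit IC that keeps the same refdes, value and footprint passes it unchanged, which is the comment's point.

```python
# Added example: refdes consistency check between a BOM and a pick-and-place
# (centroid) export. The CSV contents below are constructed sample data.
import csv
import io
from collections import Counter

# Constructed sample BOM: refdes, value, footprint
BOM_CSV = """refdes,value,footprint
U1,STM32F103,LQFP-48
U2,W25Q64,SOIC-8
C1,100nF,0402
C2,100nF,0402
R1,10k,0402
"""

# Constructed sample pick-and-place file as it might come back from the fab.
# U2 is placed twice, C2 is missing and an extra C3 has appeared.
PLACEMENT_CSV = """refdes,x,y,rot,footprint
U1,10.0,12.5,0,LQFP-48
U2,22.0,12.5,90,SOIC-8
U2,22.0,20.5,90,SOIC-8
C1,9.0,15.0,0,0402
C3,23.0,14.0,0,0402
R1,12.0,18.0,0,0402
"""


def parse_refdes(csv_text):
    """Return the refdes column in file order, duplicates preserved."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [row["refdes"].strip() for row in rows]


def compare_refdes(bom_refdes, placement_refdes):
    """Compare BOM refdes against placed refdes and return the findings."""
    bom_set = set(bom_refdes)
    placed = Counter(placement_refdes)
    placed_set = set(placed)
    return {
        "missing": sorted(bom_set - placed_set),      # in BOM, not on board
        "unexpected": sorted(placed_set - bom_set),   # on board, not in BOM
        "duplicates": sorted(r for r, n in placed.items() if n > 1),
    }


if __name__ == "__main__":
    findings = compare_refdes(parse_refdes(BOM_CSV), parse_refdes(PLACEMENT_CSV))
    for kind, refs in findings.items():
        print(f"{kind}: {', '.join(refs) or 'none'}")
```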

~~~
rkagerer
APT?

~~~
tlack
APT is an Advanced Persistent Threat, or more casually known as a good hacking
group. :)

------
lmilcin
One way this could be remediated a little bit would be if vendors for these
devices were not so bent on not giving away any details and to prevent
repairability.

If there were schematics available and devices were made to be disassembled
and looked at there would be more people "auditing" devices in the field to
give an alert when something is out of norm.

---

A bit unrelated:

Hardware attacks: I have seen one over a decade ago when working on
software for credit card terminals. We started getting shipments of terminals
with nefarious hardware injected. These terminals had a built-in fuse that could
be checked to see if the device was tampered with (opened). These small boards had
to be added in the assembly somewhere in China and it was a problem to detect
them because opening the device meant it became useless, as ones with the tamper
flag set are not allowed in production. The attackers learned to scrape some
plastic from the device to make the weight match exactly.

This was a rather primitive attack (there was a separate board of questionable
quality glued inside the enclosure and visibly wired to the main board) but it was
rather problematic for us. I shudder to think if attackers had a better hang of
technology.

------
mNovak
Seems insufficient that the conclusion is just to check the received board
against the schematic and BOM.

~~~
lmilcin
It is not, but having access to schematics, BOM and a description of how it
works would mean more people looking at it and probing it. This would be
helpful in preventing large scale attacks from going on for a long time but would not
prevent directed attacks (like infecting a single shipment to a single
customer).

Also, I always thought bypass capacitors an excellent way to inject malicious
hardware. Everybody is practically trained to ignore them and does not expect
them to do anything. Yet they have access to almost all signal lines and
technically the possibility to inject or disrupt a signal.

~~~
imtringued
> Also, I always thought bypass capacitors an excellent way to inject malicious
> hardware. Everybody is practically trained to ignore them and does not expect
> them to do anything. Yet they have access to almost all signal lines and
> technically the possibility to inject or disrupt a signal.

Call me jaded but the fact that Bloomberg essentially made a fake report about
this type of attack made me completely disinterested in this type of attack.
It's just some sensationalist crap that is meant to destroy the reputation of
a company. It was never about the practicality of the attack. Just replace an
entire IC and be done with it.

It's easy to imagine an Amazon seller replacing a microcontroller with one that
contains ransomware. If you try to do the same thing with a bypass capacitor
then you massively increase the amount of effort needed to execute the attack.
The microcontroller attack could be as simple as emulating a keyboard and
opening a virus site in Internet Explorer.

I don't know how many people actually pay the ransom but let's say 5% of the
buyers end up paying a $500 ransom. That would be $25 extra profit per
mainboard. If your mainboard is $10 cheaper than the competition customers
will flock to your products and you can easily scale out your operation.

~~~
lmilcin
Well... this doesn't have to be as overt as you described.

For example, a bypass cap could monitor the line and detect when a security
feature to prevent tampering with the device turns on and just disrupt that
feature. Or maybe it could prevent the phone from turning off when it should
to keep that pesky covert monitoring software running even after you think you
have switched your phone off. Or maybe it will cause the camera light to be turned
off when a particular radio signal is detected so that you don't know you are
watched. Dunno.

Just because the Bloomberg report turned out to be fake doesn't necessarily mean
the attack vector is fake or pointless.

There are millions of engineers/hackers smarter than me and I can imagine
somebody will put together a working and useful attack, eventually.

------
canada_dry
Guess the Psychlos should have read this when designing their teleportation
technology.

