
Inside a low-budget consumer hardware espionage implant - patadune
https://ha.cking.ch/s8_data_line_locator/
======
Hasz
I wonder why they even bothered with such a high end processor like the
MT6261. Get a bare die micro like the MSP430, and a bare die GSM chipset, and
you're set. You'd have to dissolve your SIM card in acid and wire bond it to
the PCB, but wire bonding machinery is pretty cheap.

Realistically, this is stupid easy for a state-level actor. A good hardware
hacker worth their salt could probably set up a bug no bigger than 10mmx10mm
in a couple of months for a few hundred, less if they already have a wire
bonding machine and microscope.

For a state level actor, you can roll your own ASIC and just dump RF and
microcontroller on one die. Package it up inside a USB flash drive controller
IC, mark it with someone else's logo, and you've got a bug that you would only
find by dissolving the chip in acid and looking at the die very carefully.
It'll cost you a few million, but it's just not that much money when your R&D
budget is 150M/y.

The weak part of all these systems is the constant GSM heartbeat, but even
that is beatable.

~~~
jjoonathan
> in a couple of months for a few hundred, less if they already have a wire
> bonding machine and microscope.

How do I get my hands on a wirebond machine for a few hundred? The bottom end
of "old and crusty but not actually broken" seems to start at a couple
thousand on eBay. If my budget were a few hundred I'd probably spend a month
just machining and grinding replacement microscope parts.

I suppose you could be referring to the marginal cost of an hour on a wirebond
machine at the nearest NNIN facility, but last time I priced out training
options the overhead to get started would have been $500-$1k.

~~~
Hasz
Yeah, it's kinda tricky -- costs could be much higher. Wire bonders aren't
exactly hot ticket items; very few people are using manual machines. A cheap
Chinese made one from Taobao/Alibaba costs around $250, but add in shipping,
and you're close to $500 already. Something made in the USA from eBay will be
of similar price, just two decades older.

If you're lucky enough to already be in China, I can't imagine it would be too
difficult to get a small run made for a much lower cost, although I've never
done so. Lots of factories making high volume, low end products use wire
bonders to attach bare die to a PCB -- think calculators, gift cards, etc.

The simple fact is there's no comparable level of electronics manufacturing in
the US, making it hard to get the parts and machinery necessary.

------
lnanek2
Wow: " This is probably not an elaborate scheme to harvest phone numbers and
send them to China, but rather the way the default manufactured SIM code was
implemented and it was never trimmed down to the needs of this device.
Nevertheless, I found it interesting seeing how the device is accessing
virtually everything on the SIM. " I agree, but it's rare to see someone not
go fake ballistic claiming phone book capture for page views...

~~~
strictfp
Ah, come on. It's not like consumers are going to insert their sims into this
device anyway.

~~~
porfirium
And it's not like in 2017 anybody stores their contacts in their SIM

------
zbentley
What's especially creepy is that many devices (e.g. laptops) with USB ports
continue sending power to those ports _even when the device is off_.

So someone bugged with something like this implant could fully power off their
laptop when discussing sensitive information, and if they left a bugged USB
drive plugged in, they could still be compromised.

~~~
QAPereo
Bug or feature?

~~~
avian
Feature. It allows, among other things, for a computer to be woken up via the
(USB-connected) keyboard.

~~~
ThePadawan
Also a branding/design feature.

I've encountered extended color coding on multiple gaming oriented
motherboards: Black for USB 2, Blue for USB 3.1 (so far so standard), Red for
persistently powered.

That way you can have your phone connected to that port and have it charge
overnight, etc.

------
matt_wulfeck
This kind of thing would immediately stick out like a sore thumb to a lot of
technical users. In the world of USB cables it's HUGE, even though technically
I know it's very small for its purpose. Very cool nevertheless!

~~~
beached_whale
How often do people look behind their desks at the USB cables plugged into
their systems? Many do not.

~~~
sillysaurus3
As someone who was involved with redteaming: ~nobody does. It's very rare to
get caught after bugging someone's equipment. Bugs like these blend in
seamlessly with the massive amounts of cables behind most desks.

~~~
beached_whale
Found the picture of the ethernet bug.
[https://twitter.com/nblr/status/928526534226391040](https://twitter.com/nblr/status/928526534226391040)

That I would never notice behind a desk

Also, in the usb cable with cell
[https://twitter.com/nblr/status/929132160602296320](https://twitter.com/nblr/status/929132160602296320)

------
amenod
Off topic, but still: is that a price of almost 2 EUR per minute of call? (to
that stranger's phone - 3333333) I thought calls inside EU are price-limited?
Or is this some really old post?

~~~
MyDamnUser
I found that odd too. I live in Denmark and I pay a fixed amount and can call
as much as I want.

~~~
tzs
How are remotely monitored sensors and devices, like weather stations and
power meters, that need to send a small amount of data periodically, and that
use the cellular network for that handled in Europe?

Those fixed price for unlimited calling plans that are great for human to
human communication would suck for low data sensors and devices.

In the US these are handled by special plans that have zero or close to zero
fixed monthly cost, but have a high per byte or per minute rate so that they
are quite cheap for their intended use (e.g., power meter daily usage report)
but are too expensive to use for high data applications.

If there are similar things in Europe, maybe that number was one of those?

~~~
mastax
[https://particle.io](https://particle.io) and
[https://hologram.io](https://hologram.io) have almost worldwide availability
for SIM's designed for this. There are probably older less-hip suppliers as
well.

~~~
kogepathic
_> have almost worldwide availability for SIM's designed for this._

They are great if you have sensors travelling to different countries or your
volume isn't large enough to negotiate with a local telco.

If you are deploying many devices in one country it will be far cheaper to
talk to a local telco about getting a customized data package for your SIM
cards.

[https://eseye.com](https://eseye.com) is another company supplying these
roaming SIM cards.

------
eyeareque
I’ve seen these before on eBay and really wondered what they were all about.
Thanks to the person who took the time to write this up! It’s crazy how cheap
and small these devices are.

------
new299
I wonder what voltage is required to kill the Mediatek chip? Maybe a simple
jig that put -24v through it could fry it?

Of course, if you're expecting it, this device should be relatively simple to
stop. I can imagine more stealthy variants however.

~~~
vpribish
or you could unplug it, take it home and keep it as a pet

~~~
squarefoot
Or even better, take out the SIM and find to whom the number is registered.
In many countries numbers require registration, i.e. you can't get one without
showing personal papers. Of course intel agencies aren't required to do that,
so that if you can't get a real name for that SIM then you're 100% sure you're
being watched by people a bit more powerful and dangerous than your suspicious
wife (unless your wife works for them :^). Using cellphones or anything
related to them, especially if you don't plan to recover the device, is not
good for spying because you're leaving behind tracks almost as important as
DNA. Nice article though. If some of you want to experiment with these
devices, you can get a SIM800 or A6 GSM modules then pair it with a small uC
for a lot less than €10.

[https://github.com/carrascoacd/ArduinoSIM800L](https://github.com/carrascoacd/ArduinoSIM800L)

[http://simcom.ee/documents/SIM800/SIM800_Hardware%20Design_V...](http://simcom.ee/documents/SIM800/SIM800_Hardware%20Design_V1.08.pdf)

[http://www.electrodragon.com/w/GSM_GPRS_A6_Module](http://www.electrodragon.com/w/GSM_GPRS_A6_Module)

[https://www.makerfabs.com/desfile/files/A6_A7_A6C_datasheet-...](https://www.makerfabs.com/desfile/files/A6_A7_A6C_datasheet-EN.pdf)

~~~
jhiska
> If you can't get a real name for that SIM then you're 100% sure you're being
> watched by people a bit more powerful and dangerous than your suspicious wife

If you conveniently "forget" or show heavy reluctance to give your info and
papers when buying a new phone, you can get an unregistered SIM. Just promise
them you'll give the info "later". The salespeople don't like the hassle and
just want to secure the sale.

You can also easily give fake info and "forget" your ID card, since it's not
verified, but that's dangerous if you get caught.

Simple social engineering.

------
blunte
This is obviously not good, but I'm not sure it is particularly useful for
something "important".

Any target of high value will be pursued and observed by trained humans with
advanced tools. The amount of data collected, I suspect, would be less but
more accurate.

A device like this just lowers the bar (really low) on tracking. However, it
increases the noise/inaccuracy. If combined with some key logger and other
devices, it could provide a very detailed picture of someone's communications
and movements. But it would include a lot of noise as well, which would still
require a lot of sifting and organizing to make sense of the data (and
especially to filter out the noise).

If anything, I think these devices are more a money grab on the "spies" than a
significant intrusion on the targets.

~~~
Oxitendwe
I think it would be pretty easy actually, to keep up with the data - you could
just get a Bluetooth headset and set your phone to automatically accept calls
from your spying device, then listen in while you go about your day.

~~~
carbocation
Or hook it up to a Twilio and receive text notifications when a new recording
is available. Optionally auto-transcribe and do topic modeling to extract only
discussions of interest.

~~~
samstave
+1 for the thought -100 for the thought...

But at the end of the day, we don't want to encourage the deep surveillance
state... but we techies always look at this sort of thing and then say "hmmm...
wouldn't it be interesting if..."

~~~
Oxitendwe
I don't think products like this encourage the "deep surveillance state" - if
anything, they weaken it by loosening their monopoly on high-tech covert
surveillance. These things can be used for good as well as evil - you could
spy on a corrupt official or catch someone cheating just as easily as anything
else.

~~~
ethbro
Agreed. Anything that renders the previously invisible (state surveillance
techniques) visible via consumer availability is anathema to state
surveillance.

The majority of these techniques are allowed in the US because Congress
doesn't know / care.

The more popular exploits of insecure technologies we get, the more security
becomes an economically beneficial differentiator. And the more concerned
calls your local Congressperson receives.

------
ju-st
The capacitor and power requirement are very small for a GSM device. My SIM800
experiments always needed a way beefier power supply.

------
VectorLock
Looks like the site got killed.

------
madengr
The antenna could be better.

------
slim
Judging by the screenshots, the author uses Silence SMS app and you should too

~~~
kardos
It's actually Signal, see bottom of the long image [1]

[1] [https://ha.cking.ch/s8_data_line_locator/images/10_01_cmds.j...](https://ha.cking.ch/s8_data_line_locator/images/10_01_cmds.jpg)

