Hacker News
Inside a low-budget consumer hardware espionage implant (cking.ch)
591 points by patadune 10 months ago | 92 comments

I wonder why they even bothered with such a high end processor like the MT6261. Get a bare die micro like the MSP430, and a bare die GSM chipset, and you're set. You'd have to dissolve your SIM card in acid and wire bond it to the PCB, but wire bonding machinery is pretty cheap.

Realistically, this is stupid easy for a state-level actor. A good hardware hacker worth their salt could probably set up a bug no bigger than 10mmx10mm in a couple of months for a few hundred, less if they already have a wire bonding machine and microscope.

For a state level actor, you can roll your own ASIC and just dump RF and microcontroller on one die. Package it up inside a USB flash drive controller IC, mark it with someone else's logo, and you've got a bug that you would only find by dissolving the chip in acid and looking at the die very carefully. It'll cost you a few million, but it's just not that much money when your R&D budget is 150M/y.

The weak part of all these systems is the constant GSM heartbeat, but even that is beatable.

They would never design their own. That's why it says COTS (commercial off the shelf) all over the Snowden catalogs.

The deniability from a consumer hardware part is very important for something you expect an adversary to find and dismantle.

> in a couple of months for a few hundred, less if they already have a wire bonding machine and microscope.

How do I get my hands on a wirebond machine for a few hundred? The bottom end of "old and crusty but not actually broken" seems to start at a couple thousand on eBay. If my budget were a few hundred I'd probably spend a month just machining and grinding replacement microscope parts.

I suppose you could be referring to the marginal cost of an hour on a wirebond machine at the nearest NNIN facility, but last time I priced out training options the overhead to get started would have been $500-$1k.

Yeah, it's kinda tricky -- costs could be much higher. Wire bonders aren't exactly hot ticket items; very few people are using manual machines. A cheap Chinese made one from Taobao/Alibaba costs around $250, but add in shipping, and you're close to $500 already. Something made in the USA from eBay will be of similar price, just two decades older.

If you're lucky enough to already be in China, I can't imagine it would be too difficult to get a small run made for a much lower cost, although I've never done so. Lots of factories making high volume, low end products use wire bonders to attach bare die to a PCB -- think calculators, gift cards, etc.

The simple fact is there's no comparable level of electronics manufacturing in the US, making it hard to get the parts and machinery necessary.

I feel part of the reason is that processors such as MT6261 are getting cheaper and cheaper. The marginal benefit of producing a simpler and smaller design is likely going to go away quickly.

It is the end-game for hardware. Software has already been gobbled up by language designs which are less and less hardware-near for the very same reason.

I was thinking purely from a power consumption / die size / support stand point.

Not sure what the MT6261 quiescent current is, but I'd expect it to be in the 100s of uA. An MSP430 can get down to 0.1uA, which is much more difficult to detect.

If I had to guess, the MSP430 die is probably about 1/4 the size of the MT6261 die.

Most importantly, I can't find a MT6261 datasheet anywhere except for taobao. This just makes development harder.

> The weak part of all these systems is the constant GSM heartbeat, but even that is beatable.

Curious: how do you beat that? Do you listen to other signals and try to transmit at the same time (if you must)?

You can broadcast on a timer, you can switch to a low frequency, low bandwidth transmitter, you can store locally and pick up the device later, etc. It all depends on the environment.

Or burst mode. That's been the speculated reasoning I've heard behind the USA's onerous POI restrictions on exported RTSAs.

That's probably the better option.

I found an article about the export restrictions here.


seems like it has to do with the fact it's guaranteed to intercept a signal all the way down to 1.2 uS

Wow: "This is probably not an elaborate scheme to harvest phone numbers and send them to China, but rather the way the default manufactured SIM code was implemented and it was never trimmed down to the needs of this device. Nevertheless, I found it interesting seeing how the device is accessing virtually everything on the SIM." I agree, but it's rare to see someone not go fake ballistic claiming phone book capture for page views...

Ah, come on. It's not like consumers are going to insert their sims into this device anyway.

And it's not like in 2017 anybody stores their contacts in their SIM

What's especially creepy is that many devices (e.g. laptops) with USB ports continue sending power to those ports even when the device is off.

So someone bugged with something like this implant could fully power off their laptop when discussing sensitive information, and if they left a bugged USB drive plugged in, they could still be compromised.

You can check the BIOS to see if there is an option to disable it.

The average user should not need to muck around with the BIOS.

The average user wants their phone to keep charging, even if they turn their computer off.

The non-average user should have no problem mucking around in BIOS settings.

The simple solution to this is using a physical switch instead of hiding that functionality in a BIOS setting. A clever designer could even design it into/near the port itself so each port can be switched independently.

And those switches can go next to the ones for power to the camera, microphone, wifi, bluetooth, speakers, and anything else that I might want to be electrically disable-able, right?

Physical switches for the USB ports sound like they'd be as confusing for most people as the physical wifi switch was, when that was common. I think that means that if some manufacturer decides to introduce them, they won't be around long.

I can just imagine the call to technical support for a laptop like that. "Have you tried turning it off and on again?" times a dozen switches

The average user has an almost zero risk of having to worry about being bugged via their USB. Is your Aunt Irma a target for espionage?

I guess the answer to that question depends on if you or someone else that Irma is associated with is the target of espionage

Nothing to hide, what’s the problem?

It's not nothing to hide, it's realistic threat model. But if these things become more popular and in more and more devices they'll just hoover up all the data they can get like already happens with web software. The average user probably should not have to learn what an extension is and figure out which adblocker to install, but this is the inelegant world we live in, and anyway I'm still on the fence for whether I really want to expect more from the average user or not.

This argument is similar to saying you don't care about someone else's freedom of speech because you have nothing to say.

Facebook will mass deploy these to serve targeted advertising based on conversations it hears.

This is sarcasm, right? (dozen apps already listening to the mic in our pockets).


We've asked you already to post substantively or not at all, and we ban accounts that won't. Would you please take a look at the guidelines and try to change this?


That is a different issue. The article was about an external USB device.

Also I don't understand the concern with people not trusting Intel. By using their hardware in any form you are inherently trusting them. Unless you are able to check their design and fabrication process, they could easily hide something in there to disable protections in Windows or Linux based on certain patterns of network traffic.

Say that we trust Intel completely. Does that somehow make AMT not a security concern? For the ME itself, especially if it's not connected to any networking hardware: Whatever. It seems more like a theoretical threat than a practical problem. AMT sounds like something that I don't want running on my machine, even if I trust Intel itself completely.

Perhaps others are not so trusting and do not want to legitimize surveillance and would like to hold these companies to account.

Privacy is not just some option, it is law. Surveillance and hidden surveillance of users is illegal in most countries and any technology with the capability to do so has to be disclosed with end user control.

Sure but most don't seem to value their privacy enough that they continue using Intel products. As such nothing will change.

Please stop blaming the victim for being ignorant and/or falling prey to marketing.

> most don't seem to value their privacy

Most people do value their privacy, but are either ignorant of how strongly technology can damage their privacy[1] or feel there isn't any other option or alternative.

> nothing will change

It will change when the people that do understand technology work to preserve privacy over profit and convenience, educate the general public about privacy issues, and inform them of privacy respecting alternatives.

[1] Businesses tend to encourage ignorant and/or misleading beliefs when they promise impressive features backed up with useless promises to "take security seriously".

I don’t think “don’t blame the victim” applies to voluntary transactions. Consumers have shown we will not sacrifice much for privacy or security. That’s a trade-off made in the market by millions of people, independently, every day.

I think a CPU that has no mini PC inside it is much easier to verify, you can try a lot of inputs and see if the output gets weird, I think this technique was used to discover some hidden switches in Intel that the government uses to work around the ME on their own systems.

Okay, let's say that the ethernet MAC has some gates that detect a particular 1024-bit random bit pattern in packets and that triggers a behavior change in certain sequence of instructions common in Windows security code to bypass it. How would you discover this?

What do you mean the ethernet card triggers changes in Windows instructions? Do you mean it can scan the RAM and do some changes? I am not familiar with how recent hardware works but I would be worried if hardware could scan RAM and edit executable code bypassing the kernel and drivers, so more reasons to get open hardware and drivers.

There are good reasons why USBs have been banned in the DOD for over a decade.

What, they still use PS/2?

The other poster meant USB sticks. Manning’s leaks were the reason they changed the rules.

I believe you have to use CDs instead for a lot of cases.

Bug or feature?

Feature. It allows, among other things, for a computer to be woken up via the (USB-connected) keyboard.

Also a branding/design feature.

I've encountered extended color coding on multiple gaming oriented motherboards: Black for USB 2, Blue for USB 3.1 (so far so standard), Red for persistently powered.

That way you can have your phone connected to that port and have it charge overnight, etc.

Or USB connected IR/RF remote (think media center PC's)

I’d call it a feature. I sometimes need to harvest energy from my computer’s power supply to charge my phone without the computer being on (waste of energy)

Configurable option. Charge my iPhone, don’t power a bug.

This kind of thing would immediately stick out like a sore thumb to a lot of technical users. In the world of USB cables it’s HUGE, even though technically I know it’s very small for its purpose. Very cool nevertheless!

How often do people look behind their desks at the usb cables plugged into their systems. Many do not.

As someone who was involved with redteaming: ~nobody does. It's very rare to get caught after bugging someone's equipment. Bugs like these blend in seamlessly with the massive amounts of cables behind most desks.

Found the picture of the ethernet bug. https://twitter.com/nblr/status/928526534226391040

That I would never notice behind a desk

Also, in the usb cable with cell https://twitter.com/nblr/status/929132160602296320

It is scary as heck. I could be behind a desk and almost certainly would overlook this, or the mic I saw online embedded within an Ethernet cable the other day.

What if you just package it as usb hub & memory stick and hand it out for free?

I guess from this point on, given the extra space, it would be relatively trivial to also send the file structure.

Off topic, but still: is that a price of almost 2 EUR per minute of call? (to that stranger's phone - 3333333) I thought calls inside EU are price-limited? Or is this some really old post?

You can usually trade off monthly fees and per-unit costs for SIM cards. You can get one for $50/month that includes unlimited calling or one for $3/month that has high per-minute costs.

I found that odd too. I live in Denmark and I pay a fixed amount and can call as much as I want.

How are remotely monitored sensors and devices, like weather stations and power meters, that need to send a small amount of data periodically, and that use the cellular network for that handled in Europe?

Those fixed price for unlimited calling plans that are great for human to human communication would suck for low data sensors and devices.

In the US these are handled by special plans that have zero or close to zero fixed monthly cost, but have a high per byte or per minute rate so that they are quite cheap for their intended use (e.g., power meter daily usage report) but are too expensive to use for high data applications.

If there are similar things in Europe, maybe that number was one of those?

https://particle.io and https://hologram.io have almost worldwide availability for SIM's designed for this. There are probably older less-hip suppliers as well.

> have almost worldwide availability for SIM's designed for this.

They are great if you have sensors travelling to different countries or your volume isn't large enough to negotiate with a local telco.

If you are deploying many devices in one country it will be far cheaper to talk to a local telco about getting a customized data package for your SIM cards.

https://eseye.com is another company supplying these roaming SIM cards.

I’ve seen these before on eBay and really wondered what they were all about. Thanks to the person who took the time to write this up! It’s crazy how cheap and small these devices are.

I wonder what voltage is required to kill the Mediatek chip? Maybe a simple jig that put -24v through it could fry it?

Of course, if you're expecting it, this device should be relatively simple to stop. I can imagine more stealthy variants however.

If you already know it's there, you probably don't need to go through the trouble of destroying it, unless you just want to fry random USB devices.

The idea is that you would apply a high voltage to just the cable, with nothing else attached. If it's just a cable, no harm no foul. On the other hand, if you start seeing smoke from the embedded electronics, you may want to use a different cable.

Unfortunately, that approach will become less useful in the future, as all USB-C cables that support USB 3 and/or high power contain a chip to advertise that fact[1]. (And then there are Thunderbolt cables, which look the same but require even more sophisticated electronics.)

[1] https://e2e.ti.com/blogs_/b/analogwire/archive/2016/03/07/wh...

If anything this is just more reason to avoid USB-C.

You could also just use one of those cheap USB power/voltage monitors as the author does. Obviously a cable alone should not be drawing power.

Maybe an innovative company could add warnings for USB ports that draw power but have no recognized device. For the advanced ports with charging support and so on they should have power monitoring already.
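The port-power warning proposed in the comments above, sketched as an added example; it is not part of the original thread and not any vendor's implementation. It goes one step beyond the comment by also flagging an enumerated device that draws more than it declared. The port names, readings, thresholds and the existence of a per-port current monitor are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional

NOISE_FLOOR_MA = 1.0     # assumed monitor resolution; anything below counts as no draw
BUDGET_TOLERANCE = 1.10  # allow 10% over the declared budget before flagging


@dataclass
class PortReading:
    port: str                          # hypothetical port label
    samples_ma: List[float]            # current samples from a per-port monitor, in mA
    device: Optional[str]              # enumerated device name, None if nothing enumerated
    declared_ma: Optional[int] = None  # power budget the device declared, in mA


def classify(r: PortReading) -> str:
    # Median instead of max or mean, so a single plug-in transient
    # does not raise a warning on an otherwise idle port.
    draw = median(r.samples_ma) if r.samples_ma else 0.0
    if draw < NOISE_FLOOR_MA:
        return "idle"
    if r.device is None:
        # Sustained draw with no recognized device: the case the comment describes.
        return "unenumerated-draw"
    if r.declared_ma is not None and draw > r.declared_ma * BUDGET_TOLERANCE:
        return "over-budget"
    return "ok"


def port_warnings(readings: List[PortReading]) -> dict:
    """Return {port: status} for every port that deserves a look."""
    flagged = {}
    for r in readings:
        status = classify(r)
        if status in ("unenumerated-draw", "over-budget"):
            flagged[r.port] = status
    return flagged


# Constructed sample readings, not measurements from the article's device.
SAMPLE_READINGS = [
    PortReading("rear-1", [0.0, 0.2, 0.1], None),                  # empty port
    PortReading("rear-2", [38.0, 41.5, 40.2, 120.0], None),        # "just a cable" that draws power
    PortReading("rear-3", [0.0, 0.0, 45.0, 0.0], None),            # one transient spike
    PortReading("front-1", [95.0, 98.0, 96.0], "keyboard", 100),   # within its budget
    PortReading("front-2", [240.0, 250.0, 245.0], "flash drive", 200),
]

if __name__ == "__main__":
    for port, status in port_warnings(SAMPLE_READINGS).items():
        print(f"{port}: {status}")
```

A flag here is a prompt to inspect the cable or device, not a verdict: a load that charges without enumerating produces the same "unenumerated-draw" result.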

or you could unplug it, take it home and keep it as a pet

Or even better, take out the SIM and find to whom the number is registered. In many countries numbers require registration, i.e. you can't get one without showing personal papers. Of course intel agencies aren't required to do that, so that if you can't get a real name for that SIM then you're 100% sure you're being watched by people a bit more powerful and dangerous than your suspicious wife (unless your wife works for them :^). Using cellphones or anything related to them, especially if you don't plan to recover the device, is not good for spying because you're leaving behind tracks almost as important as DNA. Nice article though. If some of you want to experiment with these devices, you can get a SIM800 or A6 GSM modules then pair it with a small uC for a lot less than €10.





>If you can't get a real name for that SIM then you're 100% sure you're being watched by people a bit more powerful and dangerous than your suspicious wife

If you conveniently "forget" or show heavy reluctance to give your info and papers when buying a new phone, you can get an unregistered SIM. Just promise them you'll give the info "later". The salespeople don't like the hassle and just want to secure the sale.

You can also easily give fake info and "forget" your ID card, since it's not verified, but that's dangerous if you get caught.

Simple social engineering.

Good luck with that, it's not hard to convince a random homeless guy to register a SIM card in his name, even for a wife.

Simply removing the SIM would sort you out to stop it doing much, it seems.

This is obviously not good, but I'm not sure it is particularly useful for something "important".

Any target of high value will be pursued and observed by trained humans with advanced tools. The amount of data collected, I suspect, would be less but more accurate.

A device like this just lowers the bar (really low) on tracking. However, it increases the noise/inaccuracy. If combined with some key logger and other devices, it could provide a very detailed picture of someone's communications and movements. But it would include a lot of noise as well, which would still require a lot of sifting and organizing to make sense of the data (and especially to filter out the noise).

If anything, I think these devices are more a money grab on the "spies" than a significant intrusion on the targets.

It's another layer of attack surface. You think attackers use just one bug? They use as many as they feasibly can to add redundancy and improve attack success rate.

I think it would be pretty easy actually, to keep up with the data - you could just get a Bluetooth headset and set your phone to automatically accept calls from your spying device, then listen in while you go about your day.

Or hook it up to a Twilio and receive text notifications when a new recording is available. Optionally auto-transcribe and do topic modeling to extract only discussions of interest.

+1 for the thought -100 for the thought...

But at the end of the day, we don't want to encourage the deep surveillance state... but we techies always look at this sort of thing and then say "hmmm... wouldn't it be interesting if..."

I don't think products like this encourage the "deep surveillance state" - if anything, they weaken it by loosening their monopoly on high-tech covert surveillance. These things can be used for good as well as evil - you could spy on a corrupt official or catch someone cheating just as easily as anything else.

Agreed. Anything that renders the previously invisible (state surveillance techniques) visible via consumer availability is anathema to state surveillance.

The majority of these techniques are allowed in the US because Congress doesn't know / care.

The more popular exploits of insecure technologies we get, the more security becomes an economically beneficial differentiator. And the more concerned calls your local Congressperson receives.

As others pointed out, this is unlikely to be used by "the deep state" - would you ever get a USB data cable from a public officer of any sort?

This is for jealous spouses.

"would you ever get a USB data cable from a public officer of any sort?"

Nope. But if somebody replaced the cable while you weren't looking ...

That sort of op has better tools already.

But the low quality audience for this device is likely incapable of doing such a thing. Now, a company with questionable ethics could facilitate this for clients...

> Now, a company with questionable ethics could facilitate this for clients...

OK, I will bite. I would not call any company doing what is already possible more convenient for users a company with questionable ethics. That, to me, is perfectly OK.

In my book what is questionable (despicable, actually) is making a product that, as a byproduct, generates side-effects undesired by users (such as easy tracking) and does not try to allow the user who cares to turn such features off.

The use case for this is going to primarily be someone who suspects their partner is cheating. This isn't for Jason Bourne.

It's probably great for abusive spouses who track their partner.

The capacitor and power requirement are very small for a GSM device. My SIM800 experiments needed always a way beefier power supply.

Looks like the site got killed.

The antenna could be better.

Judging by the screenshots, the author uses Silence SMS app and you should too

It's actually Signal, see bottom of the long image [1]

[1] https://ha.cking.ch/s8_data_line_locator/images/10_01_cmds.j...
