Realistically, this is stupid easy for a state-level actor. A good hardware hacker worth their salt could probably set up a bug no bigger than 10mmx10mm in a couple of months for a few hundred, less if they already have a wire bonding machine and microscope.
For a state level actor, you can roll your own ASIC and just dump RF and microcontroller on one die. Package it up inside a USB flash drive controller IC, mark it with someone else's logo, and you've got a bug that you would only find by dissolving the chip in acid and looking at the die very carefully. It'll cost you a few million, but it's just not that much money when your R&D budget is 150M/y.
The weak part of all these systems is the constant GSM heartbeat, but even that is beatable.
The deniability from a consumer hardware part is very important for something you expect an adversary to find and dismantle.
How do I get my hands on a wirebond machine for a few hundred? The bottom end of "old and crusty but not actually broken" seems to start at a couple thousand on eBay. If my budget were a few hundred I'd probably spend a month just machining and grinding replacement microscope parts.
I suppose you could be referring to the marginal cost of an hour on a wirebond machine at the nearest NNIN facility, but last time I priced out training options the overhead to get started would have been $500-$1k.
If you're lucky enough to already be in China, I can't imagine it would be to difficult to get a small run made for a much lower cost, although I've never done so. Lots of factories making high volume, low end products use wire bonders to attach bare die to a PCB -- think calculators, gift cards, etc.
The simple fact is there's no comparable level of electronics manufacturing in the US, making it hard to get the parts and machinery necessary.
It is the end-game for hardware. Software has already been gobbled up by language designs which are less and less hardware-near for the very same reason.
Not sure what the MT6261 quiescent current is, but I'd expect it to be in the 100s of uA. An MSP430 can get down to 0.1uA, which is much more difficult to detect.
If I had to guess, the MSP430 die is probably about 1/4 the size of the MT6261 die.
Most importantly, I can't find a MT6261 datasheet anywhere except for taobao. This just makes development harder.
Curious: how do you beat that? Do you listen to other signals and try to transmit at the same time (if you must)?
I found an article about the export restrictions here.
seems like it has to do with the fact it's guaranteed to intercept a signal all the way down to 1.2 uS
So someone bugged with something like this implant could fully power off their laptop when discussing sensitive information, and if they left a bugged USB drive plugged in, they could still be compromised.
The non-average user should have no problem mucking around in BIOS settings.
Physical switches for the USB ports sound like they'd be as confusing for most people as the physical wifi switch was, when that was common. I think that means that if some manufacturer decides to introduce them, they won't be around long.
Also I don't understand the concern with people not trusting Intel. By using their hardware in any form you are inherently trusting them. Unless you are able to check their design and fabrication process, they could easily hide something in there to disable protections in Windows or Linux based on certain patterns of network traffic.
Privacy is not just some option, it is law. Surveillance and hidden surveillance of users is illegal in most countries and any technology with the capability to do so has to be disclosed with end user control.
> most don't seem to value their privacy
Most people do value their privacy, but are either ignorant of how strongly technology can damage their privacy or fee there isn't any other option or alternative.
> nothing will change
It will change when the people that do understand technology work to preserve privacy over profit and convenience, educate the general public about privacy issues, and inform them of privacy respecting alternatives.
 Businesses tend to encourage ignorant and/or misleading beliefs when they promise impressive features backed u[p with useless promises to "take security seriously".
I believe you have to use CDs instead for a lot of cases.
I've encountered extended color coding on multiple gaming oriented motherboards: Black for USB 2, Blue for USB 3.1 (so far so standard), Red for persistently powered.
That way you can have your phone connected to that port and have it charge overnight, etc.
That I would never notice behind a desk
Also, in the usb cable with cell https://twitter.com/nblr/status/929132160602296320
I guess from this point on, given the extra space, it would be relatively trivial to also send the file structure.
Those fixed price for unlimited calling plans that are great for human to human communication would suck for low data sensors and devices.
In the US these are handled by special plans that have zero or close to zero fixed monthly cost, but have a high per byte or per minute rate so that they are quite cheap for their intended use (e.g., power meter daily usage report) but are too expensive to use for high data applications.
If there are similar things in Europe, maybe that number was one of those?
They are great if you have sensors travelling to different countries or your volume isn't large enough to negotiate with a local telco.
If you are deploying many devices in one country it will be far cheaper to talk to a local telco about getting a custoomized data package for your SIM cards.
https://eseye.com is another company supplying these roaming SIM cards.
Of course, if you're expecting it, this device should be relatively simple to stop. I can imagine more stealthy variants however.
Maybe an innovative company could add warnings for USB ports that draw power but have no recognized device. For the advanced ports with charging support and so on they should have power monitoring already.
If you conveniently "forget" or show heavy reluctance to give your info and papers when buying a new phone, you can get an unregistered SIM. Just promise them you'll give the info "later". The salespeople don't like the hassle and just want to secure the sale.
You can also easily give fake info and "forget" your ID card, since it's not verified, but that's dangerous if you get caught.
Simple social engineering.
Any target of high value will be pursued and observed by trained humans with advanced tools. The amount of data collected, I suspect, would be less but more accurate.
A device like this just lowers the bar (really low) on tracking. However, it increases the noise/inaccuracy. If combined with some key logger and other devices, it could provide a very detailed picture of someone's communications and movements. But it would include a lot of noise as well, which would still require a lot of sifting and organizing to make sense of the data (and especially to filter out the noise).
If anything, I think these devices are more a money grab on the "spies" than a significant intrusion on the targets.
But at the end of the day, we dont want to encourage the deep surveillance state... but we techie always look at this sort of thing and then say "hmmm... wouldnt it be interesting if..."
The majority of these techniques are allowed in the US because Congress doesn't know / care.
The more popular exploits of insecure technologies we get, the more security becomes an economically beneficial differentiator. And the more concerned calls your local Congressperson receives.
This is for jealous spouses.
Nope. But if somebody replaced the cable while you weren't looking ...
OK, I will bite. I would not call any company doing what is already possible more convenient for users a company with questionable ethics. That, to me, is perfectly OK.
In my book what is questionable (despicable, actually) is making a product that, as a byproduct, generates side-effects undesired by users (such as easy tracking) and does not try to allow the user who cares to turn such features off.