I wonder why they even bothered with such a high end processor like the MT6261. Get a bare die micro like the MSP430, and a bare die GSM chipset, and you're set. You'd have to dissolve your SIM card in acid and wire bond it to the PCB, but wire bonding machinery is pretty cheap.
Realistically, this is stupid easy for a state-level actor. A good hardware hacker worth their salt could probably set up a bug no bigger than 10mmx10mm in a couple of months for a few hundred, less if they already have a wire bonding machine and microscope.
For a state level actor, you can roll your own ASIC and just dump RF and microcontroller on one die. Package it up inside a USB flash drive controller IC, mark it with someone else's logo, and you've got a bug that you would only find by dissolving the chip in acid and looking at the die very carefully. It'll cost you a few million, but it's just not that much money when your R&D budget is 150M/y.
The weak part of all these systems is the constant GSM heartbeat, but even that is beatable.
> in a couple of months for a few hundred, less if they already have a wire bonding machine and microscope.
How do I get my hands on a wirebond machine for a few hundred? The bottom end of "old and crusty but not actually broken" seems to start at a couple thousand on eBay. If my budget were a few hundred I'd probably spend a month just machining and grinding replacement microscope parts.
I suppose you could be referring to the marginal cost of an hour on a wirebond machine at the nearest NNIN facility, but last time I priced out training options the overhead to get started would have been $500-$1k.
Yeah, it's kinda tricky -- costs could be much higher. Wire bonders aren't exactly hot ticket items; very few people are using manual machines. A cheap Chinese made one from Taobao/Alibaba costs around $250, but add in shipping, and you're close to $500 already. Something made in the USA from eBay will be of similar price, just two decades older.
If you're lucky enough to already be in China, I can't imagine it would be to difficult to get a small run made for a much lower cost, although I've never done so. Lots of factories making high volume, low end products use wire bonders to attach bare die to a PCB -- think calculators, gift cards, etc.
The simple fact is there's no comparable level of electronics manufacturing in the US, making it hard to get the parts and machinery necessary.
I feel part of the reason is that processors such as MT6261 are getting cheaper and cheaper. The marginal benefit of producing a simpler and smaller design is likely going to go away quickly.
It is the end-game for hardware. Software has already been gobbled up by language designs which are less and less hardware-near for the very same reason.
I was thinking purely from a power consumption / die size / support stand point.
Not sure what the MT6261 quiescent current is, but I'd expect it to be in the 100s of uA. An MSP430 can get down to 0.1uA, which is much more difficult to detect.
If I had to guess, the MSP430 die is probably about 1/4 the size of the MT6261 die.
Most importantly, I can't find a MT6261 datasheet anywhere except for taobao. This just makes development harder.
You can broadcast on a timer, you can switch to a low frequency, low bandwidth transmitter, you can store locally and pick up the device later, etc. It all depends on the environment.
Wow:
"
This is probably not an elaborate scheme to harvest phone numbers and send them to China, but rather the way the default manufactured SIM code was implemented and it was never trimmed down to the needs of this device. Nevertheless, I found it interesting seeing how the device is accessing virtually everything on the SIM.
"
I agree, but it's rare to see someone not go fake ballistic claiming phone book capture for page views...
What's especially creepy is that many devices (e.g. laptops) with USB ports continue sending power to those ports even when the device is off.
So someone bugged with something like this implant could fully power off their laptop when discussing sensitive information, and if they left a bugged USB drive plugged in, they could still be compromised.
The simple solution to this is using a physical switch instead of hiding that functionality in a BIOS setting. A clever designer could even design it into/near the port itself so each port can be switched independently.
And those switches can go next to the ones for power to the camera, microphone, wifi, bluetooth, speakers, and anything else that I might want to be electrically disable-able, right?
Physical switches for the USB ports sound like they'd be as confusing for most people as the physical wifi switch was, when that was common. I think that means that if some manufacturer decides to introduce them, they won't be around long.
It's not nothing to hide, it's realistic threat model. But if these things become more popular and in more and more devices they'll just hoover up all the data they can get like already happens with web software. The average user probably should not have to learn what an extension is and figure out which adblocker to install, but this is the inelegant world we live in, and anyway I'm still on the fence for whether I really want to expect more from the average user or not.
We've asked you already to post substantively or not at all, and we ban accounts that won't. Would you please take a look at the guidelines and try to change this?
That is a different issue. The article was about an external USB device.
Also I don't understand the concern with people not trusting Intel. By using their hardware in any form you are inherently trusting them. Unless you are able to check their design and fabrication process, they could easily hide something in there to disable protections in Windows or Linux based on certain patterns of network traffic.
Say that we trust Intel completely. Does that somehow make AMT not a security concern? For the ME itself, especially if it's not connected to any networking hardware: Whatever. It seems more like a theoretical threat than a practical problem. AMT sounds like something that I don't want running on my machine, even if I trust Intel itself completely.
Perhaps others are not so trusting and do not want to legitimize surveillance and would like to hold these companies to account.
Privacy is not just some option, it is law. Surveillance and hidden surveillance of users is illegal in most countries and any technology with the capability to do so has to be disclosed with end user control.
Please stop blaming the victim for being ignorant and/or falling prey to marketing.
> most don't seem to value their privacy
Most people do value their privacy, but are either ignorant of how strongly technology can damage their privacy[1] or fee there isn't any other option or alternative.
> nothing will change
It will change when the people that do understand technology work to preserve privacy over profit and convenience, educate the general public about privacy issues, and inform them of privacy respecting alternatives.
[1] Businesses tend to encourage ignorant and/or misleading beliefs when they promise impressive features backed u[p with useless promises to "take security seriously".
I don’t think “don’t blame the victim” applies to voluntary transactions. Consumers have shown we will not sacrifice much for privacy or security. That’s a trade-off made in the market by millions of people, independently, every day.
I think a CPU that has no mini PC inside it is much easy to verify, you can try a lot of inputs and see if the output gets weird, I think this technique was used to discover some hidden switches in Intel that the government uses to work around the ME on their own systems.
Okay lets say that the ethernet MAC has some gates that detect a particular 1024-bit random bit pattern in packets and that triggers a behavior change in certain sequence of instructions common in Windows security code to bypass it. How would you discover this?
What do you mean the ethernet card triggers changes in Windows instructions? Do you mean it can scan the RAM and do some changes? I am not familiar with how recent hardware works but I would be worried if hardware could scan RAM and edit executable code bypassing the kernel and drivers, so more reasons to get open hardware and drivers.
I've encountered extended color coding on multiple gaming oriented motherboards: Black for USB 2, Blue for USB 3.1 (so far so standard), Red for persistently powered.
That way you can have your phone connected to that port and have it charge overnight, etc.
I’d call it a feature. I sometimes need to harvest energy from my computer’s power supply to charge my phone without the computer being on (waste of energy)
This kind of thing would immediately stick out like a sore thumb to a lot of technical users. In the world of USB cables it’s HUGE, even though technically I know it’s very small for it’s purpose. Very cool nevertheless!
As someone who was involved with redteaming: ~nobody does. It's very rare to get caught after bugging someone's equipment. Bugs like these blend in seamlessly with the massive amounts of cables behind most desks.
It is scary as heck. I could be behind a desk and almost certainly would overlook this, or the mic I saw online embedded within an Ethernet cable the other day.
Off topic, but still: is that a price of almost 2 EUR per minute of call? (to that stranger's phone - 3333333) I thought calls inside EU are price-limited? Or is this some really old post?
You can usually trade off monthly fees and per-unit costs for SIM cards. You can get one for $50/month that includes unlimited calling or one for $3/month that has high per-minute costs.
How are remotely monitored sensors and devices, like weather stations and power meters, that need to send a small amount of data periodically, and that use the cellular network for that handled in Europe?
Those fixed price for unlimited calling plans that are great for human to human communication would suck for low data sensors and devices.
In the US these are handled by special plans that have zero or close to zero fixed monthly cost, but have a high per byte or per minute rate so that they are quite cheap for their intended use (e.g., power meter daily usage report) but are too expensive to use for high data applications.
If there are similar things in Europe, maybe that number was one of those?
https://particle.io and https://hologram.io have almost worldwide availability for SIM's designed for this. There are probably older less-hip suppliers as well.
> have almost worldwide availability for SIM's designed for this.
They are great if you have sensors travelling to different countries or your volume isn't large enough to negotiate with a local telco.
If you are deploying many devices in one country it will be far cheaper to talk to a local telco about getting a custoomized data package for your SIM cards.
https://eseye.com is another company supplying these roaming SIM cards.
I’ve seen these before on eBay and really wondered what they were all about. Thanks to the person who took the time to write this up! It’s crazy how cheap and small these devices are.
The idea is that you would apply a high voltage to just the cable, with nothing else attached. If it's just a cable, no harm no foul. On the other hand, if you start seeing smoke from the embedded electronics, you may want to use a different cable.
Unfortunately, that approach will become less useful in the future, as all USB-C cables that support USB 3 and/or high power contain a chip to advertise that fact[1]. (And then there are Thunderbolt cables, which look the same but require even more sophisticated electronics.)
You could also just use one of those cheap USB power/voltage monitors as the author does. Obviously a cable alone should not be drawing power.
Maybe an innovative company could add warnings for USB ports that draw power but have no recognized device. For the advanced ports with charging support and so on they should have power monitoring already.
Or even better, take out the SIM and find to whom the number is registered to. In many countries numbers require registration, ie. you can't get one without showing personal papers. Of course intel agencies aren't required to do that, so that if you can't get a real name for that SIM then you're 100% sure you're being watched by people a bit more powerful and dangerous than your suspicious wife (unless your wife works for them :^).
Using cellphones or anything related to them, especially if you don't plan to recover the device, is not good for spying because you're leaving behind tracks almost as important as DNA.
Nice article though. If some of you want to experiment with these devices, you can get a SIM800 or A6 GSM modules then pair it with a small uC for a lot less than €10.
>If you can't get a real name for that SIM then you're 100% sure you're being watched by people a bit more powerful and dangerous than your suspicious wife
If you conveniently "forget" or show heavy reluctance to give your info and papers when buying a new phone, you can get an unregistered SIM. Just promise them you'll give the info "later". The salespeople don't like the hassle and just want to secure the sale.
You can also easily give fake info and "forget" your ID card, since it's not verified, but that's dangerous if you get caught.
This is obviously not good, but I'm not sure it is particularly useful for something "important".
Any target of high value will be pursued and observed by trained humans with advanced tools. The amount of data collected, I suspect, would be less but more accurate.
A device like this just lowers the bar (really low) on tracking. However, it increases the noise/inaccuracy. If combined with some key logger and other devices, it could provide a very detailed picture of someone's communications and movements. But it would include a lot of noise as well, which would still require a lot of sifting and organizing to make sense of the data (and especially to filter out the noise).
If anything, I think these devices are more a money grab on the "spies" than a significant intrusion on the targets.
It's another layer of attack surface. You think attackers use just one bug? They use as many as they feasibly can to add redundancy and improve attack success rate.
I think it would be pretty easy actually, to keep up with the data - you could just get a Bluetooth headset and set your phone to automatically accept calls from your spying device, then listen in while you go about your day.
Or hook it up to a Twilio and receive text notifications when a new recording is available. Optionally auto-transcribe and do topic modeling to extract only discussions of interest.
But at the end of the day, we dont want to encourage the deep surveillance state... but we techie always look at this sort of thing and then say "hmmm... wouldnt it be interesting if..."
I don't think products like this encourage the "deep surveillance state" - if anything, they weaken it by loosening their monopoly on high-tech covert surveillance. These things can be used for good as well as evil - you could spy on a corrupt official or catch someone cheating just as easily as anything else.
Agreed. Anything that renders the previously invisible (state surveillance techniques) visible via consumer availability is anathema to state surveillance.
The majority of these techniques are allowed in the US because Congress doesn't know / care.
The more popular exploits of insecure technologies we get, the more security becomes an economically beneficial differentiator. And the more concerned calls your local Congressperson receives.
But the low quality audience for this device is likely incapable of doing such a thing. Now, a company with questionable ethics could facilitate this for clients...
> Now, a company with questionable ethics could facilitate this for clients...
OK, I will bite. I would not call any company doing what is already possible more convenient for users a company with questionable ethics. That, to me, is perfectly OK.
In my book what is questionable (despicable, actually) is making a product that, as a byproduct, generates side-effects undesired by users (such as easy tracking) and does not try to allow the user who cares to turn such features off.
Realistically, this is stupid easy for a state-level actor. A good hardware hacker worth their salt could probably set up a bug no bigger than 10mmx10mm in a couple of months for a few hundred, less if they already have a wire bonding machine and microscope.
For a state level actor, you can roll your own ASIC and just dump RF and microcontroller on one die. Package it up inside a USB flash drive controller IC, mark it with someone else's logo, and you've got a bug that you would only find by dissolving the chip in acid and looking at the die very carefully. It'll cost you a few million, but it's just not that much money when your R&D budget is 150M/y.
The weak part of all these systems is the constant GSM heartbeat, but even that is beatable.