by amagumori 2902 days ago
uhhh...how does this prove that the chip doesn't have radio functionality? they didn't figure out any information about the chip's actual functionality beyond its PCI device name, which would ostensibly not be "SUPER SECRET DATA EXFILTRATION RADIO FOR NSA". they just took it off, unplugged the wifi card, and then said "well, it doesn't connect to wifi networks now. must be fine".
5 comments

This alone wouldn't be enough, sure. But you can get more data to say that it isn't doing any RF by looking at the circuit board and looking for antennas, they've got some fairly distinct shapes to be able to radiate efficiently. Of course they could still be inefficient radiators on purpose to prevent them from being found, but that also then means that they'd have to be even closer to pick up the signal. You can take x-rays of the board to confirm the construction matches the schematics you can find from various websites (I don't know them myself, but I know repair shops get them). You can then decap the chip to examine it for any intentional radiators, which you'd need at that scale to be able to get any signal out. All that combined with a metal case, and you're unlikely to sneak in a transmitter that way. It'd be far easier to compromise the wifi firmware, which is a binary blob anyway, and just use it to DMA data off main RAM directly. It's already built to do it, and it's got antennas that are expected already.
The cable to the camera could also serve as an antenna.
Don't you see, they used Kali Linux which contains the specialized lspci hacker tool.
I don't know if you're being sarcastic, but there's nothing specialized or Kali Linux specific about lspci. Every Linux distro I've seen comes with lspci (also lsusb, lsmem). system_profiler on OSX is probably the closest to all of these and more, rolled into one command line tool.
It is definitely sarcasm.
As far as I can tell, the only reason they thought it was a wifi chip is that iFixit labeled it as such and it's made by Broadcom. It could conceivably have a secret wifi chip hidden inside it, but so could any other component from the battery to the USB port; there's no reason to think that they do.
There’s no way to conclusively prove what you suggest. This article isn’t about proving that though, it’s about “hey I wonder what this chip is for.”
> This article isn’t about proving that though

Um, the article kinda is:

> ... so we deemed this information reliable and immediately raised some critical questions: Is there a wireless chipset soldered onto the MacBook Air’s logic board that we didn’t know about? If so, is it not actually possible to properly air gap a MacBook Air?

And their methodology is a bit flawed. This made me shudder:

> We took out the Air’s logic board to see if we could pry the chip off with a screwdriver. We quickly decided this was a bad idea. We also considered “disabling” the chip by drilling a few holes through it with a Dremel tool or by melting it a bit with a soldering iron.

Jeezo.

You're judging their methodology by what they chose not to do?
If they considered it for long enough to put in the article then it's clear they are amateurs in electronics.
I'm an amateur in electronics, and I would consider using a heat gun to desolder the BGA-looking chip (which basically means I know what a heat gun does and I know what BGA looks like). The article author's skill level is "I saw some electronics once".
Use an RF antenna to see if it is putting out any signal.
Could very well not tx until it receives a wake up message.
True. But you could transmit a variety of RF frequencies at the device and try to detect resonance in the antenna. Unfortunately WiFi uses direct conversion rather than IF demodulation, but there is no reason to assume a covert transmitter would use wifi, which is easily spotted by off the shelf equipment. https://youtu.be/ZxyU_1xUOWc

Micropatch antennas are super hard to detect, even with x-ray, and newer types even harder. https://www.nature.com/articles/s41467-017-00343-8

Not sure why you were downvoted. The test only showed removing the chip disabled the camera. The chip BCM15700A2 is a WLAN/Bluetooth chip used on Intel 8260 cards and lots of Dell laptops.

There is a Linux kernel driver written for this chip used for 802.11a wireless.

The 15700 is a PCIe bridge and PLX chip with some signal conversion capabilities; it was never even designated as a wireless chip. Heck, we have Apple’s manuals:

338S1186 1 IC,BCM15700A2,S2 PCIE CAMERA PROCESSOR U3900 CRITICAL

5-digit part numbers are Broadcom’s “IP bridge SoC”; the BCM15900 on the iPad Pro, for example, handles the eDP connection with the screen, IIRC, and the digitizer function.

Got a source for that? I can't find any references to the 15700A2 being on Intel 8260 cards.