[cookiengineer]

> pcb's today contain too much 'made by hand' to hide much without the designer noticing...

Doesn't mean the layers have to be rendered with the modified/malicious version of KiCAD. They could just try to hide it if they detect a layer with id=spyware.

I'm just saying that this would be a very sneaky way to infiltrate the hardware industry, because currently all installed versions rely on the old domain - and that's where they will pull their updates from, too. So pushing out a newer release with that "spyware" modification would be super easy to realize.

[extrapickles]

Adding an extra layer is expensive (and done in pairs). As others mentioned, when you go to manufacture your boards, you export each layer into its own file, zip them all up and then send/upload the files to your manufacturer. Either you will notice the extra files, or when you put in your order, the manufacturer will reject the order as you gave them the wrong number of files (eg: you paid for 4 layers, but sent them 6). The file format of the layers is basically a vector in ASCII of each trace, so there is little opportunity to hide extra stuff.

More and more manufacturers with online ordering show you images of what they think each layer looks like, and any modifications unless they are very slight will be detected then. You always review each layer in the manufacturers tool as there is a host of things that can go wrong (layer ordering, mirroring, alignment, copper vs solder mask vs silkscreen layer types).

Adding extra components is out too, as the Bill of Materials is exported to CSV, then imported into several component suppliers websites. Any non-basic component is carefully scrutinized for need as they are expensive (and these days hard to get) and to make sure you have everything you need to actually build the board as any non-trivial board requires multiple suppliers to provide all of the components. Even if you missed it then, assembly charges a significant amount per unique component they have to place on the board (eg: placing same resistor twice is cheaper than 2 different resistors).

Once the board is assembled, it will then likely undergo EMI testing to comply with various countries limits on how much RF can leak out of the product. In quite a few cases, final testing is done by a 3rd party lab. This basically limits whatever data exfiltration method to be short range.

If someone wanted to be evil, they would have much better luck on the software side of the product rather than at the board level.

[avian]

As a part of a highly targeted attack on a single device, maybe. It would have to involve specialist knowledge and manual work to do it. For example, something simple like sabotaging a "mic on" or "camera on" LED on might be possible on a complicated design without anyone noticing for a while. Seems a lot of work for little effect though.

Blanket automated modifying of hardware designs to add "spyware in hardware form"? I would say even "automated" part is impossible at the moment. I've never heard of automation that would understand a hardware design on a level that would be required for that.

In the end, the only modification with a good chance of being missed by the designer is the copper artwork on existing PCB layers. You might add an extra trace, or break an existing trace somewhere. But as soon as your hacked Kicad starts adding BOM items (like an extra "spyware" microprocessor or something) or even extra layers, I guarantee someone is going to notice very soon. If not for other reasons then because these things will add extra $ on someone's bill.

[theunamedguy]

There is no way this could work. The EDA tool (e.g. KiCAD) is only the first step of the fabrication process - you generate Gerbers from your KiCAD board layout, which are a highly standardized format that can be viewed in a variety of independent pieces of software. There are also multiple stages of design validation - both in the design phase, and then in the physical phase of actually inspecting your fabricated boards. The chances of any "malicious" circuitry slipping in are next to nil.

[okl]

What kind of spyware do you imagine? Rogue copper traces? Any extra parts to populate suddenly appearing on the BOM, that would be obvious.

[cookiengineer]

Well, depends on how the Q&A process is in the pipeline after the design.

What I thought of is maybe it might be feasible to sneak in some circuits that reroute e.g. a network port's traffic to a specific public IP/CnC. Depending on how complex the PCB layout is, it could be feasible to encode or modify the modulation of easy network busses (aside from ethernet).

But I guess that would involve deployment of malicious firmware or availability of a specific "malicious" chipset, too, because ethernet is quite complex in the sense that there are too many physical parts necessary to implement it in hardware form.

I was just thinking about the Q&A pipelines in the industrial process. Usually they never validate anything because of proprietary/protected intellectual property contracts, so suppliers down the line always claim it's according to specifications and that is blindly trusted by the manufacturers.

Identifying something like this is much harder in the organizational sense, because it involves a lot of time for verification down the line, and involves a lot of organizational blamestorm before anything really happens to fix it.

[okl]

If you are willing to go that far, just sell them fake ICs. No need to meddle with PCB layouts.

[londons_explore]

There are a few neat and potentially evil things you can do with copper traces alone. For example, you might be able to make a spy radio emitter[1].

Despite this, I very much doubt any software is going to be inserting those into designs automatically anytime soon!

[1]: https://en.wikipedia.org/wiki/The_Thing_(listening_device)

[mhh__]

The thing did have more than just wires, it had to have a membrane to actually work as a microphone.

[mhh__]

I think this is impossible but hypothetically you could fiddle with the EMI signature of a product to make it easier to sniff for.

Actually adding a component is a bit too james bond, although maybe you could do 1 or 2 on some enormous board but even then that's a real stretch.