[dan000892]

This stuff is rad. I took a class on hardware implants with Joe Fitz a couple years back—on the heels of that wholly unsubstantiated Bloomberg article about China embedding rice grain-sized hardware implants into Supermicro motherboards that magically found their way only to select F100s and gov’t agencies—where we made a PCB to interface an ATtiny85 to an unpopulated UART header on some IoT device but instead of soldering it down we just taped it with this.

(The UART provided a root shell and enough power to “boot” the ATtiny which simply waited a few seconds and then ran some commands to initiate a reverse shell to a server under our control every time the device was powered on. Thanks to this tape and the device’s tool-less case (and convenient unpopulated header with space around it), it was enlightening how trivially easy it’d be to develop and deploy such an implant to an operating device (with the caveat that I wouldn’t consider the connection robust enough to survive transport).

It’s also useful to connect SMD EEPROMs to unpopulated/desoldered pads for testing without installing a socket.

[mardifoufs]

Yep! But it sadly cannot replace soldering for denser pinout layouts, unless a lot of pressure is applied. Someone tried though;

https://tomverbeure.github.io/2019/11/21/Z-tape.html

(A bit off topic but that Bloomberg story is still such a mystery to me. It went into quite a bit of details and claimed it had tons of sources, so even if it was a completely false story whoever fabricated it must have put insane amounts of efforts/identity fraud into the set up)

[kadoban]

The Bloomberg story, my thinking is that it was probably true, but someone from national security forced them to clam up.

[javajosh]

Yep. For the CIA or NSA or whomever quashing that story is a good short-term solution (protecting your spy IP - spy P?) and also medium-term (harming Bloomberg's reputation), but the longer term side-effects (harming media's reputation in general) probably ended up doing far greater harm to the US. Trust is so easy to destroy, and takes a very long time to build up again.

[timschmidt]

It was also quite a plausible hack. The faker, if indeed anything was faked, knew more than most. Enough to have done the thing for real.

[djrogers]

It was completely implausible - the chip that was identified could not possibly carry enough processing ability to do anything useful as far as espionage goes, had no connectivity to networking, and there was never any evidence of communication from these devices to anything suspicious or unknown.

[derefr]

> processing power; networking

Could the device not simply get the host to do these things for it, by e.g. rootkit-ing the server’s BMC? A “hardware virus”, per se.

[tablespoon]

>> It was completely implausible - the chip that was identified could not possibly carry enough processing ability to do anything useful as far as espionage goes, had no connectivity to networking, and there was never any evidence of communication from these devices to anything suspicious or unknown.

> Could the device not simply get the host to do these things for it, by e.g. rootkit-ing the server’s BMC? A “hardware virus”, per se.

IIRC, that's exactly what was alleged in the article. It was an implant that sat on the BMC ROM bus, fiddling with bits as the ROM was read during bootup. No need for any networking or processing ability beyond what was needed to that. This guy actually did a POC of that: https://trmm.net/Modchips/.

So totally plausable.

[exikyut]

My understanding was that it sat between the BMC and its boot flash and (assuming it was real) was designed to bit-twiddle regions of the firmware as it flew past over SPI. So basically streaming strpos() (or maybe even counting bytes) and then sending some alternate sequence of data.

That would require some processing chops to handle whatever speed the SPI bus ran at, and a bit of space to store the replacement bytes. Firmly within the margin for plausibility with even basic off-the-shelf kit. Honestly depressing really.

[luma]

Not at all implausible, it was reported to be connected to the BMC which are often notoriously insecure and which could conceivably grant it network access.

[rob_c]

No adding components activates different hardware features on the chipset its connected to. I.e. remote debug access via a reserved data line when pinX is high/low... all that would need is a single surface mount resistor or frankly tin-foil.

[peter_retief]

Had me fooled, I got quite excited reading it, ashamed to admit.

[franga2000]

UART pins! That is such a good idea!! I need to get some of this stuff and make some stick-on connectors so I don't have to solder pins whenever I need a UART for 30 seconds to unbrick a router or something

[londons_explore]

Springy pogo pins are what you want.

Hold them on with one hand while you type a few commands over the serial connection with the other.

If you have more in depth debugging to do, get a 'helping hand' to hold it in place.