I'm imagining a "stealth" wifi controller on one of the custom chips, hung onto a pin connected to an internal antenna realized on an internal copper layer of the motherboard. If you used a non-standard frequency and protocol, who would know?
You could probably get an okay transmit-only signal with fairly unremarkable on-chip hardware (say, a simple PCM) and something that didn't look too much like an antenna even if you X-ray'd the board. I'm guessing that a similarly stealthy receiver would be noticeable due to required external discrete components (e.g., amplifiers, filter networks).
Plonking down a whole chip for "secret wifi" is likely overkill.
…something that didn't look too much like an antenna…
The Raspberry Pi Zero W has a perfectly serviceable antenna which is simply a cavity formed between layers of copper and two tiny capacitors which look about like grains of salt.
Antenna design is not black magic. There are a few well-understood basic patterns and you parametrize those. Some of those look quite exciting and tuning the matching network is annoying if you've never done it before but typically you use a template for an antenna design and set the parameters to what gets you best simulation results, then prototype and measure and set the matching network to match your measurements. It's not magic, it's normal everyday engineering.
Coming up with new fundamental antenna designs feels a bit black magicky to us lowly electronics people, but that's just because it's more applied physics than engineering. Here's an example of how new antenna pattern design is done: http://sci-hub.tw/https://www.sciencedirect.com/science/arti...
Slightly related, an FPGA circuit designed by a genetic algorithm which ended working due to analogue effects and hardware-specific magnetic flux interference.
For this or other successful genetic algorithms, it would seem clear you still can’t know if it’s an optimal design simply because in most cases the number of designs tested would be a small fraction of the possible designs.
However, things like useful sound recognition being done with only a small number of logic gates (commenter below provided a nice article, thank you) make it hard to imagine doing much better.
I wonder if the process can be shown theoretically to offer any help in guaranteeing minimum bounds w.r.t. the optimal case, even if can’t be fully proven to be optimal.
The NSA developed their own networking protocol, separate from TCP or UDP, which operates just above the physical layer.
The idea is that you rewrite the network card firmware so that there’s an NSA MITM running on it. The host computer never knows, because as far as the computer is concerned the network card is sending exactly the data you would expect. And even if you hook up network monitoring tools externally, you wouldn’t be able to notice anything wrong apart from a slightly reduced total bandwidth.
The value of such a tool is that it can be installed remotely, with no physical presence.
They also have all kinds of gadgets to defeat airgaps. IIRC one of them was a replacement keyboard that looks identical to the normal one, but provides the stealth wifi you mention.
One way to get an idea of what the NSA is up to is to look at their job listings. They can fake everything else, but not those.
So at the link layer? If so, what you described does not sound like an effective technique to exfiltrate data over the internet, unless the NSA also controls the LAN/internal network the target device is on.
Why? Because any non-standard protocol data will be thrown out by the first switch or router on the path out of the target LAN. In other words, the exfiltrated data will not be forwarded on to the next router or switch, simply because the next router/switch will not have support for the NSA's custom protocol in its network stack.
"Why? Because any non-standard protocol data will be thrown out by the first switch or router on the path out of the target LAN. "
That's not necessarily true. Misconfigurations and weird issues in networking gear caused vendors to be kind of permissive about some things. Depending on the vendor, they might drop it or pass it through. Network security folks in the field, in or away from NSA, probably have a good idea of what things make it through most often plus fall-back options. They might even keep current documentation of it based on field reports over time. They'd just use that stuff. Also, intelligence work is very difficult and opportunistic already. A method doesn't have to work all the time: just enough to keep trying it.
One thing the NSA is very good at is getting access to virtually every type of networking card. If they achieve access to a target, it's likely they control a path to it.
If the target is a wifi device, the custom protocol becomes doubly effective: Exfiltration is a matter of having a receiver anywhere in the vicinity. And that receiver can amplify the signal to blast it a few miles. There are tools to sweep the EM spectrum looking for anomalies like this, but they seem to be rare, for the moment.
> If they achieve access to a target, it's likely they control a path to it.
Without specific, documented cases this is speculation of course. But I don't see why they'd use a link level protocol. 1. It requires patching multiple networking devices in the path, which is not very quiet. 2. It sticks out in any monitoring (via mirror ports) more than a UDP packet to a random host. DNS or ntp as a transport would be much simpler to hide.
And what exactly would be the problem for the NSA with patching networking devices? They even mention how it's useful specifically for these hard targets
>"some of the most productive operations in TAO because they pre-position access points into hard target networks around the world."
Yes. I used both header fields and delays as covert channels in the past since I know security professionals never looked for them. I derived them by just applying a standard, covert-channel analysis on the protocol. Others have described some methods publicly:
The oldest methods of finding stuff like this are Kemmerer's Shared Resource Matrix (1983) for storage channels and Wray's updated characterization (1991) that were used in DOD's security certification (TCSEC). They work for hardware, too, since it's how they found cache-based, timing channels in hardware hosting the VAX Security Kernel in 1992.
For transport, military-grade security often mandated fixed-size, fixed-rate transmission with error handling itself not able to leak stuff. Tricky on error part, inefficient other part. A primitive software defense is to clear the storage channels while throttling and randomizing the timing of delivery. Works best on non-real-time or already-slow configurations. Idea fit for store-and-forward messaging, which was preferred for high-assurance security. Another option from 1990's high security was to have a PCI card or something running a security kernel do the actual transfer from a labeled source. As in, the source can be as malicious as it wants with it unlikely to effect secure kernel. The kernel might prevent it, detect it, shut it down, or preserve logs for traceability. There was also the "force everything over link/network encryptor" concept to attempt to cheat. Leaves some metadata which can be mitigated or obfuscated by other means including prior transmission method.
Hope that helps. Current work uses models or languages to track shared resources for automatically detecting storage or timing channels among other things. I'll dig some out of my collection if anyone wants them.
Note: This is a great overview with plenty of terms you can use to find modern work. It's branching out in all these areas. Key words to use include "non-interference", "static analysis," "covert channels," "labels," "confidentiality," and "side channels."
Note: Used in Civitas secure voting app. Links to Sif and Fabric are down the page a bit.
Note 2: You should be noticing by now that the Cornell teams (a) are pretty awesome and (b) were way ahead of most on this stuff.
Deterministically Deterring Timing Attacks in Deterland (2016)
Note: Thanks to a few events, there are piles of work on hardware ranging from invididual components to whole chips. So, I'm just grabbing examples of different types. This one is on VM's in cloud.
Øzone: Efficient Execution with Zero Timing Leakage for Modern Microarchitectures (2017)
Note: Throwing an attempt in that's trying to avoid secure processors. Only read abstract since I just found it. I'm always skeptical if commodity chips are involved, though. Best I've seen are hardware I.P. that reuse optimized processors sort of sitting between their cores and the decoders or RAM. Plus, multicore without shared caches or multiprocessing with each core/chip a security domain.
So, there's some different things for you. Kemmerer and Wray are definitive, older works. Sabelfield and Myers best overview of new stuff. After Meltdown/Spectre, the rest is coming so fast I'm not even tracking it. I'm glad someone asked justifying an attempt at a survey. Found some good links. :)
Why wouldn't an organization fake their job postings to lead people astray? Like if the FSB started hiring string theorists or telekinesthetics positions to waste the NSA's time figuring out why they're doing that.
You could put the whole thing in a faraday cage and look at the emissions with a spectrum analyzer. There's probably a bunch of wide spectrum noise though, thanks to all those squarewaves running at various frequencies. If you were smart, you might try modulating one of those signals(sort of like the 'spread-spectrum' feature of many BIOSes, but with information doing the modulation and not just noise). You might be able to sneak other signals in amongst all the noise. Hell, spread spectrum signals can sit below the noise floor... I don't really think there's a way you could be 100% certain that the laptop wasn't exfiltrating data.
We’re not sure exactly what the technicians did to remove the chip – heat gun, maybe? – but it came off cleanly and you wouldn’t notice it was missing unless you were specifically looking for it on the board.
Almost certainly, or more precisely, a "hot air rework station". For someone with experience, it only takes a few minutes to remove and replace BGAs with one.
This story made me realize: I haven't seen the phrase "tin-foil hat" used much in the past couple of years. Huh.
Which reminded me of a quote:
"For a while you wondered whether the fools were pretending to be fools as some kind of deception, or whether there was a real efficient service somewhere else. Later in my fiction, I invented one. But alas the reality was the mediocrity." — Le Carre
David Cornwell served in MI5/MI6 in the '50s and '60s, when the game was pretty different from today. Certainly the mediocrity is still present in intelligence agencies at some level (as testified by the Manchester attack), but Snowden proved that their technical capabilities for surveillance are as good as, or even better than, a lot of people feared. This is why casually dismissing the paranoid as tinfoil-hatter is out of fashion. You will likely notice the same happening to Godwin Law right now.
> certain frequencies are in fact greatly amplified [by the helmets]
Oh, interesting!
> These amplified frequencies coincide with radio bands reserved for government use
I mean, if you take all of the common RF spectrum and look at what is reserved for civilian use, the vast majority is not freely usable. I'm not surprised it's within licensed spectrum.
> the use of helmets may in fact enhance the government's invasive abilities
Right.
> We speculate that the government may in fact have started the helmet craze for this reason.
Riiiiight.
This went from fun project to three levels of conspiracy theory real fast.
And looking at the contents (instead of the summary/abstract) more critically, they investigated >=10kHz waves. The brain waves that I know of are in the range of 1-150Hz: https://en.wikipedia.org/wiki/Neural_oscillation
... actually, this page is a joke, right? The more I read on the page, no way that this is serious.
The great Tin Visionary Stewart Butterfield saw the writing on the wall a long time ago. Tin is in his blood, but nary a sheet of tin has rolled of his own production lines in over 30 years.
In Apple's computers the web cam light cannot be disabled, because the web cam is controlled by a co-processor as demoed here. In the newer Pros with Touchbar Apple uses their own chip for this same function.
On a lot of PC webcams, you can run the camera without the light or visa versa[0].
Previous hacks of the iSight cam involved rewriting the firmware of that separate microcontroller. IIRC there was also a delay at one point, so that it was possible to take a picture really fast before the LED turned on.
Correct, since 2009 roughly, the sensor power was tied into the LED, so if the sensor had enough power to register an image, the LED would have to be on. Apple modified the circuitry specifically because of the old exploit.
Man, oh man can he ever be cynical though. At some point,l I have to believe it’s because he’s playing for the camera. Or, at least, I hope so. I’ve seen him get extremely stressed out over the silliest things.
I've never had a negative interaction with Louis personally, nor has anyone I've known. A friend birthed a repair store from his videos, and Louis' personality is very bright. His comments on the style of videos that Linus Tech Tips puts out compared to his own were hilarious.
I really enjoy Louis' videos. His decision of swapping from edited video to raw streams mostly as well is quite nice. Seeing his channel grow, and every trait that he has grow with that has been an interesting process. Maybe this is because I am quite cynical as well, but I have no idea. In 2 years he has grown from 40k subs to 442k, so he's doing something right.
I think everyone can get stressed over silly things.
uhhh...how does this prove that the chip doesn't have radio functionality? they didn't figure out any information about the chip's actual functionality beyond its PCI device name, which would ostensibly not be "SUPER SECRET DATA EXFILTRATION RADIO FOR NSA". they just took it off, unplugged the wifi card, and then said "well, it doesn't connect to wifi networks now. must be fine".
This alone wouldn't be enough sure. But you can get more data to say that it isn't doing any RF by looking at the circuit board and looking for antennas, they've got some fairly distinct shapes to be able to radiate efficiently. Of course they could still be inefficient radiators on purpose to prevent them from being found, but that also then means that they'd have to be even closer to pick up the signal. You can take xrays of the board to confirm the construction matches the schematics you can find from various websites (i don't know them myself, but I know repair shops get them). You can then decap the chip to examine it for any intentional radiators, which you'd need at that scale to be able to get any signal out. All that combined with a metal case, and you're unlikely to sneak in a transmitter that way. It'd be far easier to compromise the wifi firmware which is a binary blob anyway, and just use it to dma data off main ram directly. It's already built to do it, and it's got antennas that are expected already.
I don't know if you're being sarcastic, but there's nothing specialized or Kali Linux specific about lspci. Every linux distro I've seen comes with the lspci (also, lsusb, lsmem). system_profiler on OSX is probably the closest to all of these and more, rolled into one command line tool.
As far as I can tell, the only reason they thought it was a wifi chip is that iFixit labeled it as such and it's made by Broadcom. It could conceivably have a secret wifi chip hidden inside it, but so could any other component from the battery to the USB port; there's no reason to think that they do.
... so we deemed this information reliable and immediately raised some critical questions: Is there a wireless chipset soldered onto the MacBook Air’s logic board that we didn’t know about? If so, is it not actually possible to properly air gap a MacBook Air?
And their methodology is a bit flawed. This made me shudder:
We took out the Air’s logic board to see if we could pry the chip off with a screwdriver. We quickly decided this was a bad idea. We also considered “disabling” the chip by drilling a few holes through it with a Dremel tool or by melting it a bit with a soldering iron.
I'm an amateur in electronics, and I would consider using a heat gun to desolder the BGA-looking chip (which basically means I know what a heat gun does and I know what BGA looks like). The article author's skill level is "I saw some electronics once".
True. But you could transmit a variety of RF frequencies at the device and try to detect resonance in the antenna. Unfortunately WiFi uses direct conversion rather than IF demodulation, but there is no reason to assume a covert transmitter would use wifi, which is easily spotted by off the shelf equipment. https://youtu.be/ZxyU_1xUOWc
Not sure why you were down voted. The test only showed removing the chip disabled the camera. The chip BCM15700A2 is a WLAN/Bluetooth chip used on Intel 8260 cards and lots of Dell laptops.
There is a Linux kernel driver written for this chip used for 802.11a wireless.
The 15700 is a PCIe bridge and PLX chip with some signal conversion capabilities it was never even designated as a wireless chip heck we have apple’s manuals:
338S1186
1
IC,BCM15700A2,S2 PCIE CAMERA PROCESSOR
U3900
CRITICAL
5 digit part numbers are Broadcom’s “IP bridge SoC” the BCM15900 on the iPAD pro for example handles the eDP connection with the screen IIRC and the digitizer function.
If you really need an air gapped computer, wouldn't it make a whole lot more sense to build a desktop with some variety of ATX form factor motherboard that you can examine in detail to confirm that it has zero wireless functionality?
A Macbook Air, which is pretty much designed as a wifi-dependent network terminal, would be way down my list of hardware I would choose if I had to build an airgap lab environment.
I would start with a Librem laptop as this is exactly the point of them. Hopefully all you'd have to do is verify the killswitch works as advertised. disclaimer: typing on one now.
You could probably get an okay transmit-only signal with fairly unremarkable on-chip hardware (say, a simple PCM) and something that didn't look too much like an antenna even if you X-ray'd the board. I'm guessing that a similarly stealthy receiver would be noticeable due to required external discrete components (e.g., amplifiers, filter networks).
Plonking down a whole chip for "secret wifi" is likely overkill.