Hardware Implants (securinghardware.com)
36 points by okket on Oct 4, 2018 | 18 comments


A pencil point is a tapering edge, so I'm assuming the author is considering <1mm for "fully capable computer the size of a pencil point" being unreasonable.

Microcontrollers are not a huge amount larger than that any more:

- Cortex-M4f in 1.6x1.6x0.65mm (MAX32660)

- Attiny20UUR in 1.56x1.4mmx0.50mm

Bare dies may be a bit smaller than the above.


I would note that thinning and encapsulation of bare die allows typical thicknesses of <200um. Now, if you need an SMT package and a (F)PCB then everything blows up to mm total thickness. Note also that typical minimum dicing width is 6-700um and your micro's layout could be re-done to be a more toothpick 3x0.66x0.2 size. Still, gotta get power in and signals out, but conformal parylene will cover ACF or wirebonds.


You can put a lot of tsvs across the border of IC and grind up to them, hoping that the wire will bond to at least one of them. And if you do bonding by hand, you can bond right to the metal if the oxide below is thick enough.


The discoverability of a hardware hack as reported makes the whole thing fail to ring true for me.

As Joe alludes to, why do something so discoverable when there are numerous other attack vectors that would preserve plausible deniability?

It appears close to a one-time trick, if you’re China. Once the trust is gone, it’s not coming back. Supply chains are already coming back home due to automation and consequently less reliance on cheap manual labour.

The case would have to be compelling - something that could not be achieved otherwise. That case is yet to be made.


When you ask "why would they?" you can intuit a seemingly good case either way that they would or wouldn't (maybe they would because they're incompetent.)

Instead of relying on intuition, a more to-the-point question is "did they do it?" We have to wait for a definitive answer to this from the authorities.


No, we’ll have to wait for some definitive proof.


Coincidentally, Joe Fitzpatrick was also one of the experts cited in the Bloomberg article. It would have been great to see this kind of technical perspective in the Bloomberg article! Joe clearly has value to add to the conversation and it is disappointing that Bloomberg chose to leverage his credentials in the hardware security community to add fluff to their article instead of any real insight. Same with using Joe Grand as well.


BMC threats are a sufficient reason to avoid server class hardware for some people. They even contain public remotely exploitable vulns.


I love follow-ups like this from experts like Joe. However, he seems quick to dismiss a couple things as improbable due to cost. I don’t know, but I wouldn’t be so sure considering we’re talking a nation-state actor here.


I've got titanium nails (controlled through magnet remote) in bone which helped me increase my height from 5'8 to 6'2 my dream height.

The method is called distraction osteogenesis where bone is cut obliquely and distanced 0.8mm a day.

I got both femur and tibia through the procedure in both legs to preserve the biomechanics which have to do with the femur to tibia ratio.

That said, I don't feel anything. But this change has tremendously helped me gain confidence. So, my athleticism isn't affected in any way.

I always had technical competence but was sidelined because of my lack of confidence due to my below average height.

I saw some really tall guys without any degree getting the role which I had experience/qualification for without any issue.

Today, I am a CEO of a small company and no longer insecure :)


Your comment bot is acting up


My thoughts exactly, it was a nice try though, maybe a next version could actually parse the article in order to find the most prominent keywords/topics instead of relying on just the title.

I'm pretty sure this comment would have gathered a number of comments / upvotes if it was in the right context.


Titanium rod in my bone marrow cavity qualifies as an implant :)

That's another HN lesson for all, not everyone goes through the linked article and it's perfectly reasonable to do so :)


Implant can refer to: https://en.m.wikipedia.org/wiki/Implant

This thread is about implanting malicious chips in hardware, specifically motherboards, see the "The Big Hack" story by Bloomberg, all over the place, most recent discussion is currently #1 on the front page here:

https://news.ycombinator.com/item?id=18145815


This sounds both like an advert and a terrifying solution to a particular kind of body dysmorphia insecurity.


Yeah, it's a major procedure. I had just one inch done on a femur due to a growth plate fracture that had left the leg a little shorter than the other leg, and it wasn't fun. The growing pains were the worst.


How much did that cost you???


100K



