To be fair, this story is basically an ad, but a pretty good one, and many featured HN stories are really marketing. Personally, I don’t mind marketing stuff, if it’s interesting and relevant (like this).
But the fact that most comms cables, these days, have integrated chips, makes for a dangerous trust landscape. That’s something that we’ve known for quite some time.
BTW: I “got it right,” but not because of the checklist. I just knew that a single chip is likely a lot cheaper than a board with many components, and most counterfeits are about selling cheap shit, for premium prices.
But if it were a spy cable, it would probably look almost identical (and likely would have a considerably higher BOM).
That tickled a memory of a video... and I hunted it up.
Adam Savage's Tested : Look Inside Apple's $130 USB-C Cable - https://www.youtube.com/watch?v=AD5aAd8Oy84 (1 minute in "we've been saying that our phones have more computing power than the Apollo guidance computer but I'm positive now that this cable has more computing power than the Apollo guidance computer")
That video is a look at cables (not just Apple's) with Lumafield's CT Scan.
I also got it right, but for the entirely wrong reasons!
I assumed the "suspicious" cable was a spy cable, and then guessed that the bigger integrated circuit was probably responsible for doing secret spy stuff, while the smaller circuit up top was all that was needed for ordinary cable work. Turns out the cables do basically the same thing (no fancy spying!), and one is just cheaper.
Huh! I originally thought the bottom one was authentic because the main IC looked a lot “nicer”. Then I saw the jumble of wires to the right and rethought.
If you look at enough cheapo/handmade circuit boards you'll notice they often look like the bottom one. Cramped, untidy, or otherwise odd trace layout, poor part placement, poor soldering. The top one - although looking less space efficient because there's more going on - is layed out better. The design just flows in a way amateur designs don't.
If you look closely at the bottom one, almost all the components are slightly askew, while the top one has everything at neat 90 degrees. And a smaller IC almost always means the more modern/expensive IC. Same for the other components. In fact, the top one has a much higher component count, the small components just don't show up well (look at the pads though).
I have a slow burn project where I simulate a supply chain attack on my own motherboard. You can source (now relatively old) Intel PCH chips off Aliexpress that are “unfused” and lack certain security features like Boot Guard (simplified explanation). I bought one of these chips and I intend to desolder the factory one on my motherboard and replace it with the Aliexpress one. This requires somewhat difficult BGA reflow but I have all the tools to do this.
I want to make a persistent implant/malware that survives OS reinstalls. You can also disable Intel (CS)ME and potentially use Coreboot as well, but I don’t want to deal with porting Coreboot to a new platform. I’m more interested in demonstrating how important hardware root of trust is.
I don't want Boot Guard or any of that DRM crap. I want freedom.
I want to make a persistent implant/malware that survives OS reinstalls.
Look up Absolute Computrace Persistence. It's there by default in a lot of BIOS images, but won't survive a BIOS reflash with an image that has the module stripped out (unless you have the "security" of Boot Guard, which will effectively make this malware mandatory!)
I’m more interested in demonstrating how important hardware root of trust is.
You mean more interested in toeing the line of corporate authoritarianism.
Well, this project is literally about me circumventing/removing Boot Guard so I don’t know how it’s corporate authoritarianism. I’m literally getting rid of it. In doing so I get complete control of the BIOS/firmware down to the reset vector. I can disable ME. To me, that’s ultimate freedom.
As a power user, do I want boot guard on my personal PC? Honestly, no. And we’re in luck because a huge amount of consumer motherboards have a Boot Guard profile so insecure it’s basically disabled. But do I want our laptops at work to have it, or the server I have at a colocation facility to have it? Yes I do. Because I don’t want my server to have a bootkit installed by someone with an SPI flasher. I don’t want my HR rep getting hidden, persistent malware because they ran an exe disguised as a pdf. It’s valuable in some contexts.
> You mean more interested in toeing the line of corporate authoritarianism.
That’s not what I got from their post. After all, they’re putting in some effort to hardware backdoor their motherboard, physically removing BootGuard. I read it as “if your hardware is rooted then your software is, no matter what you do.”
> I want to make a persistent implant/malware that survives OS reinstalls.
You want to look into something called "Windows Platform Binary Table" [1]. Figure out a way to reflash the BIOS or the UEFI firmware for your target device ad-hoc and there you have your implant.
> You want to look into something called "Windows Platform Binary Table" [1].
Is this how various motherboard manufacturers are embedding their system control software? I was helping a family friend with some computer issues and we could not figure out where the `armoury-crate` (asus software for controlling RGB leds on motherboard :() program kept coming from
Only works if the target is running Windows (paranoid people might be on Linux), so you'd probably want to slip in a malicious UEFI driver directly. Tools like UEFITool can be used to analyze and modify the filesystem of a UEFI firmware image.
The suspect cable actually seemed to have better strain relief for wire connections and more solder on the USB A connector (transfers mechanical stress better), even though the author pointed them out as features of the authentic cable.
That tangle is not strain relief. Those wires are buried in injection-molded plastic. Pull on them and those loops will not stretch as they are in solid plastic. What they will do is potentially result in unwanted cross-talk between wires as loops start acting as antennas.
Yeah - these [0] kinds of cables are so extremely scary.
"The O.MG Cable is a hand made USB cable with an advanced implant hidden inside. It is designed to allow your Red Team to emulate attack scenarios of sophisticated adversaries"
"Easy WiFi Control" (!!!!!)
"SOC2 certification"? Dawg, the call is coming from inside the house...
Just to be clear suspicious in this sense is a cable that is likely counterfeit and wasn't able to do high speed transfer unlike the genuine known good one.
I could spot the clone because I'm familiar with the form factor of the FTDI IC, and I'm familiar enough with the datasheet to spot the expected passives.
I'm not too keen these days with FTDI's reputation for manipulating their Windows device drivers to brick clones. So, while I'm familiar with their IC, I don't give them any more money. The next time I need a USB to serial cable, I'll bust out KiCad to build it using one of the ubiquitous ARM microcontrollers with USB features built in. Of course, this is easier for me, since I can write my own Linux or BSD device driver as well. Those using OSes with signing restrictions on drivers would have a harder time, unless they chose to disable driver signing.
This is how I ID'd it; I have next to zero experience with ICs, but I've opened up a lot of devices for fun or repair and the cheap stuff always has wiring haphazardly contorted like the left side on the counterfeit, like someone had to force it in there and squeeze it shut just to get it out the door.
If you've read the docs, which I'm not saying anyone is expected to, FTDI tends to put buffers on their outputs. That's what gave it away for me. The little sot-23-5 footprints.
I got it backwards because I expected the counterfeit part to use a newer process IC (less silicon area) than a possibly more reliable and perfectly suitable for serial connection speeds 'vintage' process on some long stable spin of silicon.
Why allow for newer processes on the counterfeit? They'd implement it using the least expensive, most mass produced chips possible, which are more likely to be cut from wafers hitting the sweet spot of size / feature and price crossover.
You don't need any specialized knowledge, just pick the one that looks "cleaner" and "neater" than the other.
It's sufficient to look at something as basic as the arrangement of cables on the left. The crooked electrical elements on the right are also a big tell.
This works because good—and bad—qualities correlate with each other.
To be fair, this story is basically an ad, but a pretty good one, and many featured HN stories are really marketing. Personally, I don’t mind marketing stuff, if it’s interesting and relevant (like this).
But the fact that most comms cables, these days, have integrated chips, makes for a dangerous trust landscape. That’s something that we’ve known for quite some time.
BTW: I “got it right,” but not because of the checklist. I just knew that a single chip is likely a lot cheaper than a board with many components, and most counterfeits are about selling cheap shit, for premium prices.
But if it were a spy cable, it would probably look almost identical (and likely would have a considerably higher BOM).
My apple thunderbolt 4 cable has a computer more powerful than my firs computer in it (ARM Cortex‑M0 core running at up to 48 MHz vs a 286 at 25mhz)
That tickled a memory of a video... and I hunted it up.
Adam Savage's Tested : Look Inside Apple's $130 USB-C Cable - https://www.youtube.com/watch?v=AD5aAd8Oy84 (1 minute in "we've been saying that our phones have more computing power than the Apollo guidance computer but I'm positive now that this cable has more computing power than the Apollo guidance computer")
That video is a look at cables (not just Apple's) with Lumafield's CT Scan.
I also got it right, but for the entirely wrong reasons!
I assumed the "suspicious" cable was a spy cable, and then guessed that the bigger integrated circuit was probably responsible for doing secret spy stuff, while the smaller circuit up top was all that was needed for ordinary cable work. Turns out the cables do basically the same thing (no fancy spying!), and one is just cheaper.
Huh! I originally thought the bottom one was authentic because the main IC looked a lot “nicer”. Then I saw the jumble of wires to the right and rethought.
If you look at enough cheapo/handmade circuit boards you'll notice they often look like the bottom one. Cramped, untidy, or otherwise odd trace layout, poor part placement, poor soldering. The top one - although looking less space efficient because there's more going on - is layed out better. The design just flows in a way amateur designs don't.
If you look closely at the bottom one, almost all the components are slightly askew, while the top one has everything at neat 90 degrees. And a smaller IC almost always means the more modern/expensive IC. Same for the other components. In fact, the top one has a much higher component count, the small components just don't show up well (look at the pads though).
1 reply →
I have a slow burn project where I simulate a supply chain attack on my own motherboard. You can source (now relatively old) Intel PCH chips off Aliexpress that are “unfused” and lack certain security features like Boot Guard (simplified explanation). I bought one of these chips and I intend to desolder the factory one on my motherboard and replace it with the Aliexpress one. This requires somewhat difficult BGA reflow but I have all the tools to do this.
I want to make a persistent implant/malware that survives OS reinstalls. You can also disable Intel (CS)ME and potentially use Coreboot as well, but I don’t want to deal with porting Coreboot to a new platform. I’m more interested in demonstrating how important hardware root of trust is.
I don't want Boot Guard or any of that DRM crap. I want freedom.
I want to make a persistent implant/malware that survives OS reinstalls.
Look up Absolute Computrace Persistence. It's there by default in a lot of BIOS images, but won't survive a BIOS reflash with an image that has the module stripped out (unless you have the "security" of Boot Guard, which will effectively make this malware mandatory!)
I’m more interested in demonstrating how important hardware root of trust is.
You mean more interested in toeing the line of corporate authoritarianism.
Well, this project is literally about me circumventing/removing Boot Guard so I don’t know how it’s corporate authoritarianism. I’m literally getting rid of it. In doing so I get complete control of the BIOS/firmware down to the reset vector. I can disable ME. To me, that’s ultimate freedom.
As a power user, do I want boot guard on my personal PC? Honestly, no. And we’re in luck because a huge amount of consumer motherboards have a Boot Guard profile so insecure it’s basically disabled. But do I want our laptops at work to have it, or the server I have at a colocation facility to have it? Yes I do. Because I don’t want my server to have a bootkit installed by someone with an SPI flasher. I don’t want my HR rep getting hidden, persistent malware because they ran an exe disguised as a pdf. It’s valuable in some contexts.
2 replies →
> You mean more interested in toeing the line of corporate authoritarianism.
That’s not what I got from their post. After all, they’re putting in some effort to hardware backdoor their motherboard, physically removing BootGuard. I read it as “if your hardware is rooted then your software is, no matter what you do.”
> persistent implant/malware that survives OS reinstalls
Try attacking NIC, server BMC or SSD firmware. You will achieve your goal without any hardware replacement needed.
Yeah, but that doesn’t give me a reason to use the hot air station and hot plate collecting dust on my desk ;)
2 replies →
> I want to make a persistent implant/malware that survives OS reinstalls.
You want to look into something called "Windows Platform Binary Table" [1]. Figure out a way to reflash the BIOS or the UEFI firmware for your target device ad-hoc and there you have your implant.
[1] https://news.ycombinator.com/item?id=19800807
> You want to look into something called "Windows Platform Binary Table" [1].
Is this how various motherboard manufacturers are embedding their system control software? I was helping a family friend with some computer issues and we could not figure out where the `armoury-crate` (asus software for controlling RGB leds on motherboard :() program kept coming from
2 replies →
Only works if the target is running Windows (paranoid people might be on Linux), so you'd probably want to slip in a malicious UEFI driver directly. Tools like UEFITool can be used to analyze and modify the filesystem of a UEFI firmware image.
Death approaches. Slow burn until. When Death arrives, what you are doing now will be obviously irrelevant.
The suspect cable actually seemed to have better strain relief for wire connections and more solder on the USB A connector (transfers mechanical stress better), even though the author pointed them out as features of the authentic cable.
That tangle is not strain relief. Those wires are buried in injection-molded plastic. Pull on them and those loops will not stretch as they are in solid plastic. What they will do is potentially result in unwanted cross-talk between wires as loops start acting as antennas.
Yeah - these [0] kinds of cables are so extremely scary.
"The O.MG Cable is a hand made USB cable with an advanced implant hidden inside. It is designed to allow your Red Team to emulate attack scenarios of sophisticated adversaries"
"Easy WiFi Control" (!!!!!)
"SOC2 certification"? Dawg, the call is coming from inside the house...
[0] https://shop.hak5.org/products/omg-cable
> "SOC2 certification"? Dawg, the call is coming from inside the house...
Helps corporate red teams in environments where the purchase department is... a bunch of loons.
Just to be clear suspicious in this sense is a cable that is likely counterfeit and wasn't able to do high speed transfer unlike the genuine known good one.
After they infamously started going after clones, anything branded FTDI is automatically suspicious.
USB-serial adapters are not particularly special. Dozens of other manufacturers make them.
This was a huge own-goal for their brand image.
If I buy a FTDI based adapter, it might brick, and I lack the detection skill or supply chain control to be sure that it won't happen.
If I buy a CH340 or PLwhatever based adapter, that doesn't enter the calculus.
Unless I had some explicit "only FTDI can possibly do it" need, I'm going elsewhere.
I could spot the clone because I'm familiar with the form factor of the FTDI IC, and I'm familiar enough with the datasheet to spot the expected passives.
I'm not too keen these days with FTDI's reputation for manipulating their Windows device drivers to brick clones. So, while I'm familiar with their IC, I don't give them any more money. The next time I need a USB to serial cable, I'll bust out KiCad to build it using one of the ubiquitous ARM microcontrollers with USB features built in. Of course, this is easier for me, since I can write my own Linux or BSD device driver as well. Those using OSes with signing restrictions on drivers would have a harder time, unless they chose to disable driver signing.
It helps that USB to serial is a solved problem. Plenty of manufacturers make parts that work well and don't need to try and imitate FTDI.
You don't actually need your own driver, you can just use the CDC device class.
That's true. The only advantage of writing a driver in this case is if I wanted to add functions, such as a programmable level shifter.
Jeese. I was not sure which image was the suspect one.
the one which looks cheaper to manufacture
which is definitely the second
This is how I ID'd it; I have next to zero experience with ICs, but I've opened up a lot of devices for fun or repair and the cheap stuff always has wiring haphazardly contorted like the left side on the counterfeit, like someone had to force it in there and squeeze it shut just to get it out the door.
If you've read the docs, which I'm not saying anyone is expected to, FTDI tends to put buffers on their outputs. That's what gave it away for me. The little sot-23-5 footprints.
I got it backwards because I expected the counterfeit part to use a newer process IC (less silicon area) than a possibly more reliable and perfectly suitable for serial connection speeds 'vintage' process on some long stable spin of silicon.
Why allow for newer processes on the counterfeit? They'd implement it using the least expensive, most mass produced chips possible, which are more likely to be cut from wafers hitting the sweet spot of size / feature and price crossover.
I wanted to try and figure out out before I did that. No dice.
They gave it away by saying the genuine cable was a 234 series (small basic UART) and not a 232 (big ol' 28-pin chip).
You don't need any specialized knowledge, just pick the one that looks "cleaner" and "neater" than the other.
It's sufficient to look at something as basic as the arrangement of cables on the left. The crooked electrical elements on the right are also a big tell.
This works because good—and bad—qualities correlate with each other.
Related USB-C head-to-head comparison (389 points, 2023, 219 comments) https://news.ycombinator.com/item?id=37929338
this is an advertisement for the company
This is such a nothing burger corporate ad. They purchased a cheap cable and it sucks. So let’s X-ray it and make a thought piece post about implants…
it's a serious problem
they could be regulated to expose their chip with transparent covering rather than plain dark wiring