Inside a low budget consumer hardware espionage implant (2018) (ha.cking.ch)

210 points by lelf 128 days ago

43 comments

Kliment 125 days ago

Easy way to detect this without an RF detector - use a "usb charge doctor" which is a super cheap voltage and current measurement tool for USB. If the cable draws current with nothing attached, dissect it.

Incidentally, my theory about the website and product is that this is a firmware reuse of a fleet tracking product. The manufacturer is likely an electronics manufacturing outfit that adapted the layout to match the new application but didn't have in-house firmware developers and instead reused a popular low-end fleet tracker firmware for the same chip. These are used for stuff like taxi dispatch or package pickup so you can see the entire fleet on a map and call whoever is closest to your destination. It doesn't need precise location.

    michaelt 124 days ago

    > Incidentally, my theory about the website and product is that this is a firmware reuse of a fleet tracking product.

    Yeah, there are already off-the-shelf products like [1] that combine GPS, battery and SMS sending. Presumably this product is a variant of one of those.

    [1] https://www.ebay.co.uk/itm/GPS-Tracker/223443762010

    speaker1 125 days ago

    usb-c cables seem to drain power, at least both I have, though one of them has LED.

      NullPrefix 124 days ago

      Type C cables have chips in them. Not a dumb wire. That's by design.

        antsar 124 days ago

        That design, in this context, seems bad for security...

      xoa 124 days ago

      I've never tried it now that I think about it, but how standardized is the USB-C cable drain? I would assume that, with perhaps some minimal difference for length, all normal in-spec cables would be pretty similar, but I don't actually know that and would be curious if anyone has checked a few.

      If there is a standard baseline though then the OP's advice doesn't meaningfully change, it just becomes "If the cable draws current over the baseline with nothing attached, dissect it" rather than "if it draws any at all". Any spy chip would still have to be on top of whatever else is needed to make the cable work at all, so it's not really a different problem unless standard cables have enough delta between them to hide a spy chip drain in. And even if that's true between manufacturers, if within a single manufacturer cables were pretty steady that might merely become a reason to source exclusively from one/a few reliable ones that stable baseline draws can be established for?
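The check Kliment and xoa describe (measure idle current with a USB charge doctor, then flag a cable that draws more than the baseline established for its type or manufacturer) can be turned into a small triage script. The following is an added example, not code from the thread or from the article; the readings are constructed sample values, not measured specification figures, and the per-type baseline, the `floor_ma` margin and the sigma multiplier are assumptions chosen to illustrate the approach.

```python
"""Idle-draw triage for USB cables, using a baseline per cable type.

Workflow (mirrors the thread's advice):
  1. Measure several known-good cables of each type with nothing plugged
     into the far end and record the idle current the charge doctor shows.
  2. Derive a baseline (mean + margin) per type.
  3. Flag any cable whose idle draw exceeds its type's baseline; cables of a
     type with no baseline fall back to the "any draw at all" rule.
"""
from statistics import mean, pstdev

# Constructed readings in mA from known-good cables, grouped by cable type.
# These numbers are illustrative only; build your own table from cables you trust.
KNOWN_GOOD_IDLE_MA = {
    "usb-a-to-micro-b": [0.0, 0.0, 0.1, 0.0, 0.1],   # dumb wire: essentially zero
    "usb-c-emarker":    [0.6, 0.7, 0.6, 0.8, 0.7],   # e-marker chip draws a little
}


def baseline(readings, sigmas=3.0, floor_ma=0.2):
    """Return (mean_ma, threshold_ma) for a list of known-good idle readings.

    threshold = mean + max(sigmas * stddev, floor_ma). The floor stops a very
    tight sample from producing a hair-trigger threshold a few microamps above
    the mean, which would flag ordinary manufacturing spread as suspicious.
    """
    if not readings:
        raise ValueError("need at least one known-good reading")
    m = mean(readings)
    sd = pstdev(readings)
    return m, m + max(sigmas * sd, floor_ma)


def classify(cable_type, idle_ma, known_good=KNOWN_GOOD_IDLE_MA, floor_ma=0.2):
    """Classify one cable's idle draw as 'ok', 'suspect' or 'no-baseline'.

    'no-baseline' means the type is unknown: per the thread, a dumb cable
    should draw nothing, so any draw above the floor is still reported as
    suspect in that case.
    """
    if cable_type in known_good:
        _, threshold = baseline(known_good[cable_type], floor_ma=floor_ma)
        return "ok" if idle_ma <= threshold else "suspect"
    return "no-baseline" if idle_ma <= floor_ma else "suspect"


def triage(batch, known_good=KNOWN_GOOD_IDLE_MA):
    """Classify a batch of (label, cable_type, idle_ma) tuples.

    Returns a list of (label, verdict) so the caller can decide which cables
    to set aside for a closer look (RF detector, X-ray, or dissection).
    """
    return [(label, classify(ctype, ma, known_good)) for label, ctype, ma in batch]


if __name__ == "__main__":
    # Constructed measurements for a handful of cables from a drawer.
    drawer = [
        ("cable-01", "usb-a-to-micro-b", 0.0),
        ("cable-02", "usb-a-to-micro-b", 3.5),   # draws with nothing attached
        ("cable-03", "usb-c-emarker", 0.7),
        ("cable-04", "usb-c-emarker", 4.2),      # well above the e-marker baseline
        ("cable-05", "lightning", 0.0),          # no baseline recorded for this type
    ]
    for label, verdict in triage(drawer):
        print(f"{label}: {verdict}")
```

Only cables of a type you have characterised get a meaningful "ok"; for everything else the script falls back to the stricter rule. A sensible refinement is to key the table by (manufacturer, type) rather than by type alone, which is exactly xoa's point about establishing stable baselines per supplier.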

wjnc 125 days ago

After also reading the discussion in '17. How come this is trivially easy to make, very cheap and still we have a massive stolen car problem in Europe? Some cars in my country have >1% chance of getting stolen in a given year. The incentives must be off somewhere? This is a device that could only be triggered after theft, thus hardly any privacy concerns, and still give quite a good location (perhaps improved with GLONASS and other satellites). They can't be found easily (so small, only transmissions after stealing) and placed on any given wire in the car. Seems only beatable by placing the car in a cage after theft.

    michaelt 124 days ago

    According to [1] in the UK car thefts peaked in 1993 at 36 incidents per thousand car-owning households, and it's now dropped to 4.

    Is there really still a massive stolen car problem?

    [1] https://www.bbc.co.uk/news/business-47023003

      toyg 124 days ago

      Anecdotally, there are still a few issues for the extreme ends of the market - luxury (high effort, high returns) and bangers (very low effort, typically cut for parts). Anything in between (“sensibly priced cars”, to use a clarksonism) is too much effort and risk for not enough returns.

      But yes, it’s nowhere as bad as it was in the ‘80s/‘90s. This has to do with social changes (the drop in heroin use and crime, and general improvement in living standards) as much as with technological ones (alarms installed by default, electronic locks on injection).

    pjc50 124 days ago

    Various services exist for this already, but someone has to pay the ongoing SIM fees. Criminals are also surprisingly good at removing them, and the higher value cars are usually stolen with the keys and then immediately containerised for export.

    Or the cars are stolen for use in some other crime and then abandoned, sometimes even before the owner knows about it.

    2rsf 125 days ago

    The Israeli Ituran has a similar service for cars, although I think they are based on cellular location and not GPS. There are a few problems with that though: thieves know where and how to disable the device; even if you can locate the car you need someone to go and fetch it, and most of the time this will be in a place you don't want to go to alone; and a problem unique to Israel is that thieves can cross the border to the Palestinian Authority before you can deploy any police force to stop them.

      Scoundreller 124 days ago

      No exit controls in Israel? Or not enough time to get the car on a list?

        cnlevy 124 days ago

        There are no exit controls. And you can be sure that after 2 hours of theft, your car has already been taken apart and sold.

    bouk 124 days ago

    > we have a massive stolen car problem in Europe

    Any kind of generalization like that for all of Europe is bound to be wrong

      swarnie_ 124 days ago

      If you trust the RAC around 110k cars were stolen last year in the UK out of 38+ million.

      Assume all cars are created and stolen equal that's not really a massive problem in my world.

    jstanley 124 days ago

    > This is a device that could only be triggered after theft, thus hardly any privacy concerns

    How would the car know when it has been stolen?

      hoseja 124 days ago

      I assume by you sending it an activation SMS.

        jstanley 124 days ago

        That would imply an always-on mobile phone connection inside the car, which is bad for privacy because now the phone company knows the car's rough location at all times.

          sanlyx 124 days ago

          It does not matter for the 90% of the people who do not turn on airplane mode in their phones when they get in the car.

    amelius 125 days ago

    By the way, I think such devices exist for pets.

      2rsf 125 days ago

      They do. I developed the basis for a pet tracker more than 10 years ago; actually the highest cost for them is the cellular plan and monthly service fees for the service.

        Scoundreller 124 days ago

        I wish every wifi network just had a 64kbps always-open connection that anyone could use. But I guess we can’t have nice things unless it’s a pay-product by a telecom.

          auto 124 days ago

          At first read I was ready to write this off as a legal nightmare, but it’s interesting as a service concept. Run a router that supports this always-open (or rather, widely known auto mechanism) protocol, maybe get some kickback.

          That said, low data SIM cards are getting more and more feasible. My stepdad runs an android at a remote location for weather data, and with something like hourly, double digit count byte uploads he stays under the monthly limit to where the sim is essentially free.

            Scoundreller 124 days ago

            I figure running it through Tor would fix the legal issues in exchange for ethical ones.

            At the consumer level, low data SIMs in Canada aren’t price competitive, hence my desire to cut out télécoms wherever possible.

            Indeed, Free.fr lets their mobile customers connect to any of their fixed-network subscribers’ wifi with appropriate segmentation.

            Educational users can connect to eduroam at any participating institution.

            I think Fon tried to go down this road, but no go.

DigitalTerminal 125 days ago

Cool. I'm suddenly conscious of all the USB plugs that exist in my immediate surroundings.


jf 125 days ago

What's a good RF detector to get? This post ends with the author pointing out that the implant can be detected with a cheap RF detector. I'm interested in getting myself an RF detector to play with but I'm overwhelmed by what I see on Amazon.

    Tepix 124 days ago

    A CC308 from AliExpress is one of the cheapest options at less than $7.

      monkeynotes 124 days ago

      Plot twist, cheap Chinese RF detector has snooping built in, turns off radio when RF detector is in use, silently goes back to reporting when unit is not in use.

      You can't beat a determined opposition casually.

HeraldEmbar 124 days ago

I think I'm going to run 50 volts through all my usb cables when I get home.

    gruez 124 days ago

    Sounds like a great way to fry your Lightning and USB-C cables, as the former has an MFi chip and the latter has a pull-down resistor.

      Scoundreller 124 days ago

      I guess the secure solution is to carry around your own X-Ray verified lightning-USB dongle and high voltage fry any dumb cable you find yourself needing.

        edoo 124 days ago

        Or always buy two and dissect one.

    danesparza 124 days ago

    And why 50? That's so arbitrary. Why not 120? Or 240? Or 9?

      antsar 124 days ago

      (IANAEE) 120 and 240 are a bit more painful when mistakes happen. And 9 seems too low (normal USB voltage is 5, so 9 might be within safety margins).

        bb88 124 days ago

        It's probably just his DC power supply he has handy.

        As far as 120/240 thing, if you have a component not meant for that kind of voltage, it might fail open, or it might fail short.

        If it fails short, high amounts of current might be allowed to flow through other components which would carbonize so even more current would flow. And maybe catch fire.

        danesparza 124 days ago

        "120 and 240 are a bit more painful when mistakes happen" ... aaah. That sounds like the voice of experience.

        Man, I love the internet.

        TheCraiggers 124 days ago

        My phone charges at 9v over USB-C so I would imagine it would be just fine.