[HN Gopher] A low budget consumer hardware espionage implant (2018)
___________________________________________________________________
A low budget consumer hardware espionage implant (2018)
Author : fanf2
Score : 318 points
Date : 2024-05-15 06:24 UTC (16 hours ago)
(HTM) web link (ha.cking.ch)
(TXT) w3m dump (ha.cking.ch)
| rado wrote:
| TLDR; a GSM listening and location device hidden inside the plug
| of a standard USB data/charging cable
| morjom wrote:
| So pretty run of the mill stuff for cable mods?
| no_time wrote:
| Using SMS as the control protocol seems like a bad idea. You are
| generating evidence with each command sent that may or may not be
| stored practically forever by the telcos.
| axegon_ wrote:
| That is valid for any centralized service in general. Fun fact:
| I am working on something in that field in my spare
| time (whenever I have both time and motivation) and I opted for
| LoRa instead specifically for that reason, even though it comes
| with a wide range of limitations: payload, range is determined
| by line of sight, no multiplexing and all that. But I did make
| some real world testing late last year and the range I got was
| REALLY impressive. Easily 20% above what the manufacturer had
| put in the spec sheet - 12 and a half kilometers with an off
| the shelf dev board.
| snovv_crash wrote:
| The 900MHz bands also have much better penetration. But even
| the 2.4 LoRa are a huge step up from the other chips I've
| seen, e.g. TI CC2500.
| axegon_ wrote:
| True, well I'm in the EU so 868MHz in my case. Still, it is
| very susceptible to external conditions. It truly is a hit
| or miss. Personally I host a Things Network
| gateway (indoors), I live on the last floor of a building at
| one of the highest points in the city and it is still very
| inconsistent when I've been fiddling with it. Back when I
| was doing my tests a few months ago I took a micro
| controller with a LoRa module up on the roof so those truly
| were ideal conditions. I have yet to test the CC2500.
| Maxious wrote:
| Note that SMS is the protocol advertised to buyers but the
| unadvertised login credentials for the web portal let you
| manage the device without SMS
| no_time wrote:
| If I understand correctly you need at least one SMS to know
| the credentials to the web portal. That's probably enough to
| get caught if someone finds the device.
| franga2000 wrote:
| If you can get an unidentifiable SIM for the tracker, you
| can also get one + a burner phone for yourself. And if
| someone is stupid enough to not do that or to turn on
| either device in an identifiable location, they're beyond
| help.
| pmx wrote:
| Wouldn't someone using this sort of thing also buy a cheap
| burner phone and throw-away sim card? They're easy to buy with
| cash and you don't need to register them or anything to use
| them. Supermarkets in the UK even sell sims with credit already
| loaded onto them.
| netsharc wrote:
| I can't imagine the UK doesn't have laws to prevent anonymous
| SIM card purchases, because of terrorism fears.
|
| Some duckduckgo-ing suggests it's possible, e.g. someone
| wrote just go to Tesco to get one and there are no ID checks
| (but this was written 6 years ago). In any case, just like
| teenagers buying booze, it's probably not that hard to pay
| someone off the street to buy one for you.
| eythian wrote:
| It's very country dependent. In NL, NZ, and UK (as of
| several years ago when I last did that) for example, no ID
| checks are required. In AU they are.
| Mo3 wrote:
| NL here, no ID check whatsoever
| almostnormal wrote:
| As long as there are no ID checks required for roaming
| and there is at least one country without ID checks, any
| ID check for local SIMs is security theater only.
| grishka wrote:
| In Russia they would ask for your internal passport (aka
| the "ID") and put your name, birth date, and registered
| address into their database. It's illegal to sell sim
| cards without that.
|
| When I traveled to Europe recently and bought a French
| tourist sim, the carrier warned me multiple times that I
| need to provide my identity to continue using it beyond
| 30 days.
|
| In UAE it's about as strict as in Russia.
| bdavbdav wrote:
| Yep. When I tried to get a SIM in India, it was a
| nightmare as a non-national. I had to get a local
| colleague to get one.
| Crosseye_Jack wrote:
| No ID is required to buy a pay as you go SIM card in the
| UK. Just walk into any supermarket or pretty much any
| corner shop and they will sell you a SIM for a quid at
| most. (You can also get them for free from the networks
| directly on their websites, but now they know the address
| the SIM was sent to.)
|
| Top up credit is the same: ask the counter staff for £x on
| network Y and once you have paid they will give you a
| printed receipt with a code on it for your desired amount.
|
| It's not really seen as a "national security issue" because
| most people don't practice perfect opsec and leave enough
| details and fingerprints behind.
|
| And an ID check ain't going to prevent anyone from getting
| hold of a sim via other means (like you said, pay someone
| on the street as just 1 example)
|
| Now, try and access porn on that SIM card? Well hold on
| there, now we need to know who you are!!! (Though you can
| often blag your way around this via social engineering the
| CS agent on the phone. Or just bypass the block by using a
| VPN/Change DNS settings.)
|
| Same for the phones themselves.
| willcipriano wrote:
| I thought I read you could buy "adult verification cards"
| by going to a newsstand and presenting ID that is
| potentially verified by the seller (if you appear
| underage) but not recorded. Like alcohol or tobacco
| purchases are in the US.
| Crosseye_Jack wrote:
| There were plans for that (and as another kick in the
| teeth, those porn-passes would expire; want more porn? Go
| buy another pass!), but those plans got shelved because
| they finally figured out it was a dumb idea. Though "we
| got to protect the kids" does keep popping back up every
| now and then.
|
| (It wasn't the only way to verify your age, it was "just"
| meant as a way to prove age to a site without having to
| share your ID/Credit Card with that site, as not every
| adult has an ID/Credit Card)
|
| As of right now every pay as you go SIM comes with adult
| filtering enabled; you are then asked to prove your age
| in a number of ways to the provider to disable the block.
| This can be by using a credit card, or by popping into
| one of the provider's stores (if they have one). The last
| PAYG provider I unblocked adult content on used AI to guess
| my age from a selfie and no ID was required (the
| verification promised to not store my photo after
| verification; you kinda have to take them at their word
| for that, but breaking such a promise would land them in
| trouble with the ICO). I have on at least 2 occasions got
| the block disabled just by having a chat with a
| customer service agent on the phone, however that was
| about 5ish years ago; that provider may have changed up
| their methods in the years since.
|
| Contract plans tend to give you the option when signing
| up if you want the adult content block or not, because on
| contract plans the account holder has to be 18 years old
| to sign up, but they also know that parents will take out
| contract plans for their kids to get a better deal on the
| phone/plan so the option is there for the parents to
| apply it / remove it as they deem fit.
|
| Same goes for the larger fixed line ISPs; during sign up
| you are asked if you want adult content filtering or not
| (some will also offer more categories to filter such as
| gambling, social media, etc etc etc), but it's only the
| larger ISPs that have to do this (iirc it's not a legal
| requirement, but something the industry agreed to to
| avoid it becoming a legal requirement, however it's been
| that long my memory could be faulting me on that). The
| smaller ISPs don't have to do so and some of them (A&A
| for example) pride themselves on not filtering the
| internet for their customers.
|
| The crazy thing is on all the providers I have used
| (however I've not tested every provider), the filtering
| seems to be done pretty much always at the DNS level;
| change your DNS settings to anything other than the
| provider's and you are able to bypass the parental
| controls.
|
| Sky iirc (it's been a while since I have used them) did do
| some deep packet inspection on filtered sites, but if the
| site was hosted behind the likes of Cloudflare they only
| blocked at the DNS level for that site so as not to cause
| any issues with any other sites hosted behind that proxy.
|
| EDIT: Oh one thing I remember from when I had to use Sky
| for a brief period about 6 months ago, they "somehow"
| (not actually looked into how they do so, a couple of
| ways they could do this pop to mind, I just never dug
| into it) pass along your filter status to Google and Bing
| when you do a search, so if you had adult filtering
| enabled at the ISP level Google would force enable
| safe-search on their end.
| fullspectrumdev wrote:
| You can literally go into almost any corner shop in the UK
| and buy a SIM with no ID and cash.
|
| I do this regularly.
| aembleton wrote:
| Are you regularly swapping SIMs? Are you keeping the same
| IMEI number?
| alibarber wrote:
| If you're hacking around with phones or GSM boards for
| fun, on and off, it is cost effective to just grab one
| for a pound or so every time you want to do something as
| they sometimes come with a tiny bit of free data, or just
| a number to receive SMS on at least.
|
| If you don't top up (with say a tenner) within some
| months the card deactivates and becomes useless, so it's
| a no-commitment way to access the GSM network.
| gwbas1c wrote:
| That's assuming you're using it for spying.
|
| A completely honest use of this is to track your car, (or other
| device with a USB port) in case of theft.
|
| If I had one of the Kias or Hyundais that were easy to steal,
| I'd totally slip one of these into the car.
| jandrese wrote:
| The caveat being that these things are only doing cell tower
| triangulation, and not even a good job of it. So all it will
| be able to tell you is that your car is somewhere on the east
| side of the city or so. Although you will be able to listen
| in on the conversations of the car thieves and might pick up
| a clue from that.
|
| Realistically, these are 100% for stalking/espionage.
| throwaway11460 wrote:
| I took the exact opposite conclusion from this information.
| How is it useful for stalking if it doesn't give more exact
| location? On the other hand if I'm looking for my own car
| that somebody took out of the city, this at least gives me
| a general idea of its location.
| jjk166 wrote:
| For stalking/espionage, approximate locations (especially
| which can be refined over long observation periods and
| combined with other data) are often fine. Patterns like
| when does someone leave for work, what shifts do they
| work, where do they go on weekends, etc can be quite
| apparent.
|
| If your car is stolen, what good is knowing the general
| location?
| throwaway11460 wrote:
| Hmm, I guess my eurothinking is showing. I work and live
| within a 5 km radius. I guess in the US you can get much
| more useful that's even though it's approximate.
|
| If my car is stolen and taken away, at least I can call
| that city/country police instead of waiting when it gets
| through the bureaucracy.
| codedokode wrote:
| Its packaging says "data cable", not "car tracking
| device". Why would they use misleading packaging that the
| thieves would never see? Obviously it is meant to be used
| as a present, or for example, for an employee bringing
| this "cable" to work.
| PaywallBuster wrote:
| can't find in aliexpress?
| Cthulhu_ wrote:
| What is your question?
| haunter wrote:
| Where to buy one. The article says they bought it on
| Aliexpress but there are no sellers.
| mkoryak wrote:
| You did not look hard enough. Use the search "GPS tracker
| charger" to get started. They still exist in there.
| huhtenberg wrote:
| Needs (2017) in the title.
| MandieD wrote:
| I put (2018) because it was updated in January 2018.
| thefz wrote:
| > This means anyone with access to your gpsui.net login
| credentials can control your device. A device which original
| packaging nor manual make any reference to said website.
|
| Scary.
| GordonS wrote:
| Is there some kind of device that can detect bugs like this? (I'm
| thinking of the "bug sweepers" I've seen in films)
| jf wrote:
| The article has a section on that very topic:
| https://ha.cking.ch/s8_data_line_locator/#detection
| GordonS wrote:
| Thanks; I did actually read the article, but missed this
| section (and likely some others) as the page doesn't work
| well on mobile.
| pbmonster wrote:
| The article covers that under the section "detection".
|
| TL;DR: You can easily detect it while it communicates via GSM,
| and the device is also shielded quite badly, resulting in lots
| of easily detectable RF interference while it works.
|
| All you need is a cheap RF detector. Having access to a full
| spectrum analyzer or a SDR will make this even easier.
|
| All this gets much harder while the thing lies dormant, waiting
| for noise activation or commands. So the "quick bug sweeps" you
| see in the movies are more difficult.
| Cthulhu_ wrote:
| We used to have keychain lights that would start to blink
| whenever a nearby phone went off, I can imagine it could be
| set off by a device like this lol.
| ChrisMarshallNY wrote:
| _> So the "quick bug sweeps" you see in the movies are more
| difficult._
|
| Not if the sweepers are talkative (assuming that the device
| is sound-activated).
| alexey-salmin wrote:
| Good ones record long spans of audio, then transmit them in
| short infrequent bursts outside of working hours. You can
| leave GSM recording equipment overnight and analyze logs,
| but even when you see it in the logs it'll be hard to
| locate the device physically when it's not transmitting.
| lupusreal wrote:
| > _So the "quick bug sweeps" you see in the movies are more
| difficult_
|
| Isn't that what nonlinear junction detectors are for?
| pbmonster wrote:
| Sure, the question is if you're surprised to get a positive
| from a USB cable. Wouldn't be surprised to find a diode
| inside there...
| lupusreal wrote:
| When in doubt, rip it out. If you suspect bugs, then get
| rid of any suspicious cable you can't prove the
| provenance of.
| Cthulhu_ wrote:
| I posted this on my Discord, one of our members is a security
| guy and pointed out that anyone concerned about things like
| this would be using a device called a NLJD, Non-Linear Junction
| Detector: https://reiusa.net/nljd/, which can detect circuit
| boards:
|
| > The NLJD antenna head is a transceiver (transmitter and
| receiver) that radiates a digital spread spectrum signal to
| determine the presence of electronic components. When the
| energy encounters semi-conductor junctions (diodes,
| transistors, circuit board connections, etc.), a harmonic
| signal returns to the receiver. The receiver measures the
| strength of the harmonic signal and distinguishes between 2nd
| or 3rd harmonics. When a stronger 2nd harmonic is represented
| on the display in red, it indicates an electronic junction has
| been detected. In this way, a hand-held ORION is used to sweep
| walls, objects, containers, furniture, and most types of
| surfaces to look for hidden electronics, regardless of whether
| the electronic device is turned on.
| GordonS wrote:
| Exactly the kind of thing I was looking for! Although, I
| guess for a bug hidden within an electrical device (like that
| in the article), this approach wouldn't work?
|
| I wonder how well these work against shielding? Might it be
| possible to build your own device like this?
| lazide wrote:
| It would 'work' - but not be useful, because you'd already
| expect a circuit in that location.
| oasisaimlessly wrote:
| No; USB2 cables are passive and shouldn't have any
| circuitry.
| lazide wrote:
| On the keyboard and the USB controller on the host (right
| next to the port) however...
|
| So unless they're dumb enough to put it literally in the
| middle of the cable? My point stands. These tools don't
| typically have the resolution to tell.
| owl110 wrote:
| If not already out there, soon there possibly will be compromised
| cables with 802.11ah built-in. Given its low cost, low power
| requirements and the considerable range of the technology, it
| will be difficult to protect against unfortunately.
| rbanffy wrote:
| I've been playing with the idea of eye prosthetics for that
| purpose. At this point, a camera, battery, storage, and radio can
| all fit inside an aesthetic prosthesis and give it some
| functionality in itself or augmented by a smartphone.
| deely3 wrote:
| Something similar to this?
| https://www.instagram.com/bsmachinist/ Sorry for IG link.
| rbanffy wrote:
| That's very neat. The projector idea is particularly cool.
| airbreather wrote:
| An even easier one would be a modified keyboard.
|
| Anyone could fit an esp32 into a keyboard, swap it out, leave it
| lying around, sniff keystrokes, access with Bluetooth or WiFi,
| could have it only have the radio on for certain windows in time
| etc.
| jbosh wrote:
| Hard part there is getting the wear and tear from oils in your
| hand to look identical.
|
| Although maybe most people don't pay attention to that.
| seniorivn wrote:
| just put it inside the original keyboard
| greggsy wrote:
| Pop and swap the keycaps
| gcr wrote:
| Dirty keys on a pristine keyboard is a dead giveaway.
| Scoundreller wrote:
| The other thing that's hard to get right is the weight.
|
| Hard to find material in most things today to remove to even
| out the added weight of an implant.
| ttyprintk wrote:
| The mouse is more commonly swapped in situations with physical
| access. Without physical access, those non-Bluetooth wireless
| mice (with their own RF dongle) are vulnerable to remote
| keystroke injection.
| greggsy wrote:
| Especially the pre-paired ones. I'm wary of older Logitech
| Unifying dongles, but the newer Bolt platform offers a bit
| more comfort.
| caulk wrote:
| https://www.keelog.com/keygrabber-forensic/
| taf2 wrote:
| Even better use esp long range and have a receiver device
| outside maybe powered via solar... connected to cell network...
| this way no additional networks exposed internally...
| FuriouslyAdrift wrote:
| I mean... http://airdrivewifi.com/
|
| https://shop.hak5.org/products/key-croc
| dako2117 wrote:
| Isn't it way easier to get a target to use a USB device than a
| keyboard?
| playingalong wrote:
| These days most keyboards are USB devices.
| codedokode wrote:
| Yes but giving a keyboard as a present is more suspicious than
| just a harmless data cable.
| lofaszvanitt wrote:
| I always wondered what if an SSD can surreptitiously funnel out
| the data it has on a secure channel, unbeknownst to the owner...
| Maybe all that would indicate the backdoor is some slight (?)
| change in the throughput speed.
| gruez wrote:
| This is easily mitigated with full disk encryption.
| lofaszvanitt wrote:
| You don't get it.
| Cthulhu_ wrote:
| If someone has physical access to a device containing secure
| information, you're already boned. Thankfully, very few people
| are targets of surveillance / espionage like that.
| lofaszvanitt wrote:
| I mean it's built into silicon into all SSDs.
| cheschire wrote:
| If you have the ability to disassemble your electronics, do so!
| Do a DDG search for the identifiers on all the chips. You will
| learn a lot.
| lioeters wrote:
| As I learned when I was a child taking apart electronics, the
| hard part is reassembling them, haha. Taking photos of the
| disassembly steps can be helpful in remembering how the parts
| fit together.
| bagels wrote:
| Too many plastic enclosures are assemble-only, requiring
| destruction to disassemble.
| bottom999mottob wrote:
| The free market did a terrible job incentivizing
| disassembly... Can't count how many no-screw assemblies have
| triggered me.
|
| The right-to-repair situation is a joke right now with
| automotive, consumer electronics, and appliances.
| coupdejarnac wrote:
| Assemblies with a lot of screws require manual labor,
| thereby increasing cost. I think what you actually mean is
| stuff that is specifically designed not to be serviced by
| being held together with glue, etc.
| throwawayqqq11 wrote:
| Would it be possible to shield the host device while frying the
| GSM antenna with selected frequencies?
|
| Kind of preemptive sanitization of new hardware.
| jcims wrote:
| Lots of cables have chips in them these days.
| lostemptations5 wrote:
| But not specific ones
| philprx wrote:
| What other equipment is similar to this one but different?
|
| There seem to be many GPS location trackers on the market; are
| they all based on the same hardware?
| vzaliva wrote:
| In screenshots he uses Signal messenger to talk to the device.
| How was this achieved?
| landgenoot wrote:
| Signal supports SMS as well.
| anigbrowl wrote:
| Not since a couple of years ago, unfortunately. Now I have to
| use a separate app for SMS and often miss messages.
| smarx007 wrote:
| https://signal.org/blog/sms-removal-android/ ?
| dang wrote:
| Related:
|
| _Inside a low budget consumer hardware espionage implant (2018)_
| - https://news.ycombinator.com/item?id=20190251 - June 2019 (43
| comments)
|
| _Inside a low-budget consumer hardware espionage implant_ -
| https://news.ycombinator.com/item?id=15676737 - Nov 2017 (92
| comments)
| codedokode wrote:
| Its packaging doesn't mention that it is a tracking device so I
| guess the intended usage is a present, for example, at a business
| meeting or to a child, a relative?
___________________________________________________________________
(page generated 2024-05-15 23:01 UTC)