30 comments

[ 1.9 ms ] story [ 54.3 ms ] thread
I have a slow burn project where I simulate a supply chain attack on my own motherboard. You can source (now relatively old) Intel PCH chips off Aliexpress that are “unfused” and lack certain security features like Boot Guard (simplified explanation). I bought one of these chips and I intend to desolder the factory one on my motherboard and replace it with the Aliexpress one. This requires somewhat difficult BGA reflow but I have all the tools to do this.

I want to make a persistent implant/malware that survives OS reinstalls. You can also disable Intel (CS)ME and potentially use Coreboot as well, but I don’t want to deal with porting Coreboot to a new platform. I’m more interested in demonstrating how important hardware root of trust is.

Death approaches. Slow burn until. When Death arrives, what you are doing now will be obviously irrelevant.
Yeah - these [0] kinds of cables are so extremely scary.

"The O.MG Cable is a hand made USB cable with an advanced implant hidden inside. It is designed to allow your Red Team to emulate attack scenarios of sophisticated adversaries"

"Easy WiFi Control" (!!!!!)

"SOC2 certification"? Dawg, the call is coming from inside the house...

[0] https://shop.hak5.org/products/omg-cable

it's a serious problem

they could be regulated to expose their chip with transparent covering rather than plain dark wiring

Jeese. I was not sure which image was the suspect one.
You don't need any specialized knowledge, just pick the one that looks "cleaner" and "neater" than the other.

It's sufficient to look at something as basic as the arrangement of cables on the left. The crooked electrical elements on the right are also a big tell.

This works because good—and bad—qualities correlate with each other.

Just to be clear suspicious in this sense is a cable that is likely counterfeit and wasn't able to do high speed transfer unlike the genuine known good one.
this is an advertisement for the company
To be fair, this story is basically an ad, but a pretty good one, and many featured HN stories are really marketing. Personally, I don’t mind marketing stuff, if it’s interesting and relevant (like this).

But the fact that most comms cables, these days, have integrated chips, makes for a dangerous trust landscape. That’s something that we’ve known for quite some time.

BTW: I “got it right,” but not because of the checklist. I just knew that a single chip is likely a lot cheaper than a board with many components, and most counterfeits are about selling cheap shit, for premium prices.

But if it were a spy cable, it would probably look almost identical (and likely would have a considerably higher BOM).

I also got it right, but for the entirely wrong reasons!

I assumed the "suspicious" cable was a spy cable, and then guessed that the bigger integrated circuit was probably responsible for doing secret spy stuff, while the smaller circuit up top was all that was needed for ordinary cable work. Turns out the cables do basically the same thing (no fancy spying!), and one is just cheaper.

I got it right too. But for an entirely naive reason. The smaller the components the more complex machines you would need - more expensive. Plus the more wiring on the io 3 vs 3+
I felt the same way reading this. A fake FTDI cable? I mean there's no way right? I've never bothered to verify but I'm pretty sure I don't actually even have a single authentic one. I wouldn't know where to order from if I wanted an authentic one.
After they infamously started going after clones, anything branded FTDI is automatically suspicious.

USB-serial adapters are not particularly special. Dozens of other manufacturers make them.

This was a huge own-goal for their brand image.

If I buy a FTDI based adapter, it might brick, and I lack the detection skill or supply chain control to be sure that it won't happen.

If I buy a CH340 or PLwhatever based adapter, that doesn't enter the calculus.

Unless I had some explicit "only FTDI can possibly do it" need, I'm going elsewhere.

I could spot the clone because I'm familiar with the form factor of the FTDI IC, and I'm familiar enough with the datasheet to spot the expected passives.

I'm not too keen these days with FTDI's reputation for manipulating their Windows device drivers to brick clones. So, while I'm familiar with their IC, I don't give them any more money. The next time I need a USB to serial cable, I'll bust out KiCad to build it using one of the ubiquitous ARM microcontrollers with USB features built in. Of course, this is easier for me, since I can write my own Linux or BSD device driver as well. Those using OSes with signing restrictions on drivers would have a harder time, unless they chose to disable driver signing.

It helps that USB to serial is a solved problem. Plenty of manufacturers make parts that work well and don't need to try and imitate FTDI.
You don't actually need your own driver, you can just use the CDC device class.
I think that's what happened here. I spotted the fake because it has a large number of unused pins, which would not be the case with an FTDI chip that was literally made for this.

I think it's just some generic microcontroller emulating FTDI's protocol in software, but it can't keep up with high-speed transfers of course, and that's how they noticed there was a problem.

The suspect cable actually seemed to have better strain relief for wire connections and more solder on the USB A connector (transfers mechanical stress better), even though the author pointed them out as features of the authentic cable.
This is such a nothing burger corporate ad. They purchased a cheap cable and it sucks. So let’s X-ray it and make a thought piece post about implants…
(comment deleted)
I couldn't tell a thing about the naqqadah resistor positron-brain whattamajig on the right answer but the wrong answer looked too neat for something actual people would design.
Interesting, not too useful as I doubt most of the readers here have that Xray machine.

I remember years ago I had similar issue, I got one of those FTDI USB cable to interfere with a drone payload, and it was simpler to just plug in the USB cable into the jetson rather than having a small exposed circuit around, but I ended up having performance issues and interruptions that eventually I replaced it with traditional FTDI exposed circuit, I still have the cable till now but I don’t have the X ray machine to check!

The bottom one is suspicious because it is bigger !!!!!
We bought an x-ray machine and need customers...
I'm failing to see the smoking gun here.

There are two ways you could interpret "counterfeit".

1. Fake IC (identifies as FTDI 232 IC), fake cable (FTDI logo on it)

2. Real IC, fake cable (eg, I buy the FTDI IC and make the cable, and sell it as an "official" FTDI cable).

(1) is I assume what they mean in this instance., but you could argue (2) is also possible. However, they make no mention of the packaging both calling them "FTDI" cables. Instead, I assume they're going off what they report to the OS as.

FTDI have been around for decades, and the offhand "old cable we had kicking around" could easily mean its 15+ years old. That might easily explain the chip size difference. In this case, FTDI did make TSSOP 28-pin chips for a long time. They're now obsolete, superseded by SSOP package variants (like in the "Real" picture). Put another way, this is like comparing an i5-10400 to a Pentium II that I found in my storage closet and declaring the Pentium II fake.

The actual fake chips visually look identical to the real ones. Obviously, otherwise they wouldn't get mixed into the supply chain.

The only real conclusion they can realistically make from these x-rays are that they're not the same cable (but even then, I don't know if FTDI real cables have silently upgraded the internals while retaining the same SKU).

They only wanted to say 'Hey look, we have borrowed a x-ray mashine'
From the article: "The consequences for a consumer buying a shady USB cable likely aren’t too bad".

I can't second that, but more to the software/driver side.

Without my knowledge, I once had a counterfeit cable that costed several days of my life. At that time, the FTDI drivers recognized (and as I read did some other things [1]) that a counterfeit cable was connected, but instead of simply disabling the function, they impeded it. In my case: After pressing the first few keys on terminal connection, the transmission from the device to the PC worked, but not the reverse direction. A long search for the error came to an end after I replaced the USB/RS232 with a new one. This was with windows, with Linux even the counterfeit worked.

[1] https://www.elektroda.com/qa,ftdi-ft232-scandal-driver-brick...