A low budget consumer hardware espionage implant (2018)

https://ha.cking.ch/s8_data_line_locator/

340 points by fanf2 on 2024-05-15 | 94 comments

Automated Summary

The article discusses an analysis of a S8 data line locator, a GSM listening and location device embedded within a USB data/charging cable. The device supports 850, 900, 1800, and 1900 MHz GSM frequencies. It resembles the COTTONMOUTH product line by the NSA/CSS, using an RF device hidden in a USB plug. The S8 also features eavesdropping, espionage, and spying capabilities, such as call back, location query, and SMS commands. The device has no GPS, leading to a 1.57 km deviation in location reporting. The summary covers the analysis of the device's hardware, chips, and connections, including USB passthrough and UART, and attempts to dump the firmware, flash, and SIM sniffing. Additionally, the analysis notes the phone's OS, FAT12 filesystems, configuration data, and vulnerabilities.

Comments

airbreather on 2024-05-15

An even easier one would be a modified keyboard.

Anyone could fit an esp32 into a keyboard, swap it out, leave it lying around, sniff keystrokes, access with Bluetooth or WiFi, could have it only have the radio on for certain windows in time etc.

ttyprintk on 2024-05-15

The mouse is more commonly swapped in situations with physical access. Without physical access, those non-BlueTooth wireless mice (with their own RF dongle) are vulnerable to remote keystroke injection.

greggsy on 2024-05-15

Especially the pre-paired ones. I’m wary of older Logitech Unified dongles, but the newer Bolt platform offers a bit more comfort.

caulk on 2024-05-15
jbosh on 2024-05-15

Hard part there is getting the wear and tear from oils in your hand to look identical.

Although maybe most people don't pay attention to that.

seniorivn on 2024-05-15

just put it inside the original keyboard

Scoundreller on 2024-05-15

The other thing that’s hard to get right is the weight.

Hard to find material in most things today to remove to even out the added weight of an implant.

greggsy on 2024-05-15

Pop and swap the keycaps

gcr on 2024-05-15

Dirty keys on a pristine keyboard is a dead giveaway.

codedokode on 2024-05-15

Yes but giving a keyboard as a present is more suspicious than just a harmless data cable.

taf2 on 2024-05-15

Even better use esp long range and have a receiver device outside maybe powered via solar… connected to cell network… this way no additional networks exposed internally…

FuriouslyAdrift on 2024-05-15
dako2117 on 2024-05-15

Isn't it way easier to get a target to use a usb device than a keyboard

playingalong on 2024-05-15

These days most keyboards are USB devices.

no_time on 2024-05-15

Using SMS as the control protocol seems like a bad idea. You are generating evidence with each command sent that may or may not be stored practically forever by the telcos.

gwbas1c on 2024-05-15

That's assuming you're using it for spying.

A completely honest use of this is to track your car, (or other device with a USB port) in case of theft.

If I had one of the Kias or Hyundais that were easy to steal, I'd totally slip one of these into the car.

jandrese on 2024-05-15

The caveat being that these things are only doing cell tower triangulation, and not even a good job of it. So all it will be able to tell you is that your car is somewhere on the east side of the city or so. Although you will be able to listen in on the conversations of the car thieves and might pick up a clue from that.

Realistically, these are 100% for stalking/espionage.

throwaway11460 on 2024-05-15

I took the exact opposite conclusion from this information. How is it useful for stalking if it doesn't give more exact location? On the other hand if I'm looking for my own car that somebody took out of the city, this at least gives me a general idea of its location.

jjk166 on 2024-05-15

For stalking/espionage, approximate locations (especially which can be refined over long observation periods and combined with other data) are often fine. Patterns like when does someone leave for work, what shifts do they work, where do they go on weekends, etc can be quite apparent.

If your car is stolen, what good is knowing the general location?

throwaway11460 on 2024-05-15

Hmm, I guess my eurothinking is showing. I work and live within a 5 km radius. I guess in the US you can get much more useful that's even though it's approximate.

If my car is stolen and taken away, at least I can call that city/country police instead of waiting when it gets through the bureaucracy.

codedokode on 2024-05-15

It's packaging says "data cable", not a "car tracking device". Why would they use misleading packaging that the thieves would never see? Obviously it is meant to be used as a present, or for example, for an employee bringing this "cable" to work.

throwaway11460 on 2024-05-16

Good point, didn't notice that.

axegon_ on 2024-05-15

That is valid for any centralized service in general. Fun fact: I am working on something in that field in my spare time(whenever I have both time and motivation) and I opted for LoRa instead specifically for that reason, even though it comes with a wide range of limitations: payload, range is determined by line of sight, no multiplexing and all that. But did make some real world testing late last year and the range I got was REALLY impressive. Easily 20% above what the manufacturer had put in the spec sheet - 12 and a half kilometers with an off the shelf dev board.

snovv_crash on 2024-05-15

The 900MHz bands also have much better penetration. But even the 2.4 LoRa are a huge step up from the other chips I've seen eg. TI CC2500.

axegon_ on 2024-05-15

True, well I'm in the EU so 868MHz in my case. Still, it is very susceptible to external conditions. It truly is a hit or miss. Personally I host a things network gateway(indoors), I live on the last floor of a building at one of the highest points in the city and it is still very inconsistent when I've been fiddling with it. Back when I was doing my tests a few months ago I took a micro controller with a LoRa module up on the roof so those truly were ideal conditions. I have yet to test the CC2500.

pmx on 2024-05-15

Wouldn't someone using this sort of thing also buy a cheap burner phone and throw-away sim card? They're easy to buy with cash and you don't need to register them or anything to use them. Supermarkets in the UK even sell sims with credit already loaded onto them.

netsharc on 2024-05-15

I can't imagine the UK doesn't have laws to prevent anonymous SIM card purchases, because of terrorism fears.

Some duckduckgo-ing suggests it's possible, e.g. someone wrote just go to Tesco to get one and there are no ID checks (but this was written 6 years ago). In any case, just like teenagers buying booze, it's probably not that hard to pay someone off the street to buy one for you.

Crosseye_Jack on 2024-05-15

No ID is required to buy a pay as you go SIM card in the UK. Just walk into any supermarket or pretty much any corner shop and they will sell you a Sim for a quid at most. (You can also get them for free from the networks directly on their websites, but now they know the address the sim was sent too)

Top up credit is the same, ask the counter staff for £x on network Y and once you have paid they will give you a printed receipt with a code on it for your desired amount.

It’s not really seen as a “national security issue” because most people don’t practice perfect opsec and leave enough details and fingerprints behind.

And an ID check ain’t going to prevent anyone from getting hold of a sim via other means (like you said, pay someone on the street as just 1 example)

Now, try and access porn on that SIM card? Well hold on there, now we need to know who you are!!! (Though you can often blag your way around this via social engineering the CS agent on the phone. Or just bypass the block by using a VPN/Change DNS settings.)

Same for the phones themselves.

willcipriano on 2024-05-15

I thought I read you could buy "adult verification cards" by going to a newsstand and presenting ID that is potentially verified by the seller (if you appear underage) but not recorded. Like alcohol or tobacco purchases are in the US.

Crosseye_Jack on 2024-05-15

There were plans for that (And as another kick in the teeth, those porn-passes would expire, want more porn? go buy another pass!), but those plans got shelved because they finally figured out it was a dump idea. Though "we got to protect the kids" does keep popping back up every now and then.

(It wasn't the only way to verify your age, it was "just" meant as a way to prove age to a site without having to share your ID/Credit Card with that site, as not every adult has an ID/Credit Card)

As of right now every pay as you go sim comes with adult filtering enabled, you are then asked to proof your age in a number of ways to the provider to disable the block, this can be by using a credit card, or by popping into one of the providers stores (if they have one), last PAYG provider I unblocked adult content on used AI to guess my age from a selfie and no ID was required (The verification promised to not store my photo after verification, you kinda have to take them at their word for that, but breaking such a promise would land them in trouble with the ICO). I have on at least 2 occasions got the blocked disabled just by having a chat with a customer service agent on the phone, however that was about 5ish years ago, that provider may have changed up their methods in the years since.

Contract plans tend to give you the option when signing up if you want the adult content block or not, because on contract plans the account holder has to be 18 years old to sign up, but they also know that parents will take out contract plans for their kids to get a better deal on the phone/plan so the option is there for the parents to apply it / remove it as they deem fit.

Same goes for the larger fixed line ISPs, during sign up you are asked if you want adult content filtering or not (some will also offer more categories to filter such as gambling, social media, etc etc etc), but its only the larger ISPs that have to do this (iirc its not a legal requirement, but something the industry agreed too to avoid it becoming a legal requirement, however its been that long my memory could be faulting me on that). The smaller ISPs don't have to do so and some of them (A&A for example) pride themselves on not filtering the internet for their customers.

The crazy thing is on all the providers I have used (however I've not tested every provider), the filtering seems to be done pretty much always at the DNS level, change your DNS settings to anything other then the providers and you are able to bypass the parental controls.

Sky iirc (its been a while since I have used them) did do some deep packet inspection on filtered sites, but if the site was hosted behind the likes of cloudflare they only blocked at the DNS level for that site as not to cause any issues with any other sites hosted behind that proxy.

EDIT: Oh one thing I remember from when I had to use Sky for a brief period about 6 months ago, they "somehow" (not actually looked into how they do so, a couple of ways they could do this pop to minds, I just never dug into it.) pass long your filter status to Google and Bing when you do a search, so if you had adult filtering enabled at the ISP level Google would force enable safe-search on their end.

fullspectrumdev on 2024-05-15

You can literally go into almost any corner shop in the UK and buy a SIM with no ID and cash.

I do this regularly.

aembleton on 2024-05-15

Are you regularly swapping SIMs? Are you keeping the same IMEI number?

alibarber on 2024-05-15

If you're hacking around with phones or GSM boards for fun, on and off, it is cost effective to just grab one for a pound or so every time you want to do something as they sometimes come with a tiny bit of free data, or just a number to receive SMS on at least.

If you don't top up (with say a tenner) within some months the card deactivates and becomes useless, so it's a no-commitment way to access the GSM network.

worstspotgain on 2024-05-16

Any chance your purchase triggers the ~238 surveillance cameras on your route back from the store to get a good idea of who they're dealing with?

The UK used to be a surveillance outlier, but sadly other places have caught up in the meantime, including the US.

fullspectrumdev on 2024-05-16

It’s ok.

Only about 2 of them will record anything resembling a usable image - the rest are either broken, potato quality, pointing at nothing, or recording to media that’s so fucked that it’s highly unlikely to capture anything useful.

Not to mention the vast majority of them are privately owned and require a shit tonne of paperwork for the cops to access them, so they don’t bother unless it’s a murder case.

adonovan on 2024-05-18

Nonetheless the coverage was enough for highly motivated law enforcement agencies to reconstruct almost every step of the paths taken by the Russian assassins, sorry, “sports nutritionists”, when they paid a visit to the UK to nourish a certain enemy of Russia with Novichok.

eythian on 2024-05-15

It's very country dependent. In NL, NZ, and UK (as of several years ago when I last did that) for example, no ID checks are required. In AU they are.

grishka on 2024-05-15

In Russia they would ask for your internal passport (aka the "ID") and put your name, birth date, and registered address into their database. It's illegal to sell sim cards without that.

When I traveled to Europe recently and bought a French tourist sim, the carrier warned me multiple times that I need to provide my identity to continue using it beyond 30 days.

In UAE it's about as strict as in Russia.

bdavbdav on 2024-05-15

Yep. When I tried to get a SIM in India, it was a nightmare as a non-national. I had to get a local colleague to get one.

Mo3 on 2024-05-15

NL here, no ID check whatsoever

almostnormal on 2024-05-15

As long as there are no id-checks required for roaming and there is at least one country without id-checks, any id-check for local SIMs is security theater only.

Maxious on 2024-05-15

Note that SMS is the protocol advertised to buyers but the unadvertised login credentials for the web portal let you manage the device without SMS

no_time on 2024-05-15

If I understand correctly you need atleast one sms to know the credentials to the web portal. that's probably enough to get caught if someone finds the device.

franga2000 on 2024-05-15

If you can get an unidentifiable SIM for the tracker, you can also get one + a burner phone for yourself. And if someone is stupid enough to not do that or to turn on either device in an identifiable location, they're beyond help.

cheschire on 2024-05-15

If you have the ability to disassemble your electronics, do so! Do a DDG search for the identifiers on all the chips. You will learn a lot.

lioeters on 2024-05-15

As I learned when I was a child taking apart electronics, the hard part is reassembling them, haha. Taking photos of the disassembly steps can be helpful in remembering how the parts fit together.

bagels on 2024-05-15

Too many plastic enclosures are assemble-only, requiring destruction to disassemble.

bottom999mottob on 2024-05-15

The free market did a terrible job incentivizing disassembly... Can't count how many no-screw assemblies have triggered me.

The right-to-repair situation is a joke right now with automotive, consumer electronics, and appliances.

coupdejarnac on 2024-05-15

Assemblies with a lot of screws require manual labor, thereby increasing cost. I think what you actually mean is stuff that is specifically designed not to be serviced by being held together with glue, etc.

thefz on 2024-05-15

> This means anyone with access to your gpsui.net login credentials can control your device. A device which original packaging nor manual make any reference to said website.

Scary.

rbanffy on 2024-05-15

I’ve been playing with the idea of eye prosthetics for that purpose. At this point, a camera, battery, storage, and radio can all fit inside an aesthetic prosthesis and give it some functionality in itself or augmented by a smartphone.

deely3 on 2024-05-15

Something similar to this? https://www.instagram.com/bsmachinist/ Sorry for IG link.

rbanffy on 2024-05-15

That's very neat. The projector idea is particularly cool.

GordonS on 2024-05-15

Is there some kind of device that can detect bugs like this? (I'm thinking of the "bug sweepers" I've seen in films)

Cthulhu_ on 2024-05-15

I posted this on my Discord, one of our members is a security guy and pointed out that anyone concerned about things like this would be using a device called a NLJD, Non-Linear Junction Detector: https://reiusa.net/nljd/, which can detect circuit boards:

> The NLJD antenna head is a transceiver (transmitter and receiver) that radiates a digital spread spectrum signal to determine the presence of electronic components. When the energy encounters semi-conductor junctions (diodes, transistors, circuit board connections, etc.), a harmonic signal returns to the receiver. The receiver measures the strength of the harmonic signal and distinguishes between 2nd or 3rd harmonics. When a stronger 2nd harmonic is represented on the display in red, it indicates an electronic junction has been detected. In this way, a hand-held ORION is used to sweep walls, objects, containers, furniture, and most types of surfaces to look for hidden electronics, regardless of whether the electronic device is turned on.

GordonS on 2024-05-15

Exactly the kind of thing I was looking for! Although, I guess for a bug hidden within an electrical device (like that in the article), this approach wouldn't work?

I wonder how well these work against shielding? Might it be possible to build your own device like this?

lazide on 2024-05-15

It would ‘work’ - but not be useful, because you’d already expect a circuit in that location.

oasisaimlessly on 2024-05-15

No; USB2 cables are passive and shouldn't have any circuitry.

lazide on 2024-05-15

On the keyboard and the USB controller on the host (right next to the port) however…

So unless they’re dumb enough to put it literally in the middle of the cable? My point stands. These tools don’t typically have the resolution to tell.

jf on 2024-05-15

The article has a section on that very topic: https://ha.cking.ch/s8_data_line_locator/#detection

GordonS on 2024-05-15

Thanks; I did actually read the article, but missed this section (and likely some others) as the page doesn't work well on mobile.

pbmonster on 2024-05-15

The article covers that under the section "detection".

TL;DR: You can easily detect it while it communicates via GSM, and the device is also shielded quite badly, resulting in lots of easily detectable RF interference while it works.

All you need is a cheap RF detector. Having access to a full spectrum analyzer or a SDR will make this even easier.

All this gets much harder while the thing lies dormant, waiting for noise activation or commands. So the "quick bug sweeps" you see in the movies are more difficult.

ChrisMarshallNY on 2024-05-15

> So the "quick bug sweeps" you see in the movies are more difficult.

Not if the sweepers are talkative (assuming that the device is sound-activated).

alexey-salmin on 2024-05-15

Good ones record long spans of audio, then transmit them in short infrequent bursts outside of working hours. You can leave GSM recording equipment overnight and analyze logs, but even when you see it in the logs it'll be hard to locate the device physically when it's not transmitting.

Cthulhu_ on 2024-05-15

We used to have keychain lights that would start to blink whenever a nearby phone went off, I can imagine it could be set off by a device like this lol.

lupusreal on 2024-05-15

> So the "quick bug sweeps" you see in the movies are more difficult

Isn't that what nonlinear junction detectors are for?

pbmonster on 2024-05-15

Sure, the question is if you're surprised to get a positive from a USB cable. Wouldn't be surprised to find a diode inside there...

lupusreal on 2024-05-15

When in doubt, rip it out. If you suspect bugs, then get rid of any suspicious cable you can't prove the provenance of.

throwawayqqq11 on 2024-05-15

Would it be possible to shield the host device while frying the GSM antenna with selected frequenzies?

Kind of preemptive sanitization of new hardware.

jcims on 2024-05-15

Lots of cables have chips in them these days.

lostemptations5 on 2024-05-15

But not specific ones

codedokode on 2024-05-15

Its packaging doesn't mention that it is a tracking device so I guess the intended usage is a present, for example, at a business meeting or to a child, a relative?

dang on 2024-05-15

Related:

Inside a low budget consumer hardware espionage implant (2018) - https://news.ycombinator.com/item?id=20190251 - June 2019 (43 comments)

Inside a low-budget consumer hardware espionage implant - https://news.ycombinator.com/item?id=15676737 - Nov 2017 (92 comments)

owl110 on 2024-05-15

If not already out there, soon there possibly will be compromised cables with 801.11ah built-in. Given its low cost, low power requirements and the considerable range of the technology, it will be difficult to protect against unfortuantely.

vzaliva on 2024-05-15

In screenshots he uses Signal messenger to talk to the device. How this was achieved?

landgenoot on 2024-05-15

Signal supports SMS as well.

smarx007 on 2024-05-15
anigbrowl on 2024-05-15

Not since a couple of years ago, unfortunately. Now I have to use a separate app for SMS and often miss messages.

lofaszvanitt on 2024-05-15

I always wondered what if an SSD can surreptitiously funnel out the data it has on a secure channel, unbeknownst to the owner... Maybe all that would indicate the backdoor is some slight (?) change in the throughput speed.

Cthulhu_ on 2024-05-15

If someone has physical access to a device containing secure information, you're already boned. Thankfully, very few people are targets of surveillance / espionage like that.

lofaszvanitt on 2024-05-15

I mean it's built into silicon into all SSDs.

gruez on 2024-05-15

This is easily mitigated with full disk encryption.

lofaszvanitt on 2024-05-15

You don't get it.

huhtenberg on 2024-05-15

Needs (2017) in the title.

MandieD on 2024-05-15

I put (2018) because it was updated in January 2018.

philprx on 2024-05-15

What are other equipments similar to this one but different?

There seems to have many GPS location trackers on the market, are they all based on the same hardware?

PaywallBuster on 2024-05-15

can't find in aliexpress?

Cthulhu_ on 2024-05-15

What is your question?

haunter on 2024-05-15

Where to buy one. The article says they bought it on Aliexpress but there are no sellers.

mkoryak on 2024-05-15

You did not look hard enough. Use search "GPS tracker charger" to get started. They still exist in there

throwaway6272 on 2024-05-15

[dead]

JSDevOps on 2024-05-16

Incredible

mrgrj on 2024-05-16

"No official documentation nor information about the chip is available from MediaTek." </sigh>

rado on 2024-05-15

TLDR; a GSM listening and location device hidden inside the plug of a standard USB data/charging cable

morjom on 2024-05-15

So pretty run of the mill stuff for cable mods?