We X-Rayed a Suspicious FTDI USB Cable

Posted by aa_is_op 5 days ago

20282Original

Comments

To be fair, this story is basically an ad, but a pretty good one, and many featured HN stories are really marketing. Personally, I don’t mind marketing stuff, if it’s interesting and relevant (like this).

But the fact that most comms cables, these days, have integrated chips, makes for a dangerous trust landscape. That’s something that we’ve known for quite some time.

BTW: I “got it right,” but not because of the checklist. I just knew that a single chip is likely a lot cheaper than a board with many components, and most counterfeits are about selling cheap shit, for premium prices.

But if it were a spy cable, it would probably look almost identical (and likely would have a considerably higher BOM).

Comment by woleium 4 days ago

My apple thunderbolt 4 cable has a computer more powerful than my firs computer in it (ARM Cortex‑M0 core running at up to 48 MHz vs a 286 at 25mhz)

Comment by shagie 4 days ago

That tickled a memory of a video... and I hunted it up.

Adam Savage's Tested : Look Inside Apple's $130 USB-C Cable - https://www.youtube.com/watch?v=AD5aAd8Oy84 (1 minute in "we've been saying that our phones have more computing power than the Apollo guidance computer but I'm positive now that this cable has more computing power than the Apollo guidance computer")

That video is a look at cables (not just Apple's) with Lumafield's CT Scan.

Comment by ssl-3 4 days ago

Lumifield quite recently showed on Adam Savage's Tested again, with some literal insights on a reasonably-diverse array of different 18650 cells: https://www.youtube.com/watch?v=AD5aAd8Oy84

It's a good watch, and I learned some new stuff about some things that I only knew a little bit about before.

Comment by Thorrez 4 days ago

I think you meant to link to https://www.youtube.com/watch?v=-Y23nfAOiXQ

Comment by ssl-3 4 days ago

I absolutely did.

Thanks!

Comment by pm215 4 days ago

The fun thing about those thunderbolt cables is they have two Arm cores in them, one at each end...

Comment by DeathArrow 4 days ago

Probably there is someone somewhere trying to make Linux boot on a thunderbolt cable.

Comment by nkrisc 4 days ago

It would be a pretty amusing demonstration to plug in the cable to a display, then pretend to plug the other end into an imaginary computer sitting nearby and have something boot up on the display.

Comment by HPsquared 4 days ago

It'd be a cool physical demonstration at a cybersecurity roadshow.

A concern: with all this computing onboard, does this mean a malicious USB-C cable could record screen and keystroke?

Often the keyboard receiver is plugged into the monitor's USB hub and so screen and HID are both going along a single cable ... Which also does power delivery. Such cables are a definite "sales category" and could be a target for supply chain attacks. But if they now have chips onboard, doesn't that mean an attacker could even takeover a genuine cable? It seems like a real risk tbh.

Comment by wolrah 2 days ago

> A concern: with all this computing onboard, does this mean a malicious USB-C cable could record screen and keystroke?

Keystrokes: Easily. At least for USB 3 and 4, USB 1/2 data is a physically separate channel that just happens to almost always be packaged alongside the faster stuff, so the lower speed stuff like input devices is easy to intercept. I don't know if Thunderbolt does the same or not, normally USB-C alternate modes still keep the USB 2.0 signals available but Thunderbolt might be an exception.

Screen: Probably not modern video modes in a purely stealthy cable formfactor *YET*, at least not using COTS parts, but it wouldn't surprise me to find the secret squirrel types either already have it or are working on it.

Comment by jamesy0ung 4 days ago

I doubt you are going to fit a chip fast enough to snoop Thunderbolt traffic inside of a usb-c plug

Comment by ChrisMarshallNY 4 days ago

Today, but maybe not much longer.

It is possible that the tech exists, but isn't yet at a point that it can be easily mass-produced, which means "spy cables" may actually be available, from Q-types.

Comment by 4 days ago

Comment by shagie 4 days ago

I think Think Geek used to have a "frayed cable" usb drive... and there have been "how to" for one such as https://www.evilmadscientist.com/2008/how-to-make-a-sawed-of...

Comment by Yoric 4 days ago

Or Doom.

Comment by pseudohadamard 3 days ago

Was going to say the same thing. With way more processing power you could output the video over USB-C/TB at one end and connect a keyboard at the other.

Comment by amarant 4 days ago

I also got it right, but for the entirely wrong reasons!

I assumed the "suspicious" cable was a spy cable, and then guessed that the bigger integrated circuit was probably responsible for doing secret spy stuff, while the smaller circuit up top was all that was needed for ordinary cable work. Turns out the cables do basically the same thing (no fancy spying!), and one is just cheaper.

Comment by araes 4 days ago

Similar reasoning, don't know if it's "wrong" reasoning.

The large chip looks like it's purposely placed to intercept every single incoming signal, and then route them through afterward. Just because they're "experts" does not mean they notice issues that a "naive" observer might have noticed. Get lost in the trees.

It looks like a big chip for doing "secret spy stuff".

Comment by sidewndr46 4 days ago

I felt the same way reading this. A fake FTDI cable? I mean there's no way right? I've never bothered to verify but I'm pretty sure I don't actually even have a single authentic one. I wouldn't know where to order from if I wanted an authentic one.

Comment by speff 4 days ago

I'd think the usual trusted sources for an authentic one - digikey, mouser, sparkfun.

Amazon, ebay, and similar others for the (cheaper) counterfeits.

Comment by Nurbek-F 4 days ago

I got it right too. But for an entirely naive reason. The smaller the components the more complex machines you would need - more expensive. Plus the more wiring on the io 3 vs 3+

Comment by ChrisMarshallNY 4 days ago

That's fairly close to my reasoning.

Comment by quietsegfault 4 days ago

Huh! I originally thought the bottom one was authentic because the main IC looked a lot “nicer”. Then I saw the jumble of wires to the right and rethought.

Comment by bragr 4 days ago

If you look closely at the bottom one, almost all the components are slightly askew, while the top one has everything at neat 90 degrees. And a smaller IC almost always means the more modern/expensive IC. Same for the other components. In fact, the top one has a much higher component count, the small components just don't show up well (look at the pads though).

Comment by sandworm101 4 days ago

Also look at the number unused/unconnected pins on the chip. The fake seems to be using a generic chip programed to act like the real thing. The extra pins are for functions it doesnt need in this use case. A professional-grade product will use a carefully-selected chip with no extra capabilities or unused pins.

Comment by mcdeltat 4 days ago

If you look at enough cheapo/handmade circuit boards you'll notice they often look like the bottom one. Cramped, untidy, or otherwise odd trace layout, poor part placement, poor soldering. The top one - although looking less space efficient because there's more going on - is layed out better. The design just flows in a way amateur designs don't.

Comment by invokestatic 5 days ago

I have a slow burn project where I simulate a supply chain attack on my own motherboard. You can source (now relatively old) Intel PCH chips off Aliexpress that are “unfused” and lack certain security features like Boot Guard (simplified explanation). I bought one of these chips and I intend to desolder the factory one on my motherboard and replace it with the Aliexpress one. This requires somewhat difficult BGA reflow but I have all the tools to do this.

I want to make a persistent implant/malware that survives OS reinstalls. You can also disable Intel (CS)ME and potentially use Coreboot as well, but I don’t want to deal with porting Coreboot to a new platform. I’m more interested in demonstrating how important hardware root of trust is.

Comment by userbinator 5 days ago

I don't want Boot Guard or any of that DRM crap. I want freedom.

I want to make a persistent implant/malware that survives OS reinstalls.

Look up Absolute Computrace Persistence. It's there by default in a lot of BIOS images, but won't survive a BIOS reflash with an image that has the module stripped out (unless you have the "security" of Boot Guard, which will effectively make this malware mandatory!)

I’m more interested in demonstrating how important hardware root of trust is.

You mean more interested in toeing the line of corporate authoritarianism.

Comment by invokestatic 4 days ago

Well, this project is literally about me circumventing/removing Boot Guard so I don’t know how it’s corporate authoritarianism. I’m literally getting rid of it. In doing so I get complete control of the BIOS/firmware down to the reset vector. I can disable ME. To me, that’s ultimate freedom.

As a power user, do I want boot guard on my personal PC? Honestly, no. And we’re in luck because a huge amount of consumer motherboards have a Boot Guard profile so insecure it’s basically disabled. But do I want our laptops at work to have it, or the server I have at a colocation facility to have it? Yes I do. Because I don’t want my server to have a bootkit installed by someone with an SPI flasher. I don’t want my HR rep getting hidden, persistent malware because they ran an exe disguised as a pdf. It’s valuable in some contexts.

Comment by taneq 4 days ago

Some days you’re the anarchist, some days you’re the corporate authority. :D

Comment by fc417fc802 4 days ago

I want an equivalent of boot guard that I hold the keys to. Presented only with a binary choice certainly having boot guard is better than not having it if physical device security is in question. But that ought to be a false dichotomy. Regulation has failed us here.

Comment by kachapopopow 4 days ago

that defeats the point, having the "keys" allows malicious actors to perform the same kind of attacks... trust is protected by trusted companies...

certificate companies sell trust, not certificates.

Comment by fc417fc802 4 days ago

Me managing my own (for example) secure boot keys does not inherently enable malicious actors. Obviously unauthorized access to the keys is an attack vector that whoever holds them needs to account for. Obviously it's not risk free. There's always the potential that a user could mismanage his keys.

There's absolutely no excuse for hardware vendors not to provide end users the choice.

> trust is protected by trusted companies...

The less control of and visibility into their product you have the less trustworthy they are.

Comment by kachapopopow 4 days ago

the hardware is made by asus, asus signs with their key backed by a trusted company.

asus gives out keys to sign bios firmware, now aliexpress can not only counterfeit, but provide tampered hardware.

you can enroll your own secure boot keys so that's not really relevant.

Comment by fc417fc802 4 days ago

Secureboot was being used as an example to illustrate the issue with your claim that a user controlling the keys must necessarily undermine security.

I'll grant that if the user is given control then compromise within the supply chain does become possible. However the same hypothetical malicious aliexpress vendor could also enroll a custom secure boot key, install "definitely totally legit windows", and unless the user inspects he might well never realize the deception. Or the supply chain could embed a keylogger. Or ...

Comment by kachapopopow 4 days ago

you don't have to trust software, but you have to trust your firmware and hardware.

Comment by taneq 4 days ago

> You mean more interested in toeing the line of corporate authoritarianism.

That’s not what I got from their post. After all, they’re putting in some effort to hardware backdoor their motherboard, physically removing BootGuard. I read it as “if your hardware is rooted then your software is, no matter what you do.”

Comment by Nextgrid 5 days ago

> persistent implant/malware that survives OS reinstalls

Try attacking NIC, server BMC or SSD firmware. You will achieve your goal without any hardware replacement needed.

Comment by invokestatic 5 days ago

Yeah, but that doesn’t give me a reason to use the hot air station and hot plate collecting dust on my desk ;)

Comment by cbsks 5 days ago

Nothing drives more creativity from me than a tool in need of a project.

Comment by da_chicken 5 days ago

I mean, you could also do smartphone repairs.

Comment by mschuster91 5 days ago

> I want to make a persistent implant/malware that survives OS reinstalls.

You want to look into something called "Windows Platform Binary Table" [1]. Figure out a way to reflash the BIOS or the UEFI firmware for your target device ad-hoc and there you have your implant.

[1] https://news.ycombinator.com/item?id=19800807

Comment by baby_souffle 5 days ago

> You want to look into something called "Windows Platform Binary Table" [1].

Is this how various motherboard manufacturers are embedding their system control software? I was helping a family friend with some computer issues and we could not figure out where the `armoury-crate` (asus software for controlling RGB leds on motherboard :() program kept coming from

Comment by Nextgrid 4 days ago

That most likely comes from Windows Update though. It now has the ability to download "drivers". It actually had said ability for a long time (back from Vista days if I remember right) but back then it was only downloading the .inf file and associated .sys files/etc, where as nowadays it actually downloads and runs the full vendor bloatware.

Comment by phatskat 4 days ago

Have your friend grab https://github.com/seerge/g-helper which can disable armory crate. It’s also a lot lighter on your system - I was having constant gradual frame drops (games would start find and performance would slowly degrade) until I tried this and used the option to disable the AC processes.

Comment by BobbyTables2 4 days ago

Likely so. I think that’s actually the intended use of this “feature”

Comment by ronsor 5 days ago

Only works if the target is running Windows (paranoid people might be on Linux), so you'd probably want to slip in a malicious UEFI driver directly. Tools like UEFITool can be used to analyze and modify the filesystem of a UEFI firmware image.

Comment by yjtpesesu2 4 days ago

Death approaches. Slow burn until. When Death arrives, what you are doing now will be obviously irrelevant.

Comment by hex4def6 4 days ago

I'm failing to see the smoking gun here.

There are two ways you could interpret "counterfeit".

1. Fake IC (identifies as FTDI 232 IC), fake cable (FTDI logo on it)

2. Real IC, fake cable (eg, I buy the FTDI IC and make the cable, and sell it as an "official" FTDI cable).

(1) is I assume what they mean in this instance., but you could argue (2) is also possible. However, they make no mention of the packaging both calling them "FTDI" cables. Instead, I assume they're going off what they report to the OS as.

FTDI have been around for decades, and the offhand "old cable we had kicking around" could easily mean its 15+ years old. That might easily explain the chip size difference. In this case, FTDI did make TSSOP 28-pin chips for a long time. They're now obsolete, superseded by SSOP package variants (like in the "Real" picture). Put another way, this is like comparing an i5-10400 to a Pentium II that I found in my storage closet and declaring the Pentium II fake.

The actual fake chips visually look identical to the real ones. Obviously, otherwise they wouldn't get mixed into the supply chain.

The only real conclusion they can realistically make from these x-rays are that they're not the same cable (but even then, I don't know if FTDI real cables have silently upgraded the internals while retaining the same SKU).

Comment by krater23 3 days ago

They only wanted to say 'Hey look, we have borrowed a x-ray mashine'

Comment by gregsadetsky 5 days ago

Yeah - these [0] kinds of cables are so extremely scary.

"The O.MG Cable is a hand made USB cable with an advanced implant hidden inside. It is designed to allow your Red Team to emulate attack scenarios of sophisticated adversaries"

"Easy WiFi Control" (!!!!!)

"SOC2 certification"? Dawg, the call is coming from inside the house...

[0] https://shop.hak5.org/products/omg-cable

Comment by mschuster91 5 days ago

> "SOC2 certification"? Dawg, the call is coming from inside the house...

Helps corporate red teams in environments where the purchase department is... a bunch of loons.

Comment by sllabres 4 days ago

From the article: "The consequences for a consumer buying a shady USB cable likely aren’t too bad".

I can't second that, but more to the software/driver side.

Without my knowledge, I once had a counterfeit cable that costed several days of my life. At that time, the FTDI drivers recognized (and as I read did some other things [1]) that a counterfeit cable was connected, but instead of simply disabling the function, they impeded it. In my case: After pressing the first few keys on terminal connection, the transmission from the device to the PC worked, but not the reverse direction. A long search for the error came to an end after I replaced the USB/RS232 with a new one. This was with windows, with Linux even the counterfeit worked.

[1] https://www.elektroda.com/qa,ftdi-ft232-scandal-driver-brick...

Comment by commandersaki 5 days ago

Just to be clear suspicious in this sense is a cable that is likely counterfeit and wasn't able to do high speed transfer unlike the genuine known good one.

Comment by nanolith 4 days ago

I could spot the clone because I'm familiar with the form factor of the FTDI IC, and I'm familiar enough with the datasheet to spot the expected passives.

I'm not too keen these days with FTDI's reputation for manipulating their Windows device drivers to brick clones. So, while I'm familiar with their IC, I don't give them any more money. The next time I need a USB to serial cable, I'll bust out KiCad to build it using one of the ubiquitous ARM microcontrollers with USB features built in. Of course, this is easier for me, since I can write my own Linux or BSD device driver as well. Those using OSes with signing restrictions on drivers would have a harder time, unless they chose to disable driver signing.

Comment by the_biot 4 days ago

I think that's what happened here. I spotted the fake because it has a large number of unused pins, which would not be the case with an FTDI chip that was literally made for this.

I think it's just some generic microcontroller emulating FTDI's protocol in software, but it can't keep up with high-speed transfers of course, and that's how they noticed there was a problem.

Comment by Liftyee 4 days ago

It helps that USB to serial is a solved problem. Plenty of manufacturers make parts that work well and don't need to try and imitate FTDI.

Comment by 4 days ago

Comment by LiamPowell 4 days ago

You don't actually need your own driver, you can just use the CDC device class.

Comment by nanolith 4 days ago

That's true. The only advantage of writing a driver in this case is if I wanted to add functions, such as a programmable level shifter.

Comment by userbinator 5 days ago

After they infamously started going after clones, anything branded FTDI is automatically suspicious.

USB-serial adapters are not particularly special. Dozens of other manufacturers make them.

Comment by hakfoo 4 days ago

This was a huge own-goal for their brand image.

If I buy a FTDI based adapter, it might brick, and I lack the detection skill or supply chain control to be sure that it won't happen.

If I buy a CH340 or PLwhatever based adapter, that doesn't enter the calculus.

Unless I had some explicit "only FTDI can possibly do it" need, I'm going elsewhere.

Comment by alyandon 4 days ago

Exactly - the FTDI drivers refusing to work would have been reasonable and emitting a log or error message that my device was counterfeit would have actually been helpful. Instead, they vandalized end user equipment by permanently bricking the devices which is arguably illegal.

I am not nearly sophisticated enough as an end user to spot a counterfeit FTDI usb-to-serial device so I am not going to risk buying that brand and end up with their drivers intentionally bricking the device.

Comment by dotancohen 4 days ago

The suspect cable actually seemed to have better strain relief for wire connections and more solder on the USB A connector (transfers mechanical stress better), even though the author pointed them out as features of the authentic cable.

Comment by sandworm101 4 days ago

That tangle is not strain relief. Those wires are buried in injection-molded plastic. Pull on them and those loops will not stretch as they are in solid plastic. What they will do is potentially result in unwanted cross-talk between wires as loops start acting as antennas.

Comment by dotancohen 4 days ago

Thank you. If I may, is injection molded plastic not solid plastic? To many potential voids?

Comment by sandworm101 4 days ago

It is solid, which is why the wires cannot move. Molding the thing as one unit overtop the electronics is cheaper than making many parts to clamp over them as a box. A solid block is also generally better for strength and thermal.

Comment by trinsic2 5 days ago

Jeese. I was not sure which image was the suspect one.

Comment by Mawr 4 days ago

You don't need any specialized knowledge, just pick the one that looks "cleaner" and "neater" than the other.

It's sufficient to look at something as basic as the arrangement of cables on the left. The crooked electrical elements on the right are also a big tell.

This works because good—and bad—qualities correlate with each other.

Comment by Neywiny 5 days ago

If you've read the docs, which I'm not saying anyone is expected to, FTDI tends to put buffers on their outputs. That's what gave it away for me. The little sot-23-5 footprints.

Comment by mjevans 5 days ago

I got it backwards because I expected the counterfeit part to use a newer process IC (less silicon area) than a possibly more reliable and perfectly suitable for serial connection speeds 'vintage' process on some long stable spin of silicon.

Why allow for newer processes on the counterfeit? They'd implement it using the least expensive, most mass produced chips possible, which are more likely to be cut from wafers hitting the sweet spot of size / feature and price crossover.

Comment by trinsic2 5 days ago

I wanted to try and figure out out before I did that. No dice.

Comment by blibble 5 days ago

the one which looks cheaper to manufacture

which is definitely the second

Comment by llbbdd 4 days ago

This is how I ID'd it; I have next to zero experience with ICs, but I've opened up a lot of devices for fun or repair and the cheap stuff always has wiring haphazardly contorted like the left side on the counterfeit, like someone had to force it in there and squeeze it shut just to get it out the door.

Comment by kps 5 days ago

They gave it away by saying the genuine cable was a 234 series (small basic UART) and not a 232 (big ol' 28-pin chip).

Comment by 4 days ago

Comment by tamimio 4 days ago

Interesting, not too useful as I doubt most of the readers here have that Xray machine.

I remember years ago I had similar issue, I got one of those FTDI USB cable to interfere with a drone payload, and it was simpler to just plug in the USB cable into the jetson rather than having a small exposed circuit around, but I ended up having performance issues and interruptions that eventually I replaced it with traditional FTDI exposed circuit, I still have the cable till now but I don’t have the X ray machine to check!

Comment by gnabgib 5 days ago

Related USB-C head-to-head comparison (389 points, 2023, 219 comments) https://news.ycombinator.com/item?id=37929338

Comment by avadodin 4 days ago

I couldn't tell a thing about the naqqadah resistor positron-brain whattamajig on the right answer but the wrong answer looked too neat for something actual people would design.

Comment by 4 days ago

Comment by MiiMe19 4 days ago

The bottom one is suspicious because it is bigger !!!!!

Comment by thesaintlives 4 days ago

We bought an x-ray machine and need customers...

Comment by stainablesteel 5 days ago

it's a serious problem

they could be regulated to expose their chip with transparent covering rather than plain dark wiring

Comment by androng 5 days ago

this is an advertisement for the company

Comment by d0ublespeak 4 days ago

This is such a nothing burger corporate ad. They purchased a cheap cable and it sucks. So let’s X-ray it and make a thought piece post about implants…

Comment by kundejenny 2 hours ago

[dead]