Conversation
![David Watson 🥑](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="96" height="96"><rect fill-opacity="0"/></svg>)
Post your reply
Last year we CT scanned a top-of-the-line Thunderbolt 4 connector and were astonished to find a 10-layer PCB with lots of active electronics. A lot of people saw the scan and wondered whether malicious electronics could be hidden in a tiny USB connector.
Quote
Jon Bruner
@JonBruner
What’s inside Apple’s $129 Thunderbolt cable? We CT scanned one to find out, and compared it to some cheaper cables… 
We put an OMG cable in our Neptune CT scanner. It captures hundreds of X-ray images from different angles, then we reconstruct them into a 3D model that includes both external and internal features. (The color coding in the 3D model indicates relative density.)
For context, here’s a typical USB-C connector from Amazon Basics. It has a PCB, but no active electronics; the PCB is just used to connect the pins to the right wires in the cable.
0:02
Inside the ordinary-looking OMG connector we can immediately spot an antenna and a microprocessor. While high-end Thunderbolt connectors have some ICs, you won’t find an antenna like this in any normal USB connector.
On the other side of the connector is its most interesting feature: a USB passthrough module. When the malicious features of the OMG cable are deactivated, this passthrough links the connector’s pins directly to the cable without sending any signals through the microcontroller,
Show more
2D X-ray images can detect major deviations from an expected design, like the presence of an antenna and an IC, but it’s easy to slip other features past a simple 2D X-ray scan…
The microcontroller looks like an ordinary IC when we view it as a 2D X-ray image, but when we look at a 3D CT scan and adjust the visualization parameters, we can see another detail emerge: a second set of wire bonds, connected to a second die that’s stacked on top of the main
Show more
Complex, global supply chains carry enormous risks, as we were reminded during October’s supply chain attack in Lebanon–a story that has been thoughtfully following and analyzing since it happened.
Quote
MG
@_MG_
The exploding Hezbollah pagers situation is an incredibly impressive supply chain attack by Israel (most likely). I am sure more details will come, but there are already some educated guesses to be made that narrow it down.
1/n
1/nShow more
Hidden explosives in electronics have been used before–for instance, in a USB thumb drive, which was able to reproduce. But as complex, active electronics make their way into corners of our lives that were previously dumb, the surface area for attacks becomes larger. And as
Show more
We’ve also posted our scan of the O.MG cable here: lumafield.com/article/invest so that you can explore it yourself in Voyager.
A lot of you are asking what should be done! At a personal level, buy reputable cables and avoid public USB ports like those charging stations at airports.
Most importantly we need vigilance throughout the supply chain. Manufacturers and retailers unwittingly distribute counterfeits all the time. Fortunately, we’re entering an era of ubiquitous, ultra-fast X-ray CT. lumafield.com/article/ultra- This will help!
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="1200" height="630"><rect fill-opacity="0"/></svg>)
First, YIKES!
Secondly, great great thread.
You REALLY have to be careful these days..
However, is there a way to test and check this with software?
That when plugged in, you run some kind of diagnostics test or similar? Feels like even if ordering cables from respected or
Show more
That's an interesting question; I'm not sure what the basic components of a USB cable are designed to withstand either. Maybe can answer this one.
That was an eye-opener and a half. MANY thanks for sharing.
But, how do we protect our selves against this? By strictly buying brand name cables, or is there another way?
Please share.
Buying reputable cables helps, as does avoiding public USB ports. We also need more vigilance throughout the supply chain—distributors and retailers regularly receive and redistribute counterfeits. Fortunately ubiquitous, ultra-fast CT is now practical.
Apple should start adding cryptographically signed NFC tags to all their official usb-c cables, and when you bring the cable close to plug it in, it could show a little green lock icon or something to indicate that it’s a legit cable. Would at least make it tougher and more
Show more
I thought thunderbolt/usb-4 needed a controller chip of some sort for negotiation, a basic cable that it just wires is what you would find on a cheap cable that fries your tech.
Not saying that there aren't criminals using chips on a USB-C cable, but the presence of a chip on a
Show more
For those wondering what the USB-C $129 cable is for, it can send the display one way and receive 100W the other way. Now you plug in a single cable to turn your laptop into a desktop
.
.
Great thread, very informative. A few years ago as an InfoSec exec, I attempted to write contract rqmts for global vendors to certify their products as malware-free on delivery. All refused b’cause they didn’t have control of their supply chains. Scary.
I worked for a certain govt agency that did this type of stuff.
One reason why when I had my computers confiscated by a govt entity and returned to me months later I immediately sold it on eBay.
"Technology makes crime more efficient and so criminals are perpetual early adopters of all things tech."
--Marc Goodman ("Future Crimes")
Spy thriller authors aren't lying. If you're writing tech thrillers and you're concerned your ideas are too farfetched, the
Show more
Wow, is that actually a custom package with stacked dies? That is a crazy level of concealment.
Wow that's crazy, thank god this is totally niche and! I say while finding every USB-C cable I have and hiding them in another room..
Something sinister? A device that reverses the direction it can installed as soon as it detects its about to be inserted correctly?
How do you even protect yourself from this? I am close to selling all my hardware and build a Linux PC from ground up
I really appreciate the insights from your post, but holy hell is this reveal infuriating or what?
And that is the commercial resolution
I bet you my ass that much more is possible. On probably can read out ssd type memory via xrays and a couple of hundred million dollar black dev fund
Chips are inside lots of USB connectors. It depends upon the hat the chip is doing.
I like that inventor has to put tape on the cable to mark it as you can’t tell otherwise 
So the answer is a mini CT hand scanner to take with you and check your cables before each use.
… I’m not kidding.
I remember reading about Gulf War 1 and how the U.S. used a parallel printer cable for malicious inject within the Iraq military complex...
Thanks for this very interesting post. How far would the antenna send? I guess the sgnal has to be picked up in the near field?
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="1200" height="628"><rect fill-opacity="0"/></svg>)
Yesterday it was your local 7/11 card swiper, today it’s the hotel charger port.
Hola, please find the unroll here: threadreaderapp.com/thread/1864377 Share this if you think it's interesting. 
This is my new favorite fidget toy. I'm so glad I have to pay 100 dollars for it.
How fast does it charge though? Idc if they see my shit posts if I get a fast charger
Feeling better about ordering hardwood to craft low-tech gifts this year. ... 
Wait, what about invasive larvae? 
Wait, what about invasive larvae? 
GIF
please unroll.
I want to be able to share this thread with someone who's not on Twitter.
I am a CT radiographer, I've never seen such detail.
Help me understand this 
If 'they' got into the supply chain to be able to manipulate pagers to explode than I fear to think how many of these types of things have gone through and where they are.