Teardown of a consumer voice/location cellular spying device that fits in the tip of a USB cable

Mich from ha.cking bought a $25 "S8 data line locator" device -- a cellular spying tool, disguised as a USB cable and marketed to the general public -- and did a teardown of the gadget, offering a glimpse into the world of "trickle down surveillance" where the kinds of surveillance tools used by the NSA are turned into products and sold to randos over the internet for $25.

The S8 uses the GSM cellular network, takes a regular micro-SIM, and works on any of the international GSM bands. You communicate with it by sending it SMSes or by using a web front-end; either can switch on a hidden mic so you can listen in on its surroundings. It can also give a coarse approximation of its location (based on GSM towers, not GPS, and accurate to within about 1.57 km).

The board inside the device combines a MediaTek MT6261MA (a cheap chip used in Chinese smart-watches) and an RDA 6626e (a cellular phone on a chip). These seem to be running the Nucleus Real Time Operating System. The S8 also has a USB passthrough so that its housing can serve as a regular USB cable.

Mich's analysis also spotted some suspicious MMSes that the device sent when it was idle, and though these need further investigation, it might be phoning home to the manufacturer.

The S8 is very similar to the NSA COTTONMOUTH "implant" -- a spying device hidden in a USB cable -- that was revealed in 2013 when a Snowden leak made public the Advanced or Access Network Technology catalog, which the NSA's Tailored Access Operations group published for internal use by NSA operatives.

The device itself is marketed as a location tracker usable in cars, where a thief would not be able to identify the USB cable as a location tracking device. Its malicious use-cases can, however, not be denied, especially since it features no GPS, making its location reporting very coarse (1.57 km deviation in my tests). It can, e.g., be called to listen to a live audio feed from a small microphone within the device, as well as programmed to call back if the sound level surpasses a 45 dB threshold. The fact that the device can be repackaged in its sliding case after configuring it, i.e. inserting a SIM, without any noticeable marks to the packaging suggests its use-case: covert espionage.

Inside a low budget consumer hardware espionage implant [mich/ha.cking]

(via 4 Short Links)
