The public discovery of FLUXBABBITT, a modestly-clever American spy gadget – that may or may not have been “fired in anger” yet – has provoked the usual flood of media garbage (“JTAG is a Chinese back door! Threat or menace?”). What follows is some basic investigation regarding the plausible workings of this device, based only on:
- The leaked document itself.
- A friend’s disassembled “Dell PowerEdge,” of several years’ vintage.
- Intel’s published documentation for their “XDP” port.
Here is the port in question:
If you doubt your lying eyes, run – not walk – to your server closet and pop a Dell machine of recent manufacture. Remove the cooling duct cover. Look near the rear or front-most edge of the motherboard. You will find a similar picture.
But, threat or menace? Let’s find out; straight from the horse’s mouth:
3.10 Depopulating XDP for Production Units
At some point there may be a desire to remove the debug port from production units. It is recommended that the port real-estate and pads remain in place if they need to be populated for a future problem. Depopulate all physical devices (connector, termination resistors, jumpers) except: Termination of OBSFN_x[0:1] / BPM[4:5]# / PREQ#, PRDY#; Termination of TCK; Termination of TDI; Termination of TMS; Termination of TRSTn.
Not exactly a bog-standard JTAG port (there is, in fact, no particular standard for the socket; only for the bottom layer of the protocol) – from here you can access CPU registers, view and edit the contents of memory, issue bus read/write cycles, etc. AMD includes a similar (though incompatible) port in some of its products.
Presumably, FLUXBABBITT injects a little bit of nasty directly into RAM at boot time – quite like a traditional MBR infector. The somewhat-exotic delivery mechanism is there to counter a possible audit of the system firmware. (Why this audit would not be expected to include a basic physical inspection of the machine’s internals is a question that should be asked of our dear friends at Ft. Meade, not me.)
JTAG and other debug connectors are routinely found in mass-market products. The manufacturer often succumbs to the temptation of shaving a few pennies of unit cost by omitting the actual connector. This is what the leaked document refers to as “depopulated” (in fact, a standard term-of-art in electronics manufacture).
The only thing even vaguely suspicious about Dell’s particular phantom debug port is: the pre-tinned solder pads. This could, however, be a mere artifact of the plating process undergone by the motherboard, rather than a deliberate helping hand for our favourite intelligence agency. (Attaching the missing connector would take all of five minutes for a fellow with a steady hand, a solder paste stencil, and a hot air machine – with or without pre-tinned pads.)
And regarding the doings of spies in general: there is really no limit as to what can be done to a physically-molested computer. Focusing on this particular feature is just the kind of tunnel-vision typical of the Computer Insecurity community.
If you’re wondering why there is no FLUXBABBITT in your own Dell, take comfort: the product is almost certainly obsolete. That is, rendered obsolete by “pwning” at design time. Physical molestation is reserved for archaic or otherwise uncooperative machinery.