Topic: FPGA Export Regulation and "Supply Chain Interdiction"

I just read this nugget in the blog post "Meeting Snowden in Princeton"[0] by Ross Anderson based on discussions about NSA operations:

"The export control mechanisms are also used as an early warning mechanism, to tip off the agency that kit X will be shipped to country Y on date Z. Then the technicians can insert an implant without anyone at the exporting company knowing a thing. This is usually much better than getting stuff Trojanned by the vendor."

This is referring to the targeted interception programs run by some governments[1] and which (maybe!) have been used against Tor developers[2].

I'm curious if the Crowdsupply and Novena folks needed to fill out ITAR or EAR style paperwork as part of customs for Novena hardware, either for the finished boards or for the raw components (particularly the Xilinx FPGA). I assume the assembled bare boards were shipped from Shenzhen to the USA for final boxing and then shipped onward internationally, but the Xilinx components might have been shipped from the USA to Shenzhen at some point.

I don't mean to be negative (ZOMG SPIES!!111!) or suggest that paperwork shouldn't be filed as necessary, i'm just curious if this is even an issue speculatively, as a gedankenexperiment. I've filled out plenty of export paperwork for specific digital components in the past and always just whined about the red tape, but I might think about it differently in the future. Off the top of my head, a way to avoid this on an individual level might be to get sensitive hardware shipped to a domestic friend in the USA and have them hand carry it (by plane?), filling out whatever export duties are necessary (IANAL, don't know if/how this can be done entirely legally). On a regional scale, folks can try to source components and do at least the pick-and-place assembly locally (made much more feasible by Novena being open hardware! <3).


URLs mangled to get around forum restrictions:
[0] /2015/05/02/meeting-snowden-in-princeton/
[1] /tech-policy/2014/05
[2] /node/1311

Re: FPGA Export Regulation and "Supply Chain Interdiction"

Snowden revealed that the NSA did this to Cisco routers. I have read online that Cisco now offers to ship their stuff to/from private addresses. So this method is already in action.

Regarding the Novena I think it would be really hard to create a good working implant for the Novena. The problem is that you have the Schematic, and the case is open. So you can check if what you received matches the schematics. An additional board would probably stick out.

So that leaves implants inside the FPGA or inside the i.MX6. There will not be a mobile phone in them so you will need the support of some kind of software to exploit the implant in the chip.Here again we run Linux on it, not some proprietary OS. So if you want to be super sure remove all the software that was on the Novena and recompile it yourself. And don't use the SSD, there could be something in the SSD Firmware. Then again they could do an evil Maid attack on you. So don't let your novena unwatched in your hotel room.

Another point to consider is the cost/benefit analysis. On the cost side the implant on the Novena is probably much harder to do as on other devices and also easier to detect, especially as most of the Novena users are probably IT Experts. Then due to the crowd funding the NSA probably has the complete list of Novena users. The question is how interesting are we to the NSA ?

Re: FPGA Export Regulation and "Supply Chain Interdiction"

JustAnotherOne wrote:
The question is how interesting are we to the NSA ?

We are all on a list. Some of us are on more than one list.

Re: FPGA Export Regulation and "Supply Chain Interdiction"

There was some nice work integrating an extra CPU inside an RJ45 jack, which would be feasible on Novena. Anything else, probably not - it's a little too exposed. I suppose the WLAN card is perhaps a possible route, too.