AMD Launches The Ryzen Threadripper PRO For Workstations


  • #71
    Originally posted by vladpetric

    That's really cool (I mean it), could I ask what you do at work?
    I'm a physicist, but nowadays I'm more doing software engineering stuff. So I don't use that microscope _for_ my work, but if I wanted to have a look at something, that wouldn't be a problem. One learns how to work with those devices at university.


    Originally posted by vladpetric
    For modern chips (sub 28nm technology, let's say), what else could you do?
    You can always do a passive analysis, i.e. check the device's emissions. Does it send something on another frequency? Does it add data on the frequency currently being used? How is its power consumption pattern?

    We're talking about 5G modems, I presume? The question would be: what would that backdoor do? I mean, would it wait for external commands? On what 'channel' would those commands arrive? If not by radio emissions from close-by, how would it communicate home?

    If that device would open a kind of VPN back home, one would probably see a data stream. If it was somehow externally activated, data would need to arrive in the usual way, e.g. via SMS. But then you'd definitely need to know the phone number. Or it would need to be some kind of network broadcast? In any case, this kind of logic would already be firmware. You wouldn't do that in hardware.

    Or are we talking about 5G equipment one would use to build a 5G provider network? That is particularly interesting as from what I've read, even if those devices were very leaky, all customer data one could read was encrypted traffic (at least our mobile phone provider claims this would be the case). From what I've read, firmware for that kind of device needs to be opened up these days.



    • #72
      Originally posted by oleid

      I'm a physicist, but nowadays I'm more doing software engineering stuff. So I don't use that microscope _for_ my work, but if I wanted to have a look at something, that wouldn't be a problem. One learns how to work with those devices at university.




      You can always do a passive analysis, i.e. check the device's emissions. Does it send something on another frequency? Does it add data on the frequency currently being used? How is its power consumption pattern?

      We're talking about 5G modems, I presume? The question would be: what would that backdoor do? I mean, would it wait for external commands? On what 'channel' would those commands arrive? If not by radio emissions from close-by, how would it communicate home?

      If that device would open a kind of VPN back home, one would probably see a data stream. If it was somehow externally activated, data would need to arrive in the usual way, e.g. via SMS. But then you'd definitely need to know the phone number. Or it would need to be some kind of network broadcast? In any case, this kind of logic would already be firmware. You wouldn't do that in hardware.

      Or are we talking about 5G equipment one would use to build a 5G provider network? That is particularly interesting as from what I've read, even if those devices were very leaky, all customer data one could read was encrypted traffic (at least our mobile phone provider claims this would be the case). From what I've read, firmware for that kind of device needs to be opened up these days.
      Well, using radio frequency would make the bug really easily detectable as soon as it gets activated, as you're describing in the above. And once you detect the RF, you can close in on the bug fairly easily. Personally I would do an RF-silent bug that taps into an Ethernet line.

      Anyway, the bug that I mentioned was allegedly placed on Supermicro motherboards. RF wouldn't be that useful because motherboards are enclosed in metal cases - they're not Faraday cages (air ventilation), but nonetheless absorb most of the RF noise produced inside, and would greatly attenuate the signal out of the bug.

      Yes, traffic analysis could identify suspicious traffic, but it's a lot more difficult than an RF sweep. Identifying the actual device is an order of magnitude more difficult - e.g., most would first suspect software as the source of suspicious packets.
      Last edited by vladpetric; 22 July 2020, 10:54 AM.
