Just as a side note: X-raying PCBs and then diffing them against clean PCBs is a worthwhile thing to do if you're concerned about hardware backdoors, or 'interdiction' of hardware in a supply chain. I do this sometimes when ordering super-critical equipment like Thinkpads from the U.S. as you never know what lurks on the motherboard (keyloggers, etc).
I have a clean Thinkpad that I use to compare against potential backdoored devices. So far I haven't spotted any differences in the PCBs. I guess the intelligence agencies have not marked me as important enough to target. That being said, I imagine there are people working in the cryptocurrency space who have a lot to hide (if you own their boxes, you could be looking at thefts worth millions of dollars, or whatever the equivalent is in the cryptocurrency they are developing).
Once you do a thorough sweep and decide one device is clean, all it takes is a small PCB revision and you have to start over. It becomes a very expensive exercise after a point (time and money) that is reserved for the most critical of situations.
The problem is a good hack doesn't need the most critical of situations to succeed. It can creep in through the most innocent cracks and climb its way up the chain.
And some hardware hacks are beyond what a regular X-ray PCB check would outline, like a modified piece of silicon in a chip. X-rays are great for more obvious changes, not necessarily for something that was inserted at the very start of the supply chain.
> X-raying PCBs and then diffing them against clean PCBs is a worthwhile thing to do if you're concerned about hardware backdoors, or 'interdiction' of hardware in a supply chain. I do this sometimes when ordering super-critical equipment like Thinkpads from the U.S. as you never know what lurks on the motherboard (keyloggers, etc).
I'm curious - how does one go about buying or getting access to an x-ray machine (and how much does that cost)?