> At one point, Apple even assigned people to take photographs of motherboards and annotate the function of each chip, explaining why it was supposed to be there.

I have done this before, and we actually found an unspeced part! Thankfully, it was not from a malicious state actor, but just one supplier being creative and not telling anybody. Especially if you don't have an iron grip on your supply chain, you have to be vigilant. As a manufacturer, there are more problems to watch out for than espionage.

This is more common than one would think. I've done something like this several times before, too -- not taking photographs, but reviewing the actual board against the layout and specs. I found unspecced parts twice; the first time it was pretty innocent, just a couple of 0-ohm resistors that weren't marked on the schematics (understandable from ODMs who want to reuse the same design but annoying to debug when it goes wrong). The second time it was a pair of clamping diodes that should have been there from the very beginning (I don't know how it slipped by the initial schematic review; I wasn't working there when it happened). They weren't on any schematics, and when we requested an up-to-date BoM, they were tucked away under another set of diodes, despite being a different part.

I also found parts that had been changed without notice (one of which had the potential to be tons of fun because it was a crystal oscillator with a far worse tolerance than the original).

When the supply chain itself, the management effort and the handling of the supply chain gets so large that it's done almost completely overseas, by a whole team of different people, under constant time pressure and in various degrees of partnerships with other companies (not just those who sell the supplies), these things can slip between the cracks surprisingly easy.

I'm waiting for someone to say that pcb are designed with dummy traces added to allow for manufacturer to make stupid changes without harming anything

Not necessarily for that, but it does routinely happen that an ODM uses the same PCB design for multiple projects. This results in various chips remaining unpopulated, 0-ohm resistors used here and there to route pins to the right peripheral and so on.

As for stupid changes, while I don't remember the details now, I definitely remember drafting at least one schematic that supported accessing the same peripheral in different ways (or something of this type?) because we couldn't figure out the best one (or the right one?) from the datasheet. It's definitely the kind of thing that I'd rather not see in a final design, and which I'd iron out in a subsequent revision, but I suppose if you work under the consumer industry's tight deadlines...

Oh, and of course, some PCB traces literally don't lead anywhere in the connection sense. E.g. guard rings aren't there to connect electronics together. I suppose it wouldn't be hard to mask some malicious connections that way.

Oh yeah, since I started scraping electronics I see how often boards are designed for multiple price points :) there's indeed a lot of place to toy with.

You know, it would be possible to insert a small component between pcb layers too (during pcb manufacture/lamination) if agents were that much determined.

They mentioned that in the Bloomberg article.

This doesn't really mean anything, though. For all we know the "person familiar with the matter" is the same source Bloomberg used in their report. There's still not acknowledgement from Apple in 2016 that anything like this was actually happening.

If you have all the resources of a state actor to accomplish this, it’s owuld not be a chip on the motherboard, it would be a set of circuits in the motherboard.

Why make something easy to photograph when you can embed it an area that can only be seen in an x-ray?

That’s how I’d do it at least.

The original Bloomberg article said some of the chips were so thin they were sandwiched between PCB layers.

Or just replace an existing chip, which is the most logical way to do it...

Altering the flash chip would be too obvious. It's a textbook 101 supply chain attack... Looking at the flash image (dumping it) or chip (x-raying it) would be the first thing anyone would do if they suspected something fishy. A tiny SPI man-in-the-middle chip sandwiched between the PCB fiberglass layers is a lot more discrete and more generic (same MitM chip fiddling with transmitted bytes can attack many different flash platforms, regardless of the sizes/pinouts/footprints of the flash chips).

That seemed to match the lightbluetouchpaper description - the "hack chip" goes where the optional legacy (non-quad) SPI chip would go.

Given the size estimation, it wouldn’t cover the whole footprint.

But... why put it on an unpopulated footprint. Why not just replace the original Quad SPI IC with a backdoored device?

What do you then do when they upgrade/change the Quad SPI IC? A separate chip means a stable interface they can conform to.

How do you know they don't do that too? This is just one news story, from one manufacturer.

I’m mean they could do that too... but why do this weirdly awkward thing described by Bloomberg at all?

It’s not like doing both is extra sure, it’s just weirdly difficult and more easily detectable to do it in the way described.

Or even, why make it visible on an x-ray when you could make it only visible on a microscope after cutting open an IC?

  > suspected

  > to prevent

Considering the article is credible, it doesn't mean Apple has found anything, it only means they were being cautious,

Reading this makes me understand the decision about them licking down on repairs a little more. If a Mac won’t boot because of tampering (repairing) then it essentially solves this problem. I’m a little conflicted if it’s the case as I think we have the right to repair our own devices but distrust of any state actors (locally and internationally) is also pretty high.