Using QFIRE, NSA exploits security holes and even uses the occasional drone to harvest the data of billions of users

The National Security Agency (NSA) this week admitted that it's collecting Americans' metadata via bulk warrants from secret courts.  But it claims that it isn't collecting anything else.  We now have ample evidence -- thanks again to leaker Edward Snowden -- that suggests that claim is false.
I. Spy State
Americans need to read these accounts very carefully, particularly as we now have direct government documents.  For all the NSA's attempts to hide the truth, it was unable to do so.  Now we have the facts.
At a weekend Chaos Communications Congress event in Hamburg, sponsored by Germany's (in)famous Chaos Computer Club, Jacob Appelbaum delivered a speech detailing techniques he believes the U.S. National Security Agency (NSA) is using in its campaign to spy on not only Americans, but the entire world.

NSA Amazon and Newegg
The NSA routinely intercepts packages via programs like ANT, and implants inexpensive spy devices to spy on Americans.

According to Mr. Appelbaum, the NSA -- while not above carelessness and using "dumb" exploits -- has developed a set of unmatched capabilities that make it the most powerful entity in the world, eclipsing any other entity in the U.S. government.
II. Meet Your Worst Nightmare
Mr. Appelbaum is no novice to computer security.  He co-developed the Tor "onion routing" network and was hired by the University of Washington (UW) to protect critical state medical records.
He told attendees at his morning "To Protect and Infect: The Militarization of the Internet (Part II)" talk (a last minute surprise addition):

I'm going to talk today a little bit about some things that we've heard about at the conference and I'm going to talk a bit about some things that you probably have not ever heard of in your life and are probably worse than some of your worst nightmares.

After co-authoring a recent piece in Der Spiegel revealing the NSA routinely intercepted Americans' electronics to plant spying devices in them, he revealed fresh details at this keynote of the NSA's spying capabilities. 

Jacob Appelbaum
Jacob Appelbaum's CCC talk follows his high profile exposé/analysis piece in Der Spiegel.

In his talk, Mr. Appelbaum explains the danger of NSA spying, discussing the story of Rafael, a journalist in Angola.  He found that the government had implanted a screengrab program on Rafael's machine.  Rafael was an investigative journalist exposing government corruption.  Unfortunately, his machine was safeguarded too late.  He was arrested and charged with espionage crimes.  Mr. Appelbaum describes:

When you mess with a military dictatorship, it messes with you back.  So even though that's one of the lamest backdoors his life is under threat.  So just simple things can cause serious serious harm to regular people who are working for some kind of truth telling.

Incidentally, the administration of President Barack Obama (D) has charged more than twice as many whistleblowers with Espionage Act (18 U.S.C. § 792) offenses as all the previous administrations before him (since the Act was passed in 1917) combined, according to The Guardian.

Jacob Appelbaum
Jacob Appelbaum has seen digital spying lead to tragic consequences. [Image Source: YouTube]

It has also spearheaded secret programs to monitor dozens of Associated Press phone lines and spy on a Fox News journalist, allegedly in order to investigate "leaks".  The administration has thus far stopped short of indulging the noisy cries of Rep. Peter Thomas King (R-N.Y., 2nd District) and his anti-free media cohorts (who want to charge journalists for investigative journalism), but given past behavior it would not be surprising to see similar harassment occur here in the states at some point.
III. Meet QFIRE and its Minions TURBINE and TURMOIL
The NSA data collection collective falls under a massive surveillance effort called "TURMOIL". 


Mr. Appelbaum comments on the NSA definition of surveillance:

If I ran a TURMOIL collection system -- that is passive signals systems collecting data from the whole planet, everywhere they possibly can -- I would go to prison for the rest of my life. 

That's the balance right. Jefferson talks about this, he says, "That which the government is allowed to do that you are not, this is a tyranny."

There are some exceptions to that, but the CFAA in the United States (that's the Computer Fraud and Abuse Act), you know it's so draconian for regular people.  And the NSA gets to do something like intercepting 7 billion people all day long with no problems and the rest of us are not even allowed to experiment for improving the security of our own lives without being put in prison, or under threat of serious indictment.

Alarmingly, multiple sources -- including Mr. Appelbaum -- are reporting that sources within the intelligence community have revealed that the collected data from TURMOIL is stored for 15 years.

NSA Deep Storage

He confirms, "That includes content as well as metadata."
That means that every American's data is sitting in a treasure trove, just waiting to be compromised or exploited by criminals or future political regimes.  The NSA says it only temporarily stores the metadata it collects from American networks and does not spy on Americans.
Well, we now know that "temporarily" in NSA-speak means "15 years" just like "collect, not spy" translates (roughly) to "spy". 
IV. NSA Uses Foreign Servers to Attack Americans, Collect Their Data
Most of this data also passes through foreign servers, as the NSA uses (perhaps for legal reasons) foreign servers for many of its attacks on U.S. citizens.
TURMOIL is complemented by "TURBINE".  While TURMOIL uses deep packet inspection, TURBINE is active, using deep packet injection.  TURBINE allows the NSA to use ultra-fast communications lines to take your internet requests, grab the requested data, and pass it to you before the legitimate provider's response arrives, so it doesn't even appear the NSA is monitoring the network.
Mr. Appelbaum likens this to the NSA "beating the speed of light".

Turmoil and QFire

Together TURMOIL and TURBINE form QFIRE, a complete universal hacking and surveillance system used by the NSA.  This system still remains heavily classified and denied by the NSA, which has only started to acknowledge some of the passive sensor (TURMOIL) side capabilities, which it has downplayed.

Nokia hundred dollar bill
The Founding Fathers paid a price in blood to free America of "general searches" (i.e. mass warrants).  And they warned their descendants that if they allowed such practices to reappear in the name of national security they would have neither freedom nor safety. [Image Source: U.S. Treasury]

"This is turnkey tyranny and it's not that it's coming, it's that it's actually here," he warns.
V. And the NSA Really is Watching Some of us
The NSA's QUANTUM THEORY program has effectively automated TURMOIL and TURBINE to scan the plaintext that it's harvesting off the internet and automatically initiate attacks on networks of interest -- sort of like a SkyNet in the real world.  Searching this data set is currently done by traditional means, but in the long term the NSA wants to use quantum computers to gain instant search access to the data set, as the name of the program implies.
Such "untasked targeting" does not specifically target individuals, but rather runs automated attacks on anyone who visits certain sites, such as websites affiliated with Islamic religion, culture, or thought.  Mr. Appelbaum says this system is sort of like internet carpet-bombing.
According to Mr. Appelbaum, The New York Times, and Der Spiegel NSA employees even made a "LOLCat" joking about what they are doing:

NSA Quantum LOLCat
[Image Source: NSA employees via Der Spiegel/Appelbaum]

You can't say NSA employees don't have a sense of humor.  They're right there laughing with us (or at us?) about the irony of what they're doing.
Speaking of "what they're doing", he showed a post-collection (TURMOIL), post-attack (TURBINE) program dubbed MARINA, which we've seen around before.  Notably, MARINA appears to be taking pictures of people -- including U.S. citizens and citizens in ally states -- using laptop webcams.

Marina spying
MARINA software helps the NSA watch you on your webcam.

So it sounds like Big Brother really is watching us -- or some of us, at least.
This isn't particularly surprising, perhaps.  We've seen similar tactics used by private sector criminals.  

FBI tracking
The DHS and FBI want to be able to identify all Americans in public locations in real time to combat "terrorism" and other crimes. [Image Source: Hang the Bankers]

The NSA and its contractors like Raytheon Comp. (RTN) are working to develop facial recognition coupled with deep data-mining query software that can instantly recognize people worldwide using pictures collected through unauthorized access and other pictures found unprotected on the internet.
VI. The Ultimate Cybersquatter
And you thought Google Inc.'s (GOOG) Street View data collection was bad -- it turns out the NSA performs similar data gathering, but unlike Google they don't stop at unencrypted networks.
In its data collection efforts, the NSA reportedly regularly monitors and cracks password-protected citizen networks using the growing army of domestic drones or a surveillance van, using powered antennas to boost faint signals.  Basically, according to Mr. Appelbaum, the NSA is only limited by budget in its data collection, and it's been quite clever in making sure even budget does not stop it from harvesting most of the world's meaningful data.

Stalker Drone
The Stalker Drone uses periodic laser recharges to stay aloft for continuous surveillance.
[Image Source: LaserMotive]

He comments:

I've heard that they actually put this hardware -- from sources inside the NSA and inside other intelligence agencies -- that they actually put this kind of hardware inside drones. 

So that they fly them over areas they're interested in and they do mass exploitation of people.  We don't have a document that substantiates that part; but we do have this document, which claims that they've done it from up to eight miles away.

That's a real interesting thing because it tells us that they understand that common wireless cards -- probably running Microsoft Windows, which is an American company -- that they know about vulnerabilities and they keep them secret to use them.  

This is part of a constant theme of sabotaging and undermining American companies and American ingenuity. As an American, while generally not a nationalist I find this disgusting, especially as someone that writes free software and would like my tax dollars spent on improving these things. And when they know about them I don't want them to keep it a secret because all of us are vulnerable.  It's a really scary thing.

For these attacks the NSA uses a government equivalent of the popular hacker/cybercrime/pen testing tool Metasploit on a Fedora Core 3 Linux laptop.  It calls these laptops "NIGHTSTAND" and brags "Attack is undetectable by the user."


This isn't terribly surprising given that amateur hackers have been cracking Wi-Fi networks a mile or two away from their homes for some time now.  A patient attacker can crack even encrypted networks.  Amateur hackers regularly penetrate WEP-encrypted networks, leveraging weak IVs and key repetition.  Even certain WPA network encryption schemes are vulnerable to compromise.
But what is a bit surprising is the range of the NSA's capabilities.  According to Mr. Appelbaum, documents indicate agents can target networks up to 8 miles away.  They're likely using a powered dish and a lot of signal amplification -- but it's still a pretty impressive feat from a technical perspective, even if it may be bad news for Americans.

free wi-fi
[Image Source: Elite Daily]

NIGHTSTAND is believed to exploit kernel vulnerabilities.  Mr. Appelbaum claims that he and his colleagues have set up honeypot machines at their home bases and have seen them inundated with kernel panics that are telltale signs of the flaws exploited by the NSA.  So he says that it's no longer just talk of the "war coming home".
VII. Unmatched Penetration
According to him, the NSA has zero day vulnerabilities on hand that allow it to penetrate virtually any Wi-Fi router, Windows PC, external storage device, server, tablet, or smartphone.

Jacob Appelbaum
The NSA can penetrate virtually any device and routinely does, says Mr. Appelbaum.

Rather than give this data to private sector firms to offer increased security to users, the NSA turns around and exploits these flaws to spy on everyone -- sort of a digital equivalent of "sometimes you have to burn a village to save it."
The NSA calls its attack toolkit "FOXACID". 
FOXACID is packed with "QUANTUM" tools, which are NSA's digital lockpicks.  Like many clumsy picks, they can damage the lock they attack, but it appears the NSA isn't terribly concerned about that.

QUANTUM toolkit
QUANTUM and FOXACID are used to compromise billions of users worldwide, in part by impersonating American corporations.

FOXACID includes QUANTUMTHEORY -- a set of physical attack tools that generally are quantum in name only.  The devices in this part of the kit include so-called "SEASONEDMOTHS" (SMOTHS, for short) hardware "implants" that the NSA attaches to target machines after intercepting them.  SMOTHS are remarkable in that they are self-destructing bugs; they simply stop working after 30 days.  Literally it's like something out of Get Smart or, to borrow Mr. Appelbaum's example, science fiction writer Philip K. Dick's dystopian futurist visions.
Then there's QUANTUMNATION, which includes memory-injection style software attack tools VALIDATOR and COMMANDEER.  Effectively these tools first try to check if your computer is running any sort of security software that would detect its activity.  If not, they "send in the troops" forcing citizens to provide digital quarter for NSA's military-grade malware.

FOXACID has many ways to skin the cat, if the cat happens to be your digital security measures.

Examples of zero-day software/malware attacks shown come from a 2007 brochure, which includes zero-day vulnerabilities on GSM (3G) smartphone data networks (e.g. phones on AT&T Inc. (T)) and on the OS of Apple, Inc. (AAPL) iPhone, iOS.
The brochure he referenced dates back to 2007, so the NSA likely has moved on since to exploits of more modern standards like LTE and new platforms like Google Inc.'s (GOOG) Android.

Obama iOS

It appears the NSA was a bit ahead of the curve on GSM cracking, as well.  Equipment to penetrate GSM networks began to pop up a year later in 2008, and a year later the 64-bit implementation of the standard was deemed fully insecure.  Cellular providers responded by trying to beef up encryption to 128-bits, but that too was cracked a year later.
In addition to physical bugs and malware, the NSA has QUANTUMBOT, a toolkit that hijacks IRC bots (infected user computers) in an imperceptible way in order to spy on them.  Ironically this means that the NSA could stop a good deal of distributed denial of service (DDoS) attacks, but it chooses not to, so that it can use the botnet's criminal doors to spy on people.
VIII. NSA Hopes to Take You For a "Bareback Ride"
QUANTUMCOPPER is even trickier.  It interferes with TCP/IP, offering effectively a "kill switch" for the internet.  Mr. Appelbaum likens this to a one up of China's "Great Firewall", as the U.S. "Great Firewall of Earth" in the sense that the NSA could force anyone connecting to anonymity software globally to reset their machine, exposing them.
Mr. Appelbaum quips, "I'm sure they only use it for good."
QUANTUMINSERTION takes the manipulation of TCP/IP a step further, allowing it to be used to perform "man on the side" attacks -- the "light speed"-beating attacks previously mentioned, which are used in the TURMOIL program to serve malicious copies of popular webpages to users.  Near-identical versions of websites can distribute software to users that bundles a little extra goodie for the victim -- NSA malware.
TLS (encryption) could end this kind of attack, but plain "http" offers no such protections.  As Mr. Appelbaum says, "When you bareback with the internet, you ride with the NSA... or you're getting a ride ... or you're going for a ride."
TAO (Tailored Access Operations) agents use the global data fishing operation to find targets, and then launch automated -- and in some cases manual -- attacks via packet exploitation through QUANTUMINSERTION and FOXACID URLs.  Due to careless programming errors in the NSA's Python codebase, some FOXACID URLs are actually publicly visible, masquerading as Apache servers.
CNN is among the sites that are commonly spoofed by the NSA, according to documents and exposed code.  The FOXACID/QUANTUMINSERTION system inserts an invisible iframe into the normal CNN front page, causing it to load resources.  These resources scan your computer to determine if it's attackable.  If it can be attacked, the system then attacks you.
Many of these attacks rely on SSOs -- local outposts of the NSA.  By serving data requests for American websites directly from local sites, the NSA has a significant chance of beating the legitimate site packets.  The NSA may use similar tactics on a state-by-state basis to compromise domestic traffic.
Basically, the NSA impersonates American businesses, without permission, on a massive and malicious scale.
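The man-on-the-side race described above leaves a footprint a passive sensor can look for: the injector must send a segment carrying the sequence number the real server is about to use, so the sensor sees two segments for the same flow and sequence number with different contents, and usually a different IP TTL because the forged packet took a different path. The following detector is an added example written for this article, not code from the talk or from any NSA document; the packet records, addresses (TEST-NET ranges) and the injected iframe body are constructed for illustration, and a benign retransmission is included to show that identical duplicates are not flagged.

```python
"""Spot TCP segments that look injected by a man-on-the-side attacker.

Added example (not from the article or any NSA document). The heuristic:
two segments in the same direction of one flow, with the same sequence
number, arriving close together, whose payload or IP TTL differ. A genuine
retransmission repeats payload and TTL exactly and is left alone.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float          # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int           # TCP sequence number
    ttl: int           # IP TTL as observed by the sensor
    payload: bytes


def find_injection_candidates(segments, window=2.0):
    """Return (earlier, later) pairs sharing flow + seq but differing in
    payload or TTL, where the later one arrived within `window` seconds."""
    seen = defaultdict(list)          # (src, sport, dst, dport, seq) -> segments
    alerts = []
    for seg in sorted(segments, key=lambda s: s.ts):
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        for earlier in seen[key]:
            close_in_time = seg.ts - earlier.ts <= window
            differs = earlier.payload != seg.payload or earlier.ttl != seg.ttl
            if close_in_time and differs:
                alerts.append((earlier, seg))
        seen[key].append(seg)
    return alerts


def describe(alert):
    """One-line, human-readable summary of a candidate pair."""
    earlier, later = alert
    gap_ms = (later.ts - earlier.ts) * 1000
    return (f"{earlier.src}:{earlier.sport} -> {earlier.dst}:{earlier.dport} "
            f"seq={earlier.seq}: first ttl={earlier.ttl} len={len(earlier.payload)}, "
            f"second ttl={later.ttl} len={len(later.payload)} ({gap_ms:.0f} ms apart)")


# Constructed sample capture (hypothetical addresses from TEST-NET ranges).
SERVER, CLIENT = "203.0.113.10", "192.0.2.5"
REAL_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body>news</body></html>")
INJECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body><iframe src=\"http://redirector.invalid/\" "
            b"width=0 height=0></iframe></body></html>")

SAMPLE_CAPTURE = [
    Segment(0.000, CLIENT, 51514, SERVER, 80, 1000, 64,
            b"GET / HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    # Forged reply wins the race: arrives first, different TTL, different body.
    Segment(0.012, SERVER, 80, CLIENT, 51514, 5000, 61, INJECTED),
    Segment(0.041, SERVER, 80, CLIENT, 51514, 5000, 52, REAL_PAGE),
    # Benign retransmission of a later segment: identical payload and TTL.
    Segment(0.300, SERVER, 80, CLIENT, 51514, 5080, 52, b"tail-of-page"),
    Segment(0.550, SERVER, 80, CLIENT, 51514, 5080, 52, b"tail-of-page"),
]

if __name__ == "__main__":
    for alert in find_injection_candidates(SAMPLE_CAPTURE):
        print(describe(alert))
```

On the sample capture only the seq=5000 pair is reported (TTL 61 then 52, the first carrying the hidden iframe); the retransmitted "tail-of-page" segments are ignored. Real deployments key on the same signal but also have to tolerate legitimate TTL changes from multipath routing and partial retransmissions, so this is a triage heuristic, not a verdict.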

SOMBERKNAVE can even penetrate air-gapped networks.

Even airgapped targets are not immune.  The NSA uses special software called SOMBERKNAVE.  SOMBERKNAVE works with implanted machines to defeat airgapped networks.  It does this by using the sabotaged device to resend data via its latent Wi-Fi card, which appears to be turned off.
Some of the remaining deep-penetration tools used by the NSA will ring familiar -- OLYMPUS, UNITEDRAKE, STUXNET.
IX. NSA and British Digital Spies Team up to Spy on Everyone, Deploy Fake Base Stations
If data can travel to a wireless router, it's then "phoned home" to the NSA.  The only way of defeating this scheme is to physically destroy wireless transmitters in air-gapped deployments and separate them from Wi-Fi access points as an extra precaution (although the NSA could potentially deploy unwanted local access points, if it was extra eager).
But even the NSA has trouble gaining access now and then.  According to Mr. Appelbaum, in particular they have trouble gaining access to Gmail, Google's popular email service.  Rather than simply giving up, and being unable to spy on many Americans' digital lives, the NSA recruits a buddy.
That buddy happens to be the land of King George, America's old imperial masters -- the UK.  It turns out the UK's NSA counterpart, the Government Communications Headquarters (GCHQ), can squirrel into U.S. Gmail accounts.  So the NSA agent simply fills out a special form and *whammo* a handy foreign ally is now helping it spy on that American.

UK police
Britain's secret police are less legally constrained than the NSA, even. [Image Source: Reuters]

But that help doesn't come free to the taxpayer or the NSA.  As Mr. Appelbaum explains, "Information is a currency in an unregulated market."
The U.S. and Britain trade favors, but they both need each other to pull off a particularly wild spying feat -- deploying fake cell phone towers around the world.  These towers are real in the sense that they look innocent and route exactly like commercial towers.  But again, they impersonate local businesses in the U.S. and abroad, rerouting traffic for themselves.
X. Fake Base Towers
The fake base towers allow not only the collection of data, but they also allow the pinpointing of locations of American citizens and foreigners.
According to Mr. Appelbaum, they can be located via careful inspection of routing of emergency or information phone calls.  But the dead giveaway occurred when the U.S. and Britain tried to spy on Julian Assange at the Ecuadorian embassy where he has asylum in the UK.  The giveaway part came when they forgot to reconfigure the server, which was previously deployed in Uganda.  Callers at the embassy began to notice their calls being routed through a base station identifying itself as in "Uganda".
The UK and U.S. tried to suppress this little *whoopsie* but eventually coverage began to emerge, thanks to confidential sources who revealed the base station was a malicious stand-in, such as the Typhon HX BSR (base station receiver) that the NSA uses.

Typhon BSR

The NSA is spending our money on these fake stations.  One base station costs $175,800 USD, so likely they're only deployed sparingly in densely populated locations (U.S. and foreign cities) or locations of interest (e.g. near embassies or government offices in ally states).
XI. Corporations May be Complicit
Earlier today we learned that the NSA was routinely intercepting shipments or detaining investigation "suspects" and installing bugs in their devices.
What is especially novel about this scheme is that it uses not only physical bugs and traditional malware; it also uses "BADBIOS".  Dubbed "STUCCOMONTANA", this replacement firmware is essentially the normal device firmware with a rootkit/data logger built in.


Affected devices include:
  • Microsoft
    • Xboxes
    • Windows CE Thurayaphones
  • Apple
    • iPhones
    • iPads
  • Servers from:
    • Dell (PowerEdge)
    • Hewlett-Packard Comp. (HPQ) (Proliant)
  • Routers from:
    • Juniper Networks, Inc. (JNPR)
    • Cisco Systems, Inc. (CSCO)
    • Huawei Technologies Comp. (SHE:002502)
  • Hard drives and external storage solutions by:
    • Western Digital Corp. (WDC)
    • Seagate Technology PLC (STX) (and its Maxtor brand)
    • Samsung Electronics Comp., Ltd. (KSC:005930)
Mr. Appelbaum implies that in many cases the government's ability to have such perfect drop in replacements of closed source firmware was likely only possible via corporate cooperation.  He comments:

We're going to name a bunch of companies, because, basically f--k those guys for collaborating when they do and f--k them for leaving us vulnerable when they do.

And I mean that in the most loving way, because some of them are victims, actually.  It's important to note that we don't yet understand which is which.  So it's important to name them so that they have to go on record.  So they have to say where they are.  And so that they can give us enough rope to hang themselves.  I really want that to happen because it's important to note who collaborated and who didn't collaborate.

In some cases, he claims, the NSA goes as far as to "blackbag" people, which means sending agents out into the field to break into people's homes and replace their gadgets with compromised replacements.  He claims some security professionals have been targeted by such NSA attacks.
He admits that it's difficult to substantiate these claims, as the program appears quite unprecedented.  No one before has had the legal leverage or money to be able to convince dozens of OEMs to give up their firmware source code.  There are rumors of companies offering backdoors for cash, but to hand over an entire device's driving code -- that is quite unprecedented.
Computer experts, including Mr. Appelbaum say it will take some time to inspect various commercial products (particularly those of investigation targets) and determine which devices have BADBIOS.  Mr. Appelbaum himself was detained several times and had devices returned to him.  He is convinced that some of these devices may have been compromised via the STUCCOMONTANA/BADBIOS kits.
Such malicious firmware can be identified, in some cases, by telltale signs.  Among these are RC6 constants sniffed in the internet traffic.  Excessive encrypted UDP packet communication is another sign.
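The two indicators just named can be turned into a simple network-side check. The script below is an added example for this article, not code from the talk; it searches packet payloads for the RC6 key-schedule constants P32 and Q32 (the published values from the RC6 specification, tested in both byte orders since the implant's word layout is unknown) and estimates how many UDP payloads look encrypted using Shannon entropy. The entropy threshold, the minimum payload length, the UDP ratio and the sample packets are assumptions constructed for illustration.

```python
"""Flag two traffic indicators of malicious firmware: RC6 constants in
payloads and an unusual share of high-entropy (encrypted-looking) UDP.

Added example (not from the article). RC6_P32 / RC6_Q32 are the RC6
key-schedule "magic" constants; everything else below is an assumption.
"""
import math
import struct
from collections import Counter

RC6_P32 = 0xB7E15163   # Odd((e - 2) * 2^32)
RC6_Q32 = 0x9E3779B9   # Odd((phi - 1) * 2^32)

# Check both byte orders: we cannot assume how the implant lays out words.
RC6_SIGNATURES = {
    "P32-le": struct.pack("<I", RC6_P32), "P32-be": struct.pack(">I", RC6_P32),
    "Q32-le": struct.pack("<I", RC6_Q32), "Q32-be": struct.pack(">I", RC6_Q32),
}


def find_rc6_constants(payload: bytes):
    """Names of RC6 constants found anywhere in the payload (sorted)."""
    return sorted(name for name, sig in RC6_SIGNATURES.items() if sig in payload)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(packets, entropy_threshold=7.5, min_len=64, udp_ratio_threshold=0.5):
    """packets: iterable of (proto, payload). Returns a findings dict.

    A UDP payload counts as 'encrypted-looking' when it is at least min_len
    bytes and its entropy reaches entropy_threshold (assumed thresholds)."""
    rc6_hits, udp_total, udp_encrypted = [], 0, 0
    for index, (proto, payload) in enumerate(packets):
        hits = find_rc6_constants(payload)
        if hits:
            rc6_hits.append((index, proto, hits))
        if proto == "udp":
            udp_total += 1
            if len(payload) >= min_len and shannon_entropy(payload) >= entropy_threshold:
                udp_encrypted += 1
    ratio = udp_encrypted / udp_total if udp_total else 0.0
    return {
        "rc6_hits": rc6_hits,
        "udp_total": udp_total,
        "udp_encrypted": udp_encrypted,
        "udp_encrypted_ratio": ratio,
        "suspicious_udp": udp_total > 0 and ratio >= udp_ratio_threshold,
    }


# Constructed sample traffic (hypothetical; not captured from any real device).
DNS_LIKE = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
            b"\x07example\x03com\x00\x00\x01\x00\x01")              # short, low entropy
SIP_LIKE = (b"OPTIONS sip:host.example SIP/2.0\r\nVia: SIP/2.0/UDP "
            b"192.0.2.9:5060\r\nMax-Forwards: 70\r\n\r\n")          # text, low entropy
ENCRYPTED_LOOKING = bytes(range(256)) * 2                           # entropy exactly 8.0
TCP_WITH_RC6 = b"\x00" * 16 + struct.pack("<I", RC6_P32) + b"\x00" * 16

SAMPLE_PACKETS = [
    ("udp", DNS_LIKE),
    ("udp", SIP_LIKE),
    ("udp", ENCRYPTED_LOOKING),
    ("udp", ENCRYPTED_LOOKING),
    ("udp", ENCRYPTED_LOOKING),
    ("tcp", TCP_WITH_RC6),
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PACKETS).items():
        print(f"{key}: {value}")
```

On the constructed sample, three of five UDP payloads are encrypted-looking (ratio 0.6) and the TCP payload trips the little-endian P32 signature. Note that ordinary encrypted protocols (DTLS, QUIC, WireGuard) also produce high-entropy UDP, so the ratio is only meaningful against a baseline of what the host normally speaks.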
XII. Sabotaging Your OS
When it comes to hard drives, some attacks occur at the OS level.  The NSA has a special flavor of BADBIOS dubbed "SWAP", which it installs via "TWISTEDKILT" software.  SWAP strips away disk protections and visibility restrictions that allow only the host machine to see the disk.

SWAP compromises your hard drives.

Among the OSs targeted are FreeBSD and Solaris.  Mr. Appelbaum jabs,

How many al-Qaeda people use Solaris?  This tells you a really important point.  They're interested in compromising the infrastructure of systems; not just individual people.  They want to take control and literally colonize those systems with these implants.  And that's not part of the discussion.  People aren't talking about that because they don't know about that yet.  But they should be talking about that.


Note by "interdiction" he says the government is basically saying "we stole your f--king mail".
In other words, this is the interception-type exploit that was written about.  This makes sense, as hard drives would be one of the quickest, easiest, and smallest shipped products to target.  He says the NSA is essentially attacking every option American public and corporate users have.
He claims that the NSA actually intercepts some computer shipments and injection molds components into holes drilled in your computer case (more on this later).  That way even if the motherboard is serviced or replaced, it can be retargeted by the chip lurking in your case.
XIII. IRATEMONK "Owns" Hard Drives
In terms of hard drive attacks, another favorite tool of the NSA is IRATEMONK.  The taxpayers got a deal here, as the hard drive makers reportedly offered the NSA this malicious replacement firmware for free.


IRATEMONK can survive hard drive wipes and virtually any other cleaning procedure.


Basically the only way to rid yourself of it is to ditch the drive and hope you don't get shipped another infected one.
XIV. Infecting Dell and HP Servers
Dell PowerEdge servers (clearly an oft-used tool by al-Qaeda) have a malicious firmware replacement called DEITYBOUNCE, which offers full rootkit access for all the hosted sessions on the server.  This is important, as Dell is one of the world's most used server brands, heavily used in U.S. and European hosting facilities.

Cracking Dell PowerEdge servers is fun and easy with DEITYBOUNCE.

Dell conveniently left a JTAG debugging port "accidentally" lingering around, which the NSA is actively exploiting via its "GODSURGE" bug.


Here's a short list of some of the targetable Dell server products:


Note that it only costs $500 USD per server to compromise. 
HP servers are sabotaged slightly differently, with an implant-based backdoor.  This suggests that HP might not have been quite as willing to cooperate with the NSA as Dell.
XV. NSA Can Compromise Every iOS Device "Always"
iPhones are infected with the DROPOUTJEEP replacement firmware.  Again, you know how much terrorists love to use iPhones.  Perhaps that's part of why Apple says that user-created replacement firmware is a "threat to national security" -- if jailbreakers patch iPhone flaws, it's a lot harder for apps like DROPOUTJEEP to spy on users via intentional backdoors, which the jailbreakers may use and then patch.
DROPOUTJEEP is one app in a collection of phone-related BADBIOS, nicknamed CHIMNEYPOOL.
With DROPOUTJEEP, the NSA can not only check your contacts, read your SMS (texts), and listen to your voicemail -- it can also remotely activate your microphone (so-called "hot microphone" tech.) and track your location.

Dropout jeep
Well, looks like the NSA can spy on your location.

If nothing else, this slide should again definitively prove the NSA has lied yet again, not only to Americans, but to Congress.  It told Congress that it did not track locations -- in fact one judge recently dismissed a suit against the NSA partly on blind belief on those grounds.  But it appears that the NSA is simply lying; in many cases it is getting Americans' location data.


Mr. Appelbaum strongly implies that Apple is collaborating with the U.S. government as the NSA claims its malware attacks on Apple devices "never fail".
He comments:

Here's the problem... I don't really believe that Apple didn't help them.  I can't prove it yet... Either they have a huge collection of exploits that work against Apple products, meaning they are hoarding information about critical systems that American companies produce and sabotage them.  Or Apple is sabotaging them themselves.

I'd like to believe that since Apple didn't join the prison program till after Steve Jobs died that maybe it's just that they write sh-ty software.  We know that's true.

It should be interesting to see how Apple responds.
XVI. Other Phones Targeted as Well
Windows CE Thuraya phones (a popular brand of satellite phones) can be targeted by TOTECHASER command and control replacement firmware.  It's worth noting that unlike most of the aforementioned products, Thuraya phones are heavily used in the Middle East, and the company is based in the United Arab Emirates.  In that regard, it might possibly be the most reasonable target on this list, which is populated primarily with U.S. products.
The NSA even has malware that can squeeze into SIM cards.  This malware echoes an attack shown by hackers Karsten Nohl and Luca Melette earlier this year -- an attack the NSA said would be "impossible" to occur in the wild.  Forbes in a headline from July wrote "SIM Cards Have Finally Been Hacked, And The Flaw Could Affect Millions Of Phones".

NSA Sim Card attack

But it turns out the NSA knew about this flaw for years and left it unfixed so they could continue to hack peoples' phones.  The NSA calls this software MONKEYCALENDAR.

Here's an NSA flow chart of the attack process:


... note that the victim device begins to send out encrypted SMS texts.

NSA Texts

Strangely, the NSA's documents reveal that its "favorite spy phone" to receive these texts is the ancient clamshell SGH-X480C.
Samsung SGH-X480C

XVII. Implants -- Sci-Fi Stuff

But the NSA doesn't stop at mere compromise of existing hardware.  It goes as far as to create its own attack hardware in many cases.  There's a rich variety of attack devices used by the agency.

Hardware implants

These implants pack built-in Wi-Fi, and hence can exploit even air-gapped networks.  They literally include a little radio frequency broadcaster packed into a variety of firmware.

Newegg NSA
[Image Source: Jason Mick; original: Maximum PC]

They're kind of like a far worse version of that "malicious iPhone charger" that hackers prototyped earlier this year, but was deemed unlikely to occur commonly in the wild.

One such implant is BULLDOZER -- a PCI express implant that hangs around on your bus, providing a backdoor to the NSA.


Bulldozer talks to the motherboard using a program called IRONCHEF, which allows full monitoring and even control of the target machine.


There's even a handy-dandy I2C implant (a rarely used motherboard port) that can chat with the motherboard BIOS as well, via its own onboard IRONCHEF implementation.


XVIII. USB Bugs -- Old and New

We already mentioned COTTONMOUTH, and were met with skepticism.  In our last piece one user, Samus, wrote:

Really Jason...the NSA is intercepting mail now? To bug it? What the fuck drugs are you on? This is so far fetched; the bone has left orbit.

Well, the answer must be "whatever drugs help you see reality" as COTTONMOUTH is indeed real.  Here's an NSA picture of it.

Cottonmouth receiver

The NSA can afford spying aplenty, thanks to its use of cheap, untraceable components.  Documents (below) show the plugs cost taxpayers about $20 apiece (kind of funny since the NSA claims it's built with "common" components) -- an order of 50 runs $1.015K USD.  The NSA calls its software used to talk to the motherboard STRAITBIZARRE and the internals of the plug TRINITY (yes, we know, acronym overload).


And that's just the old model.  With the new model you can't even see the transmitter board as it's directly within the metal plug housing.  It uses a new type of wireless transmitter called a "Howler Monkey" chip.


Here's a little guide to COTTONMOUTH II.


Because of that fancy HOWLERMONKEY chip, COTTONMOUTH II (CM-II) is a lot more expensive.  50 units fetches $200,000 USD -- or rough $4,000 USD per unit.

Cottonmouth II

That may seem like a lot to spy on everyone, but clearly the NSA spares no expense.
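As an added example (not code from the ANT documents or from Mr. Appelbaum's talk), here is a small inventory-drift check for the two bus-attached implant types discussed above, the PCI-bus implants such as BULLDOZER and the USB plugs such as COTTONMOUTH: snapshot `lspci -nn` and `lsusb` output on a known-clean machine, then diff later snapshots against it.  The sample outputs and the `1234:5678` / `abcd:0001` device IDs are constructed placeholders.

```python
"""Bus-inventory drift check against a trusted baseline.

Added example, not code from the NSA documents or from the talk.
Premise: a PCI implant like BULLDOZER or a USB plug like COTTONMOUTH
is a device on a bus, so a snapshot of `lspci -nn` and `lsusb` output
taken on a known-clean machine can be diffed against a later snapshot.
The sample outputs and the [1234:5678] / abcd:0001 IDs are constructed.
"""
import re
from collections import Counter

# `lspci -nn` line: "<slot> <class> [cccc]: <vendor/device text> [vvvv:dddd] (rev xx)"
PCI_LINE = re.compile(
    r"^(?P<slot>[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f])\s+(?P<desc>.+?)\s+"
    r"\[(?P<vid>[0-9a-f]{4}):(?P<did>[0-9a-f]{4})\](?:\s+\(rev\s+[0-9a-f]+\))?\s*$"
)
# `lsusb` line: "Bus 001 Device 003: ID vvvv:pppp <vendor/product text>"
USB_LINE = re.compile(
    r"^Bus\s+\d{3}\s+Device\s+\d{3}:\s+ID\s+(?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\s*(?P<desc>.*?)\s*$"
)


def parse_pci(text):
    """Map PCI slot -> (vendor:device id, description).  Slots are stable
    across boots on the same board, so they key the comparison."""
    devices = {}
    for line in text.splitlines():
        m = PCI_LINE.match(line.strip())
        if m:
            devices[m["slot"]] = (f'{m["vid"]}:{m["did"]}', m["desc"])
    return devices


def parse_usb(text):
    """List of (vendor:product id, description).  Bus/device numbers are
    re-assigned on every enumeration, so they are deliberately dropped."""
    found = []
    for line in text.splitlines():
        m = USB_LINE.match(line.strip())
        if m:
            found.append((f'{m["vid"]}:{m["pid"]}', m["desc"]))
    return found


def diff_inventory(base_pci, base_usb, cur_pci, cur_usb):
    """Return human-readable findings: anything present now that was not
    in the baseline, anything that changed identity in a slot, and
    anything that vanished (a swapped card shows up as missing + new)."""
    findings = []
    for slot, (ident, desc) in sorted(cur_pci.items()):
        if slot not in base_pci:
            findings.append(f"NEW PCI device at {slot}: [{ident}] {desc}")
        elif base_pci[slot][0] != ident:
            findings.append(f"CHANGED PCI device at {slot}: [{base_pci[slot][0]}] -> [{ident}] {desc}")
    for slot in sorted(set(base_pci) - set(cur_pci)):
        findings.append(f"MISSING PCI device at {slot}: [{base_pci[slot][0]}] {base_pci[slot][1]}")

    base_ids = Counter(ident for ident, _ in base_usb)
    cur_ids = Counter(ident for ident, _ in cur_usb)
    names = dict(cur_usb)  # ident -> description, for reporting only
    for ident, n in sorted((cur_ids - base_ids).items()):
        findings.append(f"NEW USB device {ident} (x{n}): {names.get(ident, '')}")
    for ident, n in sorted((base_ids - cur_ids).items()):
        findings.append(f"MISSING USB device {ident} (x{n})")
    return findings


def check(baseline_lspci, baseline_lsusb, current_lspci, current_lsusb):
    """Parse both snapshots and return the list of findings (empty = no drift)."""
    return diff_inventory(parse_pci(baseline_lspci), parse_usb(baseline_lsusb),
                          parse_pci(current_lspci), parse_usb(current_lsusb))


# Constructed sample snapshots.  The baseline was taken on the "clean" box;
# the current snapshot has grown one unknown PCI device and one unknown plug.
BASELINE_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation Skylake Host Bridge/DRAM Registers [8086:191f] (rev 07)
00:1f.3 Audio device [0403]: Intel Corporation Sunrise Point-H HD Audio [8086:a170] (rev 31)
01:00.0 Ethernet controller [0200]: Intel Corporation I210 Gigabit Network Connection [8086:1533] (rev 03)
"""
CURRENT_LSPCI = BASELINE_LSPCI + "02:00.0 Unassigned class [ff00]: Device [1234:5678]\n"
BASELINE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver
"""
CURRENT_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 001 Device 005: ID abcd:0001 Unknown composite device (constructed placeholder)
"""

if __name__ == "__main__":
    for finding in check(BASELINE_LSPCI, BASELINE_LSUSB, CURRENT_LSPCI, CURRENT_LSUSB):
        print(finding)
```

Two caveats a practitioner should keep in mind: a vendor:device ID is trivially spoofed, and an implant that only needs to sit on the bus as a master does not have to enumerate as a device at all, so a clean diff is a cheap tripwire, not proof of absence.  Store the baseline off the machine (and sign it), because a host under IRONCHEF-style BIOS control can doctor the very output this script reads.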


Here are some more photos, courtesy of the NSA (sort of).
XIX. And Now Something Truly Crazy -- the NSA Can Turn Your Home Into a Radio Station
Quite possibly the wildest thing shown in the presentation was a direct monitor-tapping device.

Wave monitoring device

This thing is essentially a miniature radio tower.  Planted somewhere in the target's home or surroundings, it illuminates nearby implants (such as the HOWLERMONKEY-equipped devices) with a radar signal, picks up what they reflect or transmit back, and then amplifies the take to a moderately high power level before relaying it to distant listeners.

NSA radar wave generator

The signals broadcast by the mini-tower can travel at least a mile, so they can be picked up by other networks or implanted collection equipment.  Internal amplifiers boost the signal to 2 watts; external amplifiers crank this up to a final output power of 1 kilowatt.
I feel that this is one of the few places where Mr. Appelbaum's analysis goes a bit off the rails.  He implies that the NSA may be using this to cause cancer in enemies of the state such as Hugo Chavez.
First, it's clear that this device would be implanted in a discreet location in the target's home, e.g. behind the wall boards, so it's not directly next to the target.  Yes, 1 kW is a lot; to put this in context, a typical LTE base station (often mounted on a nearby roof) has a peak output power of about 48 dBm [source], or roughly 63 watts.  So this is like installing 16 LTE base stations in your attic.
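To put the 2 W and 1 kW figures and the "at least a mile" range on one scale, here is an added link-budget helper (my example, not anything from the slides).  It carries the dBm-to-watts arithmetic through and adds free-space path loss between isotropic antennas.  The 1 GHz carrier is an assumption, since the slides quoted here give no frequency, and the `legs` parameter is my way of modelling the out-and-back path of a radar-illuminated implant without a reflector model.

```python
"""RF link-budget helper for the power figures in the section above.

Added example, not from the slides.  The 1 GHz carrier used in the demo
is an assumption (the slides quoted here give no frequency), and the
`legs` parameter models an out-and-back path without a reflector model.
"""
import math

C = 299_792_458.0   # speed of light, m/s
MILE_M = 1609.344   # one statute mile in metres


def dbm_to_watts(dbm):
    """dBm is power relative to 1 mW on a log scale: 48 dBm is about 63 W."""
    return 10 ** ((dbm - 30) / 10)


def watts_to_dbm(watts):
    """Inverse of dbm_to_watts: 2 W is about 33 dBm, 1 kW is exactly 60 dBm."""
    return 10 * math.log10(watts) + 30


def fspl_db(distance_m, freq_hz):
    """Free-space path loss (Friis) between two isotropic antennas, in dB.
    Loss grows 6 dB per doubling of either distance or frequency."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)


def received_dbm(tx_dbm, distance_m, freq_hz, legs=1, antenna_gain_dbi=0.0):
    """Received power after `legs` free-space hops of `distance_m`.
    A radar-illuminated implant pays the loss twice (out and back), so
    legs=2 approximates that case; reflector efficiency is not modelled."""
    return tx_dbm + antenna_gain_dbi - legs * fspl_db(distance_m, freq_hz)


def base_station_equivalents(power_w, lte_peak_dbm=48.0):
    """How many 48 dBm LTE base stations equal `power_w` watts of output."""
    return power_w / dbm_to_watts(lte_peak_dbm)


if __name__ == "__main__":
    freq = 1e9  # assumed carrier, see docstring
    for watts in (2.0, 1000.0):
        tx = watts_to_dbm(watts)
        print(f"{watts:7.1f} W = {tx:5.1f} dBm; at one mile, one-way: "
              f"{received_dbm(tx, MILE_M, freq):6.1f} dBm, "
              f"out-and-back: {received_dbm(tx, MILE_M, freq, legs=2):6.1f} dBm")
    print(f"1 kW is about {base_station_equivalents(1000.0):.0f} LTE base stations")
```

The out-and-back number is the reason the illuminator needs so much power: every decibel of path loss is paid twice before the implant's weak return reaches the collector, whereas the one-way figure is the exposure a neighbour a mile away would see.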
Still, while that's a lot of power I doubt it will cause cancer.  Why? 
First, there's the anecdotal evidence of radio DJs and staff who regularly work around high-power broadcast antennas.  Are those antennas in their attic?  No, but many of the antennas used by top city stations are even more powerful, and radio DJs aren't exactly dropping dead left and right from cancer.  Nikola Tesla survived for decades despite continuously shooting many a kilowatt through his frame.

Nikola Tesla
Nikola Tesla survived many a kilowatt of RF power. [Image Source: Unknown]

Second, I think it touches on a bit of truth, but will likely mislead people as well.  The human body has extremely robust DNA damage repair mechanisms.  Things like diet and ingested toxins play a far greater role in "causing" an initial occurrence of cancer, as they directly damage the repair mechanisms or cause such massive DNA damage that there's essentially nothing left to repair.

Arguably this kind of transmitter, if hidden nearby, could potentially accelerate an existing cancer: once the DNA repair mechanisms are already broken by an existing cancer or disease, anything that induces DNA mutation events could spawn fresh kinds of cancer.  But I take issue with his wording, as most will take it to mean that it could cause cancer in a healthy individual, which it likely could not.

Anyhow, I digress.  The point of this device is to exfiltrate a direct video feed of your screen.  Why not just take screenshots?  I don't know; maybe because you want to plant a radio antenna in people's homes because that makes you feel like a super spy?  The sober answer is that a tap on the monitor cable needs no software on the target at all, and keeps working on a machine that is never connected to any network.

The NSA uses radar in its reception process, slides indicate.


The implant on the target end, in the monitor cable, is called RAGEMASTER; the radar unit illuminates it and reads the video signal back off the return.  It's compatible with many NSA monitoring laptops and remote viewing stations, including NIGHTWATCH, GOTHAM, and VIEWPLATE.  The combined surveillance package is called the ANGRYNEIGHBOR toolkit.

NIGHTWATCH is heavily shielded to make sure all this radar and radio signal boosting doesn't interfere with its LCD screen.  Here's some information on it.


The NSA also showed another ANGRYNEIGHBOR device, which transmits to the radio antenna station.  This device taps your PS/2 or USB keyboard.  Laptop-tapping capabilities are listed as "coming soon", but they're probably here by now, given that the document is a couple of years old.


Again, these kinds of tools seem pretty impractical, but they would be useful in long-term surveillance of air-gapped locations, since nothing about them depends on the target ever being networked.
XX. Painting the Targets
Another item acts as a beacon, perhaps painting the target for drone strikes.  Humorously, it notes that its off-the-shelf components make it "non-attributable to the NSA".  Whoops.


The final slide refers to a "hand held finishing tool" for "geolocating targets in the field" (via their smartphones).  In the U.S. this hopefully means locating targets for arrest and due process, but the Obama administration says it is unwilling to rule out warrantless drone death strikes on U.S. soil "if necessary". 

AG Eric Holder justified this policy by likening it to Japanese internment, essentially defending his likely unconstitutional policy with one of the most unconstitutional actions in U.S. history.  President Obama's new nominee to head the U.S. Department of Homeland Security (DHS) is also a strong supporter of drone strikes; he essentially masterminded the legal defense of the program at the U.S. Department of Defense (DOD).


Given these slides, it's clear NSA leaker Edward Snowden had good cause to be concerned about drone death strikes.  While it's unlikely that the U.S. could fly non-stealth drones over Russian airspace undetected, he is likely keeping his Moscow-area home base a secret, as a stealth drone strike, while unlikely, might be a feasible option for President Obama.

As I've said before, there's a serious future danger if warrantless drone deathstrikes are condoned by courts or kept secret from Congress via Congress's own secrecy laws.  Combined with an autonomous or semi-autonomous identification and control system, such a system could easily kill tens, or even hundreds of thousands of Americans within hours at the press of a button.

Predator missile
Some Democrats and some Republicans alike in Congress have fought to preserve the Obama administration's privilege to kill Americans it deems "terrorist" with warrantless drone missile strikes. [Image Source: Drone Wars UK]

The NSA already has the capability to locate you. It's nearing the ability to achieve identification of your face.  And it already has autonomous digital attack systems.  So extending this to autonomous drone death strikes would not require any great technological leaps.

The issue of drone killings is unlikely to lessen.  The U.S.'s military research complex is pushing hard to create unmanned fully-autonomous armed drones and has refused to sign robotic warfare treaties that would keep a human soldier "in the loop" for any killing decisions.

If achieved, such a system (assuming it is obedient and does not rebel against its human masters) is essentially a military coup in a box.  Even if President Obama and his successors are tempted to use this tech to suppress political dissent, it's a double-edged sword: the power to wage war on the citizens is ultimately controlled by the military, and it will become increasingly autonomous from the actual American soldiers (who would likely not obey such an order).

So even if the President views such tools as a path to maintain power, he might be accidentally handing control to a military dictator.

XXI. How Often Are These "Tools" Used?

The biggest thing to note is that these documents reveal the capabilities that the NSA has.  What is unclear is how often it uses them -- particularly against U.S. citizens.

Note that some of these documents date back to 2007 or 2008, so expect that some of these physical and digital attack vectors have been replaced by more modern equivalents.  But given the NSA's ongoing sabotage of international cryptography standards, and the private sector's semi-voluntary collusion, it would be folly to believe the NSA does not have just as powerful, if not more powerful, weapons at its disposal today.

Recall that the Obama administration only achieved permission to scale up its most aggressive mass spying plans in 2011.  So if anything, these documents may just be the tip of the iceberg.

Autonomy iceberg
This may just be the tip of the iceberg when it comes to the NSA's CURRENT capabilities.

As for how often they are used, that remains largely unknown.

We do know that passive collection targets 99 percent of Americans, and most of the internet-enabled residents of the world, including a significant portion of our North American, European, and Asian allies.

It appears that some capabilities, such as the automated attacks using known and zero-day exploits, may target hundreds of thousands, if not millions, of Americans monthly.  Such targeting is in many cases entirely automated and weakly regulated at best.

Other tools, such as the physical implants or the radio monitoring pack, are likely used less frequently.  The key problem is that the NSA has the freedom to implant such devices in anyone it deems a "threat to national security".  For example, there's strong evidence it's already running such a campaign against journalists to try to ferret out their sources.

Such tactics are common in military regimes and in quasi-democratic Russia to suppress free political thought.  That should be very frightening to Americans.

XXII. Abuses Have Occurred, Likely Are Still Occurring

These abuses are not speculation or paranoia.  They are proven fact.

Under President George Walker Bush (R), intelligence agencies spied on Quakers and other pro-peace groups.  President Barack Hussein Obama's (D) deputies ordered spying on the Occupy Wall Street activists, whom the administration believed might upset JPMorgan Chase & Co. (JPM) and other top campaign donors.  Under his watch the NSA also reportedly spied upon Pope Francis, the leader of the Catholic Church.  President Obama has claimed that he was unaware of this surveillance, but he and his deputies have not commented on the program under oath.

Pope Francis
President Obama's NSA reportedly spied on Pope Francis. [Image Source: Think Progress]

The administration has even admitted to "mistakes", but claims that accountability has since improved.  But that's an excuse that can be indefinitely applied, so long as no independently verifiable evidence of improvement is presented.

So it's clear that the power has been used and abused.

That gets to the root problem.  As the NSA holds general warrants, it can essentially "play King George".  Like the English rulers of the American colonies at the time of the revolution, it can carry out effectively warrantless searches of Americans' goods, as all Americans are covered by its general warrants.

Secret courts
 At least the British gave the colonies the courtesy of passing general warrants in a public court.
[Image Source: Before Its News]

In a way, the current U.S. system is even more offensive than the English monarchy's policies, as at least those general warrants were passed by a public court.  By contrast the general warrants in the U.S. today have been passed by a secret court so many Americans are unaware they even exist.

American revolution
When the British began using general warrants against the colonies, the American colonists rebelled against the regime and paid a bloody cost for freedom. [Image Source: Unknown]

These warrants not only apply to offline goods.  They also allow the NSA and sister agencies to directly compromise the U.S. postal system and seize and maliciously modify physical goods.  In this regard they're directly analogous to the searches and seizures carried out at the time of the revolution.

But unlike the British, who could not watch the revolutionaries quietly plotting rebellion behind closed doors without resorting to flawed human tools like spies, the U.S. federal government today has an unquestionably loyal set of robotic tools to spy on the public and suppress dissent.

NSA spying
The NSA is watching your adult entertainment viewing history. [Image Source: Nation of Change]

So effectively the question of how often it uses them is a moot point.  It is using them, and that appears antithetical to the principles America was founded on.

Source: YouTube
