
Attack hardware shown in NSA slides, while somewhat unorthodox, was easy and relatively cheap to make

Slides leaked by Edward Snowden, a former contractor for the U.S. National Security Agency (NSA), reveal that the NSA has entire factories devoted to installing special bugs in electronics shipped to Americans and foreigners.  Skepticism about whether such bugs are technically feasible, much less in widespread use, has raged in recent months, but presentations at DefCon 22, held in Las Vegas, Nev. from Aug. 7-10, may help to demystify the strange and terrifying tools the NSA is using to spy on us.
I. Retro Reflectors
From the slides we know of several NSA "implants" -- small electronic equivalents of a wiretap -- which are installed surreptitiously into consumer electronics.  Among the most fascinating -- and technically mysterious -- were the passive implants called "Retro Reflectors".  They include:
  • Surlyspawn -- hardware keylogger
  • Ragemaster -- monitor tap, records images

NSA Ragemaster [Image]
Michael Ossmann, co-founder of Great Scott Gadgets in Denver, Colorado, is behind the work.  Mr. Ossmann got his start operating a small internet service provider in Fort Collins, Colo. back in the mid-90s, as well as programming Java applets, and IT work.  Over the past decade, his interest has shifted heavily to wireless technologies and their vulnerabilities.  As a top contractor in Colorado, he continues to tinker in his free time, studying novel exploits.
When the NSA ANT toolkit was published, he was fascinated.
He quickly set to work reverse engineering the technology.  Published materials gave a rough idea of how it worked.  A receiver sends a signal to a Retro Reflector such as a Ragemaster tap, which passively modulates it.  When the implant's antenna receives the energy of the receiver's signal, it reradiates it on radio frequencies.  The receiver then picks up this reflected signal -- one it essentially powered itself -- and processes it to extract the modulated image coming off the screen.
The crux of Mr. Ossmann's cloned bugs is his use of a software-defined radio in the receiver.  Software-defined radios (SDRs) are a new type of radio electronics that handle in software the signal processing that was traditionally done in analog electronics.
Their inspiration lies somewhat in the PC sound card, which operates in a similar fashion.  But rather than output sounds, they output radio frequency (RF) waves, including AM, FM, GSM, Wi-Fi, and/or Bluetooth.  As all the signal processing -- traditionally done by constructs such as modulators and oscillators -- is done in software, the SDR can operate flexibly across a wide variety of RF bands.  It can also use digital signal processing algorithms to tune itself to signals it detects and filter out noise.
HackRF One, the active signal sender/receiver [Image Source: Great Scott Gadgets]

Mr. Ossmann's setup involves a bare-bones bug, consisting of a 2-centimeter antenna feeding into a transistor attached to a color channel in the monitor cable.  This is in line with the notes in the NSA slides, which indicate that the antenna and transistor are often hidden within the cable portion containing the ferrite choke.

Presumably three small antennas could be planted to get full color data.  By using SDR, the receiver is able to lurk on channels where it sees no device traffic, potentially channels that are reserved for emergency or other non-commercial uses in the given region.  That way your laptop or smartphone would never notice the bug silently broadcasting back to the receiver.
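A toy model of the mechanism described above, added here and not Mr. Ossmann's code: the receiver's probe carrier is amplitude-scaled by the implant's antenna load, the receiver recovers the pixel levels from the envelope of the reflection, and with no probe present the implant returns nothing, which is why an emissions sweep of the monitored device alone finds no transmitter. Sample rate, bit timing and modulation depth are constructed values chosen for the demonstration.

```python
import math

# Constructed parameters: one pixel level per 8 carrier samples,
# carrier period of 4 samples (i.e. a quarter of the sample rate).
SAMPLES_PER_BIT = 8
CARRIER_PERIOD = 4

def illuminator(n_samples, on=True):
    """The receiver's own probe carrier. With on=False nothing irradiates the implant."""
    if not on:
        return [0.0] * n_samples
    return [math.cos(2 * math.pi * i / CARRIER_PERIOD) for i in range(n_samples)]

def reflector(carrier, bits, depth=0.6):
    """Passive implant: the transistor loads or unloads the antenna with the video
    level, scaling the reflected carrier. It adds no energy of its own."""
    reflected = []
    for i, c in enumerate(carrier):
        level = bits[i // SAMPLES_PER_BIT]
        reflected.append(c * (1.0 if level else 1.0 - depth))
    return reflected

def receiver(rx):
    """SDR side: per-bit RMS envelope, midpoint threshold -> recovered levels.
    Returns (bits, total_energy) so a silent channel is distinguishable.
    The midpoint threshold assumes both levels occur in the capture."""
    n_bits = len(rx) // SAMPLES_PER_BIT
    rms = []
    for k in range(n_bits):
        chunk = rx[k * SAMPLES_PER_BIT:(k + 1) * SAMPLES_PER_BIT]
        rms.append(math.sqrt(sum(x * x for x in chunk) / SAMPLES_PER_BIT))
    energy = sum(x * x for x in rx)
    if energy == 0.0:
        return [], 0.0          # nothing reflected: the implant cannot be heard
    thr = (max(rms) + min(rms)) / 2
    return [1 if r > thr else 0 for r in rms], energy

def simulate(bits, illuminated=True):
    """End-to-end: probe -> passive reflection -> demodulation."""
    carrier = illuminator(len(bits) * SAMPLES_PER_BIT, on=illuminated)
    return receiver(reflector(carrier, bits))

if __name__ == "__main__":
    pixels = [1, 0, 1, 1, 0, 0, 1, 0]
    print(simulate(pixels))            # recovers the pixel levels
    print(simulate(pixels, False))     # ([], 0.0): silent without the probe
```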

An abstract for Mr. Ossmann's talk proclaims:

Of all the technologies revealed in the NSA ANT catalog, perhaps the most exotic is the use of RF retroreflectors for over-the-air surveillance. These tiny implants, without any power supply, transmit information intercepted from digital or analog communications when irradiated by radio signals from an outside source. This modern class of radar eavesdropping technology has never been demonstrated in public before today. I've constructed and tested my own RF retroreflectors, and I'll show you how they work and how easy they are to build with modest soldering skills. I'll even bring along some fully assembled units to give away. Now you can add RF retroreflectors to your own NSA Playset and play along with the NSA!

He's offering his SDR -- HackRF One -- preassembled from various small independent outlets for $299 USD.  $30 USD extra buys you the ANT500, a compatible telescoping antenna that works optimally with the device.  Hardware hackers can pick up HackRF One and test it out using off-the-shelf passive bug designs (e.g. a hacked monitor cable), schematics, and code that Mr. Ossmann has published or will publish after DefCon.
He's compiling his toolkit tutorials on a site.  He comments to New Scientist:

SDR lets you engineer a radio system of any type you like really quickly so you can research wireless security in any radio format.  Showing how these devices exploit weaknesses in our systems means we can make them more secure in the future.

He likens the NSA's sensor networks (which he's duplicating) to RFID networks, a more familiar concept.
II. All Aboard the "CHUCKWAGON"
Mr. Ossmann's project, however, isn't the only effort to duplicate the NSA's malicious technologies.  
Joshua Datko of Fort Collins, Colo.'s Cryptotronix will be showing off a reverse-engineered version of the I2C bus bug, WAGONBED.  He reverse engineered the bug with the help of Teddy Reed, a hardware emulation and security expert.


While the I2C bus was thought to have access to sensor data and fans, the NSA claimed that WAGONBED was capable of installing exploits on a victim's PC and copying their data via the IRONCHEF exploit, which infects the user's I/O BIOS.  WAGONBED is then attached wirelessly to a planted GSM bug, which transmits a cellular signal from the target machine, in an attack known as CROSSBEAM.

Mr. Datko has a virtually identical GSM-connected I2C bug, built on the BeagleBone.  He dubs his device the "CHUCKWAGON".  A graduate of Drexel University's Computer Science Master's program, Mr. Datko's spirited defiance of the NSA's efforts is notable as he was a decorated member of the U.S. Navy who served his country in a tour of Afghanistan.

Sources: DefCon 22 schedule, New Scientist


RE: Doesn't make sense
By CZroe on 6/24/2014 11:45:47 PM , Rating: 5
The targeted systems are often NOT on the Internet and are usually thoroughly inspected for software intrusions. Read up on Stuxnet, which required sneakernet to infiltrate particularly because the NSA/CIA's target was offline.

Monitoring is not nearly as useful when the target knows they are compromised. That is why it does not actively transmit over the Internet OR by radio waves. I recall a story I heard in the '80s where a teacher told me that a US Embassy received a gift from the Russians during the Cold War. I think it was an eagle bust or something similar, but it was thoroughly inspected for bugs and, initially, none were found. Eventually it became clear that their conversations were being eavesdropped on somehow, so they took another look and found a completely passive listening device. There was some kind of needle that vibrated like a microphone membrane, but there wasn't a single scrap of electronics inside. So how were the Russians getting a signal? By BROADCASTING their own signal and watching the reflection of that signal from the vibrating pin. This is very similar to what we are seeing in these NSA slides. The only difference is that it is connected to a data bus or a video signal instead of modified by sound. I'm actually amazed that things have progressed so little.

You will find no signal coming from the monitored device with such a technique. My understanding is that the decades-old Russian version is on display in some CIA museum.

Now, once the intrusion is detected, software leaves a trail to follow if you want to know who is monitoring you. Now do you see why this is better?

RE: Doesn't make sense
By marvdmartian on 6/25/2014 7:32:00 AM , Rating: 4
Besides which, if they only monitored the internet, the NSA would have terabytes of funny cat pictures they'd have to sift through!

RE: Doesn't make sense
By dgingerich on 6/25/2014 11:22:37 AM , Rating: 2
That would be an interesting way for terrorists to mask their communication: use a bunch of funny cat pictures with their text for their planning in the pics. The NSA filtering software would just throw out the pictures as noise and they'd be completely missed.

RE: Doesn't make sense
By Shadowmaster625 on 6/25/2014 12:31:27 PM , Rating: 3
There's nothing funny about it. If I take a picture of a cat, and I share that picture with you, privately, using secure offline methods, then I can alter the pixels in that image according to an algorithm. I then post that image anywhere on the internet, and you take that image and compare it to the original, and use the same algorithm to extract a message from the subtle differences in the image. It's called steganography, and it can not be cracked because there is no way to distinguish subtle pixel color alterations without possession of the original undoctored image. There is no way to distinguish steganographic code from noise. The same can be done for video and audio. It is possible to encode a message into a previously recorded conversation, and make a phone call using that recorded conversation. The NSA would hear a woman's voice saying "Honey can you pick up some eggs on your way home?" But encoded within that speech is a simple text message saying "the bomb will be ready at 6pm tomorrow". And there is no way to detect it because there is no way to distinguish it from noise. There is no hope of the NSA ever stopping "the bad guys" or anyone else from communicating unless they get their hands on the original recording used for steganographic encryption. That's probably why they are so focused on offline spying. But it is too easy to obtain secure offline equipment and far too difficult for the NSA to track anyone but the average citizen. And that's all the NSA exists for anyway... to gather tradeable information for the rich to profit from it.

RE: Doesn't make sense
By karimtemple on 6/25/2014 3:13:05 PM , Rating: 2
It's called steganography, and it can not be cracked
What? You mean aside from steganalysis?

RE: Doesn't make sense
By deltaend on 6/25/2014 10:50:47 AM , Rating: 2
Of course, "The Thing" consisted of a 9" antenna and was fairly difficult to hide. It also was difficult to hear on the other end. The progression is that we can now put extremely small antennas inside of other objects and they are extremely difficult to detect unless you have an electrical engineering degree and rip apart all of the protective casings off of all of your cables. Also, we aren't talking about sound waves here, we are talking about much more complex data mediums. Although the core concept is the same, they are about as similar as a magnetic hard drive and a record player.
