Attack hardware shown in NSA slides, while somewhat unorthodox, was easy and relatively cheap to make

Slides leaked by Edward Snowden, a former contractor for the U.S. National Security Agency (NSA), reveal that the NSA has entire factories devoted to installing special bugs in electronics shipped to Americans and foreigners.  Skepticism about whether such bugs are technically feasible, much less in widespread use, has raged in recent months, but presentations at DefCon 22, held in Las Vegas, Nev. from Aug. 7-10, may help to demystify the strange and terrifying tools the NSA is using to spy on us.
I. Retro Reflectors
From the slides we know of several NSA "implants" -- small electronic equivalents of a wiretap -- which are installed surreptitiously into consumer electronics.  Among the most fascinating -- and technically mysterious -- were the passive implants called "Retro Reflectors".  They include:
  • Surlyspawn -- hardware keylogger

  • Ragemaster -- Monitor tap, records images

NSA Ragemaster [Image]
Michael Ossmann, co-founder of Great Scott Gadgets in Denver, Colorado, is behind the work.  Mr. Ossmann got his start operating a small internet service provider in Fort Collins, Colo. back in the mid-90s, as well as programming Java applets, and IT work.  Over the past decade, his interest has shifted heavily to wireless technologies and their vulnerabilities.  As a top contractor in Colorado, he continues to tinker in his free time, studying novel exploits.
When the NSA ANT toolkit was published, he was fascinated.
He quickly set to work reverse engineering the technology.  Published materials gave a rough idea of how it worked.  A receiver unit transmits a radio signal at a Retro Reflector such as a Ragemaster tap.  The implant's antenna re-radiates the energy it receives, and the tap passively modulates that re-radiated signal with the data it is sitting on.  The receiver then picks up the return -- a signal it essentially powered itself -- and demodulates it, recovering the image coming off the screen.
The crux of Mr. Ossmann's cloned bugs is his use of a software-defined radio as the receiver.  Software-defined radios (SDRs) are a new type of radio electronics that handle digitally the wireless communications work that was traditionally done in analog electronics.
Their inspiration lies somewhat in the PC sound card, which operates in a similar fashion.  But rather than output sounds, they output radio frequency (RF) waves, including AM, FM, GSM, Wi-Fi, and/or Bluetooth.  As all the signal processing -- traditionally done by constructs such as modulators and oscillators -- is done in software, the SDR can operate flexibly across a wide variety of RF bands.  It can also use digital signal processing algorithms to tune itself to signals it detects and filter out noise.
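To make the retro-reflector mechanism above concrete, here is a small baseband simulation added for this write-up; it is not code from Mr. Ossmann, Great Scott Gadgets, or the NSA slides.  It models the receiver's illuminating carrier, an unpowered implant that only switches the amplitude of its reflection according to a data stream (a constructed bit pattern standing in for keystrokes or a video channel), and the receiver mixing the return with its own carrier to get the bits back.  The sample rate, carrier frequency, bit rate, the two reflection levels and the noise level are all assumptions chosen so the arithmetic is easy to follow; real implants are illuminated at GHz frequencies, but the math is the same.  The last function is the defender's angle: a modulated return puts energy in sidebands around the illuminating carrier, which is what a spectrum survey looks for, whereas a plain reflection does not.

```python
"""Retro-reflector simulation (illustrative assumptions, not the NSA's or
Great Scott Gadgets' design): carrier -> passive modulated reflection ->
coherent demodulation, plus a sideband check a defender can apply."""
import math
import random

FS = 1_000_000          # simulated sample rate in Hz (assumption)
CARRIER_HZ = 100_000    # illuminating carrier (assumption; real units use GHz)
BIT_RATE = 10_000       # implant data rate in bits/s (assumption)
SAMPLES_PER_BIT = FS // BIT_RATE


def illuminate(n_samples):
    """Continuous-wave carrier transmitted by the receiver unit."""
    return [math.cos(2 * math.pi * CARRIER_HZ * n / FS) for n in range(n_samples)]


def reflect(carrier, bits, noise_rms=0.3, seed=0):
    """The passive implant: it adds no power of its own, it only re-radiates the
    incident carrier with the transistor switching the reflected amplitude
    between two levels (assumed 1.0 and 0.2) according to the data bits.
    Gaussian noise stands in for everything else the receiver hears."""
    rng = random.Random(seed)
    out = []
    for i, c in enumerate(carrier):
        level = 1.0 if bits[i // SAMPLES_PER_BIT] else 0.2
        out.append(level * c + rng.gauss(0, noise_rms))
    return out


def demodulate(rx, n_bits):
    """Receiver side: multiply the return by the local carrier (coherent AM
    detection) and average over each bit period. The averaging removes the
    2*carrier term and the noise, leaving level/2 per bit; threshold at the
    midpoint between the strongest and weakest bit."""
    local = illuminate(len(rx))
    envelope = []
    for b in range(n_bits):
        window = range(b * SAMPLES_PER_BIT, (b + 1) * SAMPLES_PER_BIT)
        envelope.append(sum(rx[n] * local[n] for n in window) / SAMPLES_PER_BIT)
    threshold = (max(envelope) + min(envelope)) / 2
    return [int(v > threshold) for v in envelope]


def bin_power(x, k):
    """Power of DFT bin k of x, computed directly (no numpy needed)."""
    n = len(x)
    re = sum(v * math.cos(2 * math.pi * k * i / n) for i, v in enumerate(x))
    im = sum(v * math.sin(2 * math.pi * k * i / n) for i, v in enumerate(x))
    return re * re + im * im


def modulation_ratio_db(rx):
    """Defender-side check: power in the bins within +/- BIT_RATE of the carrier
    (excluding the carrier bin) relative to the carrier bin. A data-modulated
    reflection scores a few dB below the carrier; an unmodulated one scores
    far lower because only noise lands in the sidebands."""
    bin_hz = FS / len(rx)
    c = round(CARRIER_HZ / bin_hz)
    w = round(BIT_RATE / bin_hz)
    side = sum(bin_power(rx, c + m) for m in range(-w, w + 1) if m != 0)
    return 10 * math.log10(side / bin_power(rx, c))


def run_demo(bits):
    """Illuminate, reflect with the given bits, demodulate; return the recovered
    bits and the sideband-to-carrier ratio in dB."""
    rx = reflect(illuminate(len(bits) * SAMPLES_PER_BIT), bits)
    return demodulate(rx, len(bits)), modulation_ratio_db(rx)


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed sample bits
    recovered, ratio = run_demo(data)
    print("sent     ", data)
    print("recovered", recovered)
    print(f"sideband/carrier power: {ratio:.1f} dB")
    quiet = reflect(illuminate(8 * SAMPLES_PER_BIT), [1] * 8)
    print(f"unmodulated reflection: {modulation_ratio_db(quiet):.1f} dB")
```

Note that nothing in the simulation gives the implant a power source: every sample it returns is the receiver's own carrier scaled down, which is exactly why these devices are hard to find by looking for a transmitter and why looking for sidebands around an unexplained carrier is the more useful check.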
HackRF One, the active signal sender/receiver [Image Source: Great Scott Gadgets]

Mr. Ossmann's setup involves a bare bones bug, consisting of a 2-centimeter antenna feeding into a transistor attached to a color channel in the monitor cable.  This is in line with the notes in the NSA slides, which indicate that the antenna and transistor are often hidden within the cable portion containing the ferrite choke.
Presumably three small antennas could be planted to get full color data.  By using SDR, the receiver is able to lurk on channels where it sees no device traffic, potentially channels that are reserved for emergency or other non-commercial uses in the given region.  That way your laptop or smartphone would never notice the bug silently broadcasting back to the receiver.
An abstract for Mr. Ossmann's talk proclaims:

Of all the technologies revealed in the NSA ANT catalog, perhaps the most exotic is the use of RF retroreflectors for over-the-air surveillance. These tiny implants, without any power supply, transmit information intercepted from digital or analog communications when irradiated by radio signals from an outside source. This modern class of radar eavesdropping technology has never been demonstrated in public before today. I've constructed and tested my own RF retroreflectors, and I'll show you how they work and how easy they are to build with modest soldering skills. I'll even bring along some fully assembled units to give away. Now you can add RF retroreflectors to your own NSA Playset and play along with the NSA!

He's offering his SDR -- HackRF One -- preassembled from various small independent outlets for $299 USD.  $30 USD extra buys you the ANT500, a compatible telescoping antenna that works optimally with the device.  Hardware hackers can pick up HackRF One and test it out using off-the-shelf passive bug designs (e.g. a hacked monitor cable), schematics, and code that Mr. Ossmann has published or will publish after DefCon.
He's compiling his toolkit tutorials on a site.  He comments to New Scientist:

SDR lets you engineer a radio system of any type you like really quickly so you can research wireless security in any radio format.  Showing how these devices exploit weaknesses in our systems means we can make them more secure in the future.

He likens the NSA's sensor networks (which he's duplicating) to RFID networks, a more familiar concept.
II. All Aboard the "CHUCKWAGON"
Mr. Ossmann's project, however, isn't the only effort to duplicate the NSA's malicious technologies.  
Joshua Datko of Fort Collins, Colo.'s Cryptotronix will be showing off a reverse-engineered version of the I2C bus bug, WAGONBED.  He reverse engineered the bug with the help of Teddy Reed, a hardware emulation and security expert.

While the I2C bus was thought to give access only to sensor data and fans, the NSA claimed that WAGONBED was capable of installing exploits on a victim's PC and copying their data via the IRONCHEF exploit, which infects the user's I/O BIOS.  WAGONBED is then attached wirelessly to a planted GSM bug, which transmits a cellular signal from the target machine, in an attack known as CROSSBEAM.
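The practical lesson of an I2C implant is that a bus nobody audits is a bus somebody else can sit on.  The following check, added here and not part of Mr. Datko's or Cryptotronix's work, parses the device map printed by the Linux i2c-tools command `i2cdetect` and compares it against a baseline recorded on a known-good machine, flagging any address that answers but was not there before (and any baseline device that has gone missing).  The scan output, the baseline addresses and the rogue address 0x6b are all constructed for this example; the parser relies only on the documented `i2cdetect` layout, where each address occupies a three-character cell, `--` means no response, `UU` means a kernel driver already owns the address, and a hex value means the address acknowledged the probe.

```python
"""I2C bus inventory check (added example; baseline and scan text constructed).
Parses `i2cdetect` output and diffs it against a recorded baseline so that an
unexpected responder on the bus stands out."""
import re

# Constructed baseline for a hypothetical known-good machine: an EEPROM at 0x50
# (owned by a driver, hence 'UU' in scans) and a temperature sensor at 0x48.
BASELINE = {0x48, 0x50}

# Constructed sample of `i2cdetect -y 1` output with one extra responder (0x6b)
# that is not in the baseline. Not from any real machine.
SAMPLE_SCAN = """\
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- 48 -- -- -- -- -- -- --
50: UU -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- 6b -- -- -- --
70: -- -- -- -- -- -- -- --
"""

ROW_RE = re.compile(r"^([0-9a-f]{2}):(.*)$")


def parse_i2cdetect(text):
    """Return {address: cell} for every address that answered ('UU' or the hex
    address echoed back). After the 'xx:' prefix each column is three characters
    wide (' --', ' 48', ' UU', or blanks for the reserved addresses 0x00-0x02),
    so a token starting at offset p within the row body belongs to column p // 3."""
    found = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:  # header row or anything else that is not an address row
            continue
        base = int(m.group(1), 16)
        for tok in re.finditer(r"\S+", m.group(2)):
            cell = tok.group()
            if cell != "--":
                found[base + tok.start() // 3] = cell
    return found


def unexpected_devices(found, baseline):
    """Addresses that answered but are not in the baseline: the ones to investigate."""
    return sorted(a for a in found if a not in baseline)


def missing_devices(found, baseline):
    """Baseline devices that no longer answer (a swapped or disabled part)."""
    return sorted(a for a in baseline if a not in found)


def report(text, baseline=BASELINE):
    """Diff a scan against the baseline; returns the two lists of addresses."""
    found = parse_i2cdetect(text)
    return {
        "unexpected": unexpected_devices(found, baseline),
        "missing": missing_devices(found, baseline),
    }


if __name__ == "__main__":
    result = report(SAMPLE_SCAN)
    for kind, addrs in result.items():
        print(kind, [hex(a) for a in addrs])
```

Run it against `i2cdetect -y <bus>` output captured from the machine under review; the baseline should come from an identical unit you trust, since the normal population of an I2C bus varies by board.  An address that answers and has no entry in the board's schematic is the kind of finding that deserves a physical inspection of the bus, which is where a device like WAGONBED would be sitting.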

Mr. Datko has a virtually identical GSM-connected I2C bug, built on the BeagleBone.  He dubs his device the "CHUCKWAGON".  A graduate of Drexel University's Computer Science Master's program, Mr. Datko's spirited defiance of the NSA's efforts is notable, as he was a decorated member of the U.S. Navy who served his country in a tour of Afghanistan.

Sources: DefCon 22 schedule, New Scientist