How the NSA hacks PCs, phones, routers, hard disks 'at speed of light': Spy tech catalog leaks
It's not as bad as you thought - it's much worse
Analysis A leaked NSA cyber-arms catalog has shed light on the technologies US and UK spies use to infiltrate and remotely control PCs, routers, firewalls, phones and software from some of the biggest names in IT.
The exploits, often delivered via the web, provide clandestine backdoor access across networks, allowing the intelligence services to carry out man-in-the-middle attacks that conventional security software has no chance of stopping.
And if that fails, agents can simply intercept your hardware deliveries from Amazon to install hidden gadgets that rat you out via radio communications.
The 50-page top-secret document, written by an NSA division called ANT, is part of an information dump sent to German magazine Der Spiegel, and expounded upon by journalist Jacob Appelbaum in his keynote to the 30th Chaos Communication Congress in Germany on Monday. You can watch a clearly furious Appelbaum in the video below.
The dossier is a glorified shopping catalog of technology for spies in the so-called "Five Eyes" alliance of the UK, the US, Canada, Australia, and New Zealand. It gives the clearest view yet of what the NSA, GCHQ and associated intelligence agencies can do with your private data, and how they manage it. Here's an easy-to-digest roundup of what was discussed.
Satellite and optic-fiber communications stored
According to Appelbaum, the NSA is running a two-stage data dragnet operation. The first stage is TURMOIL, which collects data traffic passively via satellite and cable taps and stores it – in some cases for up to 15 years – for future reference. The NSA does not consider this surveillance because no human operator is involved, just automatic systems.
Der Spiegel gave the example of the SEA-ME-WE-4 underwater cable system, which runs from Europe to North Africa, then on to the Gulf states to Pakistan and India before terminating in the Far East. The documents show that on February 13 this year a tap was installed on the line by the NSA that gave layer-two access to all internet traffic flowing through that busy route.
However, this passive capability is backed up by TURBINE, the active intervention side of the NSA, run by its Tailored Access Operations (TAO) hacking squad. By using a selection of hardware and software tools, not to mention physical measures as we'll see later on, the NSA promises that systems can be hacked "at the speed of light," and the staffers in Maryland even took time to build a LOLcat picture highlighting the capability:
Sure they own you, but look at the little kitty. Credit: NSA
"Tailored Access Operations is a unique national asset that is on the front lines of enabling NSA to defend the nation and its allies," the NSA said in a statement on the report, adding that TAO's "work is centered on computer network exploitation in support of foreign intelligence collection."
Windows crash reports boon for spies
On the subject of operating systems, Appelbaum said the documents revealed subversion techniques against Windows, Linux, and Solaris. In the case of Microsoft, the NSA is monitoring Windows software crash reports to gain insight into vulnerabilities on a target system and exploit them for its own ends.
“Customers who choose to use error reports send limited information about, for example, the process, application, or device driver, that may have encountered a problem," a Microsoft spokesperson told El Reg in a statement responding to Der Spiegel's report.
"Reports are then reviewed and used to improve customer experiences. Microsoft does not provide any government with direct or unfettered access to our customer’s data. We would have significant concerns if the allegations about government actions are true."
NSA buys up security exploits to attack vulnerabilities
When it comes to active penetration, the TAO team has a system dubbed QUANTUMTHEORY, an arsenal of zero-day exploits that it has either found itself or bought on the open market from operators like VUPEN. Once inside a computer, software dubbed SEASONEDMOTH is automatically secreted and used to harvest all activity by the target in a 30-day period.
For computers and networks that have firewalls and other security systems in place, the NSA uses QUANTUMNATION, a tool that will scan defenses using software dubbed VALIDATOR to find an exploitable hole, and then use it to seize control using code dubbed COMMENDEER.
A system dubbed QUANTUMCOPPER also gives the NSA the ability to interfere with TCP/IP connections and disrupt downloads to inject malicious code or merely damage fetched files. Appelbaum said such a system could be used to crash anonymizing systems like Tor by forcing an endless series of resets – and makes the designers of the Great Firewall of China look like amateurs.
The website you are visiting is really not the website you want
But it's a scheme dubbed QUANTUMINSERT that Appelbaum said was particularly concerning. The documents show that if a target tries to log onto Yahoo! servers, a subverted local router can intercept the request before it hits Meyer & Co's data center and redirect it to a NSA-hosted mirror site where all activity can be recorded and the connection tampered.
It's not just Yahoo! in the firing line: QUANTUMINSERT can be set up to automatically attack any computer trying to access all sorts of websites. The code predominantly injects malware into religious or terrorism websites to seize control of vulnerable web browsers and their PCs.
But the technology has also been spotted monitoring visits to sites such as LinkedIn and CNN.com, and will work with most major manufacturer's routers to pull off its software injection. (If you think using HTTPS will highlight any of these man-in-the-middle attacks, bear in mind it's believed that the NSA and GCHQ have penetrated the security certificate system underpinning SSL/TLS to allow the agencies' computers to masquerade as legit web servers.)
According to the catalog, Cisco hardware firewalls, such as the PIX and ASA series, and Juniper Netscreen and ISG 1000 products, can have backdoors installed in their firmware to monitor traffic flowing in and out of small businesses and corporate data centers. A boot ROM nasty exists for the Huawei Eudemon firewalls, we're told; Huawei being the gigantic Chinese telcoms electronics maker. Other BIOS-level malware is available for Juniper and and Hauawei routers, according to the dossier.
"At this time, we do not know of any new product vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues. If we learn of a security weakness in any of our products, we will immediately address it," said Cisco in a blog post.
"As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products."
The cellphone network you are connected to is not the network you want
Mobile communications are also wide open, it seems. The NSA catalog offers a mobile base station called the Typhon HX (priced at $175,800) that will mimic a network provider's infrastructure and collect mobile signals to decode and study; it effectively taps cellphones.
Appelbaum said this type of hacking was spotted in action by the Ecuadorian embassy shortly after Julian Assange arrived as a house guest. The embassy's staff started getting welcome messages from Uganda Telecom on their mobile because the British intelligence services hadn't reconfigured their data slurping base-station correctly from a previous operation, apparently.
Mobile phone SIM cards can also be easily hacked, the documents claim, using a tool dubbed MONKEYCALANDER. This exploits a flaw, only recently spotted by security researchers but used by the NSA since 2007, that allows code to be installed on a SIM card that will track and monitor an individual user's calls and location.
The catalog also details an exploit called DROPOUTJEEP which claims it can gain complete control of an Apple iPhone via a backdoor, at least back in 2007 when the cyberweapon catalog was drawn up. The NSA says the DROPOUTJEEP exploit has a 100 per cent success rate, leading Applebaum to speculate that Cupertino may have helped the NSA out with the software. The first version of DROPOUTJEEP needed an agent to get his or her hands on the device, but remotely launched versions were promised.
Also listed is flash ROM malware for compromising satellite phones, in case you felt like using that, plus exploits to remotely control Windows Mobile handsets.
Speaking of Windows, NIGHTSTAND is a handy little box of tricks that can, with a range of 8 miles, transmit carefully crafted Wi-Fi traffic to potentially gain control of a PC running Windows XP and Internet Explorer. A tiny Linux-powered computer called SPARROW II can be fitted to drones to scope out poorly secured wireless networks from the skies.
Your hard disk is not the device you thought it was
Hard drives are also easy meat for the NSA, according to the documents. Software called IRATEMONK can be installed on the firmware in disks from Western Digital, Seagate, Maxtor, and Samsung to allow full access to the target's data and operating system. And because it's flashed onto the chips, via other remotely installed malware, the customized firmware is almost impossible to detect. This allows spies to hide and execute anything they like on the connected computer, even if the drive is wiped.
If you want to see how a reprogrammed disk firmware can silently alter files, turn to this independent, earlier research. An example target of IRATEMONK cited by the NSA is a cyber-cafe of PCs.
"Western Digital has no knowledge of, nor has it participated in the development of technology by government entities that create ‘implants’ on Western Digital hard drives, as Der Spiegel described," a WD spokesperson told El Reg in a statement.
The parcels from Amazon are not the parcels you want
On the hardware front, the TAO hacking team also has specialists in "close access operations" or "Off Net" projects where physical access is required to a target's system. This can involve intercepting laptops ordered online from Amazon and others, adding tracking hardware, and then delivering them as normal in the correct packaging, as well as breaking into private property for hardware installation.
The catalog offers a number of hardware tools that can be installed by a g-man. $200,000, for example, will buy you 50 USB cables that have a secondary radio communications system called COTTONMOUTH that allows the agency to send and collect data directly through the ether. A VGA monitor cable called RAGEMASTER intercepts video signals and beams them to a nearby government snoop using a radar-based technique. A similar device exists for keyboards.
Those cables were built by the NSA's ANT team, which also has a fondness for attacking and infiltrating the firmware on your PC: this is the low-level software that's not without its bugs, first to run, and boots your operating system. If this is compromised and reprogrammed using the ANT crew's SWAP program, then it's pretty much game over for the target as the whole system above the firmware can be remotely controlled and monitored as required. Another tool called WISTFULTOLL leaps upon Windows Management Instrumentation to access data on systems.
HOWLERMONKEY ... Check your Ethernet ports
The NSA has also developed a set of tiny surveillance electronics dubbed HOWLERMONKEY that hides within computer hardware, such as an ordinary Ethernet port, Appelbaum said. The one pictured above, dubbed FIREWALK, looks no different to a standard RJ45 socket, but can inject data into and slurp any bytes from packets coming through the physical connection automatically, and relay the information back to base via a radio link.
Wireless communications can also be subverted by installing a separate Wi-Fi card dubbed BULLDOZER. Even if the user has wireless switched off by default, a PCI-connected BULLDOZER can be used to link into a nearly subverted router and collect metadata and content from targeted systems.
Servers built by HP and Dell were also mentioned as an easily subverted system. Hardware dubbed GODSURGE can be fitted to a JTAG debugging port in Dell's PowerEdge machines to provide full access, and the catalog says such monitoring uses common off-the-shelf components that can't be directly attributed to the NSA.
IRONCHEF, we're told, is a BIOS-level nasty designed to target HP ProLiant kit; its PowerEdge cousin is called DEITYBOUNCE.
Where to find all the leaked information
The full document set has now been uploaded to whistleblowing website Cryptome for public perusal. Appelbaum and the Der Spiegel team have been careful to exclude the published names of NSA staff who carry out these attacks, and the names of the people and organizations the agency has targeted. An interactive infographic summarizing the leaks can be found here.
El Reg has contacted all of the companies named by Appelbaum in his presentation, but had limited response given that it’s the Christmas holidays. But if the dossier is to be believed, then there are going to be angry words between the NSA, manufacturers and hardware customers – the latter likely to be searching for more secure products.
Appelbaum said that he'd tried to talk to US legislators about the situation but was continually rebuffed. Part of the problem, he said, was that politicians don't understand the technology behind such systems, and in many cases the lawmakers don’t want to acknowledge there's a problem until a political solution has been worked out.
The leaked catalog is roughly six years old; new technologies developed in the mean time by the NSA (estimated annual budget: $10bn) are anyone's guess, or worst nightmares.
Readers may find some cheer, or not, from the suggestion that most of these techniques are used against highly targeted individuals rather than everyone en mass: NSA analysts need the help of the FBI and CIA to install the hidden hardware snoopers, for example, either by intercepting shipments or by carrying out a so-called black bag job.
The intelligence agencies argue they are combatting terrorism, a claim that is now being fought over in the US courts. Today, questions remain as to who exactly is scrutinizing these surveillance operations and to what level – and who else has their hands on these grave security vulnerabilities that the NSA is otherwise sitting on and secretly exploiting.
"The real problem is who is in charge here," Jon Callas, cofounder of the Silent Circle encrypted communications system, told The Register.
Referring to the secretive FISA court that supposedly oversees the NSA, Callas continued: "For us who are Americans we have the belief that we are ultimately in charge. Now it seems we have secret courts, with secret laws, so how do you run a free society under those kind of conditions?"
"We have a societal belief that some things are not acceptable and while Jake can be hyperbolic, I cheer him on – sunlight is the best disinfectant." ®
With the exception of SEASONEDMOTH, there's no mention of any of these exploits having a time-limited kill switch. Presumably the NSA has means of deactivating online taps, but one wonders how much kit is out there on eBay and with dealers that still contains examples of ANT's intrusive craft.
Applebaum suggests that those interested (which should include pretty much everyone in the security industry as well as IT departments purchasing on the grey market) should look for samples that use the RC6 block cipher and which emit encrypted UDP traffic.
Updated to add
Dell got in touch with us after publication to deny any involvement in the vulnerabilities exploited by the NSA:
We take very seriously any issues that may impact the integrity of our products or customer security and privacy. Should we become aware of a possible vulnerability in any of Dell’s products we will communicate with our customers in a transparent manner as we have done in the past.
Dell does not work with any government – United States or otherwise – to compromise our products to make them potentially vulnerable for exploit. This includes ‘software implants’ or so-called ‘backdoors’ for any purpose whatsoever.
In a statement, Apple echoed much of what Dell and other vendors have said:
Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products.
Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.