Top NSA hacks of our computers

Last week I wrote up a leak of an NSA document describing  DEITYBOUNCE, a tool for flashing malicious BIOS on Dell servers.  Not until the next day did I realize that it was part of a much larger set of descriptions of such hacks. In this image gallery I describe many of the most interesting ones.

The leaked documents were first described in an article in Der Spiegel, the German magazine. Most are in the same spirit as DEITYBOUNCE and have similar code names. Many are for hacking into mainstream computing hardware like the Dell PowerEdge servers hacked by DEITYBOUNCE, or for big-name networking hardware from the likes of Cisco, Juniper and Huawei.

There are also devices for tapping into video cables, wireless networks and USB ports. There are devices meant to capture audio in a room and send it elsewhere. There are devices which I just don't understand. Quite a bit of it looks stereotypically James Bond-like.

These documents are all rather old, dating from 2007 to 2009. It's likely that many, if not most, are obsolete. Certainly DEITYBOUNCE is not likely to be useful anymore. We have no reason to believe that the NSA gave up on this sort of espionage, so it's reasonable to assume there are more current devices and descriptions out there. Perhaps Snowden and his buddies in the press are holding them back for future leakage.

The tools are the work of a group called ANT, which Der Spiegel says "...presumably stands for Advanced or Access Network Technology." The descriptions of ANT's tools make it clear that there are other groups at the NSA doing similar, related work and perhaps their descriptions are still to come.

Many of the tools, both hardware and software, need some sort of insider help for installation. There are many places this can be done, such as the manufacturer, a distributor, an intercepted shipment, or even the company's own IT, perhaps even after a bribe or blackmail.

One of the tools, DROPOUTJEEP, got a lot of attention about a week ago because  it provides a hack for iPhones .

Superficially just like DEITYBOUNCE in that it's designed to be a persistent compromise of a common server platform. There is a software component but, instead of flashing a BIOS, IRONCHEF uses a "hardware implant." Like the flashed BIOS, the hardware device can reinstall the software component at boot time.

The document is dated 7/14/2008.

Things get confusing and a little scary here: FEEDTROUGH isn't actually an attack on certain Juniper Netscreen firewalls, but a way to make other attacks persistent across reboots. These other attacks are identified as "DNT's BANANAGLEE and CES'S ZESTYLEAK." Who are DNT and CES? I don't know and neither BANANAGLEE nor ZESTYLEAK are in this collection.

FEEDTROUGH is version-specific to the OS and maintains a database of OS versions; at boot time it checks the OS version and, if it's one not in the database, FEEDTROUGH exits and allows the boot to continue normally. But check out this line: "If the OS is one modified by DNT, it is not recognized, which gives the customer freedom to field new software."

I repeat: Who is DNT, and how is it that they can modify the OS? Clearly FEEDTROUGH raises more questions than it answers. (But since I ask, DNT is, according to Cryptome, Digital Network Technologies, a private company which builds these things for the NSA.

There is a separate document on GOURMETTROUGH, which sounds like a fine-tuned version of FEEDTROUGH. The description speaks more of DNT, making it sound like another NSA group.

There are several other tools with roughly the same description, tailored for different manufacturers and models: HALLUXWATER, JETPLOW, SOUFFLETROUGH, HEADWATER, SCHOOLMONTANA, SIERRAMONTANA and STUCCOMONTANA

All documents are dated 6/24/2008.

LOUDAUTO is just a "bug" in the old sense, a microphone for picking up audio and transmitting it for the NSA (or whomever) to collect. They call it an "audio-based RF retro-reflector."

It can pick up office-volume audio from over 20 feet away, although perhaps less if concealed. It consumes very little power, which is partly due to the way it retransmits the audio it receives: it passively reflects a digital conversion of the analog audio using a continuous wave signal from a separate, nearby unit.

LOUDAUTO is built entirely with commercial off-the-shelf hardware. Compared to the hacks of commercial computing equipment, LOUDAUTO sounds almost innocuous. This is the sort of spy stuff the government has been doing for many, many decades.

(Yes, I agree, this isn't a computer hack and therefore doesn't conform to the title, but I thought it was cool.)

The document is dated 4/7/2009.

No wired network access? No problem! Set up your NIGHTSTAND, hack into the wifi and exploit computers running Windows 2000, Windows XP, Windows XP SP1 and Windows XP SP2 along with Internet Explorer 5 or 6.

NIGHTSTAND is a dedicated Linux Fedora Core 3 computer inside a box with a big antenna that looks like it came off a cell tower. Why? "Use of external amplifiers and antennas on both experimental and operational scenarios have resulted in successful NIGHTSTAND attacks from as far away as eight miles under ideal environmental conditions."

The description says nothing about the mode of attack, but it's likely that NIGHTSTAND can only work on open or WEP-based wifi networks. Back in 2008 (the document is dated 7/25/2008) this may have been a workable strategy.

The document is dated 7/25/2008.

A mini-Linux 2.4 device with a PowerPC chip that captures at least 2 hours of wifi data (at which point the battery starts to go). It runs the BLINDDATE application software, whatever that is. It has Mini PCI slots for expansion.

The document is dated 7/25/2008.

RAGEMASTER is amazing: it's a device that's embedded "...in the ferrite video cable" between the card and monitor. It taps the red video signal and re-radiated to a separate unit which decodes and displays it.

That unit would be NIGHTWATCH. TAWDRYYARD acts as a beacon to assist in the location of the RAGEMASTER units.

According to Cryptome, this technology has been used fairly recently, "...as of September 2010 at the following embassies: Brazil's UN Mission in NY (POKOMOKE), France's UN Mission in NY (BLACKFOOT), India's Embassy and annex in DC, and India's UN Mission in New York. India's embassies were slated to be detasked, at the time of the document."

The documents are dated 7/24/2008 and 4/7/2009.

BULLDOZER is a hardware implant in the PCI bus, installed "through interdiction." KONGUR is a malware payload that uses BULLDOZER to spy on and control the system. GINSU makes KONGUR persistent.

The document is dated 6/20/2008.

SWAP, ARKSTREAM and TWISTEDKILT are used together to perform, on an arbitrary computer, much the same affect as DEITYBOUNCE: ARKSTREAM reflashes the BIOS and TWISTEDKILT writes to the hard disk's Host Protected Area; SWAP provides software application persistence. In fact, ARKSTREAM is the BIOS flashing component in DEITYBOUNCE.

Because it is flashed into the BIOS, it can execute before any software-based security.

The document is dated 6/20/2008.

WISTFULTOLL is spyware which collects registry data and other information about a Windows system using WMI (Windows Management Instrumentation) API calls.

Like a lot of surreptitious NSA software, WISTFULTOLL is installed and managed using either UNITEDRAKE or STRAITBIZZARE. These are frameworks for delivering payloads to systems; they implant using malicious hard drive firmware.

The document is dated 6/20/2008.

For most people a SIM card in a phone is just a key that opens the door to their carrier's network, but there's more to them. A SIM card also holds the user's phone number, address book, text messages, and other data.

GOPHERSET is a software hack of the SIM card itself. It "exfiltrates" the user's personal data using SMS. Yes, code on the SIM card can issue commands to and make requests of the phone. It can be deployed either through USB connection or over the air and may or may not require keys from the carrier. So maybe the carrier, or just a carrier employee, has to cooperate; maybe not.

MONKEYCALENDAR is similar, but it captures and reports the phone's geolocation data.

Interesting question: Surely the text messages are being sent from the user's carrier account, and if there are charges he'll see them on his bill. Perhaps there's more to it.

The documents are dated 10/1/2008.

PICASSO is cool. It's a modified handset that "collects user data, location information and room audio." It can be commanded remotely through SMS from a laptop and another phone.

In fact it does a lot more than just collect data from the room — the description says "Block call to deny target service" which I guess means it can interfere with other phones in the room. It can also have a "panic button" sequence which alerts the operator and sends him location data.

The document is dated 6/20/2008.

TOTECHASER and TOTEGHOSTLY are software hacks aimed at Windows Mobile devices. Windows Mobile never had a lot of traction in consumer markets, but there were narrow markets where it did quite well, including ruggedized phones and, as is the case with TOTECHASER, satellite phones.

TOTECHASER is an implant for the Windows CE kernel inside Windows Mobile, specifically targeting the Thuraya SG-2520 dual-mode GSM/SAT handset (discontinued). Either this model was very popular or the NSA had someone specific in mind.

The TOTECHASER writeup makes it clear that it's not fully-baked (the documents are dated 10/1/2008). It sounds like it probably needs installed before the customer gets it and they haven't figured that part out.

TOTEGHOSTLY is a higher-level remote control framework for compromised (perhaps by TOTECHASER) Windows Mobile devices.

CANDYGRAM is a fake cell tower, built out of a Windows XP system and a cell phone. It can be configured for a pre-set list of up to 200 phone numbers. When one of those phones comes within range of CANDYGRAM, it sends an SMS message to "registered watch phones."

CANDYGRAM is designed for passive data collection, not attack of the target phones. There are several other tools in the list with various GSM "network in a box" functions.

The document is dated 6/20/2008.

We've got three devices here: COTTONMOUTH-I, COTTONMOUTH-II and COTTONMOUTH-III, all about compromising systems through USB.

COTTONMOUTH-I is a smart "jacket" around a USB A plug. It monitors what's on the wire and communicates it either wirelessly to other COTTONMOUTH-1 devices or through a covert channel in the USB wire to STRAITBIZZARE software. COTTONMOUTH-II is a USB port with a built-in tap to communicate with STRAITBIZZARE. There is no wireless component.

COTTONMOUTH-III is a COTTONMOUTH-II and a tapped Ethernet port. Like COTTONMOUTH-I it has a wireless capability for communicating with other COTTONMOUTH devices and can talk to STRAITBIZZARE over the wire.

These ports are of the type soldered to the motherboard, and so they have to be installed through an interdiction of the computer or, conceivably, at the factory itself.

The document is dated 8/5/2008.

FIREWALK is a tapped, bidirectional Gigabit Ethernet port. It can actively inject Ethernet packets inbound or out. It has a built-in RF transceiver which it can use to create communicate with an ROC (Remote Operations Center).

The document is dated 8/5/2008.