Building the NSA’s Tools

Fake ANT Catalog Entry for HackRF

Back in 2013, the NSA ANT Catalog was leaked. This document contained a list of devices that are available to the NSA to carry out surveillance.

[Michael Ossmann] took a look at this, and realized that a lot of their tools were similar to devices the open source hardware community had built. Based on that, he gave a talk on The NSA Playset at Toorcamp 2014. This covered how one might implement these devices using open hardware.

The above image is a parody of an ANT Catalog page, which shows [Michael]‘s HackRF, an open source software defined radio. In the talk, [Michael] and [Dean Pierce] go over the ANT Catalog devices one by one, discussing the hardware that would be needed to build your own.

Some of these tools already have open source counterparts. The NIGHTSTAND WiFi exploitation tools is essentially a WiFi Pineapple. SPARROW II is more or less a device running Kismet attached to a drone, which we’ve seen before.

A video of the Toorcamp talk is available on [Michael]‘s blog. There will also be a variety of talks on this subject at DEFCON next week, which we’re looking forward to. For further reading, Wikipedia has a great summary of the ANT Catalog.

Homebrew NSA Bugs

NSA

Thanks to [Edward Snowden] we have a huge, publicly available catalog of the very, very interesting electronic eavesdropping tools the NSA uses. Everything from incredibly complex ARM/FPGA/Flash modules smaller than a penny to machines that can install backdoors in Windows systems from a distance of eight miles are available to the nation’s spooks, and now, the sufficiently equipped electronic hobbyist can build their own.

[GBPPR2] has been going through the NSA’s ANT catalog in recent months, building some of the simpler radio-based bugs. The bug linked to above goes by the codename LOUDAUTO, and it’s a relatively simple (and cheap) radar retro-reflector that allows anyone with the hardware to illuminate a simple circuit to get audio back.

Also on [GBPPR2]‘s build list is RAGEMASTER, a device that fits inside a VGA cable and allows a single VGA color channel to be viewed remotely.

The basic principle behind both of these bugs is retroreflection, described by the NSA as a PHOTOANGLO device. The basic principle behind these devices is a FET in the bug, with an antenna connected to the drain. The PHOTOANGLO illuminates this antenna and the PWM signal sent to the gate of the FET modulates the returned signal. A bit of software defined radio on the receiving end, and you have your very own personal security administration.

It’s all very cool stuff, but there are some entries in the NSA catalog that don’t deal with radio at all. One device, IRATEMONK, installs a backdoor in hard drive controller chips. Interestingly, Hackaday favorite and current Hackaday Prize judge [Sprite_TM] did something extremely similar, only without, you know, being really sketchy about it.

While we don’t like the idea of anyone actually using these devices, the NSA ANT catalog is still fertile ground for project ideas.

[Read more...]

NSA Technology Goes Open Hardware

Raspi, GPS, USB hub and battery hooked together

When [Edward Snowden] smeared the internet with classified NSA documents, it brought to light the many spying capabilities our government has at its disposal. One the most interesting of these documents is known as the ANT catalog. This 50 page catalog, now available to the public, reads like a mail order form where agents can simply select the technology they want and order it. One of these technologies is called the Sparrow II, and a group of hackers at Hyperion Bristol has attempted to create their own version.

The Sparrow II is an aerial surveillance platform designed to map and catalog WiFi access points. Think wardriving from a UAV. Now, if you were an NSA agent, you could just order yourself one of these nifty devices from the ANT catalog for a measly 6 grand.  However, if you’re like most of us, you can use the guidance from Hyperion Bristol to make your own.

They start off with a Raspi, a run-of-the-mill USB WiFi adapter, a Ublox GY-NEO6MV2 GPS Module, and a 1200 mAh battery to power it all. Be sure to check out the link for full details.

Thanks to [Joe] for the tip!

 

 

 

Hacking and Philosophy: Surveillance State

hnpss

If you don’t live under a rock (though you may want to now) you probably saw yesterday’s article from Spiegel that revealed the NSA has its own catalog for spy gadgets. Today they released an interactive graphic with the catalog’s contents, and even if you’re not a regular reader of Hacking & Philosophy, you’re going to want to take a look at it. I recommend glancing over IRATEMONK, in the “Computer Hardware” category. As the article explains, IRATEMONK is

An implant hidden in the firmware of hard drives from manufacturers including Western Digital, Seagate, Maxtor and Samsung that replaces the Master Boot Record (MBR).

It isn’t clear whether the manufacturers are complicit in implanting IRATEMONK in their hardware, or if the NSA has just developed it to work with those drives. Either way, it raises an important question: how do we know we can trust the hardware? The short answer is that we can’t. According to the text accompanying the graphic, the NSA

…[installs] hardware units on a targeted computer by, for example, intercepting the device when it’s first being delivered to its intended recipient, a process the NSA calls ‘interdiction.’

We’re interested to hear your responses to this: is the situation as bleak as it seems? How do you build a system that you know you can trust? Are there any alternatives that better guarantee you aren’t being spied on? Read on for more.

[Read more...]

ScareMail Tries to Disrupt NSA Email Surveillance

scaremail

Are you on the NSA’s email watchlist? Do you want to be?  This project is called ScareMail and it’s designed to mess with the NSA’s  email surveillance programs.

[Benjamin Grosser] has written it as a plugin for many popular web browsers, and it uses an algorithm to generate a clever but ultimately useless narrative in the signature of your email using as many probable NSA search terms as possible. The idea behind this is if enough people use it, it will overload the NSA’s search results, ultimately making their email keyword tracking useless.

So how does it work? The algorithm starts with natural language processing (NLP) and an original source of text — he picked Ray Bradbury’s Fahrenheit 451. Using the processor it identifies all nouns and verbs in the original text and replaces them with properly formatted and conjugated “scary” words that he’s indexed from a list of hypothetical NSA key words. To ensure each signature is unique, he makes use of a Markov chain to generate new texts that are completely different each time. The result is a somewhat coherent paragraph that doesn’t make any real sense.

But wait! Surveillance like this is bad, but hypothetically it could work! Well, maybe. But the point is: 

ScareMail reveals one of the primary flaws of the NSA’s surveillance efforts: words do not equal intent.

Stick around after the break to see a proper video explanation of ScareMail by [Ben] himself.

[Read more...]

TEMPEST: A Signal Problem

tempest

TEMPEST is the covername used by the NSA and other agencies to talk about emissions from computing machinery that can divulge what the equipment is processing. We’ve covered a few projects in the past that specifically intercept EM radiation. TEMPEST for Eliza can transmit via AM using a CRT monitor, and just last Fall a group showed how to monitor USB keyboards remotely. Through the Freedom of Information Act, an interesting article from 1972 has been released. TEMPEST: A Signal Problem (PDF) covers the early history of how this phenomenon was discovered. Uncovered by Bell Labs in WWII, it affected a piece of encryption gear they were supplying to the military. The plaintext could be read over that air and also by monitoring spikes on the powerlines. Their new, heavily shielded and line filtered version of the device was rejected by the military who simply told commanders to monitor a 100 feet around their post to prevent eavesdropping. It’s an interesting read and also covers acoustic monitoring. This is just the US history of TEMPEST though, but from the anecdotes it sounds like their enemies were not just keeping pace but were also better informed.

[via Schneier]

Follow

Get every new post delivered to your Inbox.

Join 93,711 other followers