Spy Tech: Nonlinear Junction Detectors

If you ever watch a spy movie, you’ve doubtlessly seen some nameless tech character sweep a room for bugs using some kind of detector and either declare it clean or find the hidden microphone in the lamp. Of course, as a hacker, you have to start thinking about how that would work. If you had a bug that transmits all the time, that’s easy. The lamp probably shouldn’t be emitting RF energy all the time, so that’s easy to detect and a dead giveaway. But what if the bug were more sophisticated? Maybe it wakes up every hour and beams its data home. Or perhaps it records to memory and doesn’t transmit anything. What then?

High-end bug detectors have another technique they use that claims to be able to find active device junctions. These are called Nonlinear Junction Detectors (NLJD). Spy agencies in the United States, Russia, and China have been known to use them, and prisons employ them to find cell phones. Their claim to fame is that the device doesn’t have to be turned on for detection to occur. You can see a video of a commercial NLJD below.

Continue reading “Spy Tech: Nonlinear Junction Detectors”

FBI Reports On Linux Drovorub Malware

The FBI and the NSA released a report on the Russian-based malware that attacks Linux known as Drovorub (PDF) and it is an interesting read. Drovorub uses a kernel module rootkit and allows a remote attacker to control your computer, transfer files, and forward ports. And the kernel module takes extraordinary steps to avoid detection while doing it.

What is perhaps most interesting though, is that the agencies did the leg work to track the malware to its source: the GRU — Russian intelligence. The name Drovorub translates into “woodcutter” and is apparently the name the GRU uses for the program.

A look inside the code shows it is pretty mundane. There’s a server with a JSON configuration file and a MySQL backend. It looks like any other garden-variety piece of code. To bootstrap the client, a hardcoded configuration allows the program to make contact with the server and then creates a configuration file that the kernel module actively hides. Interestingly, part of the configuration is a UUID that contains the MAC address of the server computer.

The rootkit won’t persist if you have UEFI Secure Boot fully enabled (although many Linux computers turn UEFI signing off rather than work through the steps to install an OS with it enabled). The malware is easy to spot if you dump raw information from the network, but the kernel module makes it hard to find on the local machine. It hooks many kernel functions so it can hide processes from both the ps command and the /proc filesystem. Other hooks remove file names from directory listings and also hide sockets. The report describes how to identify the malware, and its authors are especially interested in detection at scale — that is, if you have 1,000 Linux PCs on a network, how do you find which ones have this infection?
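A rootkit that filters the /proc directory listing still has to answer the kernel's own process-existence check. The added script below (our example, not code from the FBI/NSA report) implements the classic cross-view comparison: it collects PIDs from a readdir of /proc, collects them again by probing every PID with kill(pid, 0), and reports anything the second view has that the first does not, after discarding thread IDs (which legitimately never appear in the /proc listing). The hypothetical `pid_max` fallback and the constructed sets in the usage are assumptions.

```python
"""Cross-view check for processes hidden from the /proc listing."""
import os


def pids_from_proc(proc_root="/proc"):
    """PIDs that a directory listing of /proc admits to (the hookable view)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_probe(max_pid=None):
    """PIDs found by asking the kernel directly with kill(pid, 0).

    ProcessLookupError means no such task; PermissionError means the task
    exists but belongs to another user, so it still counts as present.
    """
    if max_pid is None:  # assumption: fall back to the live pid_max
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def is_thread(pid):
    """True if pid is a thread (Tgid differs), not a process of its own.

    A status file that cannot be opened by direct path is NOT treated as a
    thread: an unreadable but kill-able PID stays on the suspicious list.
    """
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def hidden_pids(proc_view, probe_view, is_thread_fn=is_thread):
    """PIDs the kernel knows about that the /proc listing left out."""
    return sorted(p for p in probe_view - proc_view if not is_thread_fn(p))


def scan(max_pid=None):
    """Live scan; run twice and intersect to drop PIDs that simply exited."""
    return hidden_pids(pids_from_proc(), pids_from_probe(max_pid))


if __name__ == "__main__":
    for pid in scan():
        print(f"suspicious: pid {pid} is alive but missing from /proc")
```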

This is a modern spy story, but not quite what we’ve come to expect in Bond movies. “Well, Moneypenny, it appears Spectre is using the POCO library to generate UUIDs,” is hard to work into a trailer. We prefer the old days when high-tech spying meant nonlinear junction detectors, hacking Selectrics, moon probe heists, and passive bugging.

Spy Tech: Unshredding Documents

Bureaucracies generate paper, usually lots of paper. Anything you consider private — especially anything that could get you in trouble — should go in a “burn box,” which is usually a locked trash can that is periodically emptied into an incinerator. However, what about a paper shredder? Who hasn’t seen a movie or TV show where the office furiously shreds papers as the FBI, SEC, or some other three-letter agency is trying to break the door down?

That might have been the scene in the late 1980s when Germany reunified. The East German Ministry of State Security — known as the Stasi — had records of unlawful activity and, probably, information about people of interest. The staff made a best effort to destroy these records, but they did not quite complete their task.

The collapsing East German government ordered documents destroyed, and many were pulped or burned. However, many of the documents were shredded by hand, stuffed into bags, and were awaiting final destruction. There were also some documents destroyed by the interim government in 1990. Today there are about 16,000 of these bags remaining, each with 2,500 to 3,000 page fragments in it.

Machine-shredded documents were too small to recover, but the hand-shredded documents should be possible to reconstruct. After all, they do it all the time in spy movies, right? With modern computers and vision systems, it should be a snap.

You’d think so, anyway.

Continue reading “Spy Tech: Unshredding Documents”

Recreating One Of History’s Best Known Spy Gadgets

[Machining and Microwaves] got an interesting request. The BBC asked him to duplicate the Great Seal Bug — the device the Russians planted in 1945 and used to listen covertly to the US ambassador for seven years. Turns out they’re filming a documentary on the legendary surveillance device and wanted to demonstrate how it worked.

The strange thing about the bug is that it wasn’t directly powered. It was actually a resonant cavity that only worked when it was irradiated with external RF energy. Most of the video is background about the bug, with quite a few details revealed. We particularly liked the story of using a software defined radio (SDR) to actually make the bug work.

As you might expect, things didn’t go smoothly. Did they ever get results on camera? Watch the video, and you can find out. This is just the first of six videos he plans to make on the topic, and we can’t wait for future videos that cover the machining and more technical details.

We’ve examined the Theremin bug before. There’s a definite cat-and-mouse dynamic between creating bugging devices and detecting them.

Continue reading “Recreating One Of History’s Best Known Spy Gadgets”

Eavesdropping By LED

If you ever get the feeling someone is watching you, maybe they are listening, too. At least they might be listening to what’s coming over your computer speakers thanks to a new attack called “glow worm.” In this novel attack, careful observations of a power LED on a speaker allowed an attacker to reproduce the sound playing thanks to virtually imperceptible fluctuations in the LED brightness, most likely due to the speaker’s power line sagging and recovering.

You might think that if you could see the LED, you could just hear the output of the speaker, but a telescope through a window 100 feet away appears to be sufficient. You can imagine that from a distance across a noisy office you might be able to pull the same trick. We don’t know — but we suspect — even if headphones were plugged into the speakers, the LED would still modulate the audio. Any device supplying power to the speakers is a potential source of a leak.

Continue reading “Eavesdropping By LED”