Schneier on Security

A blog covering security and security technology.

« Information Security Salary Survey | Main | Dutch Biometric Passport Cracked »

January 31, 2006

Wireless Dead Drop

Dead drops have gone high tech:

Russia's Federal Security Service (FSB) has opened an investigation into a spying device discovered in Moscow, the service said Monday.
The FSB said it had confiscated a fake rock containing electronic equipment used for espionage on January 23, and had uncovered a ring of four British spies who worked under diplomatic cover, funding human rights organizations operating in Russia.

BBC had this to say:

The old idea of the dead-drop ('letterboxes' the British tend to call them) - by the oak tree next to the lamppost in such-and-such a park etc - has given way to hand-held computers and short-range transmitters.
Just transmit your info at the rock and your 'friends' will download it next day. No need for codes and wireless sets at midnight anymore.

Transferring information to and from spies has always been risky. It's interesting to see modern technology help with this problem.

Phil Karn wrote to me in e-mail:

My first reaction: what a clever idea! It's about time spycraft went hi-tech. I'd like to know if special hardware was used, or if it was good old 802.11. Special forms of spread-spectrum modulation and oddball frequencies could make the RF hard to detect, but then your spies run the risk of being caught with highly specialized hardware. 802.11 is almost universal, so it's inherently less suspicious. Randomize your MAC address, change the SSID frequently and encrypt at multiple layers. Store sensitive files encrypted, without headers, in the free area of a laptop's hard drive so they're not likely to be found in forensic analysis. Keep all keys physically separate from encrypted data.
Even better, hide your wireless dead drop in plain sight by making it an open, public access point with an Internet connection so the sight of random people loitering with open laptops won't be at all unusual.

To keep the counterespionage people from wiretapping the hotspot's ISP and performing traffic analysis, hang a PC off the access point and use it as a local drop box so the communications in question never go to the ISP.

I am reminded of a dead drop technique used by, I think, the 9/11 terrorists. They used Hotmail (or some other anonymous e-mail service) accounts, but instead of e-mailing messages to each other, one would save a message as "draft" and the recipient would retrieve it from the same account later. I thought that was pretty clever, actually.

Posted on January 31, 2006 at 7:17 AM • 36 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

Mike • January 31, 2006 7:37 AM

I was interested in this when the story broke, and it probably happened. The only problem being it was an early link to (and their justificaton) this:

http://news.bbc.co.uk/1/hi/world/europe/...

Further crackdown of civil liberties in a bid to increase the power of the Kremlin.

They also produced British Foreign Office documents supposedly linking them to these dead-drops. As someone on a TV programme here called Newsnight pointed out the dates on the documents were in US format (month before day) and not UK (day before month).

Tim Finin • January 31, 2006 8:29 AM

This made me remember the Alger Hiss case and how much better a Bluetooth enabled rock is than a pumpkin. See http://ebiquity.umbc.edu/blogger/?p=460

JD • January 31, 2006 8:40 AM

The real story, unfortunately, is Russia's backsliding toward dictatorship, with publicly hyped espionage threats used to intimidate dissent and justify expanding political police power.

Zach • January 31, 2006 8:54 AM

Taking Mr. Karn even one step further, how about keeping the hotspot provider out of the loop. Replace one access point at a support provider for Starbucks and then have someone figure out which one it is after it's up. Use an asic mac filter to send traffic to a special part of the access point itself.

D • January 31, 2006 9:43 AM

Add this to Karn: port knocking on that dangling PC

The PC stays in stealth mode and only replies (briefly) when knocked upon.

Eklem • January 31, 2006 9:50 AM

Saving it as a draft will just obfuscate it a little, won't it? The text will still be transported over the net (between Hotmail server and desktop) as both the first person saves the draft, and the second person reads it.

Francois • January 31, 2006 10:06 AM

@Eklem:
I think the idea is to obfuscate the message from investigators rather than from software. The method takes advantage of assumed weaknesses in investigative method and way of thinking.

The exploited vulnerability here is the idea that an investigator would unconsciously assume that e-mail messages must actually be sent in order to exchange information, and that "draft" e-mails are not carrying information between anyone. Those assumptions would also carry forward into investigative method and software design. As we all know, people are the weakest link in the security chain. Sniffers and other tools are only as good as the people using (and designing) them.

Whether those assumptions are true is another question.

Anonymous • January 31, 2006 11:04 AM

"The real story, unfortunately, is Russia's backsliding toward dictatorship, with publicly hyped espionage threats used to intimidate dissent and justify expanding political police power."

Which, unfortunately, is also the case of the US and many European countries.

Timmy303 • January 31, 2006 11:13 AM

I wonder why they haven't moved toward a passive receiver, catching short burst transmissions of whatever data is being passed. Would make the transaction harder to detect, and the receiver nearly invisible.

Even better, how about hacking one's wireless configuration manager to hide the contraband data in unused header fields, passing it to a similarly hacked access point that would be an otherwise functional dead end. The spy's laptop wifi antenna could be accidentally left activated and innocently trying to associate with whatever WAP it sees (like my wife's does in our neighborhood). Hit the right WAP(s) and the data is passed.

The problem with both of these is that there is no confirmation of message delivery, but then classic dead drops lacked this as well.

Alun Jones • January 31, 2006 11:26 AM

All that spam you get in your in-box is merely steganography. The word "viagra" isn't mis-spelled to get around the spam filters, it's a complicated encoding allowing the spammers and their prospective recipients to exchange messages without anyone suspecting that there are people who want the message in the message.
That's why spammers don't care if they send it to people who don't want it, their goal is to make people think of their communications as discardable trash, rather than something that may have a value.

Zwack • January 31, 2006 1:17 PM

@Alun Jones...

So Spam is like a high-tech numbers station? I suspect that most of what numbers stations broadcast is random numbers and that the actual content is something very small hidden in the number stream (the fifteenth digit say)...

Spam could easily be used in the same way... If the spam comes from A it means X but if it comes from B then it means Y.

Ari Heikkinen • January 31, 2006 2:01 PM

"the 9/11 terrorists. They used Hotmail (or some other anonymous e-mail service) accounts"

Good thing no one came up with the idea of banning anonymous e-mail services, considering all the stupidity surrounding anything terrorism related.

AWHS • January 31, 2006 2:33 PM

Mr/Ms Heikkinen:

The current administration finds this concept to be most inspired. In the five minutes since we read your post, we have extended our draft legislation (entitiled "The Free Speech Empowerment Act of 2006") to include removing anonymity completely from our society-- everyone's voice will be known and their input considered valuable.

Thank you for you contribution to freedom in the United States. May we one day be free to be consumers of capitalist goods and drool listlessly at our television sets without fear of terrorists.

Sincerely,
Anonymous White House Staffer

JD • January 31, 2006 3:45 PM

@Anonymous:

"Which, unfortunately, is also the case of the US and many European countries."

Hardly. Whatever the ills of western open societies, they do not include spy mania and pervasive government intimidation of non-government organizations and mass media. No one, for example, can accuse American mainstream media of any shyness about criticizing the current Administration.

Stiennon • January 31, 2006 5:58 PM

I don't get it. If your information is digital why don't you just encrypt it and send it over the Internet? Why the special equipment? If you are a British or US spy you can send it via satelite encrypted. Anyone else could use a cell phone.

Seems like using an electronic buggy whip.

Bruce Schneier • January 31, 2006 6:04 PM

"I don't get it. If your information is digital why don't you just encrypt it and send it over the Internet? Why the special equipment? If you are a British or US spy you can send it via satelite encrypted. Anyone else could use a cell phone."

Traffic analysis. It can be incriminating simply to communicate, even if the contents of the communication is secret.

Dima • January 31, 2006 6:10 PM

JD, in Russia, you're pretty much free to critisize the regime - provided that you do that from an ultra-patriotic point of view. But if you don't seem patriotic enough - only then all hell breaks loose on you. Does it ring any bells?

Dylan • January 31, 2006 9:43 PM

@JD

The problem is that in the US the mainstream media is a rapidly diminishing force.

Fair and Balanced. ;-)

Longwalker • January 31, 2006 9:45 PM

There really is a lot to be said for hiding in plain sight. A wifi-enabled rock is so far out of the ordinary that any blackhat who finds an 802.11 signal coming from a rock will know that something is up. Further, a rock has a physical location that can be staked out to identify white hat agents who use it.

In contrast, SSL-enabled websites are so common that a secure connection to a well established website (e.g. Google) won't attract much notice from a traffic analysis perspective. If such a website were to have a dead drop interface, a blackhat would have a very hard time spotting it amidst all the innocent SSL traffic.

A website is also fairly hard to stake out against an adversary who is reasonably prudent about accessing the internet. Capturing traffic aimed at a suspected spy site won't comrpomise the agents using the site if the agents only login through hijacked WLANs or through chains of zombied computers.

peachpuff • January 31, 2006 10:46 PM

@JD

Intimidation isn't the same as insulation from criticism. The current administration tolerates contrary opinions but attacks contrary facts, sometimes via criminal prosecution.

Going back to the topic of wireless dead drops, how about putting it in the trunk of a car? You could leave it in a parking lot and give the spy a cover reason to park in the same lot or even just walk past it. Then it's easy to take the device in for repairs, change cars, change lots, etc. The spy doesn't even have to know exactly which car it is.

Or you could turn it around and have the spy leave a device in his own car that accepts connections and sends the information. Tell him to keep the battery charged, leave it on, and stick to his daily routine. He won't even have to know where or when it's being downloaded.

Davi Ottenheimer • February 1, 2006 12:42 AM

several photos i saw from the russian news agency showed someone actually stopping and picking up the rock. there were all sorts of claims about how durable the rock might be, and that people had to "visit" the rock in person to get it to work, but nothing about wireless networking. where did the wi-fi part of the story come from?

Timmy303 • February 1, 2006 12:56 AM

@Longwalker: I guess that would depend on the broadcast radius of the rock's signal. I have no idea what this one was. It is, however, worth noting that the majority of employers I've had that were serious about the spread of sensitive internal data had no internet connections that were not managed, proxied, and carefully scrutinized. I actually wrote a program for an employer some time ago that identified and dropped encrypted traffic for certain protocols. I'd imagine that the intelligence agency in question was at least that smart.

Davi Ottenheimer • February 1, 2006 1:14 AM

here's the series of images that supposedly shows someone accessing the data in the rock:

http://us.news3.yimg.com/us.i2.yimg.com/p/nm/...

they're literally picking the thing up and turning it over...not exactly wireless if they have to be plugged-in or touching the thing. or is that someone from rock-support performing an upgrade?

Sundar • February 1, 2006 1:15 AM

Now, NSA is going to diagnose all the rocks in the United States to check whether they are rocks indeed. Who knows Russians or Al Queda might have come across the same idea to spy others. NSA will first start with the Rock of Gibralder.

Davi Ottenheimer • February 1, 2006 1:20 AM

"It's about time spycraft went hi-tech."

Huh? I thought spycraft has been hi-tech since the beginning of hi-tech...satellites seem to be a pretty good example.

Davi Ottenheimer • February 1, 2006 1:37 AM

Aha, answered my own question. Sorry about the multiple posts...

The Russian Federal Service Bureau suggests that access is done remotely:

http://www.rferl.org/reports/rpw/default.asp

"Let us visualize the situation: the agent, who has to transmit information, walks near the rock, approaches it and transmits information at a distance of about 20 meters via a special device. The intelligence officer also walks nearby, receives information and gives new instructions to his agent."

But I think the more interesting part of the story, really, is the counter-claim by human rights activists and the NGOs

http://uk.news.yahoo.com/31012006/323/...

"Alekseyeva told Kommersant earlier that the spying allegations were part of a 'massive slur campaign against human rights organisations' and leading Russian campaigners said pro-Western NGOs were being targeted as a source of potential opposition to President Vladimir Putin. Alekseyeva, 78, is one of Russia's most respected human rights activists and an adviser to Putin on rights issues."

Walking within 20 meters of a rock in a Russian park could now be grounds for detention.

Roger • February 1, 2006 4:49 AM

It's interesting alright, but if true[1] it actually seems to be quite badly designed. In particular:
* for its described capabilities, it is absolutely enormous and ridiculously heavy. Look at the video of the alleged agent picking it up. He struggles to lift it. What's he supposed to do, stagger back to the embassy lugging an enormous boulder under his arm?
* the inclusion of the "door" (unless it was added by the FSB?) is idiocy. The exterior should be seamless, so that anyone examining the exterior can find nothing odd without smashing it to bits. If it does need repairs, just smash the casing to bits and later cast a new one.
* the supposed range is 25 metres which, we are told, is to make it difficult to intercept. But it also means the agent and handlers had to go within 25 metres of a particular spot, in a park, every time they wished to communicate. A pattern which was, in fact, spotted and led to their downfall. It should either have enough range to give a bit more flexibility in use, or there should be multiple sites active at once, or the sites should be mobile.
* Disguising it as a rock basically forces them to leave it in an open area -- thus making it harder for the agent to approach it unnoticed, and also maximising the interception range.
* If they were in fact a lot smaller, perhaps cheaper, and had seamless exteriors, you could seed an area with dozens of them and never bother coming back to replace a defective one or change the batteries. Just leave it there for someone to unwittingly dispose of later. For example, just drop it in a rubbish bin near the agent's bus stop, and make sure you come by for the upload before the garbage collectors remove it. (Or else have an excuse for wandering around a rubbish tip with a PDA!) Then you could also have a variety of disguises, and thus be able to leave them in any location the agent reports he could frequent more inconspicuously.
* A key point is people. Presumably the FSB shadow as many as possible of the embassy staff, so there is also a risk they will notice a "legal" agent dropping the device. If your illegal is then the only other person who regularly frequents that spot, he will soon be caught. So the device must be left in an area frequented by many people, and able to remain there undisturbed long enough to complete at least one data exchange. "Many" is defined to some degree by how long you leave it there, i.e. if you want to retrieve the data within an hour or so you'd better leave it at a train station, for weekly pickup a swimming pool or theatre might do, for monthly you might get away with a cafe or bar.
* One little trick to consider is vertical range, especially with wooden floors. So far as radio is concerned 25 metres straight up is the same as 25 m horizontally, but for humans 25 m horizontally is "nearby" whereas 25 m is quite a long way up. (People often claim their Class 2 Bluetooth stuff is OK because it only has a range of 10 metres which is entirely within the office, until you point out that with wooden floors that includes as much as 3 storeys above and 3 storeys below.) Once again, the rock disguise was their limitation here.
* the two biggest risks are that the agent be found with suspicious equipment, or that the handler be shadowed to the drop site and observed deploying the "letter box". By making the letter box a massive great lumping rock, and then having its RF protocol (allegedly) some kind of special burst transmission mode, it effectively achieves the worst of both worlds.
* Finally, just as with Tolkachev, the fieldcraft training given to the (unnamed, alleged) agent appears to have been non-existent, and his handlers hardly any better. For example, it seems that everyone involved knew that the rock was the "letter box", and directly interacted with it when it misbehaved. By compartmentalising deployment/recovery of the device, and giving the agent and handlers only the location where to perform uploads and downloads, the process would have been a lot more effective.

_____
1. When this story first broke, most people in the West probably thought, "Ho hum, of course everyone spies on everyone else. Pity for the poor Russian they caught, though" and went back to their morning coffee. However, an increasing number of people are noting that there are quite a few holes in the story, such as:
* the alleged cost of the "spy rock" (supposedly cost ten million pounds!!) is completely ridiculous;
* the things which are supposedly batteries are absolutely massive for a device of such low power. People are already getting 3 months out of Class 2 Bluetooth devices powered by a pair of AA lithium batteries. This looks like about 5 D cells, should be good for approximately 5 years!
* the Russian government has apparently decided not to take any action against the alleged spies, even though most of them don't even have diplomatic immunity!
* the secret video tape doesn't actually show any illegal activity;
* people have noted that the supporting documentation allegedly seized from the NGOs is not in the correct format; and
* the rock shown on TV has an access panel which opens up beautifully to enable the electronic contents to be shown on TV, yet doesn't actually provide any access for battery changes or repairs. It appears, in fact, to be made as a display window!

Dejan Jelovic • February 1, 2006 5:30 AM

Funny. I thought that with all the spam Usenet groups would be a perfect drop box.

Clive Robinson • February 1, 2006 9:18 AM

@Timmy303

You do not want to use specialised equipment, if you get picked up it's the equivalent of a signed suicide note...

Why use any low frequency (WiFi included) system it's asking for trouble as it is to easy to DF (track). Most PDA's etc come with IR ports so it would be more sensible. The only real way to find it then is to actually spot the person using the PDA pointing aproximatly at the rock. If you pick a suitable spot say opposit a bench next to an out door cafe or burger bar in the business district than it is quite likley that a lot of people would be using their PDA's or phones etc there.

At the end of the day field craft is about not getting caught even when nabbed in the act...

Curt Sampson • February 2, 2006 4:13 AM

Bruce, sure people may be doing traffic analysis on your Internet traffic. But still, there are enough protocols out there with enough "padding" in them that I don' t think it would be hard to hide your communications much more effectively than you could using this rock trick.

It could be as simple as infecting your computer with a customized botnet program that looks like a common Windows infection but is actually customed to exchange your data. Or tweak a commonly used network protocol to transfer data covertly as well as overtly, via tweaked Received: header lines in incoming e-mail messages, for example, and not-so-random choice of Message-ID headers and times for outgoing mail.

Erki • February 15, 2006 5:27 AM

This "high-tech spy rock" is widely considered a joke even among Russian newspapers. And a sign that FSB is trying, but failing, to fabricate accusations.

DigiLife • February 17, 2006 7:56 PM

concerning network traffic analysis and webmail:
consider free anonymous ssl webmail accessed via tor by both draft saver and by draft reader where the draft is gnupg encrypted......
not impossible to determine if communication is taking place but very difficult. might even require having the webmail server do the dirty work for you. even so, tracking the wrtiers and readers or reading the messages would't be easy (albeit still not impossible)

duff draft • August 21, 2006 10:55 AM

Further if the email service provider can locate that this account is being used in two different countries, it looks rather fishy and further scrutiny can be done. So in summary message is transmitted like normal message except that it goes to the same account but still subject to traffic analysis independant of whether you use Tor or other proxy so a gnupg message would be like a pink elephant anyway

besides i'm sure many email service providers (if not the likes of the NSA/GCHQ) have already implemented some software that scans through all email service providers mail servers for draft mail and checking them to see if they have any encrypted or intresting message, very plausible i think and if they haven't well isn't it time they do?

btw is not only criminals that use draft folder i use to use it back in the days when i forgot my pw to my account but knew that of my co-worker so i use to share his at work when i commnuicated with him and we didn't mind at all....

sky0ne • August 21, 2006 11:00 AM

the save draft protocol is not as fool proof as people think
as someone has already said, the files are actually moved around as one would
when a normal email is sent, in that the message is tranfsered from the desktop to the email service provider and then from the email service provider to the desktop when the recipient checks the dropped message. Further if the email service provider can locate that this account is being used in two different countries, it looks rather fishy and further scrutiny can be done. So in summary message is transmitted like normal message except that it goes to the same account but still subject to traffic analyis so a pgp message would be like a pink elephant

chuck • September 9, 2008 8:09 AM

Why the technical fieldcraft? Use everyday objects and logical patterns of life. There is absolutely no way you can explain your way out of communicating with a rock. You can explain your way out of tying a ribbon on a tree branch on a bike path.

focusoninfinity • June 29, 2010 10:37 PM

Not in fiction, but in real espionage; has there ever been a documented case of an agent using a shoe for covert secret communications?

Khrushchev at the U.N. does not count; "Whew!", that smelly shoe whiff-tiff, was overt communications.

Post a comment

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

Subscribe via Kindle

Blog Menu

Search

Powered by DuckDuckGo

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D