Schneier on Security
A blog covering security and security technology.
November 10, 2008
Aspidistra was a World War II man-in-the-middle attack. The vulnerability that made it possible was that German broadcast stations mostly relayed the same programme from a central source, but during air raids the transmitters in the target area were switched off so that bombers could not use them for radio direction-finding of the target.
The exploit involved the very powerful (500 kW) Aspidistra transmitter, coupled to a directional antenna farm. With that much power on the silenced station's frequency, it could pass for a local station in the target area.
With a staff of fake announcers, a fake German band, and recordings of recent speeches by high-ranking Nazis, the operators could switch smoothly from merely relaying the German network to emulating it with their own staff. They could then alter news broadcasts, occasionally creating panic and confusion.
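The attack as just described, modelled in Python as an added example (not code from the original post): a receiver that hears whichever transmitter is strongest on its frequency, a target station that goes silent during the raid, and an intruder that keys up on the vacated frequency, relays the network feed, and then substitutes its own announcement. A second run adds the control the 1945 receiver lacked, a message authentication tag on every frame, so the relayed programme still verifies but the inserted one is rejected. The frequency, the Hamburg power figure, the shared key and the programme strings are assumptions for the model; only the 500 kW figure comes from the post.

```python
"""Toy model of a broadcast-channel takeover (Aspidistra) and of source
authentication as the missing control.  Constructed example: frequency,
power figures, key and programme text are assumptions, not from the post."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

NETWORK_FREQ_KHZ = 904  # assumed frequency of the target station


@dataclass
class Transmitter:
    name: str
    freq_khz: int
    power_kw: float
    on_air: bool = True
    programme: str = ""  # what the station is radiating right now


class Receiver:
    """A wartime domestic set: tunes one frequency and plays the strongest
    carrier.  It has no way to tell which transmitter produced the signal."""

    def __init__(self, freq_khz: int) -> None:
        self.freq_khz = freq_khz

    def tune(self, stations: list[Transmitter]) -> Optional[Transmitter]:
        on_freq = [s for s in stations if s.on_air and s.freq_khz == self.freq_khz]
        return max(on_freq, key=lambda s: s.power_kw) if on_freq else None


class Intruder:
    """Aspidistra: stays silent while the target carrier is present, keys up
    on the target's frequency once it vanishes, relays the network feed so
    listeners notice only a click, and substitutes content when told to."""

    def __init__(self, tx: Transmitter, target: Transmitter) -> None:
        self.tx, self.target = tx, target
        self.tx.on_air = False  # standby while the target is transmitting

    def step(self, network_feed: str, inject: Optional[str] = None) -> None:
        if self.target.on_air:
            self.tx.on_air = False  # carrier detected: stay silent
            return
        self.tx.freq_khz = self.target.freq_khz
        self.tx.on_air = True
        self.tx.programme = inject if inject is not None else network_feed


def run_timeline(feed: str, inject: str,
                 decode: Callable[[str], Optional[str]] = lambda p: p,
                 ) -> list[tuple[str, Optional[str]]]:
    """Returns (transmitter actually heard, programme as decoded) per step."""
    hamburg = Transmitter("Hamburg", NETWORK_FREQ_KHZ, 100.0, programme=feed)
    aspidistra = Transmitter("Aspidistra", NETWORK_FREQ_KHZ, 500.0)
    intruder = Intruder(aspidistra, hamburg)
    listener = Receiver(NETWORK_FREQ_KHZ)
    stations = [hamburg, aspidistra]
    heard: list[tuple[str, Optional[str]]] = []

    def listen() -> None:
        tx = listener.tune(stations)
        heard.append((tx.name, decode(tx.programme)))

    intruder.step(feed)                 # 1. normal evening: Hamburg relays the network
    listen()
    hamburg.on_air = False              # 2. air raid: Hamburg switched off...
    intruder.step(feed)                 #    ...Aspidistra keys up, relays the same feed
    listen()
    intruder.step(feed, inject=inject)  # 3. at a convenient point, substitute content
    listen()
    return heard


# The missing control: authenticate the source, not just the frequency.
KEY = b"assumed-network-key"  # assumption: every set holds the network's key
SEP = "|"


def sign(programme: str) -> str:
    tag = hmac.new(KEY, programme.encode(), hashlib.sha256).hexdigest()[:16]
    return programme + SEP + tag


def verify(frame: str) -> Optional[str]:
    """Programme text if the tag checks out, None for anything forged."""
    programme, sep, tag = frame.rpartition(SEP)
    if not sep:
        return None  # no tag at all
    expected = hmac.new(KEY, programme.encode(), hashlib.sha256).hexdigest()[:16]
    return programme if hmac.compare_digest(tag, expected) else None


def run_attack() -> list[tuple[str, Optional[str]]]:
    return run_timeline("network: news bulletin",
                        "network: evacuate to the bomb-free zones")


def run_attack_with_auth() -> list[tuple[str, Optional[str]]]:
    # The intruder can still relay genuine frames but cannot mint a valid tag.
    return run_timeline(sign("network: news bulletin"),
                        "network: evacuate to the bomb-free zones", decode=verify)
```

In the first run the set reports the same bulletin at steps 1 and 2 although the transmitter has changed, and then plays the forged announcement; in the second run the forged frame decodes to None. HMAC is used only because it is in the standard library: in a real broadcast every receiver would hold the key, so the practical primitive is a public-key signature. Authentication also does nothing against replaying a genuine old bulletin or against plain jamming; it stops forged content, not the channel takeover itself.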
German transmitters were switched off during air raids, to prevent them from being used as navigational aids for bombers. But many were connected into a network and broadcast the same content. When a targeted transmitter switched off, Aspidistra began transmitting on their original frequency, initially retransmitting the German network broadcast as received from a still-active station. As a deception, false content and pro-Allied propaganda would be inserted into the broadcast. The first such "intrusion" was carried out on March 25, 1945, as shown in the operations order at the right.
On March 30, 1945, "Aspidistra" intruded into the Berlin and Hamburg frequencies warning that the Allies were trying to spread confusion by sending false telephone messages from occupied towns to unoccupied towns. On April 8, 1945, "Aspidistra" intruded into the Hamburg and Leipzig channels to warn of forged banknotes in circulation. On April 9, 1945, there were announcements encouraging people to evacuate to seven bomb-free zones in central and southern Germany. All these announcements were false.
The German radio network tried announcing "The enemy is broadcasting counterfeit instructions on our frequencies. Do not be misled by them. Here is an official announcement of the Reich authority." The Aspidistra station made similar announcements, to cause confusion and make the official messages ineffective.
EDITED TO ADD (11/13): Photos here.
Posted on November 10, 2008 at 7:07 AM
"The German radio network tried announcing "The enemy is broadcasting counterfeit instructions on our frequencies. Do not be misled by them. Here is an official announcement of the Reich authority." The Aspidistra station made similar announcements, to cause confusion and make the official messages ineffective."
That's just funny
"Here is an official announcement of the Reich authority..." vs. "This is a message from PayPal security..." The more things change, the more they stay the same - different medium, different authorities, but the same tactics.
Pre-emptive counter-Godwin notice: I am not trying to draw any comparison between the Nazis and PayPal. :-)
Using the German radio network to announce not to believe announcements made on the German radio network is surely a no-win situation.
This would have been causing confusion even without Aspidistra making similar announcements.
See the Liar's Paradox.
That is fantastic. As said in the other comments, announcing that the radio network cannot be trusted via the radio network... priceless!
I'll need to check through some old F&CO paperwork, but I think it was more than 500 kW in operation; I think it was around 1 MW, and it was sited at Crowborough near Royal Tunbridge Wells in Kent, UK.
If I remember correctly it was purchased from RCA "cheap" because the FCC had refused the licence to the original customer. It was a one-off design, but its main point of interest was that, unlike other high-power transmitters of the time, it could be quickly retuned to another frequency and thus was almost agile in operation.
When it arrived in the UK it remained unused for a while due to departmental infighting between the BBC and a government department.
When it was installed it was rated for 500 kW, but BBC engineers worked a little magic to get it up to 1 MW.
It had its own power station as well as connections to the national grid. Both the transmitter hall and the power station were built into the ground with reinforced concrete blast walls and a roof that was something like 3 metres thick (I'll have to dig out the photos etc.).
After the war it remained in use, but due to operating difficulties it was put into standby/mothballs in the late 1950s and was finally decommissioned and removed around the 1980s.
The reason for the mothballing was due mainly to political infighting and partly to local people complaining about interference problems.
Amongst other things, people complained they could hear it on their telephones, and one person complained they could feel it in their head, which only went away after a dentist replaced their wartime fillings...
The story of the black propaganda department is quite fascinating and reads like a 2-cent spy novel.
One fake station broadcast pretended to be a German army radio station being operated out of hours by an army signaller disenchanted with the German war effort. It became very believable to German troops and civilians, as, due to good photo reconnaissance and information about soldiers' names and home addresses (taken from census data), it was able to announce that particular German soldiers' homes had been bombed before the official channels notified them. The station announced that it was able to do this because the military command was deliberately withholding the information.
The fake programmes were actually recorded onto phonographic wax discs and broadcast at two different times on different frequencies aimed at different parts of Germany. After a time it was felt that the station had attracted too much attention and it had to be taken off the air. A dramatic closing programme of the station being raided by armed troops, with machine-gun fire sounding as the operator gasped out their last, was recorded. Due to an oversight this too was transmitted twice; however, it appears to have gone unnoticed.
If people are interested I can dig out some references etc. and photos of the site taken by myself and others at various points in its history.
A wonderful story. I always knew that the allies were wreaking havoc on ineffective German intelligence and counter-intelligence services during the war, but this I didn't know.
I suppose it was the Special Propaganda Executive that did this? I think they were a secondary organization associated with SOE, but I don't know what the org charts were like back then.
Just in case somebody notices and thinks "duh?":
Crowborough is in East Sussex, south-west of Royal Tunbridge Wells in Kent, just a few miles down the A26 (road); the county border goes south-east between the two of them.
Fascinating stuff, but technically this is not anything remotely analogous to a "Man In The Middle Attack". MITM is a technique for an undetected attacker to insert himself in the communication chain, mediating the comm link and siphoning off information without necessarily altering the content.
What is described in this story strikes me as being more analogous to an early "Denial Of Service" attack. It's not really covert, and is designed to interfere with communication and service, rather than to extract valuable information.
Yes, very interested. Could you post links to the photos here?
Ironically, the reference in this blog entry is a Wikipedia article, which is vulnerable to the exact same attack described in the post.
> When it was installed it was rated for 500KW but BBC
> engineers worked a little magic to get it up to 1MW.
Boy, would an interview with those engineers make a great tv special. That's some pretty serious "overclocking", right there.
> ... Wikipedia article, which is vulnerable to the
> exact same attack described in the post.
No, it's not (at least, not with the same consequences). Wikipedia articles have an accessible history log. A "mortal user" can correlate "bad info" to usernames.
It's not strictly speaking MITM, but it is definitely hijacking the communications channel as opposed to just rendering it useless by jamming it. I always find it amusing how a nation famed for fairness and honour was so good at these tricks.
Granted, an interesting historical fact, but I don't feel this to be a very original/effective or cost-worthy measure, as Germany was in the process of collapsing anyway. Thus it's really no big deal to exploit this, uhm... vulnerability. To me, it looks more like the 32nd successful attempt at breaking WEP nowadays...
Just my 2c...
"I always find it amusing how a nation famed for fairness and honour was so good at these tricks."
Don't laugh, but the now "outmoded" view nearly killed PWE and Sefton Delmer's plans for black/grey propaganda stone dead, and may well have critically affected Operation Overlord (the Allied invasion of occupied Europe).
There was even a (now) ludicrous suggestion that although it was OK to put out black propaganda on short waves, which could (and did) confuse "our friends" (allies such as the Free French), it was such an affront to sensibilities to put out grey propaganda on medium waves that various senior persons (the DG of the BBC included) realistically insisted that a grey propaganda station on MW (using Aspidistra) must indicate it was of British origin...
Their sensibilities prevented them realising that their suggestion of admitting to a grey MW station would have undone all the work so far done by the black SW stations at the very time when Operation Overlord needed them the most...
Oh, and for those wondering why it was called Aspidistra: the person who secured an option on the RCA transmitter described it thus,
"This apparatus would create a raiding Dreadnought of the Ether... "
as it was perhaps the most powerful transmitter at the time. There was a popular song of the time, sung by the singer/actress/comedian/entertainer Gracie Fields, called "The Biggest Aspidistra in the World", so it just seemed appropriate.
For some reason aspidistras were a popular part of English culture and were found in many middle- and upper-class homes in the 1930s and 40s, so much so that even George Orwell used it as part of the title of one of his books at that time, "Keep the Aspidistra Flying".
@ Pat Cahalan
> No, it's not (at least, not with the
> same consequences). Wikipedia
> articles have an accessible history log.
> A "mortal user" can correlate "bad info"
> to usernames.
You're assuming that the mortal user knows enough about the subject to tell which information is true and which is "bad info."
This attack is more of a Denial of Service coupled with impersonation (inability to authenticate source reliably) rather than a MITM, isn't it? Or am I missing something here?
MITM is a form of impersonation, and it isn't mutually exclusive with denial of service.
For instance, as the MITM, one can prevent a transaction from happening at all, while making it look like it did.
However, I don't see the attack described above as a denial of service. MITM applies because the attacker exploits a medium normally used by the victim.
While we're throwing security buzz words around, I think "social engineering" is another relevant term here.
Agreed. It could be called MITM: one communicating end is the German citizen, the other is the Reichsministerium für Propaganda. The communication channel is cut by initiating an air raid, and from the viewpoint of the listener the other end is impersonated by the big transmitter. (The other end notices the attack!) Seems to fit more or less a MITM.
It could be argued, however, that there is no real difference between simple DoS + impersonation and MITM if the communication is strictly one way and only one end is deceived.
Check out the book "Most Secret War" by R.V.Jones. It contains a number of similar tricks.
It also contains a good explanation on how to devise project code names. At least one major WW2 German scheme was foiled because the project code name suggested the required aim of the project.
@Clive Robinson:Thanks for the material you posted - I always like reading things involving lateral thinking, and getting the BBC in to tune-up (sorry, I had to do it) a second-hand transmitter sounds pretty clever. If you've still got the photos I'd definitely be interested in seeing them.
Not to sound entirely ignorant, but what is black or grey propaganda?
Whether propaganda is black, grey or white depends on what the recipient knows about its source.
White propaganda openly acknowledges its true source. Grey conceals its source. Black falsifies the source -- usually pretending to originate from the party that is in fact being attacked.
Oops, sorry, that was meant to be addressed to Peter.
> You're assuming that the mortal user knows enough about the
> subject to tell which information is true and which is "bad info."
Not exactly. I'm just saying that there's a difference here because it is possible for the trusted source to tell the public, "information distributed by this source A is reliable, and this other source B is unreliable", and point to the history page.
In the radio example, the German broadcasters couldn't tell the general public how to differentiate the information that came from the unreliable source. Nobody had the requisite technology in their home radio set to tell them where the signal was originating *from*.
Nice, but IMHO not important:
Hitler's suicide dates around 30.04.1945; the total capitulation was on 08.05.1945.
So on the first day this was used (25.03.1945), the end of the war was already at hand...
"on the first day this was used (25.03.1945), the end of the war was already at hand"
All the more reason to use it.
"so on the first day this was used (25.03.1945), the end of the war was already at hand..."
Err, Aspidistra was purchased for 111,801 pounds 4 shillings and 10 pence in June 41, and its original site was supposed to be in Bedfordshire, but its antenna mast height upset the Air Ministry and therefore the Crowborough site was subsequently selected.
Project funding etc. was handed over to PWE in the November. A turf war then broke out between the BBC, PWE and "The Service" (SIS) over the control of this powerful MW transmitter.
An uneasy compromise was reached, and the BBC's DG reported to the PM that Aspidistra was functioning at the end of Sept 42. It actually went into operational service in the second week of November 42.
However, the black and grey propaganda was already in progress from other SW transmitters prior to this.
Further tricks and techniques were invented and improved throughout the rest of the war as the capabilities of both the equipment and the personnel increased.
As I noted in an earlier post, the BBC DG, who had effectively gained control of Aspidistra due to the turf war, was against it being used for anything other than white propaganda but was eventually overruled, which was one of the primary reasons why this technique, which had been proved on SW, was so delayed on MW.
But the other tricks it was involved with were just as interesting.
One source of information about Aspidistra is David Garnett's official history of the PWE, published by St Ermin's Press, ISBN 1 90360808 2.
It's somewhat disjointed in nature, which makes it a bit difficult to get into, but it is well worth reading.
I had a look at the photos on the Aspidistra page of the Sefton Delmer site,
and unlike mine they are in colour and appear to have been taken some time prior to mine (i.e. before full decommissioning), whilst more of it was still there.
If you want to see the other "hole in the ground" photos I can dig them out and scan them.
I wrote the Wikipedia article in question.
There are more technical details available in the references. The Aspidistra staff built special hardware to take over German broadcasts within 50 ms of the target German station going off the air. Receivers at another location picked up the target station. When the hardware detected that the target station had gone off the air, the big Aspidistra transmitter went from standby to transmit, repeating the network signal being received from another German station. Listeners just heard a click during the switchover. This was going out as AM, so clicks were normal.
With the Aspidistra transmitter now in the middle between the German network and the receivers in Germany, the staff could then, at a convenient point, switch to their own content.
What's notable technically about this is the high-speed, automated, seamless takeover of the channel. That was very advanced for the time.
All this probably wasn't worth the trouble. Aspidistra had previously been used to create the phony German station "Soldatensender Calais". That was a quite successful "grey propaganda" operation. After D-Day and a few weeks of invasion, Calais had been overrun, so pretending to be a German station in France made no sense. So the big transmitter was freed up for other uses.
Incidentally, the Aspidistra installation, even though in an underground bunker, was a gorgeous piece of Art Deco design. Chrome trim, beautiful woodwork, parquet floors, glass doors, and recessed indirect lighting, all designed by someone who usually did movie theaters. Pictures at "http://www.seftondelmer.co.uk/aspidistra.htm".
I always wanted to make a big placard with my ham radio callsign on it, take it to one of these big transmitter sites (VOA was not far from where I live) and take pictures of it and then use that as the basis for a QSL card as if the antennas it portrayed were mine.
Having read the article on the guy who ran it, I suspect dementia may have been setting in. He constantly harps on how the Germans were behind Hitler until the end of the war and only turned on him once the writing on the wall was obvious; yet he continuously praises the never-ending stream of Germans who were assisting him in his efforts (which a lot of people would consider traitors) to defeat Hitler. Well, which is it? Either there was an "underground" or there wasn't.
They also did something similar with the Nachtjäger fighter control radio network. German linguists were based in East Anglia, and received intercepted comms from the fighter pilots (I think some 100 Group RAF aircraft were tasked as relays for this but I'm not sure). They answered, posing as the controllers. Their voices were broadcast into Germany with some sort of monster transmitter (again, I think some aircraft were used as relays).
The Germans began recruiting women as radar-intercept controllers, either to cope with their manpower shortage or because they thought the fake controllers were in aircraft over Germany and the British wouldn't dare send women. We stood up a squad of women linguists...
Quite frequently the fake and real controllers would end up yelling at each other, each denouncing the other as an enemy impostor, confusing the hell out of everyone. I don't know if they ever deliberately accused another fake of being a fake...
'For some reason Aspidistras where a popular part of English culture and found in many middle and upper class homes in the 1930s and 40s so much so that even George Orwell used it as part of a title of one of his books at that time "Keep the Aspidistra Flying"'
"I knew it! You blasphemed the aspidistra, and something horrible came down the chimney."
Lord Peter Wimsey to Lady PW in Busman's Honeymoon, by Dorothy L. Sayers, 1937.
The correct SIGINT/EW term for this is imitative communications deception.
There is a reference to a book above. I looked for that book and found this on Amazon's site:
This book is also known as the Wizard War.
The author as a relatively young man was the technical intelligence director for the British Royal Air Force in WW II. As such he was involved in the development of active, passive, and counter measures to thwart the German Luftwaffe.
Developments included radars, anti-ship missiles, jet engines, defence against buzz bombs, and the jamming of radio navigation systems used by the Germans.
After the war the author returned to Scotland to become a university professor. He returned to service during the Korean War period. His other book Reflections on Intelligence reveals him to be a man of erudition and covers and fills in some of the gaps in the story told herein which could not be revealed at the time this book was written.
Another one for the complete shelf of intelligence classics.
The book referred to above in Nomen Publicus' comment was "Most Secret War"
After reading Mr Schneier's book on digital security in a networked world, I was interested in his information on modern man-in-the-middle network attacks. Concerning DNS attacks, I came across the following information, purported to be attempts by the DNS inventor to fix the flaws in DNS.
"We saw many attacks launched against us, but have successfully dealt with every one. And our focus has now moved onto additional security measures, beyond DNS. For instance, in the DNSSEC [DNS Security Extensions] era of the future, it will be possible to distribute reputation information using digital signature technology to the filters used by email and virus filters to remove spam and block malicious or pornographic sites."
Interesting. It seems that rather than preventing DNS Spoofing attacks, they are trying to develop a work around that deals with catching spoofed sites before they wreak havoc with your system. A posh MS Phishing Filter methinx...
Currently researching King's Standing at Ashdown Forest, I am interested in the "cinema" building and the interior of the underground bunker. I have read that it was designed by Cecil Williamson; does anyone know if this is true, and anything more on him, and did he design pre-war cinemas?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.