CTX4000: NSA Exploit of the Day

Today's device -- this one isn't an implant -- from the NSA's Tailored Access Operations (TAO) group implant catalog:

CTX4000

(TS//SI//REL TO USA,FVEY) The CTX4000 is a portable continuous wave (CW) radar unit. It can be used to illuminate a target system to recover different off net information. Primary uses include VAGRANT and DROPMIRE collection.

(TS//SI//REL TO USA,FVEY) The CTX4000 provides the means to collect signals that otherwise would not be collectable, or would be extremely difficult to collect and process. It provides the following features:

  • Frequency Range: 1 - 2 GHz.
  • Bandwidth: Up to 45 MHz
  • Output Power: User adjustable up to 2 W using the internal amplifier; external amplifiers make it possible to go up to 1 kW.
  • Phase adjustment with front panel knob
  • User-selectable high- and low-pass filters.
  • Remote controllable
  • Outputs:
  • Transmit antenna
  • I and Q video outputs
  • DC bias for an external pre-amp on the Receive input connector
  • Inputs:
    • External oscillator
    • Receive antenna

Unit Cost: N/A

Status: unit is operational. However, it is reaching the end of its service life. It is scheduled to be replaced by PHOTOANGLO staring in September 2008.

Page, with graphics, is here. General information about TAO and the catalog is here.

We've already seen reference to VAGRANT and DROPMIRE. The first collects data off computer screens, the second from printers with "purely proximal access."

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 20, 2014 at 2:20 PM • 43 Comments

Comments

Iain MoffatJanuary 20, 2014 3:35 PM

At simplest it would be a doppler radar (closely related to police speed trap radar) which produces a demodulated signal whose frequency is proportional to the velocity of an illuminated radar-reflecting object. This is adequate to recover audio from something like a "Moscow Embassy Great Seal" bug on its own. It is notable that the TAO catalogue contains various objects designed to be influenced by signals of interest and illuminated by the radar to exfiltrate information. The radar cannot be fully understood without also examining these entries.

I remember one of my lecturers at uni worked on similar technology for industrial purposes (to reliably detect tagged objects in a factory full of metal) where active electronics modulated the reflected signal or re-radiated it on a different frequency. The very wide bandwidth (45Mbits/s) probably is needed to handle video-modulated returns as it is way in excess of the doppler frequencies expected from moving objects illuminated by a low microwave radar.

Hope this helps

Iain

Clive RobinsonJanuary 20, 2014 3:40 PM

If it emits EM radiation between 1-2GHz above around 10mW then most wide band diode bug detectors will find it simply due to it's "electric field".

However some more expensive bug detectors won't pick it up because they are designed to not show CW signals or those that don't have a corelation with audio signals.

It will also be clearly visable to a quite cheap spectrum analyser or quite a few VOX controled scanners / communications test sets.

If they do radiate 1KW of energy in this band in close proximity it's quite likely that low preasure gas discharge lights (strip lights, low energy bulbs and neon indicators) will visably glow. It will also overload the front ends of most consumer grade radios including TV's cordless phones and mobile phones. Further within around 200 wavelength it's going to be within the NRPB danger zones, so is legaly a significant health risk (even though it is non ionising radiation).

For those trying to tell if a CW signal seen on a bug hunter etc is this unit it's close proximity use means that a simple direction finding antenna (LPDA) will give different bearings within a room etc which is a dead give away to close proximity.

That said any receiver antenna working in this band is going to have a noticable effect to a well trained operator of this equipment if it is moved at a spead that will cause signals in it's video out bandwidth. So an alert operator will reduce the signal level to zero over ten or fifteen seconds to reduce the chance of being discovered.

TomJanuary 20, 2014 3:59 PM

"How we might detect it"??? If it's pushing out 1kW around 2GHz, then I'd look for your coffee boiling in the mug - that's not too different to a microwave oven.

I wonder what the gain of the antenna they use is? If they're trying to illuminate a specific target, then probably something pretty high, I imagine...

FigureitoutJanuary 20, 2014 4:05 PM

If they do radiate 1KW of energy in this band in close proximity it's quite likely that low preasure gas discharge lights (strip lights, low energy bulbs and neon indicators) will visably glow.
Clive Robinson
--Won't they flicker too w/ the pulses? Kind of close to wifi freq too, no? My bro playing video games may detect it too b/c his headphones always get interfered w/ my dad's beacon lol. Little ferrite bead took care of it for now though.

I've noticed some random dropouts in wifi but I just attribute it to service provider or neighbor just got online. One time, there was a plane flying overhead and a wifi SSID popped up "AirForce1", thought no way that could be true lol (someone is a jokester in the neighborhood). The little RF detector we have is old too, I need a better one; but w/ all the RF, kind of like Bruce's statement w/ computers, it's hard to determine enemy vs. normal operation.

JoeJanuary 20, 2014 4:06 PM

It would be great to see funding for open-source versions of these tools, so they can become better known and defenses developed.

Clive RobinsonJanuary 20, 2014 4:12 PM

As for the way it works, I described it's likely operation before (

That said any wire is an antenna and has either a resonant or anti-resonant response at various frequencies. If the wire is connected to a load at either end then the resonance will be partialy quenched. If the load is an electronic componant then depending on how linear it is will decide at what point it causes harmonic signals to be generated (this is how some anti-theft tags work).

Now if one end of the wire is connected to half bridge output the load impedance will be different for a logic high or logic low signal this will effectivly modulate the CW signal that is then received. If a locked Direct Conversion on frequency receiver or one locked to a harmonic is used then the logic signal is trivialy recovered.

If you want to know more Ross J Anderson at Cambridge labs supervised some experiments EM illuminating PC Keyboard cables which he wrote up in his book on security engineering (which you can download PDFs of via his home page).

That said as I've said befor I was doing this sort of thing back in the early 1980's to electronic wallets and pocket gambling machines.

I actually took it quite a bit further in that I modulated the illuminating EM carrier to do active fault injection. Even though I mentioned this to Ross and to Paul Kocher neither of them followed it up (although the latter appears to have tried to patent it). It was not untill fairly recently that a couple of Cambridge Labs students used an unmodulated EM carrier at around 3CM (X-band / 10GHz) on a 32Bit TRNG and reduced it down to a little over 7bits of entropy that the academic community has taken any interest (and then just as quickly forgot about it again).

I'm kind of hoping that a few PhD students having now seen the Ed Snowden revelations will actualy start doing open research on Active Fault Injection by Modulated EM Carrier.

Handle92773January 20, 2014 4:16 PM

It seems to me that the idea of this is that while you might be able to easily detect that this radar is in your neighborhood, you wouldn't necessarily know that it is a surveillance transmitter rather than having some innocent purpose. And because it saturates your entire room with the signal, you would have a hard time figuring out if there is a microphone in your room at all, and if there is, where its exact location is.

Brian BaldridgeJanuary 20, 2014 4:19 PM

I really don't think publishing any and all information on these topics is in anyone's best interest. Things related to domestic surveillance, yes. Other information is merely helping the adversary.

FigureitoutJanuary 20, 2014 4:22 PM

Clive Robinson
--What kind of "faults" do you mean? I know some traffic products that use radar are getting jammed w/ radars on the backs of newer cars now; whether that's deliberate or just accident or even the cause, I don't know.

Normal citizens aren't going to defend against these attacks, that's probably why there's little interest.

Iain MoffatJanuary 20, 2014 4:27 PM

@Clive: I would have thought the 1KW option was for long range, to penetrate walls, or to power an electrically isolated device in the target premises at a fair distance ? I agree it would have noticeable effects on things in the beam within a few tens of feet. The TAWDRYYARD simple RF tag data gives a range of 50 feet which is surprisingly short - presumably that is with the 2 watt basic radar and a sub optimal antenna at both ends for concealment. Given that the relation between radar range and transmitter power is a fourth power law (so 16 times more power to double the range with the same antenna, target and receiver) a 1KW set should give about a 4.7 times increase (to approx 230 feet) over a 2W set. Use of larger antennas could easily increase range much more.

Looking at the ANGRYNEIGHBOUR family of devices used with radar the common factor seems to be that the device contains an electronic switch (FET) that alternately turns on and off the reflection/re-radiation of the radar signal (probably by shorting the antenna when closed). That this is described as a pure amplitude modulation system is slightly surprising because normally continuous wave (CW) radars rely on a frequency shift between transmitted and received signals to identify "real" targets. There is a way to do it (frequency modulated CW or FMCW) but to work at such short ranges would require a fairly high modulating frequency to get much difference between the returns and the current transmit frequency. See: http://www.radartutorial.eu/02.basics/rp07.en.html - use of FMCW may be another reason for the claimed 45MHz bandwidth.

Handle92773January 20, 2014 5:12 PM

@Brian Baldridge - The Chinese, Russians, and foreign industrial espionage groups very likely already have similar devices. In addition, Congress and the American intelligence community have been caught violating the Constitution and lying to the public about it, so they can not be considered a fully trustworthy ally. We still need to know how to defend ourselves against the Richard Nixons in the government.

Maybe2ParanoidJanuary 20, 2014 5:13 PM

Interesting, that note about VAGRANT gathering information from the computer screen.

Any relationship to that software Vagrant at www.vagrantup.com..?

Clive RobinsonJanuary 20, 2014 5:29 PM

For those thinking "microwave oven" you appear to be in company with Julian Asange of WiKi leaks fame...

Apparently he made comment about this 1KW device and the death of Hugo Chaves from cancer,

http://dissenter.firedoglake.com/2014/01/03/the-nsa-has-special-technology-for-beaming-energy-into-computer-systems-you/

@ Iain Moffit,

I wish people would stop calling it a RADAR unit, it's not and it just confuses people.

The transmitter and receiver are two seperate units, whilst the continuous wave transmitter works in the 1-2GHz range the receiver could be working at two or three or five times that frequency.

If you take a 1.5GHz dipole stripline antenna and put a couple of schotkey diodes in anti-parellel across the middle and then illuminate it with 1.5GHz signal it's going to push out a nice harmonic rich signal (with a few more components you can turn it into a harmonic mixer ( http://www.qsl.net/va3iul/Homebrew_RF_Circuit_Design_Ideas/2.4GHz_Microstrip_Harmonic_Mixer.gif ) The shop anti-theft tags work in a similar way generaly down in the UHF band.

jonesJanuary 20, 2014 5:34 PM

What is this thing?

It gets data off computer screens and printers with radar?

I think I'm missing something.

Also, radio waves of this strength would be really noticeable, why wouldn't they use a passive radar system like Silent Sentry? This is not meant to be used where stealth is needed? Are the passive radar systems not living up to their promise?

NateJanuary 20, 2014 6:41 PM

@Brian Baldridge: "Other information is merely helping the adversary."

_We_ are the adversary. I'm fine with being helped.

Let's not forget that not everyone on the Internet is a US citizen, and that non-Americans hear arguments along the lines of "but it's the NSA's _job_ to spy on the intimate personal details of absolutely everyone on the planet outside America!" as "2010s America decides it wants to be 1910s Germany and 1980s USSR combined; shocked, stunned that this charm offensive isn't endearing itself to the planet; figures its economy is doing fine on purely domestic sales and it didn't need any technology exports ever again anyway".

Jonathan WilsonJanuary 20, 2014 6:58 PM

This reminds me of the "van eck phreaking" described in Cryptonomicon only more sophisticated (and able to work from further away)
Its pretty clear from this (and other) NSA leaks, programs and things that if the NSA wants to see what you are doing on your PC, they can probably do it.

Matt HurdJanuary 20, 2014 7:05 PM

I believe CTX4000 was confused by the NY Times with the NIGHTSTAND. NIGHTSTAND has an eight mile range on its data sheet. I doubt that CTX4000 would have this range, though uwave links can do 40km and much would depend on the discrimination ability of the rx unit. OTHR shows much is possible that would not think, so you never know.

The NY times inferred that HOWLERMONKEY based implants could be read up to eight miles in the way I read their story. I think that is wrong. Only NIGHTSTAND mentions that distance explicitly so they might have been confused.

What range do you think CTX4000 could do?

BenniJanuary 20, 2014 7:08 PM

Stupid question: What heat does this thing produce? By heath, I mean heat visible for an infrared camera.

google "Wärmebilder der US Botschaft" (heath signatures of US embassy) gets lots of articles that investigate strange heath signatures on the roof of the US embassy, for example:

http://daserste.ndr.de/panorama/media/usbotschaft113_p-1.html

Spiegel the suspicion that on the roof of the US embassy in Berlin would be a nest of spies.

Do they have such a radar station on the roof of their embassy in Berlin to spy on the german parliament or the ministries that are just a few meters away?

Or are these heath signatures on the roof just because the walls are thin so that they can hide the usual communicaton antennas in there?


Matt HurdJanuary 20, 2014 7:11 PM

PHOTOANGLO is listed as a successor and ups the bandwidth from 45MHz to 450MHz. Interested in any theories on range on PHOTOANGLO as compared to CTX4000?

Nick PJanuary 20, 2014 7:19 PM

It's probably an active emanation attack that combines with their passive emanation leaking devices. The first bug primes the process by making more data leak in a controlled way. This device blasts that target with radar, collects the return signal, and analyses the difference to try to derive what information was in the device. This may be doable without an implant. However, combining the two techniques makes a 1-2 punch of a solution for getting plenty of information out.

@ Clive

They call it radar because it *is* radar. They bounce L-band waves off the target and process the returns. I always wondered if the EMSEC attackers had a special name for it but seems they just use generic term radar.

65535January 21, 2014 3:52 AM

@Clive

I agree that 1 kW microwaves do pose a human hazard if close enough and irradiating constantly. I think the term "Radar" is fairly accurate.

“…radar dish or antenna transmits pulses of radio waves or microwaves that bounce off any object in their path. The object returns a tiny part of the wave's energy to a dish or antenna that is usually located at the same site as the transmitter…”

[Think police radar with both the sender and receiver in the same unit]

“It is possible to make a Doppler radar without any pulsing, known as a continuous-wave radar (CW radar), by sending out a very pure signal of a known frequency. CW radar is ideal for determining the radial component of a target's velocity. CW radar is typically used by traffic enforcement to measure vehicle speed quickly and accurately where range is not important.”

http://en.wikipedia.org/wiki/Radar

@Nick P

You are correct, it is radar.

@ others

Since the ctx4000 is obsolete I think we should be looking at how to identify the “laser microphone” and how to neutralize it.

“A laser microphone is a surveillance device that uses a laser beam to detect sound vibrations in a distant object. This technology can be used to eavesdrop with minimal chance of exposure. The object is typically inside a room where a conversation is taking place, and can be anything that can vibrate (for example, a picture on a wall) in response to the pressure waves created by noises present in the room. The object preferably has a smooth surface. The laser beam is directed into the room through a window, reflects off the object and returns to a receiver that converts the beam to an audio signal. The beam may also be bounced off the window itself. The minute differences in the distance traveled by the light as it reflects from the vibrating object are detected interferometrically. The interferometer converts the variations to intensity variations, and electronics are used to convert these variations to signals that can be converted back to sound. However, countermeasures exist in the form of specialized light sensors that can detect the light from the beam. Rippled glass can be used as a defense, as it provides a poor surface for a laser microphone."

http://en.wikipedia.org/wiki/Laser_microphone

sobradoJanuary 21, 2014 5:00 AM

@Brian

"I really don't think publishing any and all information on these topics is in anyone's best interest. Things related to domestic surveillance, yes. Other information is merely helping the adversary."

So people living outside the United States do not have human rights?

Clive RobinsonJanuary 21, 2014 5:16 AM

All those who say this is RADAR obviously don't know what the letters stand for,

    RAdio Direction And Ranging

This device does not do direction finding or rang finding thus it's not a RADAR device.

In exactly the same way as a flashlight / torch is not a LIDAR.

The fact it "waddles like a duck and quacks like a duck" does not mean it's not a goose.

sobradoJanuary 21, 2014 5:22 AM

@Matt Hurd

"I believe CTX4000 was confused by the NY Times with the NIGHTSTAND. NIGHTSTAND has an eight mile range on its data sheet. I doubt that CTX4000 would have this range, though uwave links can do 40km and much would depend on the discrimination ability of the rx unit. OTHR shows much is possible that would not think, so you never know."

I understand confusion by journalists, they are not experts in technology.

Eight mile range in ideal conditions... e.g. this means that first Fresnel zone between both communication endpoints is obstacles free. In real conditions it is not much better than other high-end equipment like Ubiquiti Networks access points.

"The NY times inferred that HOWLERMONKEY based implants could be read up to eight miles in the way I read their story. I think that is wrong. Only NIGHTSTAND mentions that distance explicitly so they might have been confused.

What range do you think CTX4000 could do?"

This one is an interesting question. As these implants only transmit information, sensitivity is not a key factor on the sender's side. Only receiver needs a carefully designed antenna. One up to two watts is not a lot of power, but they are transmitting on frequencies that usually do not have a lot of difficulties with walls or windows. Most urban structures are mostly transparent to these frequencies.

A different matter is what happens to NIGHTSTAND, as it transmit at microwave frequencies (~2.4 GHz). Walls are less transparent to microwaves, not to say paper (e.g., libraries) and water (trees, human bodies, ...) that are nearly opaque to these frequencies.

To get some real numbers think on CTX4000 as a Ricochet network pole-top, and on NIGHTSTAND as a high-end wireless device.

Bruce SchneierJanuary 21, 2014 8:51 AM

"I really don't think publishing any and all information on these topics is in anyone's best interest. Things related to domestic surveillance, yes. Other information is merely helping the adversary."

That's a valid argument, and were I making the publish decision I would have a hard time deciding what of this to publish and what not to publish. That decision was made by Spiegel at the end of December, and everything I am quoting has already been published.

At this point my fear is that the bad guys know it all, and we in the security community haven't been paying close enough attention to the details. That's why I am republishing one implant a day -- so that we have time to think about each one.

Nick PJanuary 21, 2014 9:43 AM

Partly what herman said. The other part is the definition of RADAR expanded since its use expanded. Anything that works similarly might be classified under the now broad term. See:
https://en.wikipedia.org/wiki/Radar

Also, acronyms only indicate historical meaning. For instance, nobody is going to argue AT&T is only good for telephone or telegraph buyers. Or that HTTP isn't used for file downloads because its name says "hypertext transfer." ;)

IlluminatiJanuary 21, 2014 12:10 PM

The embassy rooftop parabolic radar illuminator (80 sites + Canadian) is code-named EINSTEIN/CASTANET. We're told it has a directional pointing accuracy of a fraction of a degree.

They have members of the ANGRYNEIGHBOR family of radar reflectors implanted on some fixed devices, like cryptofaxes and in secure landlines.

Microwave goes right through buildings -- it is attenuated by dielectric constant, not a consideration with bricks and sheetrock.

It's not so easy to build a good Faraday cage. Refrigerators and aluminized Dorrito bags don't work. Any gap and you've created a slit antenna instead! Oddly the best thing is a microwave oven (if you don't have a SCIF tent handy).

I think a classical silver hip flask could be readily adapted to hold an iPhone -- haven't seen them on the market to date.

https://www.eff.org/files/2013/11/15/20131027-spiegel-embassy.pdf

Iain MoffatJanuary 21, 2014 2:04 PM

@ Clive & Nick - I guess the CTX4000 is either an illuminator or a range only radar (probably either depending on role). The mention of I & Q Video output implies a receive capability and 45MHz bandwidth would imply a few metres range resolution against non moving targets if used in FMCW mode. Range Only Radars called as such have a long history (Americans may consider AN/VPS2 or AN/MPQ-34 for example)

The ability to receive harmonics of the transmit frequency created by a non linear device connected to an antenna is what I referred to in my first post on this topic. Since the CTX4000 has at best a 2:1 frequency range and the 2nd harmonic is double the transmit frequency a 2:1 frequency range isnt really enough to do that so a separate receiver would be needed for 2000-4000MHz to work in that mode - probably why the small target devices like the ANGRYNEIGHBOR family work by keying a re-radiating element on the same frequency. It may also be harder for the victim to find a "bug" based on a linear device like a FET than a harmonic generating diode or transistor.

@Jones - I think the monitoring of VDUs or printers is mostly done by attaching something to the target device that is able to change it's reflection/re-radiation of the radar signal based on the video signal or printer activity. So it is possible to do it without a transmitter in the monitored premises and without a direct network connection. Looking ahead in the TAO catalog it appears RAGEMASTER is one such hardware implant.

@Benni: the best constant power RF amplifiers in communications use are a bit over 50% efficient. So the basic 2W CTX4000 will be producing a little less than 2 watts of heat for 2 watts of radiated power, and if the 1KW amplifier is used there will be almost 1KW of heat as well!. Bear in mind that 1000-2000MHz RF power can be carried over long distances - tens of metres - by coaxial cable as seen in GSM base stations so there is no reason for the antenna and the transmitter (heat source) to be anywhere near each other.

Hope this helps

Iain

Clive RobinsonJanuary 21, 2014 4:22 PM

@ Matt Hurd,

    Just a reminder that you don't always need resonance or piggy backing to capture an LCD

Markus's own blog entry for that back in 2006 can be found at,

http://www.lightbluetouchpaper.org/2006/03/09/video-eavesdropping-demo-at-cebit-2006/

In the comments section you will see that Markus and I swapped one or two ideas.

Since then the price of a suitable FPGA card and the bits to make a suitable IQ wide band receiver and wide band IF converter has dropped to well within a "home experimenter" budget.

For anyone doing it I would still recomend a four antenna design feeding two receivers simply for the "front end" advantages it gives you.

Anonymous CowardJanuary 21, 2014 4:54 PM

@65535

These microwave-frequency devices are far from obsolete. And laser microphones are not nearly as sophisticated as what's being discussed here. If you want to take the laser mic threat up a notch, start looking into modulating retroreflectors.

Matt HurdJanuary 21, 2014 6:06 PM

@ Clive Robinson

Thanks for the link to Markus's blog. Interesting. I liked the further link from there to the reflection reconstructions, such as from walls using photo-multipliers. Reminds me of the guy who used his hobby telescope and a little de-warping code to reconstruct a screen from the reflection of the screen in a user's eye. I note eye reflections from hi-res photos to id people has been getting some press this month too.

I've used Ettus Research gear in the past. They have some new more capable stuff just announced using Kintex-7s. Cheaper stuff about, but hard to beat for the eco-system that goes along with it for experimenting on a budget.

Decent handheld spectrum analysers can be had for under $300 that cover up to 3GHz, not quite the full CTX4000 range. More formal analysers are in the range of 10k to 100k.

SteveJanuary 22, 2014 12:12 AM

Not that the NSA would care, but emitting 2 watts of CW into some parts of the 1-2 GHz frequency band flagrantly violates the International Telecommunication Union Radio Regulations. For example, the band around L1 = 1.57542 GHz is the center frequency for the GPS civil [C/A] signal.

Several bands in this range are classified as Aeronautical Radio Navigation Service (ARNS) frequencies. These are designated as "safety-of-life" bands, and any emissions at these frequencies are tightly regulated.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..