Schneier on Security
A blog covering security and security technology.
January 30, 2014
HOWLERMONKEY: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:
(TS//SI//REL) HOWLERMONKEY is a custom Short to Medium range implant RF Transceiver. It is used in conjunction with a digital core to provide a complete implant.
(TS//SI//REL) HOWLERMONKEY is a COTS-based transceiver designed to be compatible with CONJECTURE/SPECULATION networks and STRIKEZONE devices running a HOWLERMONKEY personality. PCB layouts are tailored to individual implant space requirements and can vary greatly in form factor.
Status: Available -- Delivery 3 months
Unit Cost: 40 units: $750/ each, 25 units: $1,000/ each
Page, with graphics, is here. General information about TAO and the catalog is here.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
Posted on January 30, 2014 at 8:38 PM
• 16 Comments
I know I'll be blasted for this: but isn't this just a digital carrier RF transceiver?
Based on what little information is on the page I would say that's a fairly reasonable first impression.
Although the pictures are quite grainy the circuit appears to be made of the same components on each board and at a guess I'd say there's a single chip microcontroller and an RF RX/TX chip on there as well as a voltage regulator.
One of the photos --YELLOWPIN top right-- appears to have a printed circuit loop around its periphery of a total length of around 110mm. Now this might just be an artifact of the layout or it might be a loop antenna. There's no easy way to tell, and as it does not appear on the other photos it would tend to suggest artifact not antenna, but... it has a separate product name which could be because it is different to the others with the difference being it has the antenna on board. So flip a coin and make your choice :-)
Now this is where I take a real leap in the dark and say this is more likely to be a CLI system for CC than a bulk data ex/infiltrator. And that the RF power is going to be down in the milliwatt or less range as there is no apparent "heatsinking", thus the working range unit to unit being in the low tens of meters.
I want to know who has the job of naming these programs?
Find the person with a warped sense of humour...
Many of the intel types have a self-belief of mental superiority that's strong enough to trip over (and they do), and can result in a puerile humour, that they believe only they have the intellect to understand. I came across this with the UK's DWS several decades ago and I suspect these people or their ilk are still calling the shots...
Thus I suspect a look up of words in a thesaurus or by running through automated translation systems through three or four languages will reveal some kind of insult or put down.
However there was before everything became Ultra PC in the US a "techie" expression used by hardware engineers to describe the latest bit of kit being speedy as "It moves like a r4p3d ape" (why it came about I have no idea nor do I wish to). Apes and monkeys are both primates and "screaming" is sometimes used as a description of speed as in "It went screaming past" etc, an alternative word for screaming is howling...
No doubt other lateral thought will provide other connections.
If they continue to allow their tools such colorful names, one almost suspects that the 2014 TAO Catalog will have BRUCESCHNEIER listed as an exploit.
(TS//SI//REL) BRUCESCHNEIER is a custom nano implant that can function as both software and hardware over a wide array of systems. It operates in conjunction with PGP and a COTS-based system.
(TS//SI//ORCON//NOFORN) Status: In development. Presently self-initiating implant encrypts target system, emits memorable password to the target system user via system speakers, scolds target system user for thinking the target system to be secure, and then uploads itself to the Woods Hole Oceanographic Institute site where it conducts security tests on servers containing squid studies. NSA suspects implant is prank by US Navy. TAO exploring possibility of replacing all USN on-ship entertainment content with an audible version of Knuth's TACP, using the voice of Arnold Schwarzenegger. ---message ends
@ Clive R
“Although the pictures are quite grainy the circuit appears to be made of the same components on each board and at a guess I'd say there's a single chip microcontroller and an RF RX/TX chip on there as well as a voltage regulator…
“…YELLOWPIN top right-- appears to have a printed circuit loop around its periphery of a total length of around 110mm. Now this might just be an artifact of the layout or it might be a loop antenna…
“Now this is where I… say this is more likely to be a CLI system for CC than a bulk data ex/infiltrator. And that the RF power is going to be down in the milliwatt or less range as there is no apparent "heatsinking", thus the working range unit to unit being in the low tens of meters.”
Yes, that looks like a good estimate. Now, I just googled around for power consumption and I found RX and TX mode on an Intel PRO Wireless (WPC2011EU) used, “561 mW RX typical, 990 mW TX typical…”
[Power consumption of WLAN network elements, page 8]
That would be enough for a fairly close AP to link the implant board to the outside world.
The only problem I see is the metal case. I assume the implant intends to TX out of the cooling slots and fan holes in the case. That could be chancy.
On the whole, the implant looks unpleasantly effective given the time constraints of a server facility Admin and his ability to keep all servers running (let alone finding the implant). It’s a real threat to data confidentiality.