NIGHTWATCH: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:

NIGHTWATCH

(TS//SI//REL TO USA,FVEY) NIGHTWATCH is a portable computer with specialized, internal hardware designed to process progressive-scan (non-interlaced VAGRANT signals).

(U) Capability Summary
(TS//SI//REL TO USA,FVEY) The current implementation of NIGHTWATCH consists of a general-purpose PC inside of a shielded case. The PC has PCI digitizing and clock cards to provide the needed interface and accurate clocking required for video reconstruction. It also has:

  • horizontal sync, vertical sync and video outputs to drive an external, multi-sync monitor.
  • video output
  • spectral analysis up to 150 kHz to provide for indications of horizontal and vertical sync frequencies.
  • frame capture and forwarding
  • PCMCIA cards for program and data storage
  • horizontal sync locking to keep the display set on the NIGHTWATCH display.
  • frame averaging up to 2^16 (65536) frames.

(U) Concept of Operation
(TS//SI//REL TO USA,FVEY) The video output from an appropriate collection system, such as a CTX4000, PHOTOANGLO, or general-purpose receiver, is connected to the video output on the NIGHTWATCH system. The user, using the appropriate tools either within NIGHTWATCH or externally, determines the horizontal and vertical sync frequencies of the targeted monitor. Once the user matches the proper frequencies, he activates "Sync Lock" and frame averaging to reduce noise and improve readability of the targeted monitor. If warranted, the user then forwards the displayed frames over a network to NSAW, where analysts can look at them for intelligence purposes.

Unit Cost: N/A

Status: This system has reached the end of its service life. All work concerning the NIGHTWATCH system is strictly for maintenance purposes. This system is slated to be replaced by the VIEWPLATE system.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 23, 2014 at 2:39 PM • 27 Comments

Comments

Matt HurdJanuary 23, 2014 3:41 PM

It looks old and somewhat dated.

There has been remarkable progress over the last few years in image improvement via super resolution, so you'd expect some of those capabilities in new gear if they were on their game. Super resolution may also allow you to collect data below the traditional wavelength barriers by beating the diffraction limit which was previously considered impossible.

Super resolution is particularly adept at cleaning up sharp edges such as fonts on screens and would be applicable to a next-gen NIGHTWATCH.

Machine learning super resolution is the next frontier where you could take even just one grainy picture of a PCB, such as on some of the NSA pages, and apply super resolution techniques with electronic component learning and bingo, much improved visualisations.

CarpeJanuary 23, 2014 4:09 PM

So is this the CRT monitor device we all suspected existed as soon as tempest was revealed? Does it target LED/LCD's?

Iain MoffatJanuary 23, 2014 4:27 PM

@Carpe: It begins to make sense if read together with the catalogue pages for the radars (CTX4000 and PHOTOANGLO) and the RAGEMASTER hardware implant. Because RAGEMASTER makes the VGA video signal on the monitor cable visible to the radar it is agnostic as to the display screen technology (CRT, LCD or Projector).

The classic "Van Eck" CRT remote viewer passively picked up the radio signals leaking from a CRT and was always going to have a tougher job with LCDs and projectors. This method has no such limitation but is potentially open to compromise if the victim either detects the radar / RF illuminator or finds the RAGEMASTER attached to their video cable.

JeffJanuary 23, 2014 9:49 PM

How is posting this useful? This doesn't seem like something that the NSA would use to spy on US citizens. So now we're just leaking data for the fun of it?

Matt HurdJanuary 23, 2014 10:28 PM

@Jeff

On balance I think you're right, especially w.r.t. mass surveillance.

However it is out there already thanks to Spiegel, so it is worthy of a discussion. Also, given the history of untruths, what is to say it is not being used unconstitutionally on US citizens?

This particular one can forward the screen captures to a networking centre so imagine the newer version that auto syncs, cleans the image and transmits back to Fort Meade. It could be very small. You could have zillions of automated screen captures all around the world and in the US as a dragnet. Perhaps not likely, but they have $10B a year to spend.

This particular one is pretty out of date anyway...

BJJanuary 23, 2014 10:33 PM

@Iain Moffat
"RAGEMASTER makes the VGA video signal on the monitor cable visible to the radar"

Understood, but what about DVI-D, DisplayPort, and HDMI cabling?

Does the switch to digital video signaling make capturing the signal easier or harder?

What are the frequency limits here? Do the higher frequencies in DP and newer HDMI versions exceed what can be picked up by RADAR?
(up to 18 Gbit/s in HDMI 2.0)

I do know that HDMI provides DC power, so even an active device could be powered off the standard connector. For the NSA, that is probably a big improvement over VGA.

01January 23, 2014 10:36 PM

@Jeff

why not?

I mean, this is likely to be used "wholesale", but what's to keep NSA from using it against a specific citizen of US... Law, you say?

BJJanuary 23, 2014 10:46 PM

News:
"Microsoft will allow foreign customers to have their personal data stored on servers outside the U.S., breaking ranks with other big technology groups that until now have shown a united front in response to the American surveillance scandal. "
http://www.cnbc.com/id/101356752

Clive RobinsonJanuary 23, 2014 11:46 PM

@ BJ,

The question is... Will Micro$haft breaking ranks be just a crack in the dam, that can be repaired, or a major breach leading to a total dam burst?

Hopefully the latter, but I suspect the bought legislators will try to patch it up with a typical bodge job.

I know some people will claim it's the equivalent of "Barbarians at the gates of Rome" to imply it will cause "the colapse of the American Empire" and thus "American Society" but on looking you will find they have vested interests or hope to curry favour with those who do.

I'm wondering just what sort of influance Bill Gates is regaining over MS, after all from his point of view his name is still intermately linked to it, thus he's bound to be upset about how things are currently playing out.

01January 24, 2014 12:29 AM

I might be overthinking it, but isn't the gesture utterly trite since MS foreign servers are still owned by MS and thus subject to US jurisdiction (so you get spy risks from US and from whatever State that has influence in the foreign datacenter)?

Clive RobinsonJanuary 24, 2014 12:30 AM

@ BJ,

    Does the switch to digital video signaling make capturing the signal easier or harder?

Traditionaly you would look for a "serial signal" with high frequency content and either the analog video signal or CRT gun signal was the favourit to go for.

This was due in part to the fact that parellel data signals effectivly only radiated noisy avarages that were at best a "majority vote". However parellel data buses have fallen out of fasion for various technical reasons so serial is back but at several magnitudes of order increase in clock speed. And worse for the evesdropers the serial data on the cable is starting to be either compressed or differance data thus removing the advantage of averaging.

Further work started at the UK Cambridge Computer Labs has gone into removing high frequency content in analog images.

Thus I suspect that "illuminating the cables" is becoming a thing of the past.

The question is what's going to replace it...

You have to view the likes of the NSA, GCHQ, et al like "Drug Addicts", you make heroin unavailable and they will find an alternative opiate to get their fix, rather than face the pain and loss of withdrawal. In fact as with Drug Adicts the loss is likely to push their aggression and criminality buttons hard to societies cost.

So to predict what they will do you have to start thinking like them and the thoughts you have are not nice, even when for you they are just theoretical and to others apparently paranoid.

So where to start on the "paranoid thinking" well for non contact systems you want to find a clear serial signal with low bandwidth or significantly repeated data such that averaging will buy you an advantage.

If you can not find one then you have to start thinking about contact systems such as either bugs or implants. In the case of bugs they need to be both easy to fit and covert which is going to be difficult with modern technology.

So you start thinking of implants at the design, manufacture or supply chain stages. And it's here where traditional and mass surveillance differ. Anything done in design or manufacture stages is going to enable mass surveillance the supply chain less so.

The easiest and cheapest and potentialy the most covert way is to build something into standards or licencing requirments, which is where I would start.

65535January 24, 2014 3:34 AM

Good question particularly with multiple high end video cards loaded with RAM and GPU’s (possibly using SLI technology).

What is the screen collection method of choice for DVI and HDMI (from NSA’s view point)?

@ Matt Hurd
“This particular one can forward the screen captures to a networking centre so imagine the newer version that auto syncs, cleans the image and transmits back to Fort Meade. It could be very small. You could have zillions of automated screen captures all around the world and in the US as a dragnet. Perhaps not likely, but they have $10B a year to spend.”

That is possible – and a very disturbing thought.

@ 01
“…isn't the gesture utterly trite since MS foreign servers are still owned by MS and thus subject to US jurisdiction (so you get spy risks from US and from whatever State that has influence in the foreign datacenter)?”

Yes, that is my first thought – and the fact it reduces American jobs. MicroSquish would have the Sysop privilege to manage all aspects of their network and probably fall under the current FISA rules and various “National Security” rules.

Further, what the NSA can’t do the GCHQ can do (or any combination of the 5 eyes). It appears that very strong encryption is the only method of security for cloud computing at this point.

“Sysop prerogative is a legal concept used to understand what powers a systems operator has and which they do not. It states that a sysop has the prerogative to make any rules they choose providing they have not given the right to do so by contract and that legislation in the country they are in permits and does not prohibit the rule they want to make…”

https://en.wikipedia.org/wiki/System_operator

“In many jurisdictions… permission for telephone tapping is easily obtained on a routine basis without further investigation by the court or other entity granting such permission. Illegal or unauthorized telephone tapping is often a criminal offense. However, in certain jurisdictions such as Germany, courts will accept illegally recorded phone calls without the other party's consent as evidence.”

https://en.wikipedia.org/wiki/Telephone_recording_laws

Iain MoffatJanuary 24, 2014 4:12 AM

@BJ: I think Markus Kuhn at Cambridge already proved recovery of video from passively radiated signals from DVI - see http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf - so all the radar/implant does is makes the job easier from further away.

@Jeff: While I accept that there is a distinction between mass surveillance and directed surveillance, now the ideas in the TAO catalogue are published beyond recovery into the secret world, we have to assume that the "private sector" will be considering how they can be misused for gain, and try to understand how to protect our own and our employer's data from such misuse of NSA designs. So I think it is legitimate to discuss them - some are obviously more likely to appear at a "cash machine near you" than others but it depends how much $$$ is in it for the criminal. In any case they are 6 years old and I would hope that your NSA and my GCHQ have spent some of our taxes on newer methods ! Here in the UK we have an ongoing major criminal trial of newspaper executives for abuse of (mostly low tech) surveillance and corruption of public officials which is an existence proof that misuse by or on behalf of the "private sector" is a real risk and only design of robust and secure IT and communication systems will achieve anything for legitimate personal or corporate privacy in our modern electronic world. Otherwise it's back to atoms locked in steel boxes for storage and long walks in the mountains near waterfalls where the wind howls, to exchange information.

Clive RobinsonJanuary 24, 2014 8:18 AM

@ 65535,

With regards the bit you quote,

    Illegal or unauthorized telephone tapping is often a criminal offense. However, in certain jurisdictions such as Germany courts will accept illegally recorded phone calls without the other party's consent as evidence

It's actually conflating two seperate legal issues,

1, The legality of intercepting common carrier traffic.
2, Getting consent to record the specific traffic.

It is perfectly legal to connect recording equipment to a telephone line "behind the demark" providing the equipment is type approved under the prevailing legislation in the juresdiction. That is as the owner of the property or one who holds title on it you may connect to the telephone line even if you are not the person paying for the service, likewise you can engage an agent to do the work for you. Further use of a phone pair is not considered exclusive to a person paying for a service, otherwise various shared/party lines etc would be illegal for the service supplier or others to operate.

Now having quite legaly placed a recording device on the line there is a thorny issue of what is and is not "presumed consent" with another party or parties, and this gets very very complicated depending on if you are the first party (initiating the call) the second party (terminating the call) or a third party (evesdropping on the call).

As the first party you are supposed to inform the second party that you are making a recording (as opposed to making a record) of the conversation prior to it starting and at regular points within it. That is there is no presumed consent for an audio recording but there is for you making a personal written record...

Likewise similar rules apply to the second party which is why you get that automated message about "calls are recorded for training purposes". Basicaly it translates to "we are going to record the call wether you like it or not, we will play it to who ever we chose when ever we chose, but you have no rights to a copy at all even in the event of legal action". BUT the fact they are recording does not give you consent to also record the call for training or other purposes without notifing them (though you are still free to make a record).

Now as a third party you again have no presumed consent to record a call but you can if you "chance" to hear the call make a record (Parellel Construction anyone?). However as a third party you can gain contractual consent, that is as the service provider you put it in the T&Cs and as the person with title to a property you can put it in a lease or tenancy agremment, likewise with shared service it will be in the contract small print probably under "technical" or "repair/servicing" terms.

Now there is a big fat loop hole of a legal get out for making audio recordings without gaining consent. Remember you are alowed to make a written record of the call. The law says nothing about how you arive at that written record... Thus whilst it's not permissable to make an audio recording for evidentiary purposes, it is permissable to do it as an "aid memore" for making a contempranious written record or transcript. The law does not say what you can or cannot do with this aid to your memory after you have made and checked your written record.

Thus if you go to court and you present your written record as evidence (which is legal) the other party can chalenge it (and probably will) you maintain it's accurate and that they are wrong. If the other party is a chancer they will press you as to why you belive that to be true and you simply say "because I checked carefully"... Now at this point if the other parties council is an idiot they will make further enquires. If they don't the judge may well or your own council will under re-examination. It's then you say how you checked importantly saying of the recording "to use as an aid memore" but don't say "I've still got the audio recording" untill you are asked to which you simply say "yes" and if you are then asked as you probably will be why you did not include it in the evidence submition you simply say "I was under the impression that the evidence submission was only for my written records". At this point it's game over because if the judge does not ask to hear the tape as confirmation they have to accept the written evidence as fully factual not doing so and ensuring that the jurry understands this point is probable grounds for appeal should the final judgment go against you.

As always it's not what you do or how you do it, but how you present it at the appropriate time...

Clive RobinsonJanuary 24, 2014 8:30 AM

@ Iain Moffat,

With regards Markus Kuhn's device as I posted just the other day it's actually best to go to the Camb Labs blog, because he and I had a discussion there about extending things including using the output of a photo multiplier rather than a specialised radio receiver.

As for "using the techniques" you might have missed the UK news item a month or so ago about a bank having it's branch computers having illicit KVMs with a radio interface being fitted by criminals posing as service techs. Such that they could both see and type in just like a bank employee so basicaly be capable of doing all sorts of financial fraud...

idunnoJanuary 24, 2014 10:37 AM

Next step, thinking like them (as recommended): screen capture seems like a very poor cousin compared to keystroke logging and usb readers in terms of bridging the airgap, life is better if target is online via sms/email and url interception.

Ask yourself, how boring has your screen been the last twenty-four hours?

Very rarely is a target so interesting that NSA could assign an $120k a year analyst to sit there and watch them by screen capture. Or even watch a one second per frame animation of it later. The target would have to be looking at something like a map or photo brought by courier on a memory stick to make it worthwhile.

The real limitation here is the ill-fit of screenshot content with megabasing. NSA does not want images. NSA does not want rambling text. They want neat rows and columns filled with controlled format and controlled vocabulary that are rapidly machine searchable for associations.

Here screen capture would have to be followed by OCR to get text (if any), that text would have to be sliced for metadata content if any. As we saw the other day for SMS in the DishFire document release.

http://nsa.gov1.info/dni/2014/index.html

NightWatch sounds like the device side of their 'all of the above' strategy of doing it just because they have the budget to do it.

NobodyJanuary 24, 2014 10:58 AM

I posted Windows registry the other day exposing Wireless Zero Configuration, which provides automatic configuration for the 802.11 adapters in many PCs and laptops.

For some strange reason, my post was censored. Why?

ToNobodyJanuary 24, 2014 12:16 PM

Maybe your post contained special characters (eg angle-brackets aka less than or greater than symbols) which confused the form processor into thinking it was malformed HTML or some such similar. How about trying again but leave out special characters (eg for less-than sign explicitly state 'less-than character') etc? Or posting it elsewhere (even as an image) and putting a link here?

IT GuyJanuary 24, 2014 12:35 PM

I pretty much assume all my computers are open to NSA for spying, and so far I took no action. Of course, I will use antivirus and other stuff, to prevent ID fraud from Russia crooks, but other than that, I would not do anything further.

I assume all US made/influenced IT products as extremely unsafe and will adjust my habit accordingly. I predict huge drop of Cisco stock price after Feb 12th.

Iain MoffatJanuary 24, 2014 1:51 PM

@Clive: it was 4 months ago - the BBC News report on the wireless KVMs in banks is here: http://www.bbc.co.uk/news/uk-england-london-24077094; as I recall a more technical article elsewhere it was a combination of a KVM and a 3G mobile dongle. I suspect the NSA version would be harder to find (I seem to remember there is an implanted USB cable to come, having read ahead in the TAO catalogue) !

I will go read the blog when (if) I get time at the weekend.

Mod PointzJanuary 25, 2014 6:09 PM

"Of course, I will use antivirus and other stuff"

Before you do, please read their EULAs.

I recently read Avira's EULA for their free anti-virus and found the data collection methods and sources to be too disturbing to use. Dr. Web's Cure It program is another which wants to send massive data back to the mother ship.

Please people, READ THE EULAs before you install!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..