Schneier on Security
A blog covering security and security technology.
January 2, 2014
DEITYBOUNCE: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog is DEITYBOUNCE:
(TS//SI//REL) DEITYBOUNCE provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads.
(TS//SI//REL) This technique supports multi-processor systems with RAID hardware and Microsoft Windows 2000, 2003, and XP. It currently targets Dell PowerEdge 1850/2850/1950/2950 RAID servers, using BIOS versions A02, A05, A06, 1.1.0, 1.2.0, or 1.3.7.
(TS//SI//REL) Through remote access or interdiction, ARKSTREAM is used to reflash the BIOS on a target machine to implant DEITYBOUNCE and its payload (the implant installer). Implantation via interdiction may be accomplished by nontechnical operator through use of a USB thumb drive. Once implanted, DEITYBOUNCE's frequency of execution (dropping the payload) is configurable and will occur when the target machine powers on.
Status: Released / Deployed. Ready for Immediate Delivery
Unit Cost: $0
Page, with graphics, is here. General information about TAO and the catalog is here.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
The plan is to post one of these a day for the next couple of months.
EDITED TO ADD (1/20): Dell's official response.
Posted on January 2, 2014 at 3:25 PM
• 97 Comments
If by some miracle none of these technologies have yet made their way into the hands of organized crime, it's a pretty good bet they are now taking stock of what they can offer NSA techies in exchange for a few thumbdrives full of these toys.
What's the deal with these unit costs? I am guessing that as it's an internal document for the NSA, that this is the cost that's charged to the cost centre for using such an exploit, and therefore is something that can be used to control usage of some of the more exotic or 0day type exploits?
My guess is through the Dell OpenManage tools. I seem to remember the OpenManage Server Administrator web pages had a way to update the BIOS. I thought there was a login required, but perhaps on Windows, there was a way to bypass the login (or use a default login).
From what I have seen, the software exploits have a "list price" of free, while the hardware has a nonzero list price. I suspect you are right that the prices are for internal accounting and budgeting purposes.
There's no unit cost on software, which this is, since software doesn't have a significant cost to copy. Pieces of hardware do, however, have a unit cost, which I am guessing is used in a cost/benefit analysis of some sort.
Not to excuse it, but this is old enough that it may be the attacks are impractical on current products. But I'm specifically wondering if TPM would stop it, assuming the attacker lacked access to keys. Perhaps if the attack is executed in the context of approved tools then it looks approved.
Scratch TPM. I meant UEFI with secure boot/trusted boot.
Here's an official response from Dell.
"Dell is aware of a story originally reported by Der Spiegel, which has subsequently been picked up in other media outlets, that refers to alleged security ‘backdoors‘ implanted by the United States National Security Agency into products from several technology companies, including Dell.
Dell has a long-standing commitment to design, build and ship secure products and quickly address instances when issues are discovered. Our highest priority is the protection of customer data and information, which is reflected in our robust and comprehensive privacy and information security program and policies. We take very seriously any issues that may impact the integrity of our products or customer security and privacy. Should we become aware of a possible vulnerability in any of Dell’s products we will communicate with our customers in a transparent manner as we have done in the past.
Dell does not work with any government – United States or otherwise – to compromise our products to make them potentially vulnerable for exploit. This includes ‘software implants’ or so-called ‘backdoors’ for any purpose whatsoever. "
+1 Evan, which is kind of terrifying.
Solution: only use coreboot (http://www.coreboot.org/Welcome_to_coreboot) capable motherboards...
I've said this before, let me say it again: In the world Snowden has opened up to us, NO closed source proprietary software (such as in a BIOS) can EVER be safe, ever again, for the rest of time. Never ever.
Open Source has a chance to be safe, it's not necessarily safe either. But at least security professionals have the ability to independently check it. That's a huge step forward.
Our constitutional freedoms being torn from us by dictators must be fought with more openness.
http://fish2.com/ipmi/ scared the hell out of me, not surprising that the NSA is exploiting it. That side of things is a wide open mess from a security perspective.
The interesting thing here is that the malware runs only once in a configurable period. I.e. it may run once a month, or once a day, or on every boot.
This greatly reduces the chance of being caught, since the malicious behavior is sporadic and difficult to reproduce.
An interesting test for a Dell PowerEdge server that is suspected of being compromised would be to advance the RTC several months while the machine is powered off, or to fuzz the BIOS/bootloader with different times.
I don't understand what the payload consists of.. what is it? Don't say it can be anything.
Who are Dell's main customers?
Idea: An open-source toolkit to detect compromised firmwares.
It could rely on various existing tools to extract system firmwares in a running system, for the purpose of fingerprinting. Validation of integrity could be based on a crowd-sourced database of known (and presumably official) fingerprints.
The toolkit should attempt to determine if some sort of SMM lockdown or other evasion techniques are in effect.
Example tools: https://bitbucket.org/blackosx/darwindumper/wiki/Tools
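The fingerprint-database idea in the comment above, which the dump-and-compare-hash suggestion later in the thread also relies on, as an added example that is not part of the original post or any comment. The database layout, the quorum rule, the block size and the sample images are assumptions constructed for illustration; the dump is assumed to have been read out-of-band, since commenters note that a compromised BIOS could hand back a clean copy.

```python
import hashlib
from collections import Counter

BLOCK = 4096  # comparison granularity in bytes (arbitrary choice for this example)


def fingerprint(image: bytes) -> str:
    """SHA-256 over the whole flash image, hex encoded."""
    return hashlib.sha256(image).hexdigest()


def consensus(submissions, quorum=3):
    """Return the fingerprint reported by at least `quorum` submitters and by a
    strict majority of them, or None when the crowd data is too thin or split."""
    if not submissions:
        return None
    value, count = Counter(submissions).most_common(1)[0]
    if count >= quorum and count * 2 > len(submissions):
        return value
    return None


def verdict(dump: bytes, model: str, bios_version: str, db, quorum=3) -> str:
    """Classify a dump as 'match', 'mismatch' or 'unknown'.
    `db` maps (model, bios_version) -> list of submitted fingerprints."""
    expected = consensus(db.get((model, bios_version), []), quorum)
    if expected is None:
        return "unknown"  # never report "clean" without a trusted reference
    return "match" if fingerprint(dump) == expected else "mismatch"


def changed_regions(dump: bytes, reference: bytes, block=BLOCK):
    """List block-aligned (start, end) byte ranges where the dump differs from a
    reference image. Adjacent differing blocks are merged; a size difference
    is reported as one trailing region."""
    regions = []
    common = min(len(dump), len(reference))
    for off in range(0, common, block):
        end = min(off + block, common)
        if dump[off:end] != reference[off:end]:
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], end)
            else:
                regions.append((off, end))
    longest = max(len(dump), len(reference))
    if longest > common:
        if regions and regions[-1][1] == common:
            regions[-1] = (regions[-1][0], longest)
        else:
            regions.append((common, longest))
    return regions


# Constructed sample data: a 64 KiB stand-in for a vendor image (not a real
# Dell BIOS) and a copy with two patched areas.
REFERENCE = bytes((i * 31 + 7) % 256 for i in range(64 * 1024))
_patched = bytearray(REFERENCE)
_patched[0x3FF0:0x4010] = b"\xCC" * 0x20  # straddles the boundary of blocks 3 and 4
_patched[0xA000:0xA004] = b"\x90" * 4     # inside block 10
TAMPERED = bytes(_patched)

# Constructed database. Model and version strings are taken from the catalog
# text quoted in the post; the fingerprints are those of the stand-in image.
DB = {
    ("PowerEdge 2950", "1.3.7"): [fingerprint(REFERENCE)] * 4 + ["0" * 64],
    ("PowerEdge 1950", "1.2.0"): [fingerprint(REFERENCE), "0" * 64],  # split, no quorum
}

if __name__ == "__main__":
    for name, image in (("reference", REFERENCE), ("tampered", TAMPERED)):
        print(name, verdict(image, "PowerEdge 2950", "1.3.7", DB))
    for start, end in changed_regions(TAMPERED, REFERENCE):
        print(f"differs: 0x{start:05x}-0x{end:05x}")
```

An "unknown" result matters as much as a mismatch here: a single submitter, or a split between submitters, is not enough to call an image official.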
I wonder if Linus or Theo De Raadt or other high up developers are infected with BadBIOS, DEITYBOUNCE, or a similar exploit of the Chinese or Russians. How would they know? Kernel.org was owned a while back. They were thinking about just trying to delete the infection without even bothering to wipe the hard drive. The Linux guys at least, don't apparently take strong security precautions.
Are Google and Amazon server BIOSes infected? How do they know?
I'd say industry buyers need to develop some kind of standards to get manufacturers to make firmware that is virus scanable and at least fairly resistant to even high level attacks.
The insidious thing about badbios and similar is it could present a virtual machine to any detection software that runs after it. To beat that you have to go to the JTAG ports and go outside the BIOS software flow control.
So, first, one could dump the bios to a bin file and compare the hash with Dell's clean BIOS hash. Seems like it could be easy enough. It could possibly be implemented as part of conventional AV features. Though, they could be sophisticated and make it lie. Could always fresh boot, dump and scan.
Also, there's been several presentations at BlackHat and Defcon on this topic over the years. Here's one for consideration:
Though I think we may have it backwards. Unless someone notices the server reflashing itself, which is a real possibility, the initial detection will probably be from the wire, or from conventional detection means: server is running strangely, malware detected, covert channel traffic over the wire, etc. At that point one would want to start investigating and determining if BIOS malware is present. At that point, if BIOS hashes don't match, isolate the machine, or kill it with fire, and if you're feeling cheeky, FedEx the remains to Ft. Meade, with Attn to Gen. Alexander.
I believe that the payload is probably some type of software rootkit. Note that this particular tool only supports Windows server and workstation OS. The BIOS malware is probably just the front-end, and key to staying persistent. They likely have a large selection of various meterpreters they can slam down onto the box. That is, unless someone is an absolutely savant for writing in assembly.
Also, they want something that is not going to be attributable to them. Once aunt Maude or Doctors without borders starts finding BIOS malware on their servers, and it's attributable to NSA, the NSA is not going to be viewed well by the public.
RE: Dell's official statement, and a similar response by Apple to DROPOUT JEEP.
These statements seem carefully crafted to not preclude handing over source code & engineering specs to the NSA. I.e., "we never worked with the NSA to create a back door" (but we handed over all the code & specs necessary so the NSA could do it themselves).
At least one executive (Marissa Mayer, Yahoo) indicates company officials refusing to comply with the NSA are threatened with jail time.
I think the idea of a crowdsourced BIOS binary fingerprint database is definitely a good idea. Until then (or in addition) a central repository of BIOS flash chip pinouts and simple instructions for what pins to cut to disable in-circuit reflashing would be good.
One could add a switch to re-enable BIOS reflashing if it's really necessary.
Just like UEFI was never really necessary to protect against unapproved OSes -- just make the user physically throw a switch to enable booting a never-before-seen kernel image. But that wouldn't allow certain monopolistic corporations to gain a stranglehold on the boot process, so UEFI was invented instead.
Ideally, a detection tool would be used also as a preventive measure by people considering themselves at risk of being targeted.
Would be nice to also able to fingerprint networked devices, including WiFi access points and routers.
Amazing that you feel no guilt in publishing classified material on your self-aggrandizing website, "Dr." Schneier. You should feel lucky to live in a country where people like you can publish things like this. Instead, you criticize it based on your partial, biased knowledge of such issues.
Many of us have served the USA with our time sweat and blood, and the lives of our family and friends. Tell me, have you had a friend bleed out in your arms in the dirt, in some far-off war based on lies and crimes of your own government?
Classification of your precious documents are subordinate to the US constitution. Some of us meant their oath to that constitution. I will tell you sir. Anyone active in such blatant unconstitutional action (NSA spying activities) is absolutely committing TREASON, and you absolutely will be prosecuted to the full extent. Following orders and classification procedures will not save you from illegal and immoral actions. Nuremberg demonstrated that. You will rot in a 6x6 cell. God help you.
Bauke Jan Douma
Who are Dell's main customers?
--Pretty much every single desktop computer at my university is Dell. I've noticed some funkiness (and similar, damn near identical, symptoms on other students log-ins); so pretty much all computer use by all students could be affected by this malware.
--Yeah, that's "what make the country great", eh? Now we can start protecting ourselves from our own gov't.
--I think it's a turning point when members of the military and in turn the police start to see what's happening...
I respect the service members (not the higher leaders really) who did the dirty work and who can think for themselves. Thanks for your service (hope you weren't forced to do immoral things). They are doers, that's the best thing about military wo/men.
If you look at all these exploits and their timeframe in the slides, they are all circa 2008; +/-1, sometimes 2, years... match up the NSA slide dates to when the first public proof of concept of any particular attack surfaced, and you can see the NSA exploiting such vulnerabilities within 6-12 months of their disclosure (if not sooner, or even prior).
If you extrapolate on that, then you can assume that today the NSA is actively and quickly exploiting nearly /all/ of the most recently disclosed security flaws, and probably several still unknown ones. If you also assume, which is probably safe, that since 2008 the NSA has /improved/ its ability to exploit flaws as they are discovered and before; then it is almost prudent to assume that they have significant exploits to key security technologies that we still haven't discovered.
Does this make US info networks safer, as is one half of the NSA's mission statement? That's going to be a tough sell one day in front of congress...
“...In the world Snowden has opened up to us, NO closed source proprietary software (such as in a BIOS) can EVER be safe, ever again, for the rest of time.”
It looks that way!
@ J. Peterson,
“These statements seem carefully crafted to not preclude handing over source code & engineering specs to the NSA.”
I agree. These are legal “non-denials” and do not preclude working with the NSA under threat.
Now, DEITYBOUNCE does show that the NSA has successfully mastered BIOS viruses and/or BIOS root kits. It is no longer theory – it is fact. I would guess the same goes for other firmware attacks on hard drive boards.
I did listen to part 2 of Appelbaum’s talk. He makes a good point that most likely the vendors of said hardware are in bed with the NSA. Changing firmware micro code without bricking the machine takes in-depth information on the working of the BIOS and the board chipset(s).
The odds of flashing a BIOS without bricking the box are slim – unless the NSA had precision inside information on each BIOS version.
I will not venture into the NSA’s abilities to manipulate Intel’s iAMT and SMM OOB management systems. They probably can own most servers with OOB hacks. It’s a nightmare situation.
Here is a report on hacking iAMT via a certificate hack and in some cases with wireless access point floods. See: Chapter 4 for the conclusion and read backwards.
If the NSA "owns" major servers around the world the situation is very ugly.
I have a couple of these servers (Dell 2950s) so I'm following these revelations with a particular interest. I'm running Xen and XenServer on them, however, not Windows so at least that's good.
Also, it seems unlikely that the NSA would be interested in me or any of my client VMs. Just the same, I'm hoping someone will come up with a simple way of testing for the bios infection, just to reassure myself.
(And also, a way to disable the JTAG GODSURGE implant method. I think that one requires physical access to the server, right?)
I also like the idea of a BIOS fingerprint database, although you still have the trust issue inherent in proprietary software and companies that are susceptible to coercion or complicity with the NSA. These revelations make the argument for open source all the more compelling.
You are probably right. That functionality should be built in so people can establish the integrity of the system prior to and during service.
Thanks. We few, we happy few, that fight on St. Crispin's day... Probably 70% of special operations, and a bunch of others are on our side.
No, I didn't cross the line. I do know some who approached that rubicon and have suffered tremendously in their soul for it. It's heartbreaking, and that's why this has to stop here and now.
Arkstream is normal stuff. Deitybounce itself is tiny, highly specific, and freakishly weird. On its own bounce has nothing to do except transmit its existence, it wouldn't normally be used on its own.
Why most people would call the following crazy is beyond me, maybe they have no understanding of how crazy ordinary physics and mathematics are? Maybe they think mathematics doesn't exist unless thought? Such things are why Occam's razor has become a fallacy through popular misuse.
The NSA as such does not know how bouncy works and don't know enough to worry about it nor would they worry much if they could but here is the simple version of what it does:
it pings God.
Although that's slightly tongue-in-cheek it really is all in the name.
One doesn't use results from freely evolving approaches expecting to understand why it works: if one happens to find something interesting and useful enough it will be put to use.
Some first aid for the atheists and determinism-junkies: consider it an extremely advanced version of a tempest attack (but it's not) utilizing non-local emergent properties we do not understand. Do yourself a favor and don't bother adding a "yet" to that. If that's too rich you've got my sympathy but walk away and don't look back.
I.e. the side-channel is/seems to be reality/existence itself. By carefully choosing the interval and the duration (i.e. its propagation through the local system) of the interrupt the signal becomes discernible enough among all the noise of everything else in existence to be useful.
It has not been generalized into something usable for other systems/circuit families. The bandwidth is very low but not strictly binary and "location" comes free due to the nature of the reception/off-site detection.
Theory: those that know cannot speak and those that speak cannot know.
Practice: everyone speaks and for large enough numbers "knowledge" is randomly accidental.
Sleep tight and dream of quantum goats under a sky of drones :)
"Classification of your precious documents are subordinate to the US constitution. Some of us meant their oath to that constitution. I will tell you sir. Anyone active in such blatant unconstitutional action (NSA spying activities) is absolutely committing TREASON, and you absolutely will be prosecuted to the full extent. Following orders and classification procedures will not save you from illegal and immoral actions. Nuremberg demonstrated that. You will rot in a 6x6 cell. God help you."
Reading that made me smile: I made about the same points to a few people "serving their country." I like to remind them that the oath is to protect from enemies both foreign *and domestic.* And the inside threat is always the most dangerous. After all, it's the main reason the Constitution exists. If we could trust those running govt's, we probably wouldn't need it.
We are back to the days of the Homebrew Computer Club. The hardware and software vendors and this criminal government have violated our trust so badly that everything they touch needs to be burned like plague infested blankets.
We must take direct control of all parts of production and operation of hardware, software, and telecommunication systems. We can never trust these agencies and corporations again. Trust itself will be dead for generations.
I've got to echo chuckg here. What part of the latest leak is unconstitutional activity? Army veteran of 8 years here, and I'll say that I doubt anything revealed about the NSA has been unconstitutional, and a lot of people are flipping out for no reason.
Mr. Schneier, I lose respect for you every time you blog about the NSA's activities. I so wish you would stick to crypto (and I guess squids?), the topic where you actually know what you're talking about.
I'm not sure if any of the listed Dell servers shipped with Win2k, XP, etc. Why would you put a client based OS on a dual-xeon RAID server designed for enterprise data centres?
Something wrong here.
I wouldn't waste time trying to detect this unless one is analyzing attack code for educational purposes. Here's potential solutions to the attack vector itself:
1. Use an open BIOS if possible.
2. Prevent BIOS flashing on your machine.
3. Flash an open BIOS first time you get your machine.
4. Enable BIOS security mechanisms to keep out riff raff.
5. If possible, design your own board and BIOS making sure that the BIOS has write protect ability.
6. If possible, replace BIOS chip on your machine with one that's trustworthy.
I'm not sure what precautions can be taken with Dell machines. The simplest solution is not to buy them or anything that's specifically targeted on the list. Does anyone know if their BIOS's are on a dedicated (replaceable) chip or integrated in main SOC? There's potential options for systems with the former. Trusting the latter might be an insurmountable problem if it's a black box product from a US vendor (esp with Intel chips).
Again, buying non-US systems with securable BIOS's in a way that considers potential interdiction seems the best route. I've always said securing something inherently insecure is likely to go nowhere. Better to start safe. Outside the US, dedicated BIOS chip w/ write block jumper, open code available, etc are good starting point.
Note: Remember that, at some level, the write protection mechanism should be hardware supported. Many software mechanisms for such things have been defeated in the past. It should be *physically impossible* to activate the write feature without manual, physical intervention. That's why I like designs with jumpers.
Trustworthy here means it has a trusted boot process, critical segments are in true ROM, it's immune to a software attack, and can be updated in a safe way as bugs are eventually found. I keep wondering about using a modified Java or Forth chip for this as certain safer boot strategies used Java or Forth code. There's also open cores for each.
Sounds like a religion or theology .....
Deitybounce is so specific as to be almost useless, probably created to justify the existence of some newly hired grad. Maybe they overhired and had time to burn.
--Damn, ~70% spec. ops? Holy sh*t there are few who can physically stop these guys and less protection for elitists...They must be scared (haha no sympathy). Reminds me of a book I haven't finished yet (ahh..) "Bound Together: How Traders, Preachers, Adventurers, and Warriors Shaped Globalization"--You're definitely in the warrior category!
I like to remind them that the oath is to protect from enemies both foreign *and domestic.*
--Yeah, just it's hard to make clear to...some brain-washed people that just b/c I'm against this mass surveillance/attacking the internet, the airwaves, and the damn metal running my programs on my computer...that I either work for a foreign gov't or don't care about foreign attackers. F*ck them too; I don't care where you're from. Intel agencies in all those other countries, they may be good at HUMINT but that makes me less trustworthy of all your citizens I meet!
Some guy in a diner
--Agreed...assuming the people that take control aren't just as bad or worse. Just...grr...we have to go back to very simple computers to get a baseline of trust, then educate over non-compromised mediums (do they exist?).
--I have an idea for avoiding this exploit, how about not buying any Dell products? I'm going to be forced to use for my education compromised malware sh*t machines...
Nick P RE: Forth
--In the future (hopefully not too long) I'm going to do something similar to what you do, it's more of a review of "4tH", which is an easier environment to learn and use Forth. Sneak peek, it's a really cool program and I highly recommend it to everyone (see if you can get the program to crash, which they claim isn't possible). Honestly, it's best to just read this. It's frickin' 551 pages long, there's some annoying pages but I find it a really nice manual.
//Obligatory shout out to Clive Robinson for the 4tH recommendation.
It really makes me sad that to be "inherently secure", as you say, one must start outside the US. Guess when I can finally afford to leave this country I can be more secure.
OT: compellingly concise framing of key issues with the NSA overreach here.
What worries me more is it's not just the system BIOS, but your RAID card, the storage media (Hard drives/SSDs/etc.), network cards, you name it. Virtually every hardware device now has a Turing complete processor with read/write storage and enough capability in general to actually host nefarious code. I'm sure there are ways to modify the BIOS so for example if you try to dump it you get a "clean" copy (especially with motherboards that have two flash banks for the BIOS to make recovery after a bad BIOS flash possible).
I'm not impressed at all about this exploit. It is incredibly banal if you have physical access to the target devices. The techniques are all well known.
So far I had no time to completely read through the latest revelations, so I'm looking forward to reading the next "exploits of the day". Maybe there will be one which is actually interesting ...
My favorite so far is that the NSA is able to jailbreak an iPhone if they have physical access to it. Wow!
This is the reason I don't believe at all in conspiracy theories that the companies worked together with the NSA. This thought is ridiculous when you consider how trivial all these exploits are. Every teenager can jailbreak his iPhone when he holds it in his hands. People like Appelbaum should know this, but they make a show out of it. And the people are buying the show. _This_ is scary.
What concerns me most is that these revelations may drive consumers to the trusted computing shit.
The slide focuses on the server editions.
From the slide [Dated 20070108]:
“This technique supports multi-processor systems with RAID hardware and Microsoft Windows 2000, 2003, and XP. It currently targets Dell PowerEdge 1850/2850/2950 RAID servers, using BIOS versions A02, A05, A06, 1.1.0, 1.2.0, or 1.3.7.”
The slide doesn’t really focus on the clients (XP or 2000 Pro). The slide indicates Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows Server 2003 Standard, Windows Server 2003 Enterprise, Windows Server 2003 Datacenter and Windows Server 2003 Web (and possible Windows 2003 SBS). Further, it is possible to use XP as a server in certain configurations which doesn’t violate the licensing terms.
Oddly, some open source documents indicate that the NSA’s attack servers or injection servers are Windows 2003 Enterprise style servers. I don’t know if this is correct.
I wouldn't be much surprised if the NSA supports (directly or indirectly) the people who search for ways to make new jailbreak tools. What could be easier for getting full access to smartphones (especially if they are a 'must have') than the owners disabling any security feature themselves? Think of the new iPhone with additional microphones to record the environmental noise for better sound during phone calls ... surveillance with highly sophisticated hardware that is paid for, with a lot of money, by the person they want to spy on (plus so many people near them). With smartphones the wildest dreams of NSA & Co must have come true.
If they have access on BIOS-level, can they write directly to the RAM that this will be executed by the operating system without any implications?
The most worrying thing to my mind is your final sentence.
"...one a day for the next couple of months"
And this information is 5 years out of date!
If we were to see the current list you'd probably have an entry for each day of 2014.
@ Rolf Weber
“…banal if you have physical access to the target devices…Appelbaum should know this...”
As I watched Appelbaum he indicated the “physical access” by the NSA came in the form of “CIA/FBI bag jobs” and shipping computers through the US Postal service (or any US shipping service).
During shipping the computer is removed from the mail and infected (it's well known that all packages and envelopes are photo copied - if necessary physically opened and inspected). In other instances an FBI/CIA “bag job” at the site is the method of infection.
I will say Appelbaum suggested other methods of exploitation. Those infections methods are probably drive-by’s, social engineering, fake web pages, injections, routing diversions, race conditions on the backbone and sheer legal extortion.
Could the computers be infected at the factory? I will leave that up to you to decide.
@Rolf Weber @65535
The "physical access" idea is a (fairly widespread) misunderstanding. According to @ioerror, the current iOS exploits do NOT require physical access:
> There are quite a few news articles and most of them have focused on the
> iPhone backdoor known as DROPOUTJEEP - they largely miss the big picture
> asserting that the NSA needs physical access. This is a
> misunderstanding. The way that the NSA and GCHQ compromise devices with
> QUANTUMNATION does not require physical access - that is merely one way
> to compromise an iPhone. Generally the NSA and GCHQ compromise the phone
> through the network using QUANTUM/QUANTUMNATION/QUANTUMTHEORY related
> attack capabilities.
> An example of a vulnerable Apple user is shown:
> "note: QUANTUMNATION and standard QUANTUM tasking results in the same
> exploitation technique. The main difference is QUANTUNATION deploys a
> state 0 implant and is able to be submitted by the TOPI. Any ios device
> will always get VALIDATOR deployed."
> They're not talking about Cisco in that slide, I assure you.
@ Nick. P.
After reading through the revelations on TAO.. the only safe path for a regular user seems to be to use a laptop with:
1. An open BIOS to protect against bios rootkits
2. BIOS flashing disabled after install of open bios
3. Use a linux distro such as Debian
4. Use some sort of hardware tampering detection to protect against Evil Maid attacks
5. Use some sort of whole disk encryption software such as TrueCrypt
The challenge seems to be that the only Open Bios that I could find available is coreboot and that does not seem to support most of current laptops. So what should one do?
This important discussion is unfortunately muddled by the linear format and lack of moderation.
May I suggest that the commentary for each post be carried out at e.g. Hacker News, or perhaps using Disqus (which supports threading and up/down-votes) instead of the Movable Type comment module.
clockmaker Classification of your precious documents are subordinate to the US constitution. Some of us meant their oath to that constitution. I will tell you sir. Anyone active in such blatant unconstitutional action (NSA spying activities) is absolutely committing TREASON, and you absolutely will be prosecuted to the full extent. Following orders and classification procedures will not save you from illegal and immoral actions. Nuremberg demonstrated that. You will rot in a 6x6 cell. God help you.
There's nothing about this catalog that is unconstitutional. Even if you believe that some operations conducted by the NSA are illegal or unconstitutional, that would not justify the disclosure of operations that are clearly legal and legitimate.
One of the applicable legal charges for whoever leaked this catalog is 18 USC 794. It comes with a sentence of however many years the judge thinks appropriate, or a life term.
No idea where you came up with ~70 percent of special operations forces as supportive of this kind of leak, by the way. There's always some range of opinion within any unit, notwithstanding the stereotype of the military as brainwashed automatons, but the vast majority is NOT likely to be supportive of this.
Incidentally, regarding interception of mailed packages for the installation of eavesdropping devices, to do so in the United States requires a special court order, which is not easy to get.
All that said, I agree that there is a legitimate need for devices that can assure the integrity of firmware and hardware, though I genuinely wonder how much of the concern about hardware is layered in tinfoil.
However, one can focus on discussion of ensuring integrity of firmware (or hardware) without specifically targeting legitimate tools used by intelligence agencies of democratic governments.
"May I suggest that the commentary for each post be carried out at e.g. Hacker News, or perhaps using Disqus (which supports threading and up/down-votes) instead of the Movable Type comment module. "
"Incidentally, regarding interception of mailed packages for the installation of eavesdropping devices, to do so in the United States requires a special court order, which is not easy to get. "
Sure. I'm not sure if you've followed or were hiding under a rock, but the point is kinda that *both* there are secret courts handing those by the ton, and that stuff is being done even without them. And I'm not even talking about those fancy "interpretations" that claim "what I'm doing just now does not actually need it because I'm claiming this word means something else than anyone else would think it means".
"... Shawn Embleton and Sherri Sparks, who run an Oviedo, Florida, security company called Clear Hat Consulting."
Our engineers apply their specialized skills to the most pressing computer security problems facing our country ... valuable contribution to our national security.
Required skills include:
Must be a US citizen to apply
Wow polygraph test not even needed.
@ Christian Rishoj
It would not surprise me since I referenced data from 2007. The NSA’s hacking abilities must have gotten better since then.
I also indicated that there were other ways such as injections, race conditions, social engineering, OOB hacks and so on.
The most worrying thing to my mind is your final sentence.
"...one a day for the next couple of months"
And this information is 5 years out of date!
If we were to see the current list you'd probably have an entry for each day of 2014.
I would guess that the exploit targeted server editions of Win2K and 2003 (@65535 listed those), but happens to be compatible with all client editions and Win XP without additional effort. Consequently it was added to the list as (a) there are some cases of strange server configurations around and (b) nobody wants to discuss with a non-technical supervisor why “the new thing isn't on the list and did you waste your time on this outdated stuff or what”.
All of this shady NSA business hits much closer to home when technologies that you work with on a daily basis are shown to be targeted and vulnerable.
When you must question the integrity of the very thing assessing and determining the initial integrity of the system, you cannot rely on any determination it makes... So unless you intend to jtag/idp every boot sequence with every component/firmware combination, and _know_ the correct outcomes/results, good luck with your list of 'known goods' ;) *cough*northbridge*cough*
Some important facts due to the misguided suggestions of uefi silver bullets in articles spawned from this information:
UEFI implementations, to date, have methods to bypass SecureBoot/PK... The delusion of security of "PKI-based authentication system for code running on the computer" only _begins_ to become relevant should these methods be eliminated.
UEFI does not depend on TPM measurements; and signatures/verifications are dependent on bios code...
I could go on, but I see little use... The short form, it's all "owned"... period...
@ security novice
"The challenge seems to be that the only Open Bios that I could find available is coreboot and that does not seem to support most of current laptops. So what should one do?"
This one meets some of the requirements. One can assume the NSA probably don't have a backdoor but the Chinese might. Just watch out for interdiction.
Well, there's the good news and the bad news about deitybounce: the good news is that *all* those Dell servers are pretty much obsolete. We surplussed all our 1950's several years ago, as the PERC RAID cards started dying, one after the other (amazing quality control, there - not that they weren't way out of warranty, but to die so close together).
The bad news is that we don't know the package that's superseded this, in the years since they built it.
mark "none of them are for linux, I see"
Although there were always readers of your blogs who didn't agree with you, it is remarkable that in the reactions to your current NSA-related blogs we see a more clear separation. People who agree with you and are hoping that these revelations will help us to bring a better (internet) future and a better and more democratic USA, and people who more or less see you as a traitor and who see the actions of the NSA as required, within the law, and necessary to secure the USA from terrorists within and outside the USA.
It is no longer variations of grey, but real black or white. And what is black or white depends on the position of the writers. We trust/like/love you or we hate / distrust you (and see you as a danger to the USA).
I don't trust and hence don't want a surveillance society; I want my privacy secured; I want an open and democratic governance. I hope you continue with your revelations.
Thanks for your work!
@ Skeptical: "Incidentally, regarding interception of mailed packages for the installation of eavesdropping devices, to do so in the United States requires a special court order, which is not easy to get."
Unless it's from the FISA court...
Jan, I strongly disagree with the leak of this catalog, but I don't think Schneier is a traitor, and I'm sure that goes for many others who also disagree with the leaking of the catalog. To be honest, I find the variety of views on this blog refreshing and useful to my own thinking. Opposing views can force one to reconsider one's entire approach to an analysis, and that can be invaluable.
As to the sources and original publishers of the leak... If whoever leaked the entire catalog is a journalist, he or she may think that only the exposure of the identities of intelligence officers would allow the government to impose criminal liability (via the Intelligence Identities Protection Act), but that's not entirely true. The further one wades into the realm of leaks of technical specifics like this, the less certain First Amendment protections become, and the more applicable certain provisions of the Espionage Act become.
Within the US, there is essentially an understanding that the government will not attempt to prosecute journalists for leaks, but that understanding depends on journalists engaging in a good faith effort to not pointlessly publish technical details that harm national security. This leak, just in my own opinion, breaks that understanding, and I don't think it would be out of bounds legally for an aggressive prosecutor to go after the sources and original publishers.
Application of the Espionage Act is a murky business in cases like this, but it would be poor legal advice for any attorney to tell his client that he is certainly shielded from liability so long as he avoids exposing identities.
I also understand why some of the leaks that now, in my opinion, cross the line of understanding are being reported in technical detail in foreign journals, but, in my opinion, that will be less of a shield than may be believed.
These conversations are good to have, but the publication of technical details is superfluous and actually harmful to the goals of anyone who desires greater transparency and democratic control over the long run.
Kurzleg, heh, well an application for an order allowing the government to conduct a search and install an eavesdropping device takes a fair amount of time and won't simply be rubber-stamped. The government has a good idea as to which applications will be successful, and which will not, and so will try to minimize time spent on applications unlikely to meet standards. So while there's probably a high success rate in applications to the FISC for search warrants, that success rate isn't reflective of rubber-stamping on the part of the FISC. It's reflective of the DOJ not wanting to look like idiots for wasting time on tons of rejected applications.
For an open-source bios laptop, see here: http://www.fsf.org/news/...
Why are so many people concentrated on fingerprinting vendor bios images, when the Snowden revelations teach us that we can't trust the vendors themselves?
(1) Any hardware maker that ships a factory-flashed bios pre-installed can easily be served a secret court order coercing them to "purposefully" compromise it for all customers.
(2) Any closed source software, including that which is on a bios is secret by definition, which means it cannot be audited by just any security professional for "accidental" security problems.
(3) Any pre-shipment pre-compiled code should also not be trusted. You must compile your bios yourself and install it yourself for it to be trusted.
All this adds up to one thing: Open Source. All of it open source, every line, not just parts of it. Every security professional should be looking seriously at open source. More openness is the solution to all this.
I'm sitting here writing this from my Mac. Yep, some of it is closed source. It sucks. At the same time, I'm looking at all my existing motherboards for all my machines, trying to see if I can get at least one machine going on an open source bios somehow somewhere some time during 2014, though it's looking a lot like it will require a new hardware purchase. I hope a lot of others are doing the same.
Thanks for the link to Appelbaum's post, I wasn't aware of this.
However, something still doesn't add up. He says "Any ios device will always get VALIDATOR deployed", but if you look at:
Then you can see that the slide claims that "VALIDATOR" only runs on Microsoft Windows systems.
Of course it is possible that "VALIDATOR" first was Windows only and was later ported to IOS systems, and the above slide was outdated. But where is the proof?
Should I just trust Appelbaum? Of course he saw many more documents than you and I, and he studied the documents much deeper. But in his presentation, he claimed that Apple joined the PRISM program. And this is simply wrong, no company joined a PRISM program, PRISM is an NSA internal program. So at least he erred once and claimed false facts. Why not twice?
I would not rule out that the NSA owns unpublished IOS exploits. But I will not believe until I see clear proof.
FERRET CANNON is still my favorite code name thus far.
OK, so you've got a physical hardware switch to prevent your BIOS from being flashed. It's a jumper or something inside the case that cannot be defeated by software or accessed by a casual visitor to your server rack. So the agency gets a court order and grabs your hardware as it's shipping to you. The agent puts that switch in the "Writes ON" position, installs malware in your BIOS, and switches it back to "Writes OFF" before letting your shiny new machine resume its journey to you. They also register compromised BIOS images in the public BIOS signature whitelist database, so when you check your new BIOS online, it looks legit. If they really know what they're doing, they even make the real BIOS signature look like a fake.
A better solution would be to have a hardware-protected "Reads OFF" switch and an external access connector that cannot be disabled, so you can reliably reflash your own open-source BIOS into the device. This still requires that you have a reliable hardware vendor who doesn't just backdoor the on-CPU boot ROM or something, but it lets you treat the BIOS like a hard drive--something you can wipe and replace, as opposed to something buried deep in your computer where it can be protected from your attempts to regain control of it.
Unfortunately modern computers have firmware all the way down, so when BIOS holes are closed, people just attack something even harder for end-users to inspect and replace. Also, physical switches create a serious reliability problem on modern tiny electronics, so your still-not-really-secure machine is now more expensive and less reliable.
A lot of devices can mess with their own JTAG when they boot (either for security purposes, or just to save power, or as the accidental result of a hardware bug). JTAG is not the auditor's silver bullet one might think it is (ask any engineer who's had to debug a board for a customer who has managed to find a way to crash the JTAG debug port).
This kind of attack has been theoretically possible for as long as there have been BIOSes on flash ROM, and more than a few people have had access to the information required to develop an attack for any specific hardware configuration. "Proprietary trade secret" means "only the thousand or two engineers who worked on the product have access to the information", which means lots of opportunities to subvert someone or something for a copy of the manuals if asking nicely doesn't work.
Consider that while you might not be able to get your hands on chip-level details of a specific server product board, you can probably get your hands on the chip-level details of most of the chips involved, and make educated guesses at the remaining parameter values required to operate on your target configuration. If you have the budget, and you need to determine a 3-bit parameter value by experimentation, you can just go ahead and brick 7 server boards to find it. Usually that's not necessary, since you can just disassemble the BIOS code the server comes with to get all the information you need to program it.
FYI a bricked board is not truly bricked if you have the right tools to fix it. It's all about the tools, and they are freely available (free as in freedom not no cost, they do cost money).
Judging from the deck you link to, VALIDATOR sounds more like an exploit architecture comprising client and server side, including the protocol for "calling home" and queuing operations, rather than a specific implant for a certain operating system.
What do you mean "no company joined a PRISM program"?
Even if (as Apple state), they "have never heard of PRISM", they were evidently "added" to the program in late 2012. According to a related slide, collection happens "directly from the servers" of the providers, which would in all likelihood not be feasible without the cooperation of said providers. The only plausible conclusion seems to be that they actively joined the program, whether they are aware of the program name or not.
In view of the recent Snowden revelations, the demand for a fully open source hardware (whether a laptop or desktop with Open source firmware down to every peripheral level such as wifi, vga, hdd etc.) should be significantly higher now than it was previously among private citizens and businesses.
Open Source hardware is no longer an academic or philosophical question, but an issue with real world and pretty dramatic implications.
I am guessing, that many regular people would be ready to pay a significant premium, compromise somewhat on hardware specs and even be ready to migrate to Linux with the consequent limitations of business apps for enhanced security.
Unfortunately there is an extremely limited offering currently in this arena.
Looks to me like a significant business opportunity with a decent amount of money to be made for anyone who would like to exploit it.
Hopefully this will translate to real open source hardware available in 2014! I am keeping my fingers crossed.
one of these a day for the next couple of months?
So you have a hundred you can comfortably post? Implying perhaps a multiple of that in total?
Thanks for pointing that out.
“…the agency gets a court order and grabs your hardware as it's shipping to you. The agent puts that switch in the "Writes ON" position, installs malware in your BIOS, and switches it back to "Writes OFF" before letting your shiny new machine resume its journey to you.”
“…If you have the budget, and you need to determine a 3-bit parameter value by experimentation, you can just go ahead and brick 7 server boards to find it…”
If you have the ability to sift through the Postal Service, a huge budget, a large technical crew and a Secret Court at your beck and call you can do anything.
‘Even if (as Apple state), they "have never heard of PRISM", they were evidently "added" to the program in late 2012. According to a related slide, collection happens "directly from the servers" of the providers, which would in all likelihood not be feasible without the cooperation of said providers.’
Those are very good points. If you follow this site you will see discussion of corporations making legal “non-denials” of cooperation with the government. It’s the “word game” in action (or smoke and mirrors).
@ Anno N
'I'm not sure if you've followed or were hiding under a rock, but the point is kinda that *both* there are secret courts handing those by the ton, and that stuff is being done even without them. And I'm not even talking about those fancy "interpretations" that claim "what I'm doing just now does not actually need it because I'm claiming this word means something else than anyone else would think it means".'
Yes. After seeing the Verizon decision I agree with you.
"On June 5, 2013, The Guardian reported...an order by the Federal Bureau of Investigation (FBI) and approved by the United States Foreign Intelligence Surveillance Court that required Verizon to provide the National Security Agency (NSA) with telephone metadata for ALL calls between the US and abroad, and ALL domestic calls. The order falls under section 215 of the PATRIOT Act. The order was issued on April 15, 2013 and expires on July 19, 2013. There had... been speculation that telecom providers were engaging in dragnet surveillance authorized by the PATRIOT Act."
[Expiring acts that never expire]
"...on June 6, Senator Dianne Feinstein, who is the chairman of the United States Senate Select Committee on Intelligence, and Senator Saxby Chambliss, who is the ranking member, have stated that the three month renewal has been the case for the past seven years [The three month renewal was continuously renewed]… On November 18, 2013 the U.S. Supreme Court denied without stating any reason a “writ of mandamus or prohibition” filed by the Electronic Privacy Information Center seeking to vacate the FISC order requiring Verizon to turn over to the NSA telephone metadata for ALL calls between the US and abroad, and ALL domestic calls."
What the NSA wants the FISA court delivers. It’s a ghastly combination of government agencies.
I guess it's a similar legal procedure with the US Postal Service given that the US Postal Service photocopies all mail items flowing through the USA.
The temptation to interdict and manipulate electronic devices for spying is very high.
So, to summarize:
• Fingerprinting firmwares – limited efficacy, since readouts can be compromised.
• Write-protecting firmwares by jumpers – inconvenient and only possible with a small subset of hardware.
• Detecting call-home UDP traffic on the wire – has potential.
• Open hardware, open firmware – ideal long-term solution, but not feasible today.
You forgot another option comparable to open hardware, open firmware: foreign hardware, maybe open firmware. The strategy I posted before we had details was to use (for anti-NSA) one of the many capable foreign chips from countries that are unlikely to have cooperated. Preferably countries that spied on us even more often. There are SPARC and MIPS chips available as such.
So, it comes down to partitioning as such:
1. Things private from NSA on foreign hardware.
2. Things private from foreigners on Intel, IBM or Freescale chips. (Preferably those fabbed in or near USA.)
Regarding "VALIDATOR", if you read the document in my link, it is absolutely clear that the client which gets the trojan is a Microsoft Windows system.
Regarding PRISM, for me it is absolutely clear that it is an NSA internal program, giving the analysts a single interface to deal with requests and answers related to the various providers.
The Guardian and the Washington Post did lousy investigations for their "direct access" story. I explained this in detail here:
I completely disagree with you that the only plausible conclusion would be that Apple actively joined the program. At least there is serious doubt. So if someone like Appelbaum claims that Apple joined the program -- without having a single piece of evidence -- there are only two conclusions: Either he is badly informed or he is not honest.
That's why I don't blindly trust him when he claims that the NSA possesses an unknown Apple IOS exploit.
@ Christian Rishøj
I wonder why exactly you want to move this site to a tracking-enabled forum. Do you want us to log in with fixed identities? Do we really need more cookies?
The best thing about this site is its openness and its lack of desire to track us. Almost all of the commentary is at least coherent even if it is wide-ranging. Whom would you remove with your moderation?
I doubt that Bruce agrees with me in many ways. But he has important things to say. I think it is brilliant that he hosts such a wide range of reactions on his blog rather than trying to effectively censor some by pushing them into obscure venues. This blog, more than anything else, has shown me that other knowledgeable people feel as I do about these revelations. (Not all of them, certainly!) Thank you, Bruce.
there is only one way: own it back.
hack like you wanna smoke crack
oh, and this is the right way to find one, modulo changing some minor details so they can't have prepared against it:
recursive code, using i/o to its own memory space, performing a complex calculation with a time benchmark ... over and over until you decide if it's stable, and what should/could affect it ... best if you have other identical systems to compare with, and if some aren't hax0rd
once you have code samples or known infections, only then can you discover specific ways to id, use or abuse said code ...
it would be unusual and dumb for anyone to create firmware that can't be overwritten, especially in the case where the firmware is meant to not exist ... but discovering how might be tedious or too slow if operating from within such a system, rather than pulling BIOS chip and reading 'somehow'
it would be a rare case for such code to be abandoned on any old system, if only because such code is valuable, let alone supposed secrecy of mission ... so one would anticipate that there should be a way to remove it from the system, perhaps it would be self-removing in certain conditions (expiry?)
but ..... ? if they were dumb enough to leak 15million documents or whatever it is, perhaps they also write rootkits that can be found and sprinkle them around ... that would seem to need to be deliberate
... the technique above from Blackhat 2013, may be hard to employ if the machine is doing stuff in SMM, ie power management, display stretching, all sorts of 'hardware' functions ... perhaps if they are all disabled
oh, and use https for the youtube, it helps stop packet injections afaict
This is very feasible if you simply have access to regular (non-root) account on a Linux (or any Unix-ish OS) machine in a corporate LAN with Dell PowerEdge servers.
You can use IPMI to update a BIOS remotely with a tool called 'ipmiflash' if a machine has a BMC (which most Dell PowerEdges have). ipmiflash is available here from Dell developers, but is unsupported:
I've used this information to test hundreds of Dells and was able to gain control of the BMCs using the 'cipher zero' technique with a regular Linux account described here:
- Rob Cakebread
@Rob, i think you just missed santa claus, but maybe the easter bunny can sort you out.
hmm more thoughts ... for a criminal hacker, the objective would be for their code to evade any and all attempts at capture, full stealth mode ... but for the NSA would this be so? i imagine that in some cases they would be aiming to get evidentiary material, even if not up to court standards, in this case they may prefer to see their virus in any memory dump captured, so as to be assured that the capture is for-real. ... so although one would expect the code to be stealthy, in some cases it may be able to be dumped using documented dump procedures that would be beyond a kernel dump, but not requiring cold-boot RAM forensics, i suppose.. ? there are patents for these devices ... would the NSA use a patented method? how well do NSA and other forensics users trust each other?
SMM code to be executed lives in system main RAM, and worst-case, there is a race-condition between your software attempt to dump memory, and the rootkit's attempt (if any) to relocate itself to a section of RAM you have already copied, prior to your write-out operation reaching the section of RAM it is currently in, afaict
It's not clear to me whether this race occurs if the memory dump is driven by a hardware DMA process, rather than a CPU/kernel one.
perhaps the following might work:
plug in a IEEE1384 firewire card to PCI or PCMCIA and enable firewire driver but do not restrict memory access -- this now has DMA access to all of memory
jam the CPU using a documented bug, and ensure you have some means to validate that it is truly jammed -- not servicing interrupts etc
attach a laptop by firewire, and read off the total memory by DMA
any feedback welcomed
so for the above, it would be sensible to write a pattern you can identify to memory as much as you can prior to hard-crashing the CPU, so you can validate that the data you read off is probably not being faked by SMM crap
Time spent in SMM leads to "time drift between the real time clock and the operating system time, as well as affecting the real time response to the operating system interrupts." http://ip.com/IPCOM/000189323
So the SMM mode code I guess would need to be small compared with any existing SMM code, if it were not to show up in excessive latency or clock drift. A rootkit might try to hide the clock drift. It would be hard to hide latency, but it's also not usually measured by server admins afaik.
So probably the use of the SMM code would be to install some kind of deniable 'conventional' rootkit hack into the OS at boot-up.
Hiding in firmware and using SMM mode to install into the OS at bootup would enable persistence while remaining effectively invisible, even if there are effects on performance. The rootkit code could be designed to make it hard to obtain a true image of the real firmware or the RAM -- although again, the time spent doing additional operations might be measurable. It's hard to notice physically over a network connection to a busy server though, and again, a stealth rootkit might have ways to fake some metrics.
However, planted stealth code, to avoid being noticed must be small, and therefore cannot employ many tricks to fake results to an administrator. Also an inventive administrator (aka hacker) can always think of new tests, which the code cannot have been designed to anticipate.
Previously demonstrated methods for exposing stealth code must never be considered reliable, and previously published code could be recognised and may be defended against. But any given stealth code is unlikely to even be able to defend against the existing gamut (whole spectrum) of detection methods.
Detecting that code is stealing CPU cycles does not equate to being able to find and/or eliminate the code. To do so could require erasing of some firmware using specialised equipment or additional unpublished backdoors.
But as previously alluded to, rare backdoor code like any code is valuable, and unlikely to be deposited willy-nilly and abandoned. So it probably cleans itself up in normal conditions. One may need to take special effort to preserve the code, and if the author is intelligent, once you notice its presence, it has probably gone from any persistent storage.
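The latency argument in the comments above (time spent in SMM is invisible to the OS but shows up as stalls between clock reads) can be measured from user space and compared with an identical machine. The sketch below is an added example, not code from any commenter or from the tools they mention; the function names, the 50 µs threshold and the timestamp arrays are assumptions constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Summary of the stalls seen in one run of back-to-back clock reads. */
struct gap_stats {
    size_t   stalls;      /* gaps longer than the threshold */
    uint64_t max_gap_ns;  /* longest single gap */
    uint64_t stolen_ns;   /* total time spent inside those stalls */
};

static uint64_t now_ns(void)
{
    struct timespec ts;
#ifdef CLOCK_MONOTONIC
    clock_gettime(CLOCK_MONOTONIC, &ts);  /* not affected by wall-clock steps */
#else
    timespec_get(&ts, TIME_UTC);          /* plain C11 fallback */
#endif
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Fill ts[0..n-1] from a tight loop. Any pause the CPU takes (an SMI, but
 * also an ordinary interrupt or a preemption) appears as a large gap. */
void sample_clock(uint64_t *ts, size_t n)
{
    for (size_t i = 0; i < n; i++)
        ts[i] = now_ns();
}

/* Count and sum the gaps between consecutive reads that exceed threshold_ns. */
struct gap_stats analyze_gaps(const uint64_t *ts, size_t n, uint64_t threshold_ns)
{
    struct gap_stats s = {0, 0, 0};
    for (size_t i = 1; i < n; i++) {
        if (ts[i] < ts[i - 1])
            continue;                     /* clock went backwards: skip pair */
        uint64_t gap = ts[i] - ts[i - 1];
        if (gap > s.max_gap_ns)
            s.max_gap_ns = gap;
        if (gap > threshold_ns) {
            s.stalls++;
            s.stolen_ns += gap;
        }
    }
    return s;
}

/* A single host proves little, since legitimate SMM work (power management
 * and similar) also stalls the CPU. Flag a host only when it loses `factor`
 * times more than a baseline taken on identical hardware and firmware. */
int exceeds_baseline(struct gap_stats host, struct gap_stats base, unsigned factor)
{
    return host.stolen_ns > base.stolen_ns * factor ||
           host.max_gap_ns > base.max_gap_ns * factor;
}

/* Constructed timestamps (ns), not measurements: a baseline host with one
 * 60 us stall and a host under test with stalls of 150.1 us and 270 us. */
const uint64_t CONSTRUCTED_BASE[] = {0, 100, 200, 300, 60300, 60400};
const uint64_t CONSTRUCTED_HOST[] = {0, 100, 200, 150300, 150400, 150500,
                                     420500, 420600};

#define N_SAMPLES (1u << 20)
static uint64_t samples[N_SAMPLES];

int main(void)
{
    sample_clock(samples, N_SAMPLES);
    struct gap_stats s = analyze_gaps(samples, N_SAMPLES, 50000); /* 50 us */
    printf("stalls=%zu max_gap=%" PRIu64 " ns stolen=%" PRIu64 " ns\n",
           s.stalls, s.max_gap_ns, s.stolen_ns);
    return 0;
}
```

For a meaningful reading, pin the process to one isolated core and run the same binary on a reference machine; a gap alone does not identify its cause.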
I'd like to call everyone's attention to an absolutely fantastic article by Darmawan Salihun on DeityBounce and indeed everything 'BIOS':
GodSurge, despite the name parallelism to DeityBounce and again restriction to Dell PowerEdge servers, requires a large FluxBabbitt hardware implant and exploits the JTAG debugging interface. The best on JTAG seems to be at http://www.alexforencich.com/wiki/en/...
The other items in the ANT catalog having some BIOS aspect are IRONCHEF, SWAP, STUCCOMONTANA, SCHOOLMONTANA, SIERRAMONTANA, SOUFFLETROUGH and possibly GOURMETTROUGH and FEEDTROUGH.
I suspect a fair amount of Darmawan Salihun's analysis will carry over to some of these.