PHOTOANGLO: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:

PHOTOANGLO

(TS//SI//REL TO USA,FVEY) PHOTOANGLO is a joint NSA/GCHQ project to develop a new radar system to take the place of the CTX4000.

(U) Capabilities
(TS//SI//REL TO USA,FVEY) The planned capabilities for this system are:

  • Frequency range: 1 - 2 GHz, which will be later extended to 1 - 4 GHz
  • Maximum bandwidth: 450 MHz.
  • Size: Small enough to fit into a slim briefcase.
  • Weight: Less than 10 lbs.
  • Maximum Output Power: 2W
  • Output:
  • Video
  • Transmit antenna
  • Inputs:
  • External oscillator
  • Receive antenna

(U) Concept of Operation
(TS//SI//REL TO USA,FVEY) TS//SI//REL TO USA,FVEY) The radar unit generates an un-modulated, continuous wave (CW) signal. The oscillator is either generated internally, or externally through a signal generator or cavity oscillator. The unit amplifies the signal and sends it out to an RF connector, where it is directed to some form of transmission antenna (horn, parabolic dish, LPA, spiral). The signal illuminates the target system and is re-radiated. The receive antenna picks up the re-radiated signal and directs the signal to the receive input. The signal is amplified, filtered, and mixed with the transmit antenna. The result is a homodyne receiver in which the RF signal is mixed directly to baseband. The baseband video signal is ported to an external BNC connector. This connects to a processing system, such as NIGHTWATCH, an LFS-2, or VIEWPLATE, to process the signal and provide the intelligence.

Unit Cost: $40k (planned)

Status: Development. Planned IOC is 1st QTR FY09.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 24, 2014 at 2:09 PM • 21 Comments

Comments

BJJanuary 24, 2014 3:05 PM

I posted this in yesterday's thread, but now that we have some new frequency info, I'll ask again...

Yesterday, the system was based on VGA (analog signal) remote collection...

What about DVI-D, DisplayPort, and HDMI cabling?

Does the switch to digital video signaling make capturing the signal easier or harder?

What are the frequency limits here? Do the higher frequencies in DP and newer HDMI versions exceed what can be picked up by RADAR?
(up to 18 Gbit/s in HDMI 2.0)

I do know that HDMI provides DC power, so even an active device could be powered off the standard connector. For the NSA, that is probably a big improvement over VGA.

AcrosRusJanuary 24, 2014 3:45 PM

LPA here stands for log periodic antenna. The pros and cons of the four designs mentioned here are discussed in the Sigint/Elint context at http://tinyurl.com/kqscjkf -- mostly it revolves around directional sensitivity and the range of microwave frequency reception, here from the illuminated, modulated retro-reflector implant for red video. They might be using SDA (software defined antenna) by now.

Homodyne is defined right there in the blurb, more at wikipedia, as with off the shelf bayonet coaxial connectors (BNC). The system seems rather pricey at $40k just for a CW (continuous wave) signal, antenna and processing computer extra. LFS-2 may be a corporate product line rather than an NSA acronym.

It's hard to see what is consuming the $40k -- maybe ultra-low volume. Or perhaps the issue is small and light -- handheld tactical field unit or drive around the 'hood with it in your vehicle.

There's an eight month wait from the time of this document, July 2008, to Initial Operating Capability (IOC).

ModeratorJanuary 24, 2014 3:57 PM

You linked to the wrong image. You linked to the NIGHTWATCH page instead.

Fixed. Thanks for pointing it out.

M@January 24, 2014 8:09 PM

Wow, $40k unit cost. *whistles* Must be awesome to have an unlimited budget. I want one.

hermanJanuary 25, 2014 12:40 AM

Hmm, the $40k price is cheap actually. This type of thing could easily sell for $100k in small quantities of 10 or so.

Clive RobinsonJanuary 25, 2014 7:28 AM

For those with a raised eyebrow over the 40K cost, I can assure you that it is vastly over priced compared to equivelant technology that you can buy off the shelf and put together your self.

But there are reasons that might explain the cost over that of blatant profiteering...

At one point or other I've designed bespoke one off electronics, MilSpec electronics, limited run electronics and Fast Moving Consumer Electronics. The first thing you learn is good engineered development is expensive and this cost has to be paid either seperatly or amortized across a production run.

The second thing you learn is buying the latest components is expensive, mainly for two reasons. The first is if you are in the US,UK or Europe there is a large distribution chain with each step taking 30% in "middle men fees". I once got a quote in the UK for unit pricing on an IC that at 100K parts the unit price was 1.5 times the manufactures unit cost price on ten pieces in the far east (South Korea) and the delivery times were equally as stupid. It's one of the major reasons small startups are at a very significant disadvantage.

Now there is another issue with distribution chains and that's manufactures "minimum order quantity" since surface mount components come on reels most manufactures have a minimum order of one reel which could be a thousand or three thousand items. I might be getting a unit price of 1-50USD but if I have to buy 3000 of them as a minimum order quantity then thats realy 4,500USD as a starting price for any number upto 3000 parts...

Because of this --not so-- minor issue often the latest technology is unavailable to me as a designer for anything other than FMCE production of +50K/run. So I have to either scale back to older products that could well be on the "obsolecent" lists or up my costs.

Now for what this unit --supposadly-- does I know I can get just about everything required for less than 2000USD. Now after a bit of "striping back and recase rebranding" that would add around 100USD parts and labour lets say my cost is for 10 units 20K USD and I think I'll sell ten units in a year I'm likely to get a returns rate of 20% (law of small numbers, even thought in larger runs it might only be 5-10%) so the reality is 10units cost +2units return costs + storage + sales&marketing giving me a real cost of ~35K USD before any profit so realisticaly I'm going to be looking at a minimum of 50% profit so I want to clear as a minimum 53K. However I know that the customers are going to want a 30-50% discount on multiple purchases so realisticaly I need to effectivly double the unit cost price to 11,000 USD each... or a little over five times the basic parts cost to me and keep my fingers crossed I actually sell out.

If I was actually designing from scratch rather than re-case/re-brand you would be looking at around 50 times the Bill Of Materials (BOM) cost dropping to 10 times on larger production runs with "fast out the door" times and no marketing costs...

Which is why the price for such items can be high. Personaly these days I'd not get involved with manufacture I'd sell you a design and two pre production prototypes (including cases manuals and shipping carton design) for around 60,000 USD for items such as these. Oh and if you wanted me to get appropriate regulatory approvals (if possible) then stick another 200K USD and six months on the delivery time as an absolute minimum...

tysonJanuary 25, 2014 8:45 AM

I am scientist that uses radar to measure physical signals. I wish this was better documented, because I cannot believe this really works. Our fmcw radars would unintentionally pick up AC off nearby power lines, so I don't doubt the principle of measurement. But there are so many challenges involved... This is possible, but I'm not a believer until I see proof of concept. I've seen too many over priced military projects that were poor implementations of public technology. Is this merely a funded project or a real deliverable.? Playing the skeptic here.

tysonJanuary 25, 2014 9:32 AM

Me again. This summary says it was a project under development with results expected in 2009. A document stating operational capabilities would be more convincing.
Take a look at the USA SBIR website. Tons of high priced projects promising (mostly military) tech, few of which are successful.

Moving on, 2 W of CW at those frequencies isn't going very far. Most consumer 2.4 GHz devices are in the 100 MW range. Directional antennas will help. I'd guess this device could access any point in a house from the street.

And I expect it would have to be customized for each type of desired signal, due to their different frequencies and bandwidth.

I can imagine capturing old analog video. But forget HDMI. That's something like 8 independent conductors with overlapping freq and bandwidth. USB is single channel... And where the most valuable information is.

Darn. Now I want to try this ;)

Nick PJanuary 25, 2014 12:12 PM

@ tyson

NSA and Russia have been doing active EM attacks for decades. Finished or not, they have the expertise to deal with most challenges it would seem.

name.withheld.for.obvious.reasonsJanuary 25, 2014 2:04 PM

@ Clive (I will get right this time) Robinson

ALOT (a lot off topic), do or can you give the listeners here a guide to purchasing and catalog sources? When I'm in the UK, Farnell seems to be the most obvious choice for components. Recently my preferred supplier, mouser based out of Texas, moved its online customer procurement to China. I no longer order from them. Seems that the procurement landscape is a WAG. Any help or assistance could help some of your listeners.

Clive RobinsonJanuary 25, 2014 3:34 PM

@ Name.Witheld...,

If you want to use generalised middle men in the UK then along with Farnell there is Radio Spares now called RS and DigiKey are here as well.

Not that I tend to use them that much as they are not sufficiently specialised for much of the stuff I use.

Oddly perhaps a lot of the stuff comes direct from the manufactures or via one or two trusted suppliers in the Far East. Much of the specialised stuff is "returned stock" due to over ordering for production runs. The trick is to have a rough idea of what potential customers want and buy speculativly.

RobertTJanuary 25, 2014 3:58 PM

Great margin where do I sign up to produce these toys.

Lets see: 450Mhz Rx bandwidth
Hmm : I'd use standard 16 bit ADC's intended for cell phone towers (cost about $50USD each 50Mhz BW at 16bit). I'd probably need to develop a custom Sample and Hold stage for interlacing the ADC's, this would run off a divided main clock 900Mhz, so a 4 bit divider might be easiest. That'd mean 16 ADC's sampling at 56Mhz. Interesting that 900Mhz is the sample frequency might be because this is easily available as an ultra low jitter clock source for cell phone base station systems.


As I said at $40K I'm definitely interested in supplying equipment. Costs less than $2000.

RobertTJanuary 25, 2014 4:28 PM

Makes me wonder if this is being used as part of an active fault injection methodology targeting high speed interconnect.

The basic problem is that good high speed interconnect cables radiate very little power under normal operation because they use differential balanced transmissions on twisted pairs. IF you induce a significant Common-Mode signal onto the cable than this must be dissipated at the cable ends. Most consumer level equipment is not intended to reject any common mode signal so the High speed driver Transmit stage is forced into an unbalanced state and guess what this results in a modulation of the CW injection signal with the data from the cable. It's easy to build a cable to reject this mode of attack but.....

Clive RobinsonJanuary 26, 2014 3:31 PM

@ RobertT,

OK on the 16DACs but unless you are just going to multiplex them out, what are you going to use as a baseband converter either to fully process or to generate the 450MHz I&Q outputs?

As for active fault injection I'm surprised that it's kind of avoided. As I've said before I know certaily the DWS (as was, and now part of MI6 over at Hanslop Park) were aware of it back in the 80's because I demonstrated it to some of them. And back then under Maggie Thatcher certain inter-service rivalries were at quite a low point as Maggie had turned on the Finance tap fairly equally so there is a reasonable possability that GCHQ knew. I found out from a conversation with Tony Sale that MI5 were aware of it in the late 80s so...

RobertTJanuary 26, 2014 4:32 PM

@Clive Robinson
The input to the ADC's is a Sample and Hold this clocked with a square wave at the 56Mhz (900/16) rate. The edges of the 56Mhz are all offset by one cycle, this circuit needs to be non-glitching (when counter changes) and VERY VERY low phase jitter. This is basically how you build an ADC interlacer.

The outputs of each ADC (probably serial data) would be re-assembled by muxing the different ADC outputs, in the right order naturally.

The key to making this work is getting very low phase jitter at the sample head which means having an ultra low jitter source and very fast settling low-output-impedance amplifier driving the S&H stage. typically you want the impedance of each section of the S&H to look constant so you need to match/cancel the parasitic signal injected when the sample Fet turns on /off (CGS/CGD signal injection)

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..