Schneier on Security
A blog covering security and security technology.
« US Privacy and Civil Liberties Oversight Board (PCLOB) Condemns NSA Mass Surveillance |
| The Politics of Fear »
January 28, 2014
TAWDRYYARD: NSA Exploit of the Day
Back in December, Der Spiegel published a lot of information about the NSA's Tailored Access Operations (TAO) group, including a 2008 catalog of hardware and software "implants." Because there were so many items in the catalog, the individual items didn't get a lot of discussion. By highlighting an individual implant every day, my goal is to fix that.
(TS//SI//REL TO USA,FVEY) Beacon RF retro-reflector. Provides return when illuminated with radar to provide rough positional location.
(TS//SI//REL TO USA,FVEY) TAWDRYYARD is used as a beacon, typically to assist in locating and identifying deployed RAGEMASTER units. Current design allos it to be detected and located quite easily within a 50' radius of the radar system being used to illuminate it. TAWDRYYARD draws as 8 mu;A at 2.5V (20mu;W) allowing a standard lithium coin cell to power it for months or years. The simplicity of the dsign allows the form factor to be tailored for specific operational requirements. Future capabilities being considered are return of GPS coordinates and a unique target identifier and automatic processing to scan a target area for presence of TWDRYYARDs. All components are COTS and so are non-attributable to NSA.
Concept of Operation
(TS//SI//REL TO USA,FVEY) The board generates a square wave operating at a preset frequency. This square wave is used to turn a FET (field effect transistor) on and off. When the unit is illuminated with a CW signal, the illuminating signal is amplitude-modulated (AM) with the square wave. This signal is re-radiated, where it is picked up by the radar, then processed to recover the clock signal. Typically, the fundamental is used to indicate the unit's presence, and is simply displayed on a low frequency spectrum analyzer. TAWDRYYARD is part of the ANGRYNEIGHBOR family of radar retro-reflectors.
Unit Cost: $30
Status: End processing still in development.
Page, with graphics, is here. General information about TAO and the catalog is here.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
Posted on January 28, 2014 at 2:13 PM
• 28 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I think the "Page, with Graphics" link is to NIGHTWATCH rather than TAWDRYYARD ?
Bruce - I read this, but don't have a clue. Perhaps a layman's transmission of each exploit would generate broader discussion. Could be just 1 sentence. Thanks in advance.
Since this is designed to " assist in locating and identifying deployed RAGEMASTER units" which are embedded in VGA cables and do the actual tramission. So this is essentially, a "turn this on and point it this direction to find out where the RAGEMASTER you are looking for is and can focus the collection". It's just a locator for the bugs.
This brings up a good point though, with so many things compromised, I guess the NSA really needs to compartmentalize the signals from each compromise, otherwise it becomes a mess to find the one you want!
What I find really interesting though is the referenced RAGEMASTER https://upload.wikimedia.org/wikipedia/commons/2/2a/NSA_RAGEMASTER.jpg
With a device so small that it is embedded in the cable (they said in the ferrite, but I bet it has gotten smaller since 08) what I wonder is this: If I'm the NSA, and I already have inroads to every CEO and manufacturing plant, why don't I just go ahead an put one of these in every cable produced (If I can do it discreetly enough)?
@Jockular: Basically a specialised RFID tag.
It is a miniaturised radar beacon that provides a detectable response to one of the NSA radars like PHOTOANGLO or CTX4000 when the radar is pointed at it and the beacon is close enough (50 feet is mentioned). The TAWDRYYARD returns a signal modulated with an identifying tone (which may well be ultrasonic) when illuminated by radar and can be used to locate an item to which it was previously attached or as a way of aiming the radar at something which cant be seen visually. How far away it can work and how accurately it can be located will depend mostly on the radar antenna and to some extent whether the TAWDRYYARD tag is obscured by radar-absorbing materials (think of the "interesting" bag under a pile of others on an airport baggage trolley, for example.
This exploit shows that the tinfoil hat guys weren't that crazy after all...
What I suspect is this bugs main purpose is is to be "narrow band" to speed up Aquisition Of Signal time for the wide band signal reflector.
The range a signal has whilst still being inteligable is inversly proportional to the square of it's bandwidth, with the signal to noise threshold being -174dbm for a one Hertz bandwidth.
The only way to extend the range is by using a high gain receive antenna, the problem is it's gain is inversly proportional to the square of it's beam width...
So a wide band video signal would not be receivable on an omnidirectional (colinear) search antena where as the narowband becon would. Having found the becon frequency in range the searchers can switch to a hi-gain antenna on the becon frequency and use the becon to point it in the right direction and elevation for maximum signal. Then do a slow frequency sweep to find the wide band bug that may be just down on the noise floor.
Sounds like the kind of thing you'd want to attach to your keyring so you can go radio-direction-find your keys when you've lost them. 50 feet isn't very far (about the range of my car's remote door lock); if the range were better and I could get my cat to wear a collar instead of always wriggling out of them, it'd be useful for finding him if he gets outside.
@ Bill Stewart:
Nah, just super-glue an old iPhone to the cat and use "find my iPhone."
Charging the phone just requires that the charging cable terminate on a sunny window sill where the cat will nap.
"I think the "Page, with Graphics" link is to NIGHTWATCH rather than TAWDRYYARD ?"
"Bruce - I read this, but don't have a clue. Perhaps a layman's transmission of each exploit would generate broader discussion. Could be just 1 sentence."
This one is pretty jargon laden. But that's why I'm doing this -- so we can start to pick apart the jargon. Perhaps this one will make more sense after some additional disclosures.
Picking apart some of the jargon: RF = Radio Frequency; COTS = Commercial Off-The-Shelf (meaning, it's made of ordinary commercial components); CW = Continuous Wave (meaning a transmitter that just transmits a signal of fixed amplitude and frequency, not modulated to carry any signal with it).
Detecting this would be fairly simple, as that's it's whole purpose in life - to be detected. You'd need a microwave transmitter and reciever, mix the recieved signal with the transmitted one and output the result to a spectrum analyser. The TAWDRYYARD will appear as a fixed low frequency signal on the spectrum analyser.
I suspect this could be improved by having it cycle through a CDMA-style chip code, which means you couldn't detect it without knowing the chip code sequence. This would come at the cost of battery life and time-to-detect.
I agree with Iain this is basically a custom RFID tag.
I guess by adding a cheap battery (coincell) they can power this for several years. The circuit is probably nothing but a square wave generator maybe driven by a simple programmable divider that outputs a certain sequence, say from an LFSR (RC or Crystal oscillator with less than 100 Flipflops and a small fuselink memory wold do the job). If they target say 100Khz operation than this can attach directly to the Gate of a FET with Source/Drain connected across a suitable tuned printed antenna. Low frequency operation means low switching losses and long battery life.
The antenna will generate RF backscatter spurs at the Carrier+-oscillator frequency or at the sequence (if LFSR is used)
The fact that it has no ID / enable makes it less useful because you cant locate one item amoungst many rather you must use this technology sparingly so that there will only be one item in the vicinity of the detector at any one time.
My guess is this is used to allow quick location of an item that might be hidden, say a laptop where a team needs to get in find the laptop make modifications and get out.
OR simply to track items of interest as they pass controlled points, say keep track of PLC equipment by hiding this tag somewhere inside the equipment. Export order says its going to Malaysia yet its tracker says it got unloaded in Iran Hmmmm. With a 50ft radius I can simply setup an unmanned observation point near the ports gates and see whenever export controlled items pass that point.
For this system the tags need to be cheap the receivers are less cost sensitive.
Still not sure why they would not simply attach standard commercial RFID tags (25 cents each) and have all the electronics / system ID protocols done for them. Maybe others are looking for hidden RFID tags so the custom circuits avoid detection by operating at a different modulation frequency from standard RFID.
Might be a bit premature to assume that. The seven-league boots of paranoia may let one leap from "technology available" to "technology deployed ubiquitously", but the leap itself is still essentially irrational, no matter where you jump from.
With the right tools you can fabricate an ak-47 in your garage, but that doesn't mean everybody with the right tools is doing so, or that every garage has the right tools in it.
That's the trouble with tin foil hats...they tend to fall down over your eyes and leave you staring at the inside of your own head, rather than at the real world around you.
The fact that it has no ID / enable makes it less useful because you cant ocate one item amoungst many rather you must use this technology sparingly so that there will only be one item in the vicinity of the detector at a time
Err I think you missed a bit "preset frequency" does not mean that they are "all set to the same frequency".
Lets assume it means "set to a chosen frequency for your specific receiver" like a SelCal system.
As what is being transmitted from all the bugs in the area is "synchronus AM" with the same RF carrier the would all appear at the receiver with stable phase off sets but at different baseband frequencies and thus easily seperated in the IQ output of a homodyne receiver.
I suspect this could be improved by having it cycle through a CDMA-style code sequence, which means you couldn't detect it without knowing the chip chip code sequence.
Err not true, because this device is in effect the modulator of an AM transmitter with a low modulation depth.
Even if it was not modulated it would be detectable because of the presence of the resting or zero crossing carrier. Thus it does not matter what you modulate it with, if the illuminating carrier is present it's going to be reradiated and you can detect that.
> you must use this technology sparingly
that's what TAO is for.
The items of the same type can be at least differentiated by their modulation (low) frequency, e.g. one buzzing at 1 kHz, the other at 2 or 20 or 200 kHz etc.
The other way to tell apart different TAWDRYYARDs is to manufacture them tuned to different radio frequencies.
A device tuned to 1.8 GHz will appear brighter on that frequency, and will look dimmer (provide less return power) on, say, 1.1 GHz. Or will no visible return at all. That depends on the Q-factor of the implant which I don't know.
@ Clive Robinson
if it was not modulated it would be detectable
d'oh. Not modulated -> it will look like yet another random piece of metal re-radiating whatever outside RF hits it. That's provided you can see it at all. See below.
Thus it does not matter what you modulate it with, if the illuminating carrier is present it's going to be reradiated and you can detect that.
Though you'd need a high dynamic range receiver to notice the faint return buried below a much more energetic illuminating carrier.
And the TAO team SOP would state something like "refrain from illuminating if a 'technical measures' bug sweep is under way or suspected."
Thus it does not matter what you modulate it with, if the illuminating carrier is present it's going to be reradiated and you can detect that.
Not sure I agree. there are lots of naturally occurring reradiation sources however so you'd spend a lot of time chasing down all these false positives if examined ALL reradiation sources.
For the beacon to be effective it needs to change state and we need to be able to detect that state change. Detecting a CDMA coded RFID tag would be very similar to detecting a DSSS transmission which kinda requires you either get real close to the source OR you need to know the spreading code.
If you can move into the tags near field things become a little easier. because the changing load on the TX side can be measured.
Am I missing something?
Couldn't the bug just be multiple thin plates separated by a dialectic, with know inductance, that would effect the electric field from this device, which would look like a impedance on the transmitter antenna, with the value based on resonance of the rfid.
"A device tuned to 1.8 GHz will appear brighter on that frequency, and will look dimmer (provide less return power) on, say, 1.1 GHz. Or will no visible return at all. That depends on the Q-factor of the implant which I don't know."
Thinking the device could be like a cm2, made of 100 plates capacitors in series, with the top and bottom layer with a planar inductor cut from the same plate sizes and connected.
It should be easy to detect thought, just raise a source to a couple hundred volts, with a changeable tuned circuit(based on distance) and Fourier analysis at 1.8ghz, then measure the volts amplitude in millivolts
the myths about CDMA or DSSS or even FHSS or whatever is that they are undetectable.
Yes, those emissions may be hard to demodulate (extract data from), but such transmitters still radiate power power in finite bandwidth. And are quite visible on the waterfall display, especially when not buried in noise and in the near field while moving around.
Imagine a half-wave dipole consisting of two quarter-wave wires and a switch (the FET) in between.
When the switch is closed, the whole thing is a half-wave piece of conducting material which readily re-radiates any incoming RF at or around its fundamental frequency.
When the switch is open, though, the abovementioned doesn't happen.
There might be a probable getting in the near field of the tracker, if you light it up at half and quarter waves frequency(harmonics), to measure the negative signal of quarter wave, and the positive signal of half wave, with a feed back from the near field it could have a system that has a T(cap/inductor/cap) network, that produce reflections between the two antennas it could cancel out the signal, stopping people detecting it.
RAGEMASTER might be intimidating to law abiding businessmen, but it shows promise forensically. It probably could not modify the picture, and the resulting video, say of a drug dealer accountant balancing his books in Excel, might reasonably be admissible in court - presuming [a warrant based on] good probable cause before the cable was emplaced.
This sounds remotely like an aircraft transponder, which replies with a squawk code and some additional information when a secondary radar asks for it
I see you understand not just the idea of changing the antenna frequency but the modulating tone frequency to make it work like a Selective Calling (SelCall) system.
However have you considered what is actually required to make such a system work in practice?
They claim a fifty foot radius yet the object shown is only about a CM per side what kind of efficiency do you think it would have for converting the illuminating signal (1-2GHz) to reradiated signal?
Further what directionality would an etched PCB antenna on that board have?
Then assuming just a 20KHz modulating signal at 6db above the noise threshold at 16meters work the figures back to work out the likely illumination power at the same 16meter spot as the receiver.
Even on the back of a napkin calculations will tell you the field strength at this device is going to be very very obvious on a spectrum analyser with a broadband omnidirectional antenna such as discone etc.
Which means the picture is wrong in some way such as it's shown without it's antenna...
But even alowing for that the illuminator signal level is still going to be head and shoulders above anything else in that 1-2GHz band and the fact it's CW kind of makes it even more obvious. If either you or they are mobile you are going to see them coming long before they see the device. Therefor simple deductive reasoning tells you that you have a problem without you actualy having to go look for the device.
Without going into labourious details it's actually not that dificult to design a scanning device that would not only cover the 1-2GHz band but with an appropriatly designed electronicaly rotating antenna direction find the illuminator signal. With three of these antenna systems set up (they are about the size of a stack of four dinner plates or small pizza box) you can not just fairly acuratly know the direction they are in but their range as well. A slightly more elaborate system using IQ systems will actualy map out the environment and all objects within it which is the principle behind using WiFi etc to act as pasive radar system.
As for finding the device you don't have to be as elaborate as passive radar, because an antenna can be viewed as a length of very lossy transmission line. Therefor it has not just a measurable impedance but also a narowband as well as broadband frequency response and associated cut of frequencies.
It is unlikely that the antenna on this device is going to have much of a response to a frequency sweep below it's designed band of operation and thus many of the spurious reponses in the room can be fairly quickly eliminated. Likewise a radiator that is twice the length of an inband antenna is going to have more responses in the harmonic band than the antenna thus enabaling others to be eliminated.
But there is something else to consider, even though this device may not be modulating all the time it's still got active electronics attached to it. Even FETs can be detected by various nonlinear techniques especialy when operated in particular "battery saving" ways.
Yes and no...
Theoreticaly you can use the device as a spread spectrum system, but practicaly no.
Firstly as you noted the design spec calls for long battery life which means the code would be "oh so slow".
Secondly it's designed to be detected thus the code sequence would have to be very short as well to alow for changes in the physical properties of the device and any changes in it's local environment changing the resonant frequency of the antenna.
Thirdly this stuff is not being used in a lab but from a covert serveillance point. I don't know if you've ever tried to work in those conditions but it's not conducive to good working practice (it's not like the films) so the whole system needs to be not just robust but simple to use reliably.
Thus the illumination power is going to be well over the odds etc etc. And it's charecteristic a dead give away
So the upshot is in practice there is a very wide margin alowed in the system in which a sophisticated target will be able to play.
As I mentioned several days ago I'm actually redesigning an old system similar to this I developed years ago, the idea this time is to have the illuminated antenna isolated from the electronics by a baseband filter such that not only do you need to know the antenna frequency but the base band frequency as well.
Thus the baseband frequency can also be manchester encoded data or any other code with random data that goes nicely through the baseband filter.
What this does is tell us something about RAGEMASTER, and possibly about the NSA's development process. If you could get information out of RAGEMASTER setups by pointing an antenna in their general direction (e.g. knowing that the target laptop/desktop/whatever was in a given house or office) you wouldn't need this extra dongle. And generally, planting two devices rather than one is something you want to avoid.
At the same time, if this is a member of a family of beacons, that probably means that the NSA has known about needing extra dongles to improve S/N for their bugs for a long time.
At any reasonable distance I'd expect the backscatter return to be below the noise floor especially if it were just a beacon spread over say 1Mhz bandwidth. If the Tx CW were actually burst transmissions than the spread sequence start could be triggered off the burst. My guess is they are not doing this because it would require a VERY sensitive wide dynamic range Rx...Google "Burst mode penalty"
It would appear from the description that they are not using the Rx power from the CW to run the tag (coincell used for power). This probably also means that they are also not shunt regulating the antenna power with some RSSI circuit controlling a damping FET operating in the linear range. So technical BS aside the absence of the RF power shunt would mean that the built-in over-voltage protection of the signal FET is triggering, this is likely to be very non-linear and hysteretic. That would give you an easy way to locate the tag.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.