Schneier on Security
A blog covering security and security technology.
« CSEC Surveillance Analysis of IP and User Data |
| Hacking Airline Lounges for Free Meals »
February 3, 2014
JUNIORMINT: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:
(TS//SI//REL) JUNIORMINT is a digital core packaged in both a mini Printed circuit Board (PCB), to be used in typical concealments, and a miniaturized Flip Chip Module (FCM), to be used in implants with size constraining concealments.
(TS//SI//REL) JUNIORMINT uses the TAO standard implant architecture. The architecture provides a robust, reconfigurable, standard digital platform resulting in a dramatic performance improvement over the obsolete HC12 microcontroller based designs. A mini Printed Circuit Board (PCB) using packaged parts will be developed and will be available as the standard platform for applications requiring a digital core. The ultra-miniature Flip Chip Module (FCM) will be available for challenging concealments. Both will contain an ARM9 microcontroller, FPGA, Flash, SDRAM and DDR2 memories.
Status: Availability -- mini-PCB and Dev Board by April 2009, FCM by June 2010
Unit Cost: Available Upon Request
Page, with graphics, is here. General information about TAO and the catalog is here.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
Posted on February 3, 2014 at 2:09 PM
• 16 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"MRM9 microcontroller" should be "ARM9 microcontroller."
fyi, that should read "ARM9" microprocessor, not MRM9.
Reading through all these posts, its interesting that basically none of the hardware the NSA has here is super-magical with special classified ASICs on it, its all off-the-shelf components being used with the software doing all the magic.
@Jonathan Wilson - that's probably intentional so a found implant can't be positively attributed to whence it came - use of COTS hardware for that reason is mentioned elsewhere in the catalogue.
@ Jonathan Wilson
It wouldn't surprise me if there perchance was this type of practice of having hands-on-documentation in departements for governments, generally speaking, all over the world being kept off the normal ways of storing records in a computer system or file cabinet and are instead being kept as temporary property of individual departements or groups or even individuals; and maybe even moved around every now and then to keep it in some kind of perpetual state of never ever becoming filed as records anywhere.
To complete this notion of mine, of elusive documentation in the same spirit of being speculative, perhaps such on-hands records that I imagine could simply end up being maculated when it is believed to be of no use anymore, perhaps being viewed as being technical legal as well.
However, this is just me being very speculative and imaginative though. :| I am probably not being original in thinking about hiding documents from an office/departement this way.
Current commercial technology is so miniaturized and capable that the capabilities available to basically anyone that can hire a few EE's have hit a ceiling. The difference is the analysis, collection, scale.
Another conclusion is that it's the lack of miniaturization in servers that allows these bugs to be implanted. If a server were as tight on space as an iPhone, it would require much more sophisticated means to achieve this (i.e. replacing a chip with a bugged one). Here, they are just adding a complete computing system to your existing server, hidden in a USB+networking port or some other convenient place.
It has to exist. This stuff is pretty boring if you've been into security and/or engineering a while. Makes you wonder if it's not part of some psyops(intentionally leaked to curve discontent from other possible leaks)..
I always pictured un-packaged ASIC silicon on extremely small PCB with printed antenna and some extremely refined on-board algorithms, power management, and filtering.
The HDD firmware package is the only remotely interesting thing, some of the radar and sonar stuff was kind of interesting.. But I could see all that without leaks.. What has DARPA, Northdrop Grumman, and Boeing been doing for the US gov. all these years(they all have non-weapons product development and constant contracts with US defense)?
It's a fairly powerfull bit of hardware for 2009 and would still be more than "just usefull" today.
The main item of interest as far as I'm concerned is th JTAG interface, I'm assuming because it's shown on the functional diagram that this device can be used to get at other parts in standard COTS systems via their JTAG interfaces.
This gives this unit quite a lot of control at a quite fundemental level...
‘It's a fairly powerfull bit of hardware for 2009 and would still be more than "just usefull" today.’
Yes, I think so. And, your JTAG observation seem on point.
@ G. Bailey
“Another conclusion is that it's the lack of miniaturization in servers that allows these bugs to be implanted. If a server were as tight on space as an iPhone, it would require much more sophisticated means to achieve this (i.e. replacing a chip with a bugged one). Here, they are just adding a complete computing system to your existing server, hidden in a USB+networking port or some other convenient place.”
The size conclusion is true. But, most smart phones are basically thin clients who depend upon a server. If you want to hack a number of cell phones the server/router is the place to start.
You did mention USB which I suppose is the power supply (there doesn’t seem to be any data on the power requirements).
I know I have missed a lot of post. Given the NSA’s hardware and software implants I wonder the out come of Bruce’s letter to antivirus companies since the publication of “How Antivirus Companies Handle State-Sponsored Malware”.
“Up until this moment, only a handful of the vendors have replied ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro. All of the responding companies have confirmed the detection of state sponsored malware, e.g. R2D2 and FinFisher. Furthermore, they claim they have never received a request to not detect malware. And if they were asked by any government to do so in the future, they said they would not comply.”
@Clive Robinson: It's a programmable IO board fabricated for concealment. It's no more advanced than economical proto boards at the time..
Again, not impressive. I'm not saying this to instigate a response or be a minority opinion either. I just don't see the big deal with *most* of these kits.. They aren't THAT economical and require more logistics than they would have to based on even public manufacturing tech and costs of the time..
This is why I continue to get the impression this was low classified field equipment..
"I just don't see the big deal with *most* of these kits.. They aren't THAT economical and require more logistics than they would have to based on even public manufacturing tech and costs of the time.."
They're better than the tech we knew about from before. Their reuse of COTS and prior spying tech kept development costs low. The lack of signature tech in the implants is deniable. The cost of most of them is cheap by defense standards. They were flexible enough to be used in many ways, including with other spy tech. And they were still a secret when the catalog was published.
What more could an intelligence professional [in the real world] want in spy gear?
I don't see what your gripe with the list is. It's consistent with other trends and data from military industrial complex. Almost everything they do involves custom configurations or deployments of components that aren't custom. Or evolutionary improvements to existing solutions. It's rarely radically different or high tech custom down to the metal. That's why you see them pushing "security enhanced" versions of Linux, VMWare, etc for internal use instead of software that's actually secure. Even they can't resist the promised (and sometimes delivered) benefits of the commercial marketplace.
I think there are also certain mandates or at least incentives for COTS to be in the supply chain. I'll leave it to someone else to confirm, deny, or clarify that, though.
They aren't THAT economical and require more logistics than they would have to based on even public manufacturing tech and costs of the time..
I was not commenting on the economics of the units (though I have commented on it with other devices). What I will say having designed and built surveilance equipment is that even though the prices are high there is little or no profit in it for the manufacturer untill they have sold the first "production run" which even on twenty five units could take a year to do. And as a general rule the smaller the number of units made on a production run the higher the "return rate", likewise the greater the component packing density the greater the return rate. As there is no photo of the device it's not possible to say how these have been produced, but other items in the catalogue have the hallmark of "hand produced" which also increases the return rate. It's realy not possible to "cost up" the "factory gate price" from just the electronic component BOM which is why it's not possible to say what the economics of it are.
This is why I continue to get the impression this was low classified field equipment..
With rare exceptions equipment is not classified by content but by function. That is next to nothing in say a crypto device is classified in it's own right, a resistor is still a resistor and likewise an ARM processor and FPGA are not classified. Even the way the components are put together may not be classified ie COTS PC motherboards in TS and above use equipment. And not even the packaging of the system ie consider classified TEMPEST -v- uncassified EMC / hardened equipment, in a number of cases the diference is in the testing and labeling not the bit of kit on the end customers work bench.
And in the case of surveilance equipment a primary requirment is based on the certain knowledge that it's use is in "your enemy hands". Thus it will almost certainly be not just discovered but pulled apart and analysed by the enemy who is sometimes technicaly more sophisticated than your experts...
In the main the only secrecy involved in surveilance equipment (out side of comms/storage keymat) is the "trade craft" in getting a device into your enemies hands without them knowing you have done it.
So yes by definition this equipment is going to be "the lowest classified field equipment" there is, and probably why the higher classified "officer use" equipment such as the illuminators and associated receivers are of more interest to you. The other type of field equipment that falls between the two which would also probably be of interest to you is "agent / contractor use" equipment which includes the likes of "spy radios" and "minox cameras" etc for "agents" and the "data collectors" that sit in the secure rooms/cabinets in telephone company premises.
I suspect that only the "contractor" phone company data collector equipment will be in the Ed Snowden documents as "agent" equipment would not generaly be in the NSA responsabilities (unless for secure comms).
On a side note, the drawing should have classification marks too, and it doesn't.
After looking at the architecture for a while, I agree that the JTAG is for COTS systems. So, apparently, is the I2C bus capability. The presence of the FPGA for both JTAG and I2C interfaces would allow interception of data from very high speed devices. It also looks like there is a JTAG control interface, directly out of the ARM.
In sum, it looks to me like the exploit would be most useful where the COTS system doesn't permit for built-in networking or network driver capability and/or operates at too high a rate for data to be sent over the Ethernet connection. The FPGA-to-DDR2 connection, in particular suggests interception of selected data from devices operating at very high speeds--speeds much too high for an ARM processor to keep up.
Non-networked, high-speed targets: Weapon control systems come to mind.
The JTAG+FPGA+DDR2 combination should also support exploits where external control is imposed on the target system. If it really is for weapons systems, then perhaps the control capability is used to pass the extracted data over available telemetry channels by bit-stealing.
Oops, seems like I had a case of really bad English above.
Maculation = (supposed to mean) shredding.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.