Schneier on Security
A blog covering security and security technology.
« "The Mask" Espionage Malware |
| DRM and the Law »
February 11, 2014
SURLYSPAWN: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:
(TS//SI//REL TO USA,FVEY) Data RF retro-reflector. Provides return modulated with target data (keyboard, low data rate digital device) when illuminated with radar.
(TS//SI//REL TO USA,FVEY) SURLYSPAWN has the capability to gather keystrokes without requiring any software running on the targeted system. It also only requires that the targeted system be touched once. The retro-reflector is compatible with both USB and PS/2 keyboards. The simplicity of the design allows the form factor to be tailored for specific operational requirements. Future capabilities will include laptop keyboards.
(U) Concept of Operation
(TS//SI//REL TO USA,FVEY) The board taps into the data line from the keyboard to the processor. The board generates a square wave oscillating at a preset frequency. The data-line signal is used to shift the square wave frequency higher or lower, depending on the level of the data-line signal. The square wave, in essence, becomes frequency shift keyed (FSK). When the unit is illuminated by a CW signal from a nearby radar, the illuminating signal is amplitude-modulated (AM) with this square wave. The signal is re-radiated, where it is received by the radar, demodulated, and the demodulated signal is processed to recover the keystrokes. SURLYSPAWN is part of the ANGRYNEIGHBOR family of radar retro-reflectors.
Unit Cost: $30
Status: End processing still in development.
Page, with graphics, is here. General information about TAO and the catalog is here.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
Posted on February 11, 2014 at 2:55 PM
• 15 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I have to give the NSA props on the engineering solution to this problem. Tiny board, only a handful of components, and really cheap (even with hand assembly).
The hardware might actually be usable to tap any digital data line, as long as the baud is low enough. Just have to change the software at the receiving end.
This sounds conceptually a lot like the passive Soviet audio debugging device, Thing. (ref: http://en.wikipedia.org/wiki/...
A small device, sits inside an otherwise innocent enclosure and only activates when agitated by an external energy source.
@ Mika Boström,
This sounds conceptually a lot like the passive Soviet audio debugging device, Thing.
Firstly I think you mean "bugging" not "debugging" ;-)
And "The Thing" was given that name by Peter Wright who at the time worked for MI5. The device was invented by the man who also invented the electronic instrument named after him (Theramin) that is most well known on the Beach Boys record "Good Vibrations".
This device works by using a FET to change the impedence of an antenna, which changes the amount of energy it "re-radiates". Thus at another antenna on a receiver the signal amplitude is the vector sum of the transmitter illuminating signal that impinges on it and the re-radiated device signal. As the two signals have a constant phase difference due to the differing path lengths the resulting signal has an envelop that coresponds to the signal driving the gate of the FET.
Whilst the gate signal could be just the "aquired signal" the use of the squarewave generator serves two purposes. The first is to remove "DC offset ambiguity" and the second is to use a frequency above the audible range (think 20KHz and up). This not only cannot be heard if the signal interferes with audio equipment, but also falls well out side the IF bandwidth of the majority of receivers that might tune in to the transmitted iluminator signal. This also includes the majority of "bug hunter" devices or likely settings used on spectrum analysers and other test equipment used to "sweep an area".
In practice these days you can buy "all band scanners" which provide an IF output signal taken before the "narrow band" IF filters. This can be fed into a "Video bandwidth" IQ vector demodulator or be "direct converted" into a suitable wide band A-D converter pair on a PC for software to demodulate and analyse (See various web forums on "Software Defined Radio").
You don't need to use FETs although these require the lowest "drive" power. You can use a "bridge rectifier" made of Schotky diodes mounted between the two arms of a halfwave dipole antenna.
I've mentioned all of this on an earlier posting on another (similar) page of this blog.
Even though this "bug" is nearly passive there is a problem with the FET, if the illuminating signal is sufficiently strong it exhibits a square or higher power charecteristic which will generate harmonics of the illuminator signal. These can be used to detect the bug.
One way to do this is with a spectrum analyser with tracking generator, you take the output of the tracking generator digitaly divide it down in frequency and amplify the resulting signal to a level suitable for illumination. By sweeping the band repeatedly every other time with the illuminator signal off you end up with a "blinker signal" if there is a bug of this type present.
One of my friends from graduate school developed a Tempest certified workstation at his first post-grad job at Zenith. It eliminated this issue by using light-pipes from the keyboard to the system unit, and the keys just were shutters - press a key, and break the beam. It was the first such system to pass all Tempest tests on first run... :-)
Man, this sounds almost like a little exploit I could put together pretty quickly. This was one of the reasons why I liked PS/2 keyboards, the simplicity and I would have to physically verify all 4 lines, even ground. Haven't taken apart my keyboard yet, I would laugh out loud if I found some little goody. FSK, CW, AM, and RADAR; damn all very familiar subjects to me lol. I bet me and my dad could come up w/ something but he has morals and he's getting too old and it's not good for his health. So I'm the protector now and this looks like fun. Square waves are cool, won't be perfect like I want, but PWM lol.
@Tom: Thanks for the link.
For those who havent investigated yet, it is a spoof NSA report by Poul Henning-kamp - the actual pdf is at http://phk.freebsd.dk/_downloads/FOSDEM_2014.pdf . Although it is a spoof he does make some good points about the possibility to subvert FOSS in the interests of ease of interception. I am not convinced that all the cases he cites are due to foul play (although I think the decisions would have been different now than a year or more ago) but all of the mechanisms proposed are credible and have been cited here before.
I do think he stretches a point about Firefox warning users more than once before a user can add a security exception for self-signed certificates though; anyone doing it on purpose should understand enough not to be deterred.
Back on Topic: Looking at this it is about twice the size (and 4 times the circumference) of Tawdryyard for which a detection range of 50 feet was claimed in the ANT catalogue - so it potentially has a bit more efficient antenna and longer range. But I can't see it working at hundreds or thousands of feet and range at the usual NSA frequency band of 1-2GHz will be reduced significantly by walls and anything with much water content in the way (people or vegetation). So I am not sure of the operational use case especially if it doesn't work for laptops which knocks out the "next hotel room" and "internet cafe" scenarios for most potential targets - to monitor desktop machines from within a few hundred feet would be difficult unless you can rent the office above/below/next door or park outside all day.
Of course if it can use an external antenna such as an extra wire within the insulation of the implanted cable (it would need to be at least 7 cm / 3 inches to be efficient at the highest frequency) then the range may be increased to the point that monitoring a target machine from "outside the campus fence" becomes possible.
Yep. That patent looks a lot like what he did at Zenith, a year or two after the patent grant. I would guess that he became aware of the patent when working on the Tempest terminal project. I would expect that Zenith licensed it for their use but I don't know that much about it other than our conversations about it back before 1980 when we were prototyping a rally computer - we were both serious amateur rally drivers/navigators.
Couldn't this device be mitigated by placing a "choke" on either end of a keyboard cable? The chokes can be made with magnets.
Aluminum foil could also be placed around a cable. As an added measure, then ground the foil.
"Aluminum foil could also be placed around a cable. As an added measure, then ground the foil."
They might find what you use for ground connection and put a tap on that, The crosstalk from the cable and Al foil would pass a decent signal.
Then a Faraday cage could be placed around the workstation and keyboard.
The Al foil around the keyboard cable would reflect signals in both directions. Grounding may not be neccessary.
The ground could be the negative terminal of a DC battery. Run a section of "balanced line" audio cable (with chokes, perhaps) from the inside of the Al foil covering to the negative terminal of a 3V lithium button battery that is placed inside the covering. The battery wouldn't touch the covering or keyboard cable.
The negative terminal of the battery won't work as expected, no more than the Al foil, a ac source with one terminal and a diode would do it.
Have a couple layers separated by plastic sheets not grounded would stop alot.
fiber optic communications for keyboard input were used in at least one commercial computer, the 1980s Texas Instruments Explorer. The purpose was to extend the cpu-to-desk distance rather than for TEMPEST. the keyboard itself used electrical signalling which was modulated to an optical pulse by hardware inside the "console" or display unit.
A thought I had about the ANGRYNEIGHBOR devices is that they seem to use breaks in RFI shielding to exfiltrate their signals. Question 1: is the position along the cable at which the implant is placed tuning its radio frequency? There is a type of antenna called a collinear which is tuned by cutting a coaxial cable's shield at specific points.
2: Such a hole in the shield is hidden because of the peripheral cable's design. opaque pvc prevents visual verification of shield integrity (although a near-field RF pickup could be used?). If shielded cables were sleeved with transparent plastic and used solid metal connectors with externally clamped shielding collets, any tampering with the continuous shield would be readily apparent. Ferrite chokes, if used, would be movable so the shield beneath was inspectable.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.