COTTONMOUTH-I: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:


(TS//SI//REL) COTTONMOUTH-I (CM-I) is a Universal Serial Bus (USB) hardware implant which will provide a wireless bridge into a target network as well as the ability to load exploit software onto target PCs.

(TS//SI//REL) CM-I will provide air-gap bridging, software persistence capability, "in-field" re-programmability, and covert communications with a host software implant over the USB. The RF link will enable command and data infiltration and exfiltration. CM-I will also communicate with Data Network Technologies (DNT) software (STRAITBIZARRE) through a covert channel implemented on the USB, using this communication channel to pass commands and data between hardware and software implants. CM-I will be a GENIE-compliant implant based on CHIMNEYPOOL.

(TS//SI//REL) CM-I conceals digital components (TRINITY), USB 1.1 FS hub, switches, and HOWLERMONKEY (HM) RF Transceiver within the USB Series-A cable connector. MOCCASIN is the version permanently connected to a USB keyboard. Another version can be made with an unmodified USB connector at the other end. CM-I has the ability to communicate to other CM devices over the RF link using an over-the-air protocol called SPECULATION.

Status: Availability -- January 2009

Unit Cost: 50 units: $1,015K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on March 5, 2014 at 2:27 PM • 14 Comments


kme • March 5, 2014 10:21 PM

You might be able to detect this by X-raying the USB connector that houses it.

Nick P • March 5, 2014 10:40 PM

How about cutting the old USB connector off and wiring a new one from a different device to it? Shouldn't be too difficult. Anything in USB protocol operation that would prevent this?

renke • March 6, 2014 4:10 AM

STRAITBIZARRE seems to be NSA's Swiss army knife. Would be interesting to learn more about this tool; afaik we know next to nothing about it.

TIM • March 6, 2014 5:00 AM

Sorry if this question has already been answered somewhere on this blog before, but why are so many documents so old (I mean from around the year 2008)?
Is it to protect the national security of the USA?

I don't want to imagine what they are able to do today, when they were already so far along in 2008 :(

Jonathan Wilson • March 6, 2014 5:54 AM

@TIM, the reason they are so old is that 2008 or so is when Snowden was able to steal the documents he did, i.e. he has never been in a position to steal documents newer than 2008 (or if he was, he chose not to steal such documents)

Roy • March 6, 2014 6:03 AM

The number of NSA exploits is overwhelming. It seems that nothing related to computers is secure or out of their reach.

TIM • March 6, 2014 6:03 AM

@ Jonathan Wilson

Thank you, I didn't know that. This might be one reason why the NSA has had problems identifying what he has stolen, too.

f3j4hfbj34hfb • March 6, 2014 7:47 AM

Just look in the Windows task bar... detected. Or put a policy on USB ports and block it altogether.

I'd find a Windows USB zero-day and load a rootkit to hide the NIC and create a covert channel to send my data over. But then you still have a stick sticking out of an occupied USB port.

This isn't good for audited or technical user environments.

TIM • March 6, 2014 8:23 AM

@ f3j4hfbj34hfb

You don't see all USB devices in the Windows task bar (e.g. HID). I played around a little bit with a programmable Teensy stick, and if it's configured as a keyboard the user won't see it and Windows supplies its own driver for it.

I don't know what possible ways for code execution exist only with Windows keyboard drivers, but I'm sure there are always ways to abuse it ;-(
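The two comments above point at the same detection gap: a device that enumerates as a keyboard gets a stock driver and no visible icon, and the catalog entry says CM-I hides a USB 1.1 hub and switches inside the A connector (MOCCASIN being the variant wired permanently to a keyboard). One host-side check that does not depend on what the tray shows is to baseline the USB device tree and diff it. The script below is an added example, not code from the original post or from any of the commenters; it assumes you can export an inventory of USB devices (topology path, vendor:product, device class, interface classes) from lsusb, the Windows PnP tree or similar, and the two inventories embedded in it are constructed samples with placeholder vendor:product IDs.

```python
"""Baseline-diff a host's USB device tree to spot a hub or extra function
hidden in a cable or keyboard.  Added example; the device records are
constructed, the vendor:product IDs are placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UsbDevice:
    path: str              # topology path: "1-1.2" = bus 1, port 1, hub port 2
    vid_pid: str           # "vendor:product" as lsusb prints it (placeholders here)
    dev_class: str         # device-level class: "hub", "hid", "composite", ...
    interfaces: frozenset  # interface classes the device exposes


def parent_of(path):
    """'1-1.2.3' -> '1-1.2'; a top-level device's parent is the root hub ('1')."""
    bus, _, port_chain = path.partition("-")
    ports = port_chain.split(".")
    return bus if len(ports) == 1 else f"{bus}-{'.'.join(ports[:-1])}"


def diff_usb_tree(baseline, current):
    """Compare two inventories and return (severity, path, message) findings."""
    base = {d.path: d for d in baseline}
    cur = {d.path: d for d in current}
    findings = []

    for path, dev in cur.items():
        old = base.get(path)
        if old is None:
            # Unknown device.  A new hub is the catalog's own signature:
            # CM-I puts a hub plus switches inside the connector.
            sev = "high" if dev.dev_class == "hub" else "medium"
            findings.append((sev, path, f"new {dev.dev_class} device {dev.vid_pid}"))
        elif old.vid_pid != dev.vid_pid:
            # Same port, different identity (e.g. a hub now where a keyboard was).
            findings.append(("high", path, f"identity changed {old.vid_pid} -> {dev.vid_pid}"))
        elif dev.interfaces - old.interfaces:
            # Same device, but it now exposes functions it did not have (HID + CDC, ...).
            extra = sorted(dev.interfaces - old.interfaces)
            findings.append(("high", path, f"new interface classes {extra}"))

    # Keyboard-style devices that now sit behind a hub which was not a hub in
    # the baseline: the MOCCASIN case, where the implant lives in the cable.
    for path, dev in cur.items():
        if "hid" not in dev.interfaces:
            continue
        parent = parent_of(path)
        parent_now_hub = parent in cur and cur[parent].dev_class == "hub"
        parent_was_hub = parent in base and base[parent].dev_class == "hub"
        if parent_now_hub and not parent_was_hub:
            findings.append(("high", path,
                             f"HID device {dev.vid_pid} now behind hub {parent} that was not a hub before"))

    for path in base.keys() - cur.keys():
        findings.append(("low", path, f"device {base[path].vid_pid} missing"))
    return findings


# Constructed sample: a clean baseline, then the same host after the keyboard
# cable has been replaced by one containing a hub and a second function.
BASELINE = [
    UsbDevice("1-1", "1234:0001", "hid", frozenset({"hid"})),                    # keyboard
    UsbDevice("1-2", "1234:0002", "mass_storage", frozenset({"mass_storage"})),  # thumb drive
]
CURRENT = [
    UsbDevice("1-1", "0000:0000", "hub", frozenset({"hub"})),                    # hub where the keyboard was
    UsbDevice("1-1.1", "1234:0001", "hid", frozenset({"hid"})),                  # the keyboard, one level down
    UsbDevice("1-1.2", "ffff:0000", "composite", frozenset({"cdc", "vendor"})),  # extra function on the hub
    UsbDevice("1-2", "1234:0002", "mass_storage", frozenset({"mass_storage"})),
]


def scan_sample():
    return diff_usb_tree(BASELINE, CURRENT)


if __name__ == "__main__":
    for severity, path, message in scan_sample():
        print(f"[{severity}] {path}: {message}")
```

The check is only as good as the baseline: if the inventory was first taken after the cable was swapped, the hub and its extra function are simply part of "normal", and many legitimate keyboards ship with an internal hub, so the baseline has to come from a known-good unit. It also says nothing about the RF side; a catalog-style host software implant that filters what the OS reports defeats any host-side enumeration, which is why the X-ray suggestion earlier in the thread is the complementary check.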

65535 • March 6, 2014 8:54 AM

It is fairly old, but I would guess it has gotten smaller and better. Also, I would guess the black hats are in a race with the NSA to see who makes the best air-gap hack.

f3j4hfbj34hfb • March 6, 2014 4:19 PM

It takes extensive hooking and table patching in Windows to hide a Wi-Fi NIC from the task bar and all the COM interfaces native UIs and policies query. Even if you relayed it through another class of device with a generic driver, like USB audio, you still have some expensive coding to do and an occupied external port.

I'm pretty sure it is NIC class, and I don't see any rootkit mentioned.

Shawn Smith • March 11, 2014 1:11 PM

So, you're saying something like this Trojan mouse, only with the electronics of a wireless router implanted inside a keyboard, would not work or would be easily detected? And at ~$20k per unit when purchased in bulk, that sounds like some expensive coding to me.
