COTTONMOUTH-I: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:


(TS//SI//REL) COTTONMOUTH-I (CM-I) is a Universal Serial Bus (USB) hardware implant which will provide a wireless bridge into a target network as well as the ability to load exploit software onto target PCs.

(TS//SI//REL) CM-I will provide air-gap bridging, software persistence capability, "in-field" re-programmability, and covert communications with a host software implant over the USB. The RF link will enable command and data infiltration and exfiltration. CM-I will also communicate with Data Network Technologies (DNT) software (STRAITBIZARRE) through a covert channel implemented on the USB, using this communication channel to pass commands and data between hardware and software implants. CM-I will be a GENIE-compliant implant based on CHIMNEYPOOL.

(TS//SI//REL) CM-I conceals digital components (TRINITY), USB 1.1 FS hub, switches, and HOWLERMONKEY (HM) RF Transceiver within the USB Series-A cable connector. MOCCASIN is the version permanently connected to a USB keyboard. Another version can be made with an unmodified USB connector at the other end. CM-I has the ability to communicate to other CM devices over the RF link using an over-the-air protocol called SPECULATION.

Status: Availability -- January 2009

Unit Cost: 50 units: $1,015K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on March 5, 2014 at 2:27 PM • 17 Comments


kmeMarch 5, 2014 10:21 PM

You might be able to detect this by X-raying the USB connector that houses it.

Nick PMarch 5, 2014 10:40 PM

How about cutting the old USB connector off and wiring a new one from a different device to it? Shouldn't be too difficult. Anything in USB protocol operation that would prevent this?

renkeMarch 6, 2014 4:10 AM

STRAITBIZARRE seems to be NSA's swiss army knife. Would be interesting to learn more about this tool, afaik we know next to nothing about it.

TIMMarch 6, 2014 5:00 AM

Sorry, if this question has already been answered somewhere on this blog before, but, why are so many documents so old (I mean from around the year 2008)?
Is it to protect the national security of USA?

I don't want to imagine what they are able to do today, when they were in 2008 so far :(

Jonathan WilsonMarch 6, 2014 5:54 AM

@TIM, the reason they are so old is that 2008 or so is when Snowden was able to steal the documents he did, i.e. he has never been in a position to steal documents newer than 2008 (or if he was, he chose not to steal such documents)

RoyMarch 6, 2014 6:03 AM

The number of NSA exploits is overwhelming. It seems that nothing related to computers is secure or out of their reach.

TIMMarch 6, 2014 6:03 AM

@ Jonathan Wilson

Thank you, I didn't knew that. This might be one reason why the NSA has had problems to identify what he has stolen, too.

f3j4hfbj34hfbMarch 6, 2014 7:47 AM

Just look in windows task bar... detected.. or put a policy on USB ports and block it all together..

I'd find a windows USB zero-day and load a rootkit to hide the NIC and create a covert channel to send my data over. But then you still have a stick sticking out of a occupied USB port..

This isn't good for audited or technical user environments..

TIMMarch 6, 2014 8:23 AM

@ f3j4hfbj34hfb

You don't see all USB-Devices in the windows task bar (e.g. HID). I played a little bit around with a programable teensy-stick and if it's configured as keyboard the user won't see it and windows gives it's own driver for it.

I don't know what possible ways for code execution exist only with windows keyboard drivers, but I'm sure there are always ways to abuse it ;-(

65535March 6, 2014 8:54 AM

It is fairly old but I would guess it has gotten smaller and better. Also, I would guess the black hats are in a race with the NSA to see who make the best air-gap hack.

f3j4hfbj34hfbMarch 6, 2014 4:19 PM


It takes extensive hooking and table patching in Windows to hide a WIFI NIC from taskbar and all the COM interfaces native UIs and policies query. Even if you relayed it through another class of device with a generic driver, like USB audio, you still have some expensive coding to do and a occupied external port..

I'm pretty sure it is NIC class and I don't see any rootkit mentioned.

Shawn SmithMarch 11, 2014 1:11 PM


So, you're saying something like this Trojan mouse only with the electronics of a wireless router implanted inside a keyboard would not work or be easily detected? And at ~$20k per unit when purchased in bulk--that sounds like some expensive coding to me.

darrenAugust 14, 2016 4:52 AM

wHi, is there anyway that persons can use this material to spy on you for there own amusement and personal gain.i feel as around my house in key locations I'm being monitored.and my personal life has been invaded for years. I think they use this type of air gap ,can they do this and see you using a I pad many miles away,, like they are using this technology to play games with my mental stability. they see me wherever I go in society. Also using objects around me to gain access into personal moments,.would you please tell me how this is possible to do. I greatly appreciate it if you have time to listen to my story. I've been a victim for years and personally tortured.I beg you for your assistance in this matter. I no its sounds unreal, just talk to me and with the answers of questions u ask.. I think you'll be greatly surprised, and see my arguments, thank you,

Clive RobinsonAugust 14, 2016 8:21 AM

@ Darren,

is there anyway that persons can use this material to spy on you for there own amusement and personal gain.

There are several devices here and the aproximate $50 / unit price with the usuall 100:1 mark up on the BOM of this type of security / intel / mil product tells you that in reality there is very little in these devices.

Take the MOCCASIN device you can now buy similar technology via the usuall asian outlets for as little as $4 plus --very expensive-- "shipping".

Making it yourself is actually quite simple the "USB Keyboard" protocol is not realy "USB" in many keyboards and the old PS2 protocol is very well known and thus all you need to know to "make your own" is up on the internet. You can get a surface mount RF chip like the NE602 / NE612 / SA612 [1]from many places and it requires very little in "other components" to turn it into an effective phase reverse modulated transmitter with a range of 150-300 ft. I've actually used the 612 with a modern surface mount "vhf xtal" and "ModAmp" amplifier to work over 20miles clear line of sight as a transverter.

So it would also work for the lower speed USB signals all be it with a very wideband --thus range limiting-- signal.

There are plenty of similar chips that were designed to work at cellphone or higher frequencies that you could buy as "flip chip" or "ball grid array". Thus easily available to mount in a standard USB moulded connector with a little knowledge.

I've actually designed in the past such products for various professional organisations that sell such products to the likes of tax funded LE-Int agencies at eye watering prices.

You can also get SMD Computer chips not much bigger than a grain of rice that you can use to downconvert the USB data rate or connect bi-directionaly with both the USB and Air interfaces. The last time I looked DigiKey had all the parts you need for a few dollars on your credit card. All you need is the knowledge to build such a device and as I've indicated it's not in anyway dificult to find. The hardest part for a home constructor would be making a believable outer case, and that can be solved by joining a "maker group" with a 3D printer...

If you are a little more well funded you can go insearch of WiFi SoC chips such as those used in the ultra small WiFi dongles. Such systems would load their own drivers into MS Win etc or use the standard drivers and load other software, due to a flaw in the USB protocol.

Thus the technology is out there if somebody wanted to make / use it. Thus the questions you should be asking are not the technology ones, and this is not the place for such questions.


ianfAugust 14, 2016 11:31 AM

Sez Clive Robinson:

[…] The hardest part for a home constructor would be making a believable [cable spy device] outer case, and that can be solved by joining a "maker group" with a 3D printer...
This, design and mechanical manufacture of a well-done outer casing, is indeed the hardest part, and thus can not be so easily pooh-poohed as does Clive.

For starters, mastering a volume or wireframe CAD program to design the part can be a daunting task. And the smaller the casing, the fine-grainier the 3D printer/ method would have to be. I'm not sure what the final part's volume we're talking about, but if it is to be <1cm3, #then fuggedaboutit in this fashion. Only specialized biomedical and dental-work 3D printers (or, more often, 5-axis miniature milling machines) would be capable of that, and they cost, say, €200k and up[*]. Do not expect a 3D maker arts/ crafts cooperative, even such tied to some technical college, to own any such; and, anyway, if they come onto you for attempting to make something for "spying purposes," they'll boot you out. But of course, first you'd have to clear the hurdle of having a working CNC file for the printer… which is not something easily arrived at (of course not in Clive's wonderful sage land ;-))

[^^] my dentist has one such. Asked in jest what it'd cost to (additionally program it to) have one's initials milled on so-produced porcelain tooth, he couldn't say, but presumed ~€1k.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.