COTTONMOUTH-II: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:

COTTONMOUTH-II

(TS//SI//REL) COTTONMOUTH-II (CM-II) is a Universal Serial Bus (USB) hardware Host Tap, which will provide a covert link over USB link into a target network. CM-II is intended to operate with a long haul relay subsystem, which is co-located within the target equipment. Further integration is needed to turn this capability into a deployable system.

(TS//SI//REL) CM-II will provide software persistence capability, "in-field" re-programmability, and covert communications with a host software implant over the USB. CM-II will also communicate with Data Network Technologies (DNT) software (STRAITBIZARRE) through a covert channel implemented on the USB, using this communication channel to pass commands and data between hardware and software implants. CM-II will be a GENIE-compliant implant based on CHIMNEYPOOL.

(TS//SI//REL) CM-II consists of the CM-I digital hardware and the long haul relay concealed somewhere within the target chassis. A USB 2.0 HS hub with switches is concealed in a dual stacked USB connector, and the two parts are hard-wired, providing an intra-chassis link. The long haul relay provides the wireless bridge into the target's network.

Unit Cost: 50 units: $200K

Status: Availability -- September 2008

Status: Availability -- January 2009

Unit Cost: 50 units: $1,015K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
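One low-cost check against this class of tap, added here as an example and not part of the original post or the catalog: the CM-II's concealed USB 2.0 hub has to enumerate as a hub (device class 09h) to pass the host's own traffic through, so diffing the bus topology against an inventory taken when the machine was commissioned will show a hub appearing on a port where the inventory recorded a plain device. The script assumes the text format of `lsusb -t` from Linux usbutils; both dumps are constructed for the example.

```python
"""Diff a host's USB topology (`lsusb -t` text, Linux usbutils) against a
known-good baseline and flag hubs the baseline did not have. A host tap like
the one above must enumerate as a hub (class 09h) to pass traffic through.
The two dumps at the bottom are constructed for this example, not captures."""
import re

LINE_RE = re.compile(
    r"^(?P<ws> *)(?:/:\s+Bus (?P<bus>\d+)\.|\|__ )Port (?P<port>\d+): Dev \d+, "
    r"(?:If \d+, )?Class=(?P<cls>[^,]+), Driver=(?P<drv>[^,]*), (?P<speed>[\d.]+)M$"
)

def parse_lsusb_tree(text):
    """Return {path: (class, driver, speed)}; 'bus1.3.1' means bus 1, port 3, port 1."""
    devices, stack = {}, []           # stack[d] = path of the node at indent depth d
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                raise ValueError(f"unrecognised lsusb -t line: {line!r}")
            continue
        depth = len(m["ws"]) // 4      # lsusb -t indents four spaces per tree level
        del stack[depth:]
        path = f"bus{int(m['bus'])}" if depth == 0 else f"{stack[-1]}.{m['port']}"
        stack.append(path)
        # A multi-interface device is printed once per interface; keep the first line.
        devices.setdefault(path, (m["cls"], m["drv"], m["speed"]))
    return devices

def unexpected_hubs(baseline_text, current_text):
    """List (hub_path, [paths now beneath it]) for hubs absent from the baseline."""
    base, cur = parse_lsusb_tree(baseline_text), parse_lsusb_tree(current_text)
    findings = []
    for path, (cls, _drv, _speed) in cur.items():
        if cls == "Hub" and (path not in base or base[path][0] != "Hub"):
            findings.append((path, sorted(p for p in cur if p.startswith(path + "."))))
    return findings

# Constructed sample: at commissioning the keyboard sat directly on bus 1 port 3.
BASELINE = """\
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/4p, 480M
    |__ Port 3: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
    |__ Port 5: Dev 3, If 0, Class=Mass Storage, Driver=usb-storage, 480M
"""
# Constructed sample: the same port now shows a 2-port hub with the keyboard behind it.
CURRENT = """\
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/4p, 480M
    |__ Port 3: Dev 4, If 0, Class=Hub, Driver=hub/2p, 480M
        |__ Port 1: Dev 5, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
        |__ Port 1: Dev 5, If 1, Class=Human Interface Device, Driver=usbhid, 1.5M
    |__ Port 5: Dev 3, If 0, Class=Mass Storage, Driver=usb-storage, 480M
"""
```

Running `unexpected_hubs(BASELINE, CURRENT)` reports the hub at `bus1.3` with the keyboard now at `bus1.3.1`; a finding like that is a cue to inspect the connector, not proof of an implant, since docking stations and internal hubs also enumerate this way.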

Posted on March 6, 2014 at 2:18 PM • 6 Comments

Comments

43jn3kjnkj • March 6, 2014 4:25 PM

This is made to be used in foundries by manufacturers which means it's not just in government target networks..

The US accuses China and Korea for putting stuff in consumer and business hardware all the time..

J • March 6, 2014 7:01 PM

"This is made to be used in foundries by manufacturers"

Where does it say that? Sounds to me like it's something that gets physically installed on a target's machine when access is available. Most of these posts seem to be in that realm.

43jn3kjnkj • March 6, 2014 11:15 PM

@J

It's a double stack USB socket with solder point PCB mounting and integrated backdoor controller.. Sounds to me like you didn't read or look at the pictures...

Tony H. • March 7, 2014 1:16 PM

"This is made to be used in foundries by manufacturers which means it's not just in government target networks."

I doubt that - it sounds much more to me like something installed during "interdiction", i.e. when the machine is diverted from UPS or Fedex or whatever on the way to its target. Replacing a double-stack USB connector on a motherboard that they've had lots of practice on, and making it invisible to all but a well-trained inspector, is perfectly doable in a marginally well equipped field station. It would only add an hour or two to the transit time, assuming they have the cooperation of the couriers as they do of the telcos. Quite probably the field station is right in the courier's building, or just next door. And presumably they can redirect a shipment from (say) China to (say) a European or Middle Eastern country so it goes through a US hub without anyone noticing. Just like IP packets, I see courier shipments going gratuitously through the US between third countries all the time. Hub & spoke, don't you know.

43jn3kjnkj • March 8, 2014 7:42 PM

@Tony H

That'd make sense if you totally ignored logistics and economics and deniability.. But yeah, bringing logistics firms in the public sector in on black bag highly classified jobs is all kinds of smart..

Nick P • March 8, 2014 8:07 PM

@ 43jn

"But yeah, bringing logistics firms in the public sector in on black bag highly classified jobs is all kinds of smart.."

But we already know they do that: interdiction. So, it's a plausible hypothesis.
