COTTONMOUTH-III: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:


(TS//SI//REL) COTTONMOUTH-III (CM-III) is a Universal Serial Bus (USB) hardware implant, which will provide a wireless bridge into a target network as well as the ability to load exploit software onto target PCs.

(TS//SI//REL) CM-III will provide air-gap bridging, software persistence capability, "in-field" re-programmability, and covert communications with a host software implant over the USB. The RF link will enable command and data infiltration and exfiltration. CM-III will also communicate with Data Network Technologies (DNT) software (STRAITBIZARRE) through a covert channel implemented on the USB, using this communication channel to pass commands and data between hardware and software implants. CM-III will be a GENIE-compliant implant based on CHIMNEYPOOL.

(TS//SI//REL) CM-III conceals digital components (TRINITY), USB 2.0 HS hub, switches, and HOWLERMONKEY (HM) RF Transceiver within a RJ45 Dual Stacked USB connector. CM-I has the ability to communicate to other CM devices over the RF link using an over-the-air protocol called SPECULATION. CM-III can provide a short range inter-chassis link to other CM devices or an intra-chassis RF link to a long haul relay subsystem.

Status: Availability -- May 2009

Unit Cost: 50 units: $1,248K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on March 7, 2014 at 2:41 PM • 10 Comments


MattMarch 7, 2014 3:40 PM

It's quite clearly a hardware chip put in a computer by an agent (a "hardware implant"). Not an exploit. And finding it and exposing it puts the person that planted that bug at serious real risk of harm.

You've said yourself Bruce, and I quote (link: )

This sort of thing [TAO] represents the best of the NSA and is exactly what we want it to do. That the United States has these capabilities, as scary as they might be, is cause for gratification.

Undermining the bits of the NSA that are "cause for gratification" by deliberately seeking to expose them forces the NSA to rely more heavily on the bits that you disagree with, and makes the Intelligence Community move from SIGINT-reliance which is safe, to HUMINT-reliance, which puts real agents at risk.

I appreciate that you have a bunch of secrets and you want to leak them because secrets always make for good stories. But exposing tools and techniques that you yourself have said are "exactly what we want the NSA to do" - and in doing so putting CIA agents at risk to get the intelligence the NSA can no longer get - is at best stupid and self-defeating, and at worst unethical and dangerous.

zzzzzzMarch 7, 2014 3:44 PM

@Mark Why don't you go back to that nice office in Fort Meade? Nothing that is relealed here is new, it has already been leaked and not by Bruce Schneier. On the other hand, everything the government does should be public knowledge ;-)

galamMarch 7, 2014 5:13 PM


You make good points and are quite reasonable. That said, the concern here is that since another organization already leaked these, there will be copycats from other nations. Since the information is now public, we must prepare to be able to defend ourselves when we start seeing bad governments and malicious actors use them against us.

Bruce has not leaked anything on his own to my knowledge. He's been analyzing what's already been leaked by another organization.

Nick PMarch 7, 2014 6:10 PM

@ Matt

"Undermining the bits of the NSA that are "cause for gratification" by deliberately seeking to expose them forces the NSA to rely more heavily on the bits that you disagree with, and makes the Intelligence Community move from SIGINT-reliance which is safe, to HUMINT-reliance, which puts real agents at risk."

Our main enemies already knew we could bug hardware, do EMSEC attacks, etc. That the US knows that is evident from their panicked DARPA funding for firmware protection, malicious hardware detection, etc. Russia and China have been using high tech attacks to steal corporate I.P. and classified information for a long time according to US govt documents. They probably had many Snowden files before Snowden.

The countries hit hardest by news of the leaks are the allied and neutral countries that found out we were massively subverting their infrastructure and systems. If that undermines NSA's mission, then maybe they should focus on countries that are actually a threat rather than spying on harmless countries to rig contract and treaty negotiations.

Additionally, that NSA knows enemies are using the same EMSEC and firmware level attacks means they should do more to protect us from those. Currently, it's a felony for you to possess TEMPEST (EMSEC) defense and they've taken no effort to increase assurance of lower layers. They also push insecure tech as secure, making enemies' job easier. Props to NSF, DARPA, certain corporations and academia for producing tech that actually protects us. It would be great if NSA was doing that...

65535March 8, 2014 1:18 AM

I agree with Nick P, zzzzzz, and galam. These implants just encourage copycats and an arms race to build and distribute the most efficient air-gap jumper and persistent bugs.

It is not beyond imagination, that countries like China could make these implants at a fraction of the cost and spread them to unfriendly states or criminals – in large quantities. China could also build the associated infrastructure on the CC and ex-flirtation side on a low cost basis.

It’s even possible that these implants could be installed at the factory for criminal activity. You could speculate that these devices have already trickled down to the cyber criminals and script kiddies. Once you start and arms race it is hard to stop.

Scott "SFITCS" FergusonMarch 8, 2014 1:39 AM


I agree with Nick P, zzzzzz, and galam. These implants just encourage copycats and an arms race to build and distribute the most efficient air-gap jumper and persistent bugs.

Keeping them secret doesn't mean they won't be duplicated - only that you won't know they've been duplicated (as you won't know of the original). If anything these disclosures just give a better idea of the capabilities of others (if you can see clear of nationalistic fervor).

Presuming their development was unique to the NSA defies technological (and scientific) history which is littered with examples of parallel, independent, "discovery" and invention.

I'd propose that these exposures may well encourage other countries (and agencies) to develop the same ability. But that takes resources - resources that would not have been laying idle otherwise. Instead those resources may well have been devoted to developing abilities different and beyond those of the NSA. The limited ability of the USSR to know of US technology during the Cold War meant they took different paths in the development of spying technology - I don't know how much money they devoted to dead ends, but they did develop abilities the US/UK did not have (Clive may know more).

As for "encourage an arms race" - that's like saying "encourages progress" - it doesn't need encouragement, only the perception that someone has something you don't have which leads to trying to find ways to shift the balance in your favour. Development of spying technology doesn't stop, or slow, when leaks don't occur.

Disclaimer:- I'm neither American nor a nationalist, so I'm not cheering for the NSA or under the illusion they have my countries best interests at heart.

FigureitoutMarch 8, 2014 8:14 AM

--The biggest threat to agents is their own incompetence that will blow their covers. I obviously haven't tested them all, but if they easily get caught up in emotional/sexual mental games and falling for false intel w/o verifying it w/ the channels that they have access to; they are getting themselves killed. Death is a part of the job description.

It's a matter of professionalism, and having a sense of picking out what is and is not a threat; both of which were seriously lacking in the agents I tested.

BenniMarch 8, 2014 10:30 AM


The problem with these "devices" is that that they are employed on "targets" that can not be identified as "bad guys".
On the rooftop of the berlin embassy is a radar antenna called Einstein/Castnet. This antenna emits radar waves and lists for the returned waves by radar bugs that get activated with the incoming wave.

NSA bugged the cryptofax of an embassy of the european union with that techniques. And in Berlin, these bugs certainly are not only for the embassy in north korea, since nsa also tapped the german chancellor. Germany is an ally of the US with troops in Afghanistan.

Another thing: google. Nsa sits with the program muscular in googles internal fibers, but bruce also mentions in his lecture that they sit on specific google servers to collect adress books.

It may certaninly be that google is used by terrorists.
But the fact that terrorists use phones can be no reason to bug all phones.

Similarly, deploying bugs in companies like google, just because google is used by terrorists, is highly problematic. Google is not an enemy. Even if google is used by enemies.

As long as nsa deploys their bugs on companies or near politicians that are not an "enemie" these TAO devices must be published. And they all must be made public.

Some of the TAO devices are used for killing enemies, e.g the devices with find/fix/finish capabilities. One might think these devices are a good thing.

But then, these things are just for finding phones. the afghan president Karzai complains that instead of firing at taliban camps, the drones would attack civillian villages. It is reasonable, that the talibans simply sell their phones after a few days of real talking to civilians, in order to make the us appear as child murderers when the drones attack the phones that were used by the terrorists.

As long as it is that way, the nsa bugs should all be published. period.

They are used to spy on non-enemies, like politicians who are allies of the us, they are used to spy on telecommunication companies, they are used to spy on companies like SAP that deliver office software, and they are used for locating the phones of terrorists, who then sell their mobiles to civillians, making the drones attack children. These things are not good things.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.