FIREWALK: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:


(TS//SI//REL) FIREWALK is a bidirectional network implant, capable of passively collecting Gigabit Ethernet network traffic, and actively injecting Ethernet packets onto the same target network.

(TS//SI//REL) FIREWALK is a bi-directional 10/100/1000bT (Gigabit) Ethernet network implant residing within a dual stacked RJ45 / USB connector FIREWALK is capable of filtering and egressing network traffic over a custom RF link and injecting traffic as commanded; this allows a ethernet tunnel (VPN) to be created between target network and the ROC (or an intermediate redirector node such as DNT's DANDERSPRITZ tool.) FIREWALK allows active exploitation of a target network with a firewall or air gap protection.

(TS//SI//REL) FIREWALK uses the HOWLERMONKEY transceiver for back-end communications. It can communicate with an LP or other compatible HOWLERMONKEY based ANT products to increase RF range through multiple hops.

Status: Prototype Available -- August 2008

Unit Cost: 50 Units $537K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on March 10, 2014 at 2:33 PM • 16 Comments


name.withheld.for.obvious.reasonsMarch 10, 2014 3:03 PM

Sounds great, where do I get one--only about 5 times less expensive? This is a boon to network administrators--oh, that's not what is used for?

Now why can't these types of things be poised in a positive way? Does the same company that compromises your liberty, privacy, and property have a solution for you--at the right price--maybe I can call BAH, SAIC, or Raytheon and get on their customer...I list.

Why not just stop subverting our liberty instead of trying to sell it back to us after stealing it from us (emphasis on U.S.). Sorry north and south Americans, Europeans, Asians, and Africans, Australians, New Zealanders, Antarcticans, and anyone stuck on the north pole; if we don't address it here first the wave will subsume you--if it hasn't already.

Nicholas WeaverMarch 10, 2014 3:32 PM

Overall I think this is one of the coolest implants in the catalog: Its a drop-in replacement for a standard factory USB/ethernet jack combination (probably for servers/desktops, since that arrangement is too thick for notebooks), where the device also includes a small transceiver/computer with an RF interface.

This would require physical tampering to install, and not easy physical tampering either, but specifically interdict, unsolder, solder replacement. This is exactly the kind of cool thing the NSA is supposed to do:

Its expensive (not just the reasonable $10K/unit, but the interdiction/installation is high effort), its insanely useful (it gets into air-gapped networks), and also very target specific: the only ones who get this are real-targets.

At the same time, its strange that it isn't RF retro-reflector. This this is not RF-quiet.

Bill StewartMarch 10, 2014 3:37 PM

> From name.withheld.for.obvious.reasons: Where do I get one?
Check out Pwnie Express. Theirs may not be quite that small, but they've got a range of similar tools for network administration / penetration testing. Or get yourself a really fast laptop with two ethernet ports.

Clive RobinsonMarch 10, 2014 5:01 PM

@ Nicholas Weaver,

    This would require physical tampering to install, and not easy physical tampering either, but specifically interdict, unsolder, solder replacement.

The difficulty depends on when they "interdict". The reality is that there are not that many current motherboards out there, thus it's possible to have "boards ready to go" such that the interdict on a "new purchase" is simply a board swap and minor change to the hard disk OS image to account for the hardware change.

The question is could an already used machine owned by the target be just as quickly changed on crossing a boarder or whilst the target is out to lunch etc.

Perhaps we should consider the development of a security tool that somehow checks all the hardware in the system for it's unique signitures that cannot be changed and run it from write protected media at start up etc.

4kj3kjnfk3jMarch 10, 2014 6:25 PM

@Nicholas Weaver: Yeah in the 90s when even the public sectors had the fabrication tech for such a chip and assembly..

In spook communities it's always been said NSA equipment is at least 10 years ahead of public sector. I could make these in the late 90s with less than 200k worth of manufacturing equipment and a clean room..

The NSA scoops up the top minds in the world on annual recruiting cycles, they clearly aren't using them for their field equipment..

BenniMarch 10, 2014 6:44 PM

@nicolas weaver:
You say that this only snoops on the real target.But what if this target is google? Or a major telecommunication provider? Remember: bruce said in his lecture thatnsa gets their adress books from google by listening on specific google servers. (This is different from their muscular program where they sit on googles dark fibers). If you think that this implant could collect your adress book from google, you might perhaps not longer say that this can not be used for masd surveillance. It can. It depends on the target where it is used

NopeMarch 10, 2014 11:40 PM

I continue to be amazed at the sheer magnitude of the trade craft that Snowden has given away to friend and foe alike.

Today, he spoke by video to the SXSWt conference. Supposedly, going through many different proxy servers protected his location from being discovered. The upshot of this is that he appealed to the assembled bunch of hip people who attend the conference to pay more attention to security and privacy, and to develop more technology and products for it.

The thing that continues to be most bizarre is that he claims that he is defending the US Constitution by releasing these millions of documents. A most amazing example of living a delusion. Delusion, according to WikiPedia: a belief held with strong conviction despite superior evidence to the contrary. As a pathology, it is distinct from a belief based on false or incomplete information, confabulation, dogma, illusion, or other effects of perception.

The guy is nuts.

FigureitoutMarch 11, 2014 12:00 AM

--Lol supposedly it was "7 proxies". This is an internet meme; as in "I was behind 7 proxies bro, I'm anonymous". And just like me, where people have to trust the first-hand accounts I give them, you provide nothing of significance to back up statements.

Except you can try me if you want to find out some things and I'll let you know; but some people get a little scared (understandably so). I also gave a physical location where anyone who doesn't believe me can come and physically meet me and talk and you will see what happens when an investigation goes wrong...horribly wrong.

Clive RobinsonMarch 11, 2014 4:44 AM

@ Nope,

    I continue to be amazed at the sheer magnitude of the trade craft that Snowden has given away to friend and foe alike

Not realy, what you call "trade craft" was known to be more than possible back before the time these devices were designed. It's one of the reasons the likes of OBL were apparently so paranoid in not having an electronic foot print.

The US/Russia "blew the gaff" on electronic serveilance when they attacked sat-phone users with missiles some years before that.

This TAO catalog is just an uup market version of ones you can see in a number of high end commercial surveilance shops in London, Paris, New York and I asume a number of other places.

As for the actual "trade craft" of how you deploy such surveilance toys the journalists Ed Snowden gave the documents to have revieled nothing. Probably because that informtion if it is in the supposed 1.7 million documents is being held back for various reasons.

If you want to argue "leaking trade craft" look no further than the UK govenment and the Cabinate Office, who in a fit of peek with at the Guardian editor started a "pissing contest" which resulted in two operatives from GCHQ going to the Guardian offices to "destroy" the computers that had supposadly held the documents.

The two operaatives acted like Tweedle Dee and Tweedle Dummer in the way they went about things and after giving there "if you knew what we know" speach promptly gave a practicle demonstration of which parts of the computers were "suspect" by instructing staff which chips etc had to be destroyed with grinding tools. The Guardian staff then published pictures of the boards, so anyone with half a brain can compare the photos with actual hardware they have to determin which chips are suspect. It then takes only a modicum of effort to find out more about these chips.

I suspect that several academic and other security researchers have already done this...

The point is that much of this information is already well know indirectly and published on the internet, where the old school Hacker mentality has show many peripheral and other chips that can be re-programed to harbour malware or as in the case of some criminals to make thumb drives etc look bigger so they can be sold at a higher price.

All this TAO catalog does is to focus peoples attention on what was already know and talked about on this blog and in other places on the Internet.

Oh and show that some people are "getting out" to much and thus not doing their homework/research which has had the secondary effect of allowing many in the "security industry" to sell snake oil by the tanker load and thus the leaders of many empires have discovered that they have been left as crudely expossed as the Emperor in Hans Christian Anderson's little story [1].

[1] Proving that "fairy tales" realy can come true, but not quite in the way many would like/hope, after all as the Fairy Godmother might say "Walking around with one's A55 hanging out of one's trousers is not the most dignified way of deporting one's self, and to have payed so much for it as well, what can one say?" :-)

paulMarch 11, 2014 8:20 AM

Although this calls itself a surveillance tool, the description sounds much more like something that would be used for attacking other people's systems. Also, I'm not that good on tech history: how prevalent was gigabit ethernet in 2008? Because that doesn't sound like attacking a terrorist base or HQ, more like going after decent-sized state actors or third parties suspected of carrying evildoer traffic.

bigmacbearMarch 11, 2014 10:43 AM

Gigabit Ethernet to the desktop was available although not widespread in the engineering organization where I worked until mid-2005, so by 2008 it surely would not be uncommon in large enterprises (which would include government/military contractors). SOHO on the other hand is probably still constrained by external connectivity.

bobMarch 13, 2014 5:31 AM


I think we all know the definition of delusion. Hopefully, we're all also intelligent enough to see that if we're under a delusion we wouldn't be aware of it.

On that note, have you actually read the constitution?

nodotsJune 17, 2014 4:34 PM

@bigmacbear, et al

The US government regularly spies on US corporations (to make various assertations beyond the scope of a mere comment...) The golden rule in the world is: Those with the gold make the rules, but sometimes it's a war between those with the gold and those who make the rules.

Also, as to the timing... You adopt a new technology (and get involved / place your RFC's) before the masses get it all, or it gets secure to you in a GD hurry. To quote the vernacular, "Just sayin'."

FooJuly 22, 2014 11:04 AM

lateral question - how is it okay to discuss/refer/disseminate top secret documents, at least for the Americans here? I thought that was not allowed, even on leaked documents.

What I am asking is what is the legal justification — not taking a position on whether it is the right or wrong thing to do.


Nick PJuly 22, 2014 3:05 PM

@ Foo

I think most of the pro-leaker side's position is that the NSA is conducting illegal activities and illegally lied to oversight/Congress about their activities. The classification laws of the United States forbid the classification of illegal activity. So, their position would be that secrecy laws shouldn't even apply if they're just trying to cover up illegal and devious activity.

One might also try to push the First Amendment as more important than some classification laws developed in the 40's-50's. One of the main purposes of the First Amendment is accountability of the government to the people. So, here we have the government spying on everyone (violating 4th Amendment), trying to hide it with secrecy laws, and then getting busted via 1st Amendment by the leaks. It would seem to be a good case study on the power of the press to hold a government accountable.

name.withheld.for.obvious.reasonsJuly 22, 2014 8:48 PM

@ Nick P
Here, here. Well said. I'm a fan of national security but not a "national security blanket/noose" fanboy. With the likes of @ skeptical that cannot see past their noses, they also fail to see the "spirit" and history of our laws. This type of absolute myopia is completely dangerous.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.