RAGEMASTER: NSA Exploit of the Day

Today's item -- and this is the final item -- from the NSA's Tailored Access Operations (TAO) group implant catalog:


(TS//SI//REL TO USA,FVEY) RF retro-reflector that provides an enhanced radar cross-section for VAGRANT collection. It's concealed in a standard computer video graphics array (VGA) cable between the video card and the video monitor. It's typically installed in the ferrite on the video cable.

(U) Capabilities
(TS//SI//REL TO USA,FVEY) RAGEMASTER provides a target for RF flooding and allows for easier collection of the VAGRANT video signal. The current RAGEMASTER unit taps the red video line on the VGA cable. It was found that, empirically, this provides the best video return and cleanest readout of the monitor contents.

(U) Concept of Operation
(TS//SI//REL TO USA,FVEY) The RAGEMASTER taps the red video line between the video card within the desktop unit and the computer monitor, typically an LCD. When the RAGEMASTER is illuminated by a radar unit, the illuminating signal is modulated with the red video information. This information is re-radiated, where it is picked up at the radar, demodulated, and passed onto the processing unit, such as a LFS-2 and an external monitor, NIGHTWATCH, GOTHAM, or (in the future) VIEWPLATE. The processor recreates the horizontal and vertical sync of the targeted monitor, thus allowing TAO personnel to see what is displayed on the targeted monitor.

Unit Cost: $30

Status: Operational. Manufactured on an as-needed basis. Contact POC for availability information.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on March 11, 2014 at 2:05 PM • 10 Comments


BenniMarch 11, 2014 4:29 PM

@chris: there may be one method to find out. We know that the station on the rooftop of the us berlin embassy is emitting radar waves ald listens for such devices. One would have to carefully study the emissions, replicate them, and then one could go on a radar bug hunt in the city of berlin

Chris AbbottMarch 11, 2014 6:08 PM

@Benni: That's a good idea, because we know they target people and networks that they shouldn't be, especially in Berlin. The implant would be easy to sneak in because nobody would expect their friends to spy on them. Somebody should do this. I wonder what the range on that thing is.

pianissimoMarch 11, 2014 6:27 PM

@ Benni:

This type of eavesdropping is possible in an entirely passive way because VGA cables have leakage EMI. The implant just makes a stronger signal when lit up by CW radar, so the target can be distinguished from other sources and at a greater distance. It's notable that the catalog says "typically an LCD", since CRT (and plasma) displays have high-voltage amplifiers that already leak plenty of signal to be detected.

It's interesting that the catalog does not seem to have any implants for digital video in the style of RAGEMASTER or ANGRYNEIGHBOR. However, given that DVI, HDMI, and DP have mostly replaced analog video for both desktop and portable computers, it is likely the NSA has programs to exploit them. These digital signals require a completely different method of surveillance, so my bet is on a custom ASIC wirebonded to the connector shell of the cable, or inside the computer or display.

LeakyMarch 11, 2014 8:22 PM

Slightly off-topic, and I'm probably asking a silly question, but that's how I learn: Since I can isolate my cell phone by wrapping it in aluminum foil, is it reasonable that wrapping my desktop cables (monitor/keyboard/USB/RJ-45) in aluminum foil would reduce EM leakage?

Go ahead, crack tin foil hat jokes at my expense. :)

AnonMarch 11, 2014 9:02 PM

Moderator: FYI When I visited the main page about 20 minutes ago it showed 6 comments for this topic (RAGEMASTER exploit), but when I clicked the comments link this page had no comments on it. Went back up one level, refreshed, and it still said 6 comments. Re-clicked the comments link and still got nothing. Went back up to the main page again, refreshed, and now it showed 0 comments for every post. Tried refreshing that page a few more times and suddenly the comments counts all returned and now when I visit this page I see 6 actual comments. I don't recall ever observing that on this site. Hoping it's due to periodic maintenance.
21:00 - Edited to add: tried submitting this comment & received an 'invalid request' error.

Matthew WeigelMarch 11, 2014 9:10 PM

Is it that "interesting" or surprising that the catalog didn't handle digital video signals in 2008? Most new computer and/or monitor purchases at that time were LCD, but there was still a fairly sizable installed base of CRT monitors, or older computers that had been upgraded with an LCD monitor (but were probably still using VGA output). That has probably been a focus of work in the intervening 6 years.

yesmeMarch 12, 2014 3:30 AM


The biggest problem, by far, is the RJ45. Today's internet security is a joke. It is way too complex. If you are on the internet they probably have everything.

The TAO equipment is only for the "real spying". High valuable targets.

So if you want to "secure" what you are doing, don't use the internet on your working computer. Use an air gap.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.