The NSA and GCHQ have successfully hacked Israel’s drones, according to the Snowden documents. The story is being reported by the Intercept and Der Spiegel. The Times of Israel has more.
EDITED TO ADD (2/11): Cryptanalysis of intercepted Israeli drone feeds.
@b
I’m neither surprised nor annoyed that the NSA have hacked Israeli drones and I suspect Bruce is of the same opinion.
Spying on foreign powers is the bread and butter of intelligence. Mass surveillance on one’s on citizenry is different.
As this is a security blog I assume the story has been posted to keep people abreast of newsworthy stories and not to criticise (in this instance).
Clive Robinson • February 1, 2016 3:52 PM
@ Bruce,
You might want to dig back in time a few years, to when the –supposedly– secure IDF radio systems were being “listened into” by the –supposedly– technicaly unsophisticated Hezbollah. Who were to some outside observers doing rather better than expected at the war than the IDF (it’s an open debating point according to others ;).
Thus some people are starting to think that IDF tactical radi)o systems may not be keeping upto date as far as security goes…
Others have indicated that “external ElInt&SigInt help” came from North of the Black and Caspian Seas. Which just so happens to be in the news over ISIS and support of Syria (it’s not just the US playing “The Great Game” in the ME).
Nick P • February 1, 2016 4:38 PM
(radio marketing voice) “The good news is that DARPA has been busy funding ways to prevent your drone feed from being hacked in the near future! Please check out our catalog and project page of all the steps we take to keep your drones aimed at the right people.”
Anon • February 1, 2016 5:58 PM
To people saying that this is what the NSA is supposed to do, well, it’s a fair point.
But have you considered that if we can hack them, then they can probably hack us?
So, is it wise to be building a drone fleet that the US increasingly relies on, that can be taken over by a hostile entity and used against the US?
Doesn’t this dependence remote controlled warfare strike anyone as extremely unwise? Heaven forbid we ever see a war with Russia or China, but it’d be nice if our weapons were not trying to kill too. At some point smart weapons become a really dumb idea.
Clive Robinson • February 1, 2016 6:57 PM
@ Anon,
But have you considered that if we can hack them, then they can probably hack us?
I wold have thought the answer to that is obvious.
The question I would have thought that would have come up is “How do you scramble video in a transmission channel designed for unencrypted video?” especialy if done at short notice (it’s the same problem a crowd funded organisation is having with “audio” and mobile phones).
In effect it’s the same question “pay TV vendors” have been asking for years, and it’s not an easy one to answer as history has shown.
In the past the usual way was to tweak some of the lower frequency signals used for frame and line sync. In more recent times other tricks like sending lines out of order via frame buffers have been used.
The real problem is video is wide bandwidth with poor spectral utilisation and bandwidth especialy via satellites is expensive. Which is why video gets compressed prior to transmission, the problem is the compression is designed to work on relatively slow changing analog signals and produce a narow bandwidth output “that is tailored for an unencrypted channel”. Neither the signal or the transmisdion channel can deal with truly random signals, which is what either encrypted raw video or compressed video would look like…
Thus with the “short notice” requirment, what’s the betting that they used a bunch of low cost Commercial Of The Shelf (COTS) chips designed for the “pay TV vendors”? Which might also account for why fairly readily available software can brut force it…
Having being involved several years ago in the design of a secure “teleconferance system” that would survive commercialy available satellite channels, I can tell people for free “it ain’t easy”…
65535 • February 2, 2016 3:50 AM
@ Clive
‘“In more recent times other tricks like sending lines out of order via frame buffers have been used… Having being involved several years ago in the design of a secure “teleconferance system” that would survive commercialy available satellite channels, I can tell people for free “it ain’t easy”’
That makes sense. It would also explain why just single frames are being decrypted in the Snowden documents [2009 -2010 time frame]. By now the advancement of said decryption must have quickly advanced.
I wonder how the F-16 heads-up display was decrypted. Was a back door in American made communication equipment implanted? Was it a bug in the interface of the Comms with “fly-by-wire” air-frame navigation system?
Was it compromised satellites or repeater systems? Was it a software bug or a deep firmware backdoor?
If all American sold F-16’s have this problem then new foreign buyers may think twice about buying American aircraft. This thinking could extend down to American “smart munitions” and so on.
If the NSA has backdoored American weapons systems or possible the chips that go into said weapons systems the out come could be huge negative for future sales of said American systems.
Bruce Schneier • February 2, 2016 4:55 AM
“I’m neither surprised nor annoyed that the NSA have hacked Israeli drones and I suspect Bruce is of the same opinion.”
Yes. I am not surprised. And hacking foreign military networks is exactly the sort of thing I am paying the NSA to do.
blake • February 2, 2016 6:58 AM
Is the theme:
If the Israeli military can’t harden combat drones against hacks, how can you reasonably hope that the video camera on your smart TV is safe from that Ukranian botnet?
Maybe the theme is: we haven’t heard about the weapons systems that the Chinese / Russians / etc have hacked because they have better OpSec. Troubling.
@65535
If the NSA has backdoored American weapons systems or possible the chips that go into said weapons systems the out come could be huge negative for future sales of said American systems.
If?
NSA has already backdoored (and front-doored) US-based email providers and social networks. Would you say these would be a higher or lower priority than weapons systems sold offshore? If you were in charge of securing a country, which would you tap first?
Clive Robinson • February 2, 2016 8:22 AM
@ 65535,
If all American sold F-16’s have this problem then new foreign buyers may think twice about buying American aircraft. This thinking could extend down to American “smart munitions” and so on.
It should apply to anything that is not purely mechanical, where all inputs and outputs can be seen, and component parts tested and replaced by localy sourced parts.
The reason is simple “Only a fool gives a potential enemy a gun to shoot them or their friends in the head at a later date”. Thus you would think the US is being very foolish selling weapons to other countries…
There is however another issue that has to be considered, which is the problem of “How do you get your money back from buying raw resorces from a foreign country?”. In the case of the US buying oil from the Saudi’s it’s sell them something that is vastly over valued… But to ensure they buy the Saudi’s must have “a need” that is not going to be satisfied by others.
Thus “Trouble in the ME” is good for weapons sales into the ME and Saudi Arabia in particular. Weapons especialy high tech smart weapons are ridiculously over priced to a point well beyond obscene. And by and large they are a compleate waste of money, even if you do use them[1]. If you do the ROI calculations Saudi is getting a much better deal exporting “radical medieval religion” than it is buying US smart weapons.
The Israelis know that at some point they are going to get attacked by another ME country supplied with weapons from a Super Power like the US, Russia or China (or even European consortia). Thus Israel rather sensibly is developing their own independent military capabilities, and financing it by foreign sales. The Israeli government are however, as has been seen with the Israeli Premier giving an invited “hate speech” in the center of the US legislature, keeping in very close with certain US political parties (hence the recent out cry from some US politicos when they discovered they were NSA and GCHQ targets).
Thus it is almost certain that there are several “kill or miss switchs” in all smart weapons and delivery platforms the US sells to potential anti-Israeli countries (likewise it’s a certainty there are kill or miss switches in what Israel sells). Such switches will be built in, in a way it’s very difficult to find, and effectively impossible to remove and still have a functioning weapon or delivery platform…
Which means that the US has a control mechanism not just on any anti-Israeli country they have supplied weapons to but also on Israel as well, and thus a very very powerful political tool, sgould they wish to use it.
The British learnt the hard way during the Falklands War the problem of smart weapons and a lack of kill / miss switches. The Argentineans had purchased “anti-ship” long range missiles from a French arms manufacturer. The country with probably the second most advanced anti-missile systems in the world at the time found they had a very real problem. Likrwise during the Gulf war Israel found that modified 1960’s designed Russian scud missiles were difficult to impossible to stop even with what was portrayed as the worlds most advanced anti-missile system.
You can be sure that the lesson of not having a kill / miss switch was not lost on the UK / France and US / Israel and it’s probably safe to assume Russia and China as well.
One of the mildly amusing things in UK Politics currently is the new leader of the current oposition party, has indicated that the “UK Nuclear deterrent” is not something he thinks the UK needs or more importantly can afford. In all the rhetoric going backwards and forwards one thing no politico has dared come clean about is “The US veto” on the UK Nuclear missile launches. When you read about it it’s usually expressed ad a “gentlemans agreement” and nobody talks about “technical measures”. Even though there is the so called “special agreement” it’s realy only about the original BRUSA –later UKUSA– agreement, nothing else. As history shows the US in no way trusts the UK and has frequently sabotaged in one way or another any UK lead in technology that has potential, especialy military potential. Thus the UK has a unique claim to fame, it is the only country in the world that having developed not just ICBM but space launch rocket capability and deployed a satellite into a long orbit, has given up on the technology because of the preasure of a foreign –supposadly allied– nation… Which means the UK “independent” stratigic nuclear deterent is anything but… The UK has to beg the US to “uhlock it” if the UK is ever to use it and as the Falklands war demonstrated the US will say NO… Thus the UK nukes realy are a waste of money on “political puffery”.
[1] The reason smart weapons and their delivery platforms are a waste of money is it’s “the price of US&Western home politics”. The US voter does not want to see US troops in body bags, or the US slaughtering other nations civilians, likewise other Western Nations (the self delusion of the “moral high ground” is realy “a cost to far”). Because of the “civilisn sensibilities” the military is “ham strung” by it’s political lords and masters who have to pay at a minimum lip service to the media that tells their civilians what to think and who to vote for…
Thus Smart weapons minimise “collateral damage” and the platforms such as drones minimise “body bags”. The development cost of these systems will never be repaid when considered against more conventional systems used in “all out war” where collateral damage is mainly irrelevant.
Take for instance a 1000Kg “iron bomb” it is basically a heavy iron case –for kinetic fragmentation– with a large quantity of explosives that are around 20% fuel 80% oxidizer with a tail end “air log” arming screw and sometimes delay detonator if pre contact explosion is required. The iron case is designed in a reasonably areodynamic way to “fly” a reasonably reliable path to a target. Most aircraft inertial navigation systems provide sufficient information for a 10USD SoC computer to compute the drop point and automaticaly release the bomb…
All the smart electronics does is provide a little flight adjustment to make it more accurate that is take the targeting error down from tens of meters to tens of centimeters. Or from the size of a carpark down to a car or even it’s boot. Thus you see a funny looking “nose” and more “boxy” tail strapped onto the existing iron bomb. The nose is simply a “tracker” not to disimilar to those toy “light following” robots that sends a “bang bang” flight adjustment to the boxy tail fins.
The information you need to build such a “smart device” can be easily found on the internet. A slightly more sophisticated version would use giro’s and other systems to reduce the ability of the enemy to jam or misdirect the chosen bomb path. The ability to develop such a smart device is well within the capability of most second and quite a few third world countries if they wished to do so.
But they don’t wish to because by and large they don’t need to. In “all out war” especially with asymetric adversaries, then a helicopter loaded with oil drums with explosives and scrap iron or white phosphorus / magnesium or other “flare material” is all that is realy needed. Slightly more sophisticated is oil drums filled with a fuel and a core rupture to disperse and flare to ignite system to make much more effective “blast wave” FAE capabke of turning tanks over and leveling city blocks.
With the addition of other matetials to an FAE such as PTFE flare material you can profile the FAE blast wave to turn them into “hyperbaric” or “Tunnel / bunker buster” bombs. And it’s only for these you would need the “smart” targeting system…
Such design and development is well within most engineering and chemical science graduates abilities…
anon • February 2, 2016 10:46 AM
here is a “cryptanalysis” of this operation which may be of interest to readers here http://samvartaka.github.io/cryptanalysis/2016/02/02/videocrypt-uavs
Jacob • February 2, 2016 12:14 PM
@ blake
“If the Israeli military can’t harden combat drones against hacks, how can you reasonably hope that the video camera on your smart TV is safe from that Ukranian botnet?”
Rob Graham just tweeted this today:
“There’s a little alcove in my living room, just out of sight of my Samsung TV, where I write in my diary.”
Vesselin Bontchev • February 2, 2016 12:35 PM
In 2009, the US military used unencrypted drone feeds in Iraq, which were intercepted by the insurgents.
I guess, the Israeli military learned from that experience. They decided to get “real secure” and use… Videocrypt?! S’rsly? WTF, man, WTF.
Clive Robinson • February 2, 2016 1:36 PM
@ Jacob, Blake,
That almost describes a sceen from the black-n-white movie of Orwell’s 1984…
Clive Robinson • February 2, 2016 1:53 PM
@ anon,
Very much as I thought it would be.
It’s surprising how few people actually understand the issues with encrypting analog signals that have to go over existing “psudo analog channels”. It’s why the kickstarter project to make an analog inline voice encryptor for mobiles hit real problems.
@ Vesselin Bontchev,
As I indicated further up the problem the Israeli’s had was retrofitting an existing analogue system with some kind of encryption without changing the analog charecteristics of the signal.
So they went the way of “pay TV” and “scrambled” rather than “encrypted”. The advantage of scrambling is that it does not change the signals spectral charecteristics very much, there are plenty of Commercial Off The Shelf (COTS) chips / sysytems / solutions and proven designs. So no major / impossible changes to systems, fast availability of component parts and very high probability it will “work of paper” without much need for testing, basically win / win / win in the short term.
The major hurdle to overcome and at an eye wateringly high price is the satellite payload… You can’t just send “a man with a van” to make changes up there…
Curious • February 2, 2016 2:40 PM
Please forgive my dense text below, this is I think the most efficient and what makes best sense for me, though the readability of the text probably suffer to some degree.
I am not a fan of nation states conducting espionage or conducing hacking on other nation states, so:
I wonder if Bruce has given consideration to if the idea of hacking into computer systems and networks in general could be a thought of as being an act of war, or not, on a general basis (and, perhaps paradoxically if such hacking also couldn’t possibly be an act of war on a general basis).
I am attempting to provide commentary around the specific and general use of such a word like “hacking”, so I am compelled to try use generalizations on my own to make my points clear.
Admittedly, having everyone judging what is and isn’t an act of war probably isn’t very interesting, nor wise (as if having a national vote for going to war in interpreting something otherwise considered to be a threat), however I would argue that the accountability of a democratic society is at stake if the description of actions, consequences and opinions on a political level can’t be evaluated for logical or philosophical soundness, if the way in which a state and a nation prepares for, supports or sustain in ways in other countries, or wages war, by pragmatism (hysteria, as in anger, insecurity, loathing, or, vengeance) or any relativistic views on reality (inconsistencies).
A concern of mine is then that interpreting what is and isn’t an attack (a common word describing something generally deemed very offensive) then wouldn’t be subject to common sense in discussing these things when discussing the “hacking” of computer systems and networks as events; and instead an interpretation of what is and isn’t an attack is subject to the power of projection on a political level (military, police, etc), as opposed to having a real or hypothetical event regarding intrusion into computer systems and networks (unauthorized access) being subject to this more basic human power of interpretation of reality (which imo would be the basis of academia and any discussion of politics). And so, the mere notion of an intrusion into computer systems or networks would imo risk being a supposition without meaning, if such events were simply thought of as being an act of “hacking” in general, and worse, whatever practices are involved in performing hacking attacks into computer systems and networks would imo easily be sanctioned efforts, that in any case would be subject to a kind of whitewashing based on claims of legality, and not on morals for purpose of understanding the intent and the motive for any case of hacking operation. Please compare now wide-scale-hacking activities or goals, with wide-scale-warfare of today; an utmost serious series of event having become trivialized I would argue.
I can foresee a bunch of issues, which basically have society being nothing more than yes-men to politicians or other leaders on a soap box, specifically if the powers of interpretation about en event is either: a secret, something pre-emptive so as to enact planned actions with no recourse, or being lies, or something tragic (i.e being overlooked for no reason), or simply being generalizations which in turn could spur seemingly random outcomes in a society, briefly or over time.
A problem as I see it, is the difficulty, or rather, the impossibility of understanding “hacking” as a meaningful term when used as a generalization to characterize a real live event between nation states, because how can a “hacking attack” be a meaningful phrase, if one in an act of contemplation deemed that the act of hacking into computer systems and networks in general shouldn’t, or, couldn’t possible be an attack (ref. “everyone is doing it, relax” type of argument), or on the contrary, if such an attack were to be understood as being “hacking” (“everyone is doing it, but lets get angry”). So, I would think that “hacking” and “attack” when used as verbs (transitive verbs) used in the same context, or rather when implied as such, might as well be meaningless as references of actions, because of how “hacking” and “attack” the way I see it, could then have no inherent meaning when used together, nor separately, when using one for describing the other; as if the meaning for what would easily by people be described as hacking and attacking, would be deferred, the same way killing people in war, isn’t considered ‘murder’ by the ones supporting the killing, a linguistic ploy in a way, by, or perhaps, for, the powers at be, effectively wanting to hold themselves accountable by their own society by simple logic (cue law and powers as excuses).
I think a subset problem of not being able to call a shovel a shovel, so to speak, might be doubly unfortunate when the language used for describing government policy and government action becomes either one sided to favor one party of interests, or that it voids any meaning to would otherwise be had from common sense in a public debate.
Although Bruce apparently voices support for US’ NSA to literally be hacking foreign military networks in a comment above here, I think it is a mistake to take a back seat position to such activities this way. One local issue raised in my country (very briefly) was Norway’s attack on Libya, in which F-16 jetsbombed Gaddafi’s palace and whatnot, based on the whims and perhaps more importantly sanctioned by a very few countries having a permanent seat in UN’s security council: countries like USA and UK which otherwise aren’t known to be peaceful.
Skeptical • February 2, 2016 7:18 PM
@65535: Was a back door in American made communication equipment implanted? Was it a bug in the interface of the Comms with “fly-by-wire” air-frame navigation system?
Incredibly unlikely for numerous reasons, not least of which is that this type of intelligence would probably not have been reported (referring to the original internal reporting of it as disclosed by the media article) in the way that it was (and note its distribution to nations like Canada, Australia, and New Zealand, all of which purchase and use American military technology). It sounds more likely that the aircraft was being used to conduct the same type of reconnaissance as the UAVs, perhaps transmitting a similar feed.
@Clive: Thus you would think the US is being very foolish selling weapons to other countries…
It has nothing to do with balance of trade as you imply later in your comment. In 2015 the US imported 2 billion dollars more from Saudi Arabia than it exported, for example. Primarily the US uses weapons sales to affect balances of power.
the UK … has given up on the technology because of the preasure of a foreign –supposadly allied– nation
Source?
Which means the UK “independent” stratigic nuclear deterent is anything but… The UK has to beg the US to “uhlock it” if the UK is ever to use it
Sounds deeply unlikely to me. Source?
and as the Falklands war demonstrated the US will say NO…
Not sure what this is about. The US provided military and intelligence support to the British, even offering a carrier at one point. Supposedly the Soviets unwittingly provided satellite imagery.
The reason smart weapons and their delivery platforms are a waste of money is it’s “the price of US&Western home politics”.
The ability to reduce civilian casualties is certainly an advantage of more precise weapons, but that’s not actually why they were developed or why they’re so valuable from a military perspective.
Essentially the idea is that the precision, guided nature of the weaponry, when joined with sensors and communications, acts as a force-multiplier by reducing the effects of defensive measures taken against the effects of modern firepower. The Soviets were particularly concerned about this technology – part of the development of what were termed reconnaissance-strike complexes – due to the threat it posed to second and third echelon forces in the event of war between NATO and WP/Soviets. In fact the Soviets may have defined this as a likely and dramatic shift – a military technical revolution – before anyone else.
Moreover there are vital functions provided by the aircraft mentioned here that you don’t describe, which accounts for a large part of their expense. And even what you do mention is quite a bit more complicated than you make it sound.
Remember that nations purchasing such weapons are doing so not to stave off insurgencies but to maintain a credible military force against neighboring, sometimes hostile, states. Exploding barrels with a predictable point of detonation dumped out of helicopters won’t do the job if your adversary has a fleet of air superiority fighters or a modern air defense system.
And even if your mission is against an enemy without an air force and without anti-air capabilities, such weapons will not be as effective as precision weaponry that can provide friendly ground forces with close air support.
Clive Robinson • February 3, 2016 8:53 AM
@ Skeptical,
Sources ?
You need to view things in the setting of the run up to Oct1957 through to the early 1960’s. At that time there were only three countries that had the knowledge and resources to put a satellite in space. The UK certainly had the scientific knowledge and some practical knowledge, from it’s own Blue & Black missile / rocket devekopmrnts. Most contempory information indicates the UK was the leader on this. Due in part to Eisenhower’s appointment of “engine charlie” wilson and his personal financial intetests the US were not realy looking at IRBMs let alone ICBMs. Center stage was given to Curtis LeMay and his “psycho” tendencies. The only limmited interest in satellite’s was the CIAs Bissle who –fell from grace over the bay of pigs– was running the U2 program. Over in Russia LeMay’s psycho tendencies and his demands over the “bomber gap” were causing significnificant alarm in Russia. Premire Khrushchev knowing full well that there was no way that Russia could close the “Bomber Gap” decided to back Rocket designer Korlov and develope IRBMs (that gave rise to the Cuban Missile crisis) and ICBMs that initialy were to be the R7 rocket. However it was the 1million pound thrust of the R7 that launched the 182 pound Sputnik 1, that caused the US to “wake up and smell there fear it was in”.
As history shows Eisenhower’s view that balancing the US economy and cutting back on defence was probably the correct choice for the US well being. Contray to what MIC players like LeMay were banging on about there was no nukes threat let alone “gap” from Russia, there was no “bomber gap” and later there was no “missile gap” either.
However US politics, ever a dirty game that totaly lacks reason and sense took center stage and was pushed and used by notable political personalities including later JFK.
Thus at the begining of Oct 57 news of Sputnik 1 produced little reaction in the US citizens. However by playing the press in a few short weeks there was near panic that Russia would be dropping nukes on the US. This was despite common sense and science. At the time functioning nukes were not in the 500pound weight range let alone the near 50pound Davy Crocket of later times, they were up in the 5000pound+ range, and there was no way those rockets were going to lift thirty times the weight of Sputnik in any short period of time.
But drum banging had caused near panic in the US population, thus the US for political reasons had to not just catch up with the Russians it had to actually catch up with the British first… It was made worse because due to various political actions in the US, the US apparently went from disaster to disaster with it’s rockets whilst Russia went from success to success. Thus the US had to go into face saving mode. As a result the US has it’s student loans system and NASA.
But the US had for face saving reasons to “become the leader of the pack”… This was because it was felt that the only way to get elected as President, the US had to be “The World Leader” hence the later speach by JFK about getting to the moon in the next decade. It was a target thought so impossible to reach for any nation other than the US with it’s vast industrial resources.
But the British were not playing the game the US wanted… And the US had by 1960 two advantages. The first was the crippling UK war debt from “lend lease” the second that the US Army rocket research under Von Braun and the other German scientists and technicians became –in part due to Walt Disney– the backbone of NASA. As the US significantly strengthend by WWII had spare industrial capacity this fairly quickly provided the German scientists and technicians the ability to “catch up” even if it was by using “Devil’s Brew” propelents that were compleatly unusable for IRBMs and ICBMs or any other strategic, military or industrial use.
In Britain there was no “excess capacity” of any kind. British rocket development was for military and industrial use only as it had to pay it’s way.
The US knew this and thus political preasure was brought to bear via the war debt, when this stick did not work the carrot of virtually free launches on NASA rockets was given. Unfortunately the UK Gov under MacMillan fell for it and started to close down the Black and Blue rocket developments. The only reason the Prospero satellite was launched, was that it had all not only been built it was in transport. Unsupprisingly, after MacMillan had shut down British rocket development the US “virtualy free” use of NASA rockets never materialised. This left the UK in a bind over it’s IRBM and ICBM needs. The US then alowed the British to use it’s submarine IRBM design but at a significant cost. Not just financialy but in technology hand back where the UK had to give for free any improvments it made to the design back to the US, and the real sting in the tail, the fact the UK had to obtain US approval for every launch…
If you want to dig into primary sources of ibformation the first place to start is a secondary source,
From which you can get pointers to primary source records in the UK NRO at Kew Richmond South West London.
For the Russian side of things you could ask Russian Premier Khrushchev’s son. Prof Sergei Khrusnchev is a US citicen at Brown University, but he trained as first an engineer and then a rocket scientist, and due to his fathers position, is possibly the last eye witness to what went on in that very secret world.
Wael • February 3, 2016 10:04 AM
You need to view things in the setting of the run up to Oct1957 through to the early 1960’s…
@Clive “the encyclopedia” Robinson takes people to school 🙂 [1]
[1] Clivepedia 🙂
ianf • February 3, 2016 6:10 PM
@ Clive Robinson “It’s surprising how few people actually understand the issues with encrypting analog signals that have to go over existing “psudo analog channels”.”
Corroborating evidence, vintage edition, right up Clive’s timeframe lane:
[The Telegraph’s correspondent David Pryce-Jones memory vignette of Golan Heights during Six Day War, 1967]
[…] “At one point, I took shelter in a [Israeli] signals truck. The Major inside had been in the Red Army and was taking down the fire orders spoken in clear and in Russian on the other side. The coordinates gave away the position of the guns, and aircraft then took them out.”
[… excerpted from his memoir “Fault Lines” (long)]
Figureitout • February 3, 2016 10:35 PM
Wael
Clive “the encyclopedia” Robinson takes people to school 🙂
–Yeah if only he was as forth coming w/ some of his “secure” code he likes to brag about quite a bit…uploading it to a github site would be nice and trivial as well.
Wael • February 4, 2016 12:17 AM
@Figureitout,
Yeah if only he was as forth coming w/ some of his “secure” code he likes to brag about quite a bit…uploading it to a github site would be nice and trivial as well
Perhaps he has his reasons. Some cannot share detailed designs like source code or schematics because of legal obligations, NDAs, or such. It’s “safe” to talk about high level concepts and principles. Then again, given the disdain he shows for “code cutters”, I doubt he’d encourage the practice by allowing others to “cut his code” 🙂
One of these days you’ll end up in a job that dictates what you can and cannot say or share in public, especially if you use your real name.
Figureitout • February 4, 2016 12:32 AM
Wael
Perhaps he has his reasons.
–Perhaps it’s bullsh*t and his code is not as secure as he says it is? He can put in a legal agreement for no one to cut his code (even build it, if he’s that much of a control freak), but study it if it is actually “novel” and “secure”.
One of these days
–Yeah, that’d be nice. If the pay is right you won’t hear a peep out of me; otherwise I’ll try to release secrets thru my personal projects (which I am).
Wael • February 4, 2016 12:43 AM
@Figureitout,
Perhaps it’s bullsh*t and his code is not as secure as he says it is
Would you need a full source code to understand a high level guideline such as: Initialize the return code of methods or functions (routines, modules, whatever) to “fail” rather than “success”? It’s an implementation of “fail safe” and “default deny” principles.
Figureitout • February 4, 2016 12:55 AM
Wael
Would you need a full source code
–I mean, for some of his described things, yeah. I want to see exactly how he implements that.
For instance, do you do:
if (fail)
goto fail;
else
goto success;
Or does it matter vice-versa? How else do you implement that?
That’s not even really my question. It’s all the other edge cases he handles w/ 1980’s C-code. I’m just not buying it. You would need an attack on the Microchip toolchain and WinXP, which is likely what he’s using to develop his main homebrew.
Wael • February 4, 2016 1:32 AM
@Figureitout,
Getting too sleepy after an all nighter which is unusual for me this early! . The security of a piece of code can be attributed to one of the following:
1- An implementation of a “secure” algorithm — a description of the algorithm is sufficient.
2- A list of guidelines — you can find most of these if you search or look at the output of tools like Coverity or Klocwork, or other static analysis tools.
3- Protection against “side channel” information leaks, for example keep your throughput constant to resist timing attacks.
4- …
Most of these “rules of thumb” were discussed to various details here.
For instance, do you do:
if (fail) goto fail;
else goto success;
Or does it matter vice-versa? How else do you implement that?
Suppose you have the following, which is a simplified example for illustration of a “concept”. Other mechanisms would need to be in place as well.
int Func1 (p1, p2) {
int returnCode = true;
/* do some stuff
If ( process fails ) {
returnCode = fail;
}
…*/
return returnCode;
}
This won’t be as robust as the following:
int Func2 (p1, p2) {
int returnCode = fail;
/* do some stuff
If ( process fails ) {
returnCode = fail;
else {
returnCode = success;
}
}
…*/
return returnCode;
}
The reason is if Func1() is interrupted before it sets returnCode to fail, then there is a better chance some security mechanisms can be bypassed. Func2() has a smaller “window of attack”.
It’s the reason I talk about “security principles” and how they are implemented in “architecture”, “code implementation”, and “OPSEC”. If you look at the principle of “Least Privilege”, for example, you’ll see it can be applied in team formations, role assignments, access controls, conceptual approaches, security architecture, and coding best practices. A violation of this principle — even if an immediate weakness cannot be uncovered by pen testing — is sufficient to label the design as “weak”. It’s one of the reasons I say: an architect shouldn’t wear an “attacker’s hat” when designing a system. The same can be said about other “principles”…
The majority of C-v-P discussion was about encapsulating “security principles” in construct building blocks. Things like “attack trees”, in my humble opinion, aren’t suitable for architecture design; they are excellent tools for pen testing, which in turn can uncover weaknesses either in implementation of architecture that can be remedied in subsequent designs…
Wael • February 4, 2016 1:37 AM
@Figureitout,
See! Too sleepy. Take the if condition out of the comment block. Take the rest of my post with a grain of salt, some vodka, and a slice of lime. My neuron(s) aren’t coherent now. Lol 🙂
ianf • February 4, 2016 1:57 AM
@ Wael “Too sleepy. Take the if condition out of the comment block.”
You’d better, or I’d have posted JUST WHOSE EYES IS HE TRYING TO PULL (WHOSE?) WOOL OVER—which I now won’t have to. Then again, in principle you could have hacked the compiler to examine comments for executable code snippets to secret-encode, compile in, & confuse the opposition ;-))
Wael • February 4, 2016 2:09 AM
@ianf,
From my bed: I gotta check my comments after submitting them. This blog has too many eagle-eyed merciless reviewers 😉
I wanted to talk about the cardinality of the set of prime numbers, but I’m too tired. I have a feeling someone is going to be torn apart by the morning. Can’t wait to see that 😉
Wael • February 4, 2016 2:17 AM
@ianf,
Then again, in principle you could have hacked the compiler to examine comments for executable code snippets to secret-encode, compile in, & confuse the opposition ;-))
That’s a nasty backdoor vector. Check a previous link I posted by Ken Thompson. Too tired to look for it. Now leave me alone to count the fricken sheep: 2, 3, 5, 7, 11, 13, … (These sheep will make prime cut lamb.) See how silly I get when I’m sleepy?
Wael • February 4, 2016 11:27 AM
@ianf, @Figureitout,
Too tired to look for it
Not tired anymore… Here is the link to Ken Thompson’s paper. The link is now broken, but this one works: https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf … I have a typo in there, might as well fix it: replace “gain” with “chain” in If the tool gain.
@Moderator,
You may want to fix this link as well We know from Ken Thompson’s famous talk on “trusting trust”, as it’s now broken.
Nick P • February 4, 2016 1:30 PM
@ Wael
Nah, his counter was bad in a way that’s incredibly common even among INFOSEC pro’s: defaulting on Thompson paper to justify compiler concern is a problem. It’s literally the least likely subversion a reader will encounter while also being the most cited example of tooling subversion. Most problems happen elsewhere in the lifecycle or stack with compiler-related breaches more often due to optimizations. The latter are such a big problem that source-to-object code traceability and equivalence is required in high-assurance systems (esp DO-178B) w/ certified compilers as an alternative in progress. So, I threw together a fire-and-forget post to drop on this topic here with links on aspects of situation. Myers or Anderson should probably be the default citations for subversion, including tooling.
Note: Btw, check out the first link that presents high assurance. I couldn’t find a single paper or link that adequately explained the mindset to newcomers with right examples and stuff. That’s the best one I’ve seen for concept level, esp w/ aviation comparisons. Needs improvement but think it’s a good start?
Note 2: Being extremely unlikely & always cited as a demo of subversion instead of work like Myers may also increase odds someone learning INFOSEC will ignore the subversion risk as impractical. They might think, “So, that’s the best people came up with? And it basically never happens? Let’s just diverse, double compile everything and we’ll be fine.” No they won’t. 😉
Wael • February 4, 2016 4:42 PM
@Nick P,
It’s literally the least likely subversion a reader will encounter while also being the most cited example of tooling subversion.
Least likely, yes. Most damaging, maybe. You need to multiply likelihood by impact to get severity, or something like that 🙂
I’ll get back to you on the first link. Took a quick glance, and guess what caught my nostalgic eye? “Son of Orange Book”! Not surprising, coming from you. You probably found that link by searching for you favorite color. Mua ha haha 🙂
Nick P • February 4, 2016 6:06 PM
@ Wael
“Most damaging, maybe. You need to multiply likelihood by impact to get severity, or something like that :)”
Lol yeah risks digest or something rather. Nah, the greatest risk/damage combo is stealth subversion of your PC or a recovery mechanism it depends on. Next greatest is subversion of theirs that do distribution of binaries and shows signature to users. Next is malicious developers inserting clever backdoors. Next is intelligence agency in Five Eyes pushing implementations having covert or side channels. Next is malicious developer letting optimizations of a specific compiler eliminate security.
That’s my attempt at priority off top of head based on damage done.
“Son of Orange Book”! Not surprising, coming from you. You probably found that link by searching for you favorite color. Mua ha haha :)”
Haha. Nah, our pedigree is just full of so many great people and problem solving that I accidentally stumble on goood works from that legacy all the time. This time, it was the only one I could find in 20+ minutes that wasnt lacking in understanding or overdoing certification stuff nobody cares about. That’s saying something about the rest of the security literature. Just not sure what… 😉
Wael • February 4, 2016 11:25 PM
@Nick P,
I’ll get back to you on the first link
Looks like a high level overview presentation with some history of evolution. Good luck with the test 🙂
Figureitout • February 5, 2016 12:39 AM
Wael
–Gonna keep this short.
security of a piece of code can be attributed to one of the following:
–And quite a bit more, like your physical environment; if you can defend against catastrophic failure (safe fail, it’s hard to even imagine (I can’t…), let alone implement) I’d feel fine against most viruses if physical destruction is electrically impossible. Means I should be able to securely regain control of my own PC.
I’m done w/ the talking though and “principles”, that’s ingrained in our brains and meaningless w/o some real examples, I want to see raw code. Stop teasing goddamnit lol…Clive talks as if he’s got code that doesn’t exist publicly…This is why I can respect open-source coders, b/c they put their code out for anyone to judge all they want and make things everyone uses anyway…
RE: sleep
–Looks like I’m going to be up late too for awhile and get used to 4-5hours sleep daily…thanks anxiety…:/
RE: K.Thompson’s paper
–It was sick, legendary hack. Can literally destroy electronics if all compilers become infected and can’t rebuild w/ a clean one….I’d want the real source file as his C-code in the article was obviously not compilable…
But design in my mind involves code and hardware, too much knowledge to be in one mind. You simply need a team, any technical project, sometimes it’s a “one-man team”, but if it’s a real team the projects get pretty sick…
You can have last word lol…back to my slavery :p
Figureitout • February 5, 2016 12:51 AM
Wael
–Bah, one more thing. Just thought I’d say, how cool would it be, a serious-level (maybe Google, whoever) investigation into regaining control of micro-code infected PC’s…Imagine how valuable a product that could recover any PC to factory default (that could still contain a backdoor) would be worldwide…Bet it’d be worth Apple and Google together.
Figureitout • February 5, 2016 12:59 AM
Wael
–Oh, one more thing. I’m posting now, I’ll be dead until summertime lol. Posted a project to schneier.com and begged for someone to rip it to shreds. No one can name a single attack that I can reproduce. I’ll treat that as an advertising point lol. Some of the latest $30,000+ tools could probably easily capture RF comms (not older spectrum analyzers, too fast for them) but probably not the protocol.
If you make one, be sure to post here.
Wael • February 5, 2016 2:38 AM
@Figureitout,
begged for someone to rip it to shreds
You haven’t understood a word I said :] Happy hibernation! I’ll look at it sometime, though.
ianf • February 5, 2016 4:40 AM
@ Wael
your intention to—I think—talk about carnality of sheep (and then of the juvenile, prime lamb cut variety) in your sleep noted; filed away for a rainy day.
That out of the way, I thank you for your link diligence even though, this compiler stuff, you’re 25 or so years too late… that’s when I decided give-me-interpreted-or-give-me-death. Still here.
Nick P • February 5, 2016 9:53 AM
@ Figureitout
Altran-Praxis’s Tokeneer demonstrated Correct-by-Construction software. It came with code. The formal methodists doing grand challenge with various tools are posting code. That includes a C stdlib from Frama-C people w/ specs and code. Cambridge CHERI team is releasing HW and SW code. Ironsides DNS has code. Bernstein’s method comes with code. Oberon system in safer language has full docs and code. Now a CPU, too. GenodeOS, MirageOS, and JX have code. Coq, Ocaml, and Haskell communities are full of code implementing robust software and compilers (eg CompCert). And on and on.
So, there’s certainly plenty of code to draw on from various groups producing software or hardware with higher correctness and security. They release it then the majority ignore it and go back to untrustworthy stuff. (shrugs) Does it surprise you that most smart people stop releasing code for free under such circumstances? They license it to recover cost or obfuscate by not sharing it.
Feel free to use and build on stuff I referenced, though. Just don’t act like nobody doing high security or correctness is releasing code. You’d be more correct saying a percentage of them do and their repo’s are nearly silent as nobody contributes anything. Consumers and FOSS users demand a minimum number of zero days with features X, Y, and Z over secure stuff every time. 😉
X-Ray • February 5, 2016 10:04 AM
@Figureitout
Re: Anxiety, sleep, & insomnia.
Anxiety and insomnia do not go well together. Whatever it is you are doing, you should take a break from. Relax, watch tv, read a book, take walks at the park. Too often people try and work anxiety off. Or self-medicate. Either solution is counter-productive.
You have to deal with your anxiety when you ‘do nothing’. Instead of dealing with it when you finally stop everything and try and go to sleep.
Figureitout • February 5, 2016 9:23 PM
Wael
–Ok, guess I’m not giving last word. :p Yay one night to relax from upcoming test… I read what you said, seems you’re not reading what I’m saying and continue to insist on incomplete “guidelines” while you’re “counting sheep”. I want technical details/files, not guidelines anymore, that’s common sense now (where it can be implemented w/o breaking things for further technical reasons). So from your list: 1) I’m leaning towards custom “algorithm” that I believe to be fairly robust (call out my BS, by all means) so no existing script kiddy tool could conduct recon on it, only real hackers could get at it, and I can’t keep those guys out anyway besides beating them w/ heavy encryption and annoying traps set, so…I’m waiting to have another go at implementing AES (failed first time), if things pan out how I see them, should be nice sending IV encrypted w/ XTEA and encrypting data w/ good ol’ AES-128. I’m going to keep CRC to 16bit (max supported). And I’m going to try to have checks on a secret ID num and addresses, so most attempts to make contact w/ receiver get ignored.
2) Pretty cool products but am skeptical of massive static analysis tools. May lead to laziness “I ran the tool and my code’s good”. To get those “signatures” they must’ve just documented machine code of these exploits? Wonder how they deal w/ false positives and code that uses obscure instructions or completely different ways to do the same thing.
3) This part is interesting as I’ve found opposite in my research for this particular chip/protocol. Based on the few pentesting blogposts I’ve read, having a dynamic packet length actually made sniffing very frustrating as the packet could smear into CRC section or address section or size section etc…. If you’re just trying to capture data this could get mucked up w/ the dynamic packet size feature. And also being “efficient” and using max speed of 2Mbps throughput is harder to capture (in RF realm, these speeds are slow as hell on the wire). To see this, people can buy a high speed low power radio chip and use a $20,000 spectrum analyzer (older one), and try to see the signal sent on the band, likely won’t even break the noise floor b/c it samples too slowly.
And I get your other points on designing, I don’t agree on the attacking stance though. This is all opinions so…take a lick of that salt and a shot of tequila and twerk dat pumpkin a$$. :p As a designer, you need to know what is irritating as hell if you’re trying to breach some system, and put that in. And of course no one will design something that’s just perfect in version 1.0, as everyone knows, the first proto is very different from the final product. It’s always a work in progress. It’s almost comforting knowing there’s improvements instead of “I don’t know how to improve” and someone can remotely hack it then…
Nick P
–Looks like Tokeneer is available only on Windows. What happens if your Windows OS is infected as you start to work on Tokeneer? You go thru the code on it too? Files scattered all over the place, christ. Seriously terrible. Much harder to reconstruct the logic and catch bugs. Why do you need a file for seriously like 2 lines of code? Lots of that toolchain auto-generated garbage in the downloads…
Haven’t looked in depth at all those other projects as they all don’t really speak to me much (have skimmed thru CHERI, MirageOS) but they have builds generally for x86 systems eh? Most binaries today and chips flashed are built anyway on x86 or systems will get touched by internet or a USB stick, any of the other undocumented chips on the motherboard could, in an epic attack, inject malware into the binary. How to prevent that running these tools on x86 machines? What happens if I supply just below power specs to the chips, how do these tools detect that (brown-out detection?) and fail safely? Don’t think any of these projects achieve that level of discipline/OPSEC b/c it’s mostly impossible, but still unmitigated risk that’s only going to get worse based on direction of consumer electronics. Can I build and run it on an MCU? FPGA’s need massive toolchains (well, more massive than GCC, which is already massive) that can only run on full PC’s. Transferring over to different machines, it’s possible for malware to transfer over as well and follow along w/ development.
Keep developing product though, if it actually works and you can actually do something useful w/ it, it should sell nicely or…you know…actually get used in real world.
X-Ray
–I can deal w/ it but thx for suggestions.
Nick P • February 5, 2016 10:31 PM
@ Figureitout
“Looks like Tokeneer is available only on Windows. What happens if your Windows OS is infected as you start to work on Tokeneer?”
The system is a demo to show how they write robust specs and code. So, use the method on another OS or platform.
” but they have builds generally for x86 systems eh? Most binaries today and chips flashed are built anyway on x86 or systems will get touched by internet or a USB stick, any of the other undocumented chips on the motherboard could, in an epic attack, inject malware into the binary.”
There were projects that used all kinds of non-x86 architectures. Almost nobody used them because they wanted x86 for price/performance. Or legacy systems. So, people built those on x86. MirageOS is getting uptake thanks to that. In any case, you wanted code you could use or customize. There it is. Feel free to put it on CPU of your choosing.
“What happens if I supply just below power specs to the chips, how do these tools detect that (brown-out detection?) and fail safely?”
Try it and find out. I expect bad results given the design isn’t fault-tolerant at hardware level. You can always port it to a custom setup that handles stuff like that. I wouldn’t expect them to given market ignores them this much.
“Don’t think any of these projects achieve that level of discipline/OPSEC b/c it’s mostly impossible”
Tinfoil chat with optical connections and batteries should. Only CPU connected to WAN can be attacked electrically there. 😛
” Can I build and run it on an MCU? ”
I thought you wanted code. Now you’re asking for code and running it on an arbitrary MCU. Not strange that you expect them to write code of every CPU/MCU you might have but you won’t port it yourself?
“FPGA’s need massive toolchains (well, more massive than GCC, which is already massive) that can only run on full PC’s.”
They do right now and for arbitrary designs. My research suggests that piecemeal designs close to the metal (eg RTL) don’t need that much tooling. You just have to get them optimized the first time like ARM people did way back when. Then, you just basically need a router performing heuristic, geometrical search for mapping it to FPGA blocks. Turning that into a bitstream is straightforward. It could be coded for older hardware smaller than modern toolchains for sure. Many techniques for that are described in detail and in OSS code like Qflow, Yosys, VTR, and IceStorm. So, feel free to improve on what’s out there since they delivered code you wanted.
“Keep developing product though, if it actually works and you can actually do something useful w/ it, it should sell nicely or…you know…actually get used in real world.”
I plan to eventually when shit’s straight. Meanwhile, you have plenty of code to work with. I’m at least trying to contribute reviews or ideas to some projects. Also, submitted suggestions on Rust team to improve their docs for adoption. Doing a little here and there.
Wael • February 5, 2016 11:40 PM
@Figureitout,
I want technical details/files, not guidelines anymore…
Experience is the best teacher. You don’t want a complete design with all its technical details. You’ll have to do it on your own! What you’re doing is good, keep doing it.
Wael • February 5, 2016 11:43 PM
@Figureitout,
Just make sure you decide whether you need a ladder or a tire
Nick P • February 5, 2016 11:53 PM
@ Wael
“Experience is the best teacher. You don’t want a complete design with all its technical details. You’ll have to do it on your own! What you’re doing is good, keep doing it.”
I agree. That combined with good write-ups by pro’s who are speaking from hard experience. Maybe also avoid StackOverflow rather than use it. The combo might help one get deeper understanding.
Figureitout • February 6, 2016 9:00 AM
Nick P
So, use the method on another OS or platform.
–I can’t even make sense of their method b/c it’s so scattered all over the place like they don’t know how to organize. It would take like 6month-1year to get accustomed to their code base.
Feel free to put it on CPU of your choosing.
–Won’t a lot of these projects have too much memory constraints? Overflow 32KB ROM and probably too much variables so overflow SRAM too…
Tinfoil chat with optical connections and batteries should
–Still have to download an image w/ a PC connected to internet, unverified binary blobs in the RasPi, unverified drivers if using other PC’s and the Nxm is vulnerable so subject to attack (I would run Nxm live or in a VM). Changing out batteries is annoying, but yeah that’s hardest setup so far but you need 5 (if you want to test entire system) or 3 PC’s dedicated to it.
Now you’re asking for code and running it on an arbitrary MCU
–That’s what you do w/ code. If I can only run a program in a browser or x86 machine it’s less useful. And last time I tried to port a custom I2C driver I failed b/w, well, fairly different chips but same manufacturer. Their memory maps were different. The “porting” was more like a “complete re-write” b/c the chip handled I2C differently. So yeah I’d likely have to rewrite a lot of code and it’ll probably be too memory-heavy it won’t even build.
Paul Rain • February 6, 2016 10:03 PM
A reminder for those who have forgotten: Most of Israel’s aerospace technology has been given to them, by the US government. They have then proceeded to sell this on to apartheid South Africa, China, and various other governments that are opponents of the West or not politically correct.
While this would be a good achievement for the NSA regardless of any non-Israeli implications, this should also provide an indication as to how capable the NSA are of attacking other enemies, such as Red China.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
b • February 1, 2016 2:54 PM
I am not the first person to make this observation, but: is this not what the NSA IS SUPPOSED TO DO? I mean, otherwise what is the point? And before anyone says “ally!”, please tell me with a straight face that you would shocked (shocked!) to find out that Israel does the same. There is no world Israel does not attempt the same intelligence gathering against friend and foe. Again, that’s the whole point of military intelligence!