17 August 2015

Now Everyone Can Have Their Own NSA Spyware

Sean Gallagher 
August 11, 2015 

The NSA Playset: Espionage tools for the rest of us 

When Der Spiegel and Jacob Appelbaum published leaked pages of the National Security Agency’s ANT Catalog—the collection of tools and software created for NSA’s Tailored Access Operations (TAO) division—it triggered shock, awe, and a range of other emotions around the world. Among some hardware hackers and security researchers, it triggered something else, too—a desire to replicate the capabilities of TAO’s toolbox to conduct research on how the same approaches might be used by other adversaries. 

In less than 18 months since the catalog’s leak, the NSA Playset project has done just that. The collection boasts over a dozen devices that put the power of the NSA’s TAO into the hands of researchers. Project creator Michael Ossmann—a security researcher, radio frequency hardware engineer, and founder of Great Scott Gadgets—detailed the tools at a presentation during the Black Hat conference in Las Vegas last week, and he talked with Ars more about it this past weekend at DEF CON 23. 

Many of the software components of the 50-page ANT catalog were things that had already been developed by security researchers. Some of the discovered capabilities appeared to stem from off-the-shelf hardware (or its equivalent) and software similar to existing tools; they were simply combined in a package suitable for spy work. But other pieces of hardware in the NSA’s catalog appeared to have no openly available equivalent—such as wireless bugs planted in computer cables or connectors. Some of those bugs were radio “retro-reflectors,” wiretaps that only broadcast data when hit by a directed radio signal. (It’s similar in concept to “The Thing”—the infamous bug Soviet spies planted inside the US Embassy in Moscow.) 

“We had suspected that these capabilities existed,” Ossmann told Ars. “But there hadn’t been any open research done on them.” So just over a year ago, Ossmann and others kicked off the project to create “a series of dead simple, easy to use tools to enable the next generation of security researchers,” as the project’s Wiki page describes it. So far, they’ve been able to produce capabilities like those in the ANT catalog at a fraction of what the NSA spent to develop them. 

“I wanted to talk about how we can build these tools—the same tools nation states use—in an open community, at least to serve as demo of threats people haven’t considered before,” Ossmann said at Black Hat. “I focused on the hardware tools in the catalog to get some ideas of how we can build these things. But I didn’t originally think I would go ahead and build any of them.” 

After doing a talk with Dean Pierce (who Ossmann said originally coined the term “NSA Playset”) about the ANT catalog in July 2015 at Toorcamp, Ossmann’s thinking on the project evolved. Pierce and a number of other contributors soon signed on to make contributions to the NSA Playset, adding a few projects started before the Playset was conceived. In total, Ossmann and the other collaborators have now created 15 tools that, in theory, just about anyone could use. 

Ossmann said he wasn’t sure if he’d be building any more devices for the NSA Playset, but the year-old project is, by its nature, open to others willing to contribute. The requirements for Playset projects, as detailed on the project’s Wiki, are simple: 

1. A silly name like those used for codenames in the ANT catalog. “If your project is similar to an existing NSA ANT project, you can come up with a clever play on that name. For example, if your project is similar to FOXACID, maybe you could call it COYOTEMETH.” 
2. A specific scope of capability that demonstrates a specific technique. For example, TURNIPSCHOOL—a project Ossmann previewed in January at Shmoocon in Washington, DC—provides wireless monitoring and injection of commands through a USB cable with an embedded wireless transmitter/receiver chip. 
3. A list of all the parts, including software, that anyone can assemble to get the desired effect. “This should contain part numbers, and links to where anything can be purchased or downloaded. Ideally, it would be very easy to roll all of these ingredients into a small box (including a USB stick with all software), which could be sold off at security conferences.” 
4. Detailed instructions for how to put it all together and use it to reproduce the results. 

One area in which Ossmann told Ars he’d like to see more work is retroreflectors. While he built several himself, Ossmann believes there needs to be more open research on the technology, and that there may be ways to exploit computer hardware that acts as an “unintentional” retroreflector, giving up data when high-power radio signals are directed at it from a distance. 
