Difference between revisions of "Digital threats, detection, protection and (counter) moves"

From Gender and Tech Resources

m (Radio frequency exfiltration)
m (Radio frequency exfiltration)
Line 33: Line 33:
 
== Radio frequency exfiltration ==
 
== Radio frequency exfiltration ==
 
'''Notes:'''
 
'''Notes:'''
* The devices used can vary, but they all employ a similar method of communication via an unknown radio/radar protocol.
+
* First check for evidence of a device which has been wired in to an existing device such as a keyboard or other peripheral.
* If you had a device that could pick up the RF signals from the devices, you would be able to pick up transmissions from these bugs ( the frequencies are not known and based on the information leaked the devices may only power on when data is being extracted) <ref>HackRF One http://greatscottgadgets.com/hackrf/</ref> The SpiderBlog describes the following possibility:  if there are RF transmitters in a device by monitoring the spectrum while the device is off (to get a baseline for ambient RF background noise) and then monitoring it again after the suspect device is turned on and transmitting data via radio frequency. The detection device would pick up the signal and alert the user. <ref>Detecting A Surveillance State - Part 2 Radio Frequency Exfiltration https://www.trustwave.com/Resources/SpiderLabs-Blog/Detecting-A-Surveillance-State---Part-2-Radio-Frequency-Exfiltration/
+
The devices used can vary, but they all employ a similar method of communication via an unknown radio/radar protocol. The frequencies are not known and based on the information leaked the devices are passive (only power on when data is being extracted) <ref>HackRF One http://greatscottgadgets.com/hackrf/</ref> making identification of (type of) signal (and intelligence) hard.
 +
The SpiderBlog describes the following possibility:  if there are RF transmitters in a device by monitoring the spectrum while the device is off (to get a baseline for ambient RF background noise) and then monitoring it again after the suspect device is turned on and transmitting data via radio frequency. The detection device would pick up the signal and alert the user. <ref>Detecting A Surveillance State - Part 2 Radio Frequency Exfiltration https://www.trustwave.com/Resources/SpiderLabs-Blog/Detecting-A-Surveillance-State---Part-2-Radio-Frequency-Exfiltration/
 
</ref>
 
</ref>
* When using bug detectors: Many different types of "spurious RF" signals can be hunted for using any type of "bug detector" and can give "false positives" on "RF bug".
 
 
{| class="wikitable"
 
{| class="wikitable"
 
|-
 
|-

Revision as of 21:26, 6 June 2015

This page lists theoretical defenses and detection methods for selected groups of leaked surveillance programs and services. This is just a thought experiment covering (theoretical) defenses against these attacks and not intended to spread fear, uncertainty or doubt about surveillance states.

Due to the age and limited scope of the leaked documents and what we are up against [1], the defenses mentioned in these tables should not be relied upon for protection and I make no guarantees to their accuracy. You need to do research in your own environment as to what new developments are and make informed decisions knowing it is impossible to be completely safe. Things move incredibly fast in this arena and I will update these tables when more is found and/or theorised.

Hardware implants (backdoors)

Notes:

  • Unless you are targeted by a government intelligence agency, there seems to be no need to worry about installing commodity hardware from reputable vendors.
  • If there is physical evidence of tampering, then looking for physical devices will always be the easiest solution to detect them.
  • Ideally we discuss these exploits and counter moves without the NSA being privy to those discussion, but that would make spreading possible counter moves too slow for the surveillance development cycle (security arms race) and effectively exclude non-techie activists from being able to defend themselves to some extent, so the next best solution is to discuss everything in the open, so everyone knows how they work and how to defeat them, maybe making us all a little safer, than not discussing them at all.
  • Table was initially filled with threats listed on the SpiderBlog and TAO catalog (not all), then updated with the latest info. (June 2015)
More information Possible types of attacks Detection
Godsurge Godsurge is a physical device plugged-in to the Joint Test Action Group or JTAG headers on a system's motherboard. JTAG headers can be found on many systems and are notoriously common in embedded devices. These headers are used during the development process for debugging purposes: they give you a direct interface with the CPU and are extremely helpful. They are commonly left on the production boards, so finding them on a device is normal and not a security concern. However, if there is a chip or board wired in to a device's JTAG headers that you did not wire in yourself, then something fishy may be going on.
  • Getting Terminal Access to a Cisco Linksys E-1000 [2]
  • Oops, I pwned your router [3]
Look for the JTAG connecter on the motherboard. The location of the JTAG headers may differ, but they tend to be near the CPU and may have exposed pins (or not). See the Wikipedia page on JTAG for more information and to see what they look like [4]
Ginsu and Bulldozer Ginsu provides software application persistence on target systems with the PCI bus hardware implant, Bulldozer.
  • Exploit persistence from a PCI card ROM
  • GINSU: NSA Exploit of the Day [5]
 Open up the computer's case and look for a PCI card that does not belong. For example, if you find a PCI card that appears to serve no purpose (e.g.. not your network card or it has no external ports), then perhaps try removing it and see how things work. If a few black SUVs roll up to your house after unplugging the PCI card, it's probably not because your domicile is the set for a rap superstar's new music video. Or maybe it is.
Cottonmouth I II and III These bugs are embedded somewhere along the USB bus and function as an air gap bridge to assist in exfiltration of data as well as allow persistent compromise. It can be embedded directly in the USB headers in an existing USB peripheral (USB hub or keyboard). These devices allow for exfiltration of data over unknown radio frequencies to listening devices in the area, even on a system that is not connected to the internet.
  • USB host attack
  • Hackers create spy plug inspired by the NSA's surveillance kit [6]
 Open up the keyboard or USB hub and identify a board that serves no purpose to the device. The malicious USB device would also likely show up on your computer's list of USB devices, so just checking there would be a good place to start.

Radio frequency exfiltration

Notes:

  • First check for evidence of a device which has been wired in to an existing device such as a keyboard or other peripheral.
  • The devices used can vary, but they all employ a similar method of communication via an unknown radio/radar protocol. The frequencies are not known and based on the information leaked the devices are passive (only power on when data is being extracted) [7] making identification of (type of) signal (and intelligence) hard.
  • The SpiderBlog describes the following possibility: if there are RF transmitters in a device by monitoring the spectrum while the device is off (to get a baseline for ambient RF background noise) and then monitoring it again after the suspect device is turned on and transmitting data via radio frequency. The detection device would pick up the signal and alert the user. [8]
More information Possible types of attack Detection
Howlermonkey Short to medium range Radio Transceiver [9]
  • HOWLERMONKEY: NSA Exploit of the Day [10]
Bug detector
Ragemaster Hardware implant in a VGA cable that sends video data over RF
  • RAGEMASTER: NSA Exploit of the Day [11]
 Bug detector
Loudauto Hardware device that sends amplified audio over RF
  • LOUDAUTO: NSA Exploit of the Day [12]
 Bug detector
Surleyspawn Hardware implant in a keyboard that emits keystrokes over RF
  • SURLYSPAWN: NSA Exploit of the Day [13]
 Bug detector

Infected firmware

Related

References

  1. Cryptome: Communications privacy folly http://cryptome.org/2012/06/comms-folly.htm
  2. Getting Terminal Access to a Cisco Linksys E-1000 http://blog.spiderlabs.com/2012/12/getting-terminal-access-to-a-cisco-linksys-e-1000.html
  3. Oops, I pwned your router http://blog.spiderlabs.com/2012/06/oops-i-pwned-your-router.html
  4. Wikipedia JTAG http://en.wikipedia.org/wiki/Joint_Test_Action_Group
  5. GINSU: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/ginsu_nsa_explo.html
  6. Hackers create spy plug inspired by the NSA's surveillance kit - and it costs just £13 to make http://www.dailymail.co.uk/sciencetech/article-2920419/When-USBs-attack-Hackers-create-covert-spy-plug-inspired-NSA-s-Cottonmouth-surveillance-kit.html
  7. HackRF One http://greatscottgadgets.com/hackrf/
  8. Detecting A Surveillance State - Part 2 Radio Frequency Exfiltration https://www.trustwave.com/Resources/SpiderLabs-Blog/Detecting-A-Surveillance-State---Part-2-Radio-Frequency-Exfiltration/
  9. Page with graphics https://leaksource.files.wordpress.com/2013/12/nsa-ant-howlermonkey.jpg
  10. HOWLERMONKEY: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/howlermonkey_ns.html
  11. RAGEMASTER: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/03/ragemaster_nsa.html
  12. LOUDAUTO: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/loudauto_nsa_ex.html
  13. SURLYSPAWN: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/02/surlyspawn_nsa.html
Retrieved from "https://gendersec.tacticaltech.org/wiki/index.php?title=Digital_threats,_detection,_protection_and_(counter)_moves&oldid=1995"