Threats and solutions
From Gender and Tech Resources
Theoretical defenses and detection methods for a selected group of leaked surveillance programs and services. Due to the age and limited scope of the leaked documents, the defenses covered in these tables should not be relied upon for protection and I make no guarantees to their accuracy. You need to do research in your own environment as to what new developments there are. Things move incredibly fast in this arena and I will update these tables when more is found and/or theorised.
This is just a thought experiment covering theoretical defenses against these attacks and not intended to spread fear, uncertainty or doubt about surveillance states.
Router
Hardware
Table was initially filled with threats listed on the SpiderBlog, then updated with the latest info. (June 2015)
Notes:
Unless you are targeted by a government intelligence agency, no need to worry about installing commodity hardware from reputable vendor. If there is physical evidence of tampering, then looking for physical devices will always be the easiest solution to detect them.
Ideally we discuss these exploits and countermoves without the NSA being privy to those discussion, but that would make spreading possible counter moves too slow for the surveillance development cycle (security arms race) and effectively exclude non-techie activists from being able to defend themselves, so the next best solution is to discuss everything in the open, so everyone knows how they work and how to defeat them, maybe making us all a little safer than not discussing them at all.
| More information | Possible types of attacks | Detection | |
|---|---|---|---|
| GodSurge | Godsurge is a physical device plugged-in to the Joint Test Action Group or JTAG headers on a system's motherboard. JTAG headers can be found on many systems and are notoriously common in embedded devices. These headers are used during the development process for debugging purposes: they give you a direct interface with the CPU and are extremely helpful. They are commonly left on the production boards, so finding them on a device is normal and not a security concern. However, if there is a chip or board wired in to a device's JTAG headers that you did not wire in yourself, then something fishy may be going on. | Getting Terminal Access to a Cisco Linksys E-1000 [1] & Oops, I pwned your router [2] | Look for the JTAG connecter on the motherboard. The location of the JTAG headers may differ, but they tend to be near the CPU and may have exposed pins (or not). See the Wikipedia page on JTAG for more information and to see what they look like [3] |
| GINSU and BULLDOZER | GINSU provides software application persistence on target systems with the PCI bus hardware implant, BULLDOZER. | GINSU: NSA Exploit of the Day [4] | Open up the computer's case and look for a PCI card that does not belong. For example, if you find a PCI card that appears to serve no purpose (e.g.. not your network card or it has no external ports), then perhaps try removing it and see how things work. If a few black SUVs roll up to your house after unplugging the PCI card, it's probably not because your domicile is the set for a rap superstar's new music video. Or maybe it is. |
| COTTONMOUTH-I II and III | These bugs are embedded somewhere along the USB bus and function as an air gap bridge to assist in exfiltration of data as well as allow persistent compromise. It can be embedded directly in the USB headers in an existing USB peripheral (USB hub or keyboard). These devices allow for exfiltration of data over unknown radio frequencies to listening devices in the area, even on a system that is not connected to the internet. | USB host attack | Open up the keyboard or USB hub and identify a board that serves no purpose to the device. The malicious USB device would also likely show up on your computer's list of USB devices, so just checking there would be a good place to start. |
References
- ↑ Getting Terminal Access to a Cisco Linksys E-1000 http://blog.spiderlabs.com/2012/12/getting-terminal-access-to-a-cisco-linksys-e-1000.html
- ↑ Oops, I pwned your router http://blog.spiderlabs.com/2012/06/oops-i-pwned-your-router.html
- ↑ Wikipedia JTAG http://en.wikipedia.org/wiki/Joint_Test_Action_Group
- ↑ GINSU: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/ginsu_nsa_explo.html