NSA hardware intrusions out of control, Dell, HP, Apple, Huawei, Cisco all implicated

Last night I watched one of the craziest videos I’ve seen all year. Independent journalist and security expert Jacob “@ioerror” Appelbaum spoke at the Chaos Communication Congress this weekend and delivered “To Protect and Infect, Part 2”. This one-hour talk covered new revelations in the NSA saga, the details of which were first published by Der Spiegel.

Appelbaum begins the talk by warning that what follows is ‘wrist-slittingly depressing’. The content consists of further slides from leaked NSA documentation, similar to those we saw earlier in the year from the Edward Snowden disclosures. As in those earlier publications, the names of the people involved have been redacted, as have the names of the citizens targeted by some of this technology.

If TURMOIL is deep packet inspection, then TURBINE is deep packet injection.


The NSA’s passive collection system is known as TURMOIL, and we knew about that already; what’s new is information about a deep packet injection system called TURBINE. This is where things get scary. Together these technologies form the QFIRE platform: the NSA monitors internet traffic with TURMOIL and then, using TURBINE, injects packets to initiate attacks. Appelbaum claims they have even gone as far as compromising people’s routers to do so.

Appelbaum explains how it works. When the NSA’s passive sensors see a flow of traffic they deem interesting, they focus in on that flow: a sensor near the target captures a packet from it, encapsulates it, and sends it to an injection point the slides call a ‘diode’, which may be your own home router. The router de-encapsulates the packet and sends the forged response out on the internet. Because the injection point is closer to the target than the real server, Appelbaum says the injected packet beats the legitimate one to the destination and delivers the payload; the legitimate packet arrives afterwards and, since the receiver has already accepted a segment with that sequence number, is treated as a retransmission and dropped.
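To make the race concrete, here is an added example (not code from the talk or from this article) that models the two competing TCP segments at the target and then runs the detection heuristic that falls out of the mechanism: honest TCP never produces two segments in one flow with the same sequence number but different payloads, so that pattern, especially with a large TTL gap between the two, is the tell. All addresses, timings and payloads are constructed for the demo.

```python
"""Added example (not from the talk or the article): a toy model of the
packet race described above, plus the detection heuristic that follows
from it.  All packets below are constructed for the demo."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """The handful of TCP/IP fields the race depends on."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    ttl: int
    payload: bytes
    arrival_ms: float  # when the target's NIC sees it


def race(legit: Segment, forged: Segment) -> list:
    """Order two competing segments by arrival time at the target."""
    return sorted([legit, forged], key=lambda s: s.arrival_ms)


def receiver_accepts(expected_seq: int, arriving: list) -> list:
    """Minimal receiver model: the first segment carrying the expected
    sequence number is delivered to the application; a later segment
    that reuses an already-consumed sequence number looks like a
    retransmission and is discarded."""
    delivered, consumed = [], set()
    for seg in arriving:
        if seg.seq in consumed:
            continue
        if seg.seq == expected_seq:
            delivered.append(seg)
            consumed.add(seg.seq)
            expected_seq += len(seg.payload)
    return delivered


def detect_duplicate_seq(segments: list) -> list:
    """Detection heuristic: within one flow, two segments with the same
    seq/ack but different payloads should never happen in honest TCP
    (a retransmission repeats the same bytes).  A large TTL gap between
    the two is a secondary hint that they came from different hops."""
    by_key = defaultdict(list)
    for s in segments:
        by_key[(s.src, s.sport, s.dst, s.dport, s.seq, s.ack)].append(s)
    alerts = []
    for key, segs in by_key.items():
        payloads = {s.payload for s in segs}
        if len(payloads) > 1:
            ttls = [s.ttl for s in segs]
            alerts.append({
                "flow": f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}",
                "seq": key[4],
                "variants": len(payloads),
                "ttl_spread": max(ttls) - min(ttls),
            })
    return alerts


# Constructed flow: a client has sent "GET /" and expects the server's
# reply to start at sequence number 1000.  Hypothetical addresses.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
LEGIT = Segment(SERVER, CLIENT, 80, 51234, seq=1000, ack=501, ttl=49,
                payload=b"HTTP/1.1 200 OK\r\n\r\n<html>real page</html>",
                arrival_ms=84.0)   # genuine reply: far away, slow
FORGED = Segment(SERVER, CLIENT, 80, 51234, seq=1000, ack=501, ttl=61,
                 payload=b"HTTP/1.1 302 Found\r\nLocation: http://injector.example/\r\n\r\n",
                 arrival_ms=12.0)  # injected nearby with spoofed source: wins


def demo() -> dict:
    """Run the race, see who the receiver delivers, and run the detector."""
    arriving = race(LEGIT, FORGED)
    delivered = receiver_accepts(1000, arriving)
    return {
        "winner": "forged" if delivered[0] is FORGED else "legit",
        "alerts": detect_duplicate_seq(arriving),
    }


if __name__ == "__main__":
    print(demo())
```

The receiver model is deliberately minimal (no window handling, no partial overlap), which is enough to show why being closer than the real server is all the injector needs. The detector is the kind of check you can run over a capture after the fact: it keys on the five-tuple plus seq/ack rather than on payload content, so it does not care what the injected page says.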

It’s a crazy concept to think that our home network infrastructure could be used for attacks. We often think of security as keeping out the bad guys, but rarely think about protecting against government agencies. In theory security agencies like the NSA should only target people of interest, but this technology is indiscriminate and without adequate oversight could be used on anyone.

During the talk he calls out a number of companies, most of them US-based, whose products appear in the catalog, implying that they either cooperated or left exploitable vulnerabilities in their hardware. It’s probably a good idea to keep an eye on the share prices of Dell, HP, Juniper, Huawei, Cisco and even Apple. Remember that if these backdoors or intentional vulnerabilities are left in hardware, it’s only a matter of time before people other than the NSA discover them as well.



The slide below is from the leaked top secret NSA documents and shows NIGHTSTAND, a laptop running free software that can inject 802.11 packets, undetectably, from as far as 8 miles away from a target. Appelbaum suggests this works by exploiting some kernel-level vulnerability in how the target parses wireless frames, at the lowest level of the OS. While there’s no documentation to prove it, he says sources have suggested there’s a mobile version of NIGHTSTAND mounted on drones, which can be flown into almost any location.


Data retention now 15 years

We keep our tax records for 7 years, but it’s been revealed that the NSA stores the data from its dragnet (aka PRISM) for 15 years. Appelbaum says there’s been no public debate or vote on this policy; it was just created. Some people are not concerned by the implications of the collection because they believe it’s just metadata, but that’s not the case: content is included in the 15-year storage. If you haven’t seen the massive data centers the NSA is building, go look them up; the buildings are huge and growing fast. This 15-year retention policy is clearly why the storage needs are growing so fast.

Don’t just think of the data collection as what happens on PCs and laptops; it covers any internet-connected device, and especially mobile phones. In a slide labeled MARINA, two screenshots show this reverse targeting technology, which uses contact chaining to associate people who interact with a particular target. If you make a phone call to a friend, this would index their contacts and look for further connections: think six degrees of separation, connected by the NSA. The screen had names and email addresses redacted to protect the identity of the users, but shows ‘Logins: 22, Passwords: 0’, which Appelbaum reads as the NSA getting in 22 times and needing the password exactly zero times.
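Contact chaining is just a hop-limited breadth-first search over a call graph, and the thing worth seeing is how fast the set of people swept in grows with each hop. The following is an added example (not from the talk, the slides or this article) over a handful of constructed call records; every identifier in it is made up.

```python
"""Added example (not from the talk or the article): contact chaining as
a hop-limited breadth-first search over call records.  The records are
constructed for the demo; the identifiers are made up."""
from collections import defaultdict, deque

# Constructed call detail records: (caller, callee).  Direction is
# ignored for chaining: a call in either direction links two parties.
CDR = [
    ("target", "alice"), ("target", "bob"), ("carol", "target"),
    ("alice", "dave"), ("alice", "erin"), ("bob", "erin"), ("bob", "frank"),
    ("dave", "grace"), ("erin", "heidi"), ("frank", "ivan"), ("frank", "judy"),
    ("grace", "ken"), ("ken", "leo"), ("mallory", "niaj"),  # last pair unconnected
]


def build_graph(records):
    """Undirected adjacency: who has ever been on a call with whom."""
    graph = defaultdict(set)
    for a, b in records:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def contact_chain(records, seed, max_hops):
    """Return {hop: set of identifiers first reached at that hop}.
    Hop 0 is the seed itself.  Anyone already reached at a nearer hop is
    not counted again, which keeps the per-hop growth honest."""
    graph = build_graph(records)
    reached = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        hop = reached[node]
        if hop == max_hops:
            continue
        for nbr in sorted(graph[node]):
            if nbr not in reached:
                reached[nbr] = hop + 1
                queue.append(nbr)
    by_hop = defaultdict(set)
    for ident, hop in reached.items():
        by_hop[hop].add(ident)
    return dict(by_hop)


def swept_up(records, seed, max_hops):
    """Everyone other than the seed who ends up in the chain."""
    chain = contact_chain(records, seed, max_hops)
    return set().union(*(v for h, v in chain.items() if h > 0))


if __name__ == "__main__":
    for hops in range(1, 4):
        chain = contact_chain(CDR, "target", hops)
        print(hops, "hop(s):", {h: sorted(v) for h, v in chain.items()})
```

On this tiny graph one hop from the seed pulls in 3 people, two hops 6, three hops 10, and the pair who never called anyone in the chain stays out no matter how many hops you allow. Real call graphs have much higher fan-out, which is why a hop limit of two or three already covers an enormous population.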

No courts

One of the biggest issues in this NSA case is the sidestepping of the legal system, and of course the question of whose legal system. While the National Security Agency lives on US soil, its decisions and actions have global implications. The point is that if police want to tap somebody’s phone, they supposedly need a warrant approved by a judge. When things go online, apparently none of that counts. While no proof was provided, Appelbaum suggests that with just the IMEI number of his phone, the NSA could hack into it, enable the microphone and start listening, all without a court.

Security vendors and businesses that rely on consumer trust have a big issue here. Essentially the secure services they’ve been selling are treated as an opponent of the NSA’s objectives. It also raises the question of whether they can actually deliver on the promises they make about keeping important data private. Private from the public, maybe, but not from the thousands of employees at the NSA.

If you use a cell phone, forget it.

Mobiles not secure

This nifty little box, known as TYPHON HX (a GSM base station router), acts as a cell phone base station and captures user traffic on GSM, PCS, DCS and other mobile networks. The cost of this interception device is listed as US$175,800, and it essentially means your mobile traffic, calls, texts and data flow through the device and are captured without you ever knowing. Before you rush to a rich uncle for the cash to buy one, this isn’t for sale to regular people, but these are in operation by the NSA.


SOMBERKNAVE – Unused 802.11 network devices are being used

The next graphic outlines the SOMBERKNAVE program, which will make you think twice about what’s really on or off. This classified document shows that the NSA can take an unused Wi-Fi card in your computer and repurpose it for their own purposes. This is enabled thanks to companies that have either collaborated or left users vulnerable, and Appelbaum has no problem calling them out in one of the most passionate parts of the talk (around the 40 minute mark). He names these companies so they are forced to state publicly whether they collaborated, turned a blind eye, or were just plain incompetent.


DROPOUTJEEP – Apple Backdoor

The NSA documentation suggests they have a 100% success rate at exploiting Apple iPhones. Either they have a huge collection of Apple exploits, or Apple worked with the NSA to make this possible. The other option is that Apple is just bad at writing software and this was a genuine mistake. DROPOUTJEEP gives the NSA the ability to remotely push/pull files from the device, retrieve SMS and the contact list, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. (and ‘etc.’ means that’s not the end of it). One caveat from the slide itself: it describes the initial release as installing the implant via close access methods, with a remote installation capability to be pursued in a future release, so the 100% figure should be read against physical access to the phone. Appelbaum says Apple needs to come clean on this, and given they didn’t join the PRISM program until after Steve Jobs died, maybe their intentions aren’t purposefully bad.


IRATEMONK – Hard drive firmware exploited

If we know that sensitive data transmitted online is probably being captured and stored by the NSA, then maybe we should store things locally. That would be fine if hard drive firmware weren’t also a target. The program, called IRATEMONK, replaces the firmware of the hard drive and, according to the slide, gains execution by substituting the Master Boot Record at boot, which means that even if you format the drive the NSA still has access. It is listed as effective on FAT, NTFS, EXT3 and UFS file systems; HFS+ is not on the list, so Macs may be outside the reach of this one. As you can see from the slide below, the listed cost of this access to the drive firmware: $0.

This suggests the NSA has “negotiated” with HDD manufacturers (remember we don’t know whether these companies had any option, or were involved at all; the slide only lists the drives the implant works on), naming Western Digital, Seagate, Maxtor and Samsung. It is also worth noting that it lists systems without RAID hardware, so home servers or NAS boxes running RAID may be exempt. This is really scary stuff, especially considering the Status: Released and Deployed, which means it’s out there.
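If the persistence mechanism is MBR substitution, the one cheap check a practitioner can do is keep a baseline of the MBR’s boot code from a known-clean system and diff the code region (not the partition table, which legitimately changes) against it later. Here is an added example (not from the talk, the slides or this article) that parses the legacy MBR layout and does that comparison. Both sectors are constructed; on a real system you would read the sector with `dd if=/dev/sda bs=512 count=1`. It assumes the substituted sector is also what the OS reads back; a firmware implant that only lies to the BIOS at boot time would defeat this check, so treat it as a detection for the simple case, not a guarantee.

```python
"""Added example (not from the talk or the article): a baseline check for
the MBR boot code that IRATEMONK is described as substituting at boot.
The two 512-byte sectors below are constructed; the stock-loader bytes
are a stand-in, not a real bootloader."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446           # legacy MBR layout: 446 bytes of code,
PART_TABLE_OFF = 446          # then 4 x 16-byte partition entries,
SIGNATURE = b"\x55\xaa"       # then the 0x55AA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into boot code and the populated partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": entries}


def boot_code_digest(sector: bytes) -> str:
    """Hash only the code region: the partition table legitimately changes
    when you repartition, the first-stage boot code should not."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_against_baseline(sector: bytes, baseline_digest: str) -> dict:
    """Compare a freshly read MBR against the recorded clean digest."""
    parsed = parse_mbr(sector)
    digest = boot_code_digest(sector)
    return {"boot_code_matches": digest == baseline_digest,
            "boot_code_sha256": digest,
            "partitions": parsed["partitions"]}


def make_sector(boot_code: bytes, partitions) -> bytes:
    """Build a constructed MBR for the demo: (bootable, type, lba, count)."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if boot else 0, ptype, lba, n)
                     for boot, ptype, lba, n in partitions)
    table = table.ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE


PARTS = [(True, 0x83, 2048, 1_048_576)]          # one bootable Linux partition
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"  # stand-in for a stock loader
CLEAN = make_sector(CLEAN_CODE, PARTS)
# Same partition table, different first-stage code: what a substituted
# MBR looks like to this check (hypothetical bytes).
TAMPERED = make_sector(b"\xeb\x3c\x90CUSTOM", PARTS)
BASELINE = boot_code_digest(CLEAN)   # record this on the known-clean system


if __name__ == "__main__":
    print("clean   :", check_against_baseline(CLEAN, BASELINE)["boot_code_matches"])
    print("tampered:", check_against_baseline(TAMPERED, BASELINE)["boot_code_matches"])
```

Hashing the code region separately from the partition table is the point: a repartition or resize changes the table and would otherwise produce false alarms, while a substituted first stage changes only the code bytes and is caught even when the table is untouched.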


Watch the video

There’s seriously a lot in this talk, and when I first saw it last night I found it hard to stop watching. I’ve since re-watched it at least 5 times and I highly recommend you spend an hour watching it. If you’re an American citizen this directly applies to you, but if you’re a citizen of the internet it applies just as much. Word of warning: Appelbaum is clearly pissed off by these revelations and there is swearing in the video, though it is used wisely.


This post is authored by techAU staffers. Used rarely and sparingly when the source decided to keep their identity secret, or a guest author who isn't seeking credit.