Jacob Appelbaum’s puzzling revelation on NSA spying toolkits

January 3, 2014

In a keynote at the 30th Chaos Communication Congress (30C3), the Chaos Computer Club’s annual conference in Hamburg, Germany, security researcher Jacob Appelbaum, who co-authored the German weekly Der Spiegel’s reporting on the documents, chronicled dozens of implants and exploitation tools the NSA uses to spy on both United States citizens and foreigners. In a video of the talk posted online, Appelbaum walks through numerous NSA-branded slides detailing the agency’s capabilities, much of which had not yet been published by any outlet. Der Spiegel had recently published documents on the NSA’s ability to exploit the switches and routers of some of the world’s largest networking vendors, including Juniper Networks, Cisco and Huawei, and so spy on the communications passing through them. Appelbaum detailed previously unreported tools targeting the most popular server lines manufactured by Dell and HP, as well as smartphones from Apple and Samsung, and made no apologies for naming the companies in his presentation. “In order to have truth and reconciliation, we need a little truth,” Appelbaum says in the video.

The video, viewed by close to half a million people including myself, shows how the NSA compromised many of these servers at the level of the Basic Input Output System (BIOS), the firmware that provides the most basic instructions for operating the hardware. Appelbaum acknowledges that these NSA achievements have perplexed security researchers, who “don’t have the forensics tools” to locate the implant even when they can see its effects. Because a BIOS implant sits below the operating system, the NSA’s documents boast that these tools work across servers running Microsoft Windows, Linux, FreeBSD and even Sun Solaris.
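The forensic gap Appelbaum describes is real, but the first check a practitioner can actually perform is mundane: dump the SPI flash with an external programmer (not from inside the possibly compromised host, whose firmware can lie to the operating system) and compare it block by block against the vendor’s image for the same board and firmware version. The example below is added here for illustration; it is not code from the talk, the NSA documents or any vendor. Its two “firmware images” are constructed in the script, the 4096-byte granularity is an assumed erase-block size, and the function names are the editor’s own.

```python
"""Added example: block-wise comparison of a firmware (BIOS/SPI flash) dump
against a known-good reference image.  Illustrative code, not anything from
the talk or the NSA documents; the 'firmware images' below are constructed."""
import hashlib


def modified_regions(reference: bytes, dump: bytes, granularity: int = 4096) -> list:
    """Return (start, end) byte ranges, end exclusive, where `dump` differs
    from `reference`, coalesced into contiguous runs of `granularity`-sized
    chunks.  granularity=1 gives byte-exact ranges; 4096 (assumed erase
    block size) reports whole blocks, the unit you would actually reflash.
    A length mismatch (truncated or oversized dump) counts as a difference
    over the missing tail rather than being silently ignored."""
    total = max(len(reference), len(dump))
    regions = []
    start = None
    for off in range(0, total, granularity):
        end = min(off + granularity, total)
        if reference[off:end] != dump[off:end]:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, total))
    return regions


def verify_dump(reference: bytes, dump: bytes, granularity: int = 4096) -> dict:
    """Whole-image hash check first (cheap and unambiguous), then the region
    list so a mismatch can be triaged: a change confined to a known NVRAM or
    settings area is expected, a change in code regions is not."""
    ref_hash = hashlib.sha256(reference).hexdigest()
    dump_hash = hashlib.sha256(dump).hexdigest()
    return {
        "reference_sha256": ref_hash,
        "dump_sha256": dump_hash,
        "match": ref_hash == dump_hash,
        "regions": modified_regions(reference, dump, granularity),
    }


# Constructed sample data: a deterministic 64 KiB "vendor image" and a copy
# with 32 bytes flipped at offset 0x8100, standing in for a modified module.
REFERENCE = bytes((i * 7919 + 13) & 0xFF for i in range(64 * 1024))
_img = bytearray(REFERENCE)
for _i in range(0x8100, 0x8120):
    _img[_i] ^= 0xFF
IMPLANTED = bytes(_img)


if __name__ == "__main__":
    result = verify_dump(REFERENCE, IMPLANTED)
    print("match:", result["match"])
    for start, end in result["regions"]:
        print(f"modified erase block: 0x{start:05X}-0x{end:05X}")
    for start, end in modified_regions(REFERENCE, IMPLANTED, granularity=1):
        print(f"exact bytes:          0x{start:05X}-0x{end:05X}")
```

On the constructed input the hash check fails, the block-level view reports the single erase block 0x08000-0x09000, and the byte-exact view narrows it to 0x08100-0x08120. The caveat is in the reference, not the code: the vendor image must be the exact version and configuration the board shipped with, NVRAM and settings regions will differ legitimately, and a dump produced by software running on the suspect machine proves nothing if the firmware or System Management Mode code doing the reading is itself the implant.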

The NSA’s extensive list of tools included Iratemonkey, which replaces the firmware on hard drives made by Western Digital, Seagate, Maxtor and Samsung in order to retrieve data from laptops and desktop computers. Others mentioned are Somberknave, Validator and Olympus, which can be used to extract data from Windows XP PCs that are “air-gapped”, i.e. not connected to any public network. Somberknave covertly uses the machine’s own 802.11 device, even one the user has disabled, to reach a nearby wireless access point and call home. There was also a revelation that the NSA has developed USB hardware implants called Cottonmouth, hidden inside a USB connector, which carry a radio transceiver that gives the agency a covert wireless bridge into a user’s machine. Once a target is mobile and connecting to cellular or WiFi networks, NSA agents take control of the device. The NSA has developed its own base station routers as well as tools that mimic base stations, the latter being a “GSM Telephone Tripwire” imaginatively named Candygram. Appelbaum also briefly touched on Monkeycalendar, a software implant the NSA developed for injection into the SIM cards of GSM mobile phones. Injected either over the air or physically via a USB smart card reader, it keeps the NSA continually abreast of the phone’s whereabouts by sending geolocation data to the agency in covert SMS messages. The NSA slide suggests this tool may require the cooperation of the target’s mobile network provider. The NSA has also developed implants for Apple’s iPhone, DropoutJeep, and for Microsoft’s Windows Mobile phones, Toteghostly, which reveal the device’s location, read its SMS, voicemail and contact list and provide remote control of its camera and microphone. At the time the slides were leaked, however, the agency still required physical access to the phone to install the implant. That said, the NSA’s ANT team stated it was pursuing a remote installation capability.

“How many people in Al Qaida are using Solaris?” Appelbaum asks the crowd, referring to an operating system now owned by Oracle and most often used by western telcos, large banks and other corporations. “The NSA are interested in compromising systems, not just people,” Appelbaum said. “They want to colonize systems with these tools.”

One NSA slide specifically pointed out that Dell’s PowerEdge servers have a weakness that allows the NSA to implant spyware in the BIOS, either remotely or by inserting a USB drive. A related NSA tool, named Godsurge, uses the JTAG debugging interface in the Dell PowerEdge 1950 and 2950. A JTAG debugging interface is normally used to test the BIOS and firmware for bugs, but it can also be used to reflash the BIOS from scratch. “Why did they release these servers with that software?” Appelbaum asked the audience. “Is that a bug or a backdoor? This is an Advanced Persistent Threat.” HP’s ProLiant DL380 G5 server was mentioned in an NSA slide as the target of another tool, Ironchef, which maintains access to the server through a hardware implant with two-way RF communication. However, that tool required what the NSA terms “interdiction”: physical access to the target’s server to install the hardware implant. In practice that means an NSA operative entering the premises, the detention of a suspect and seizure of his or her computers and smartphones, or NSA agents intercepting newly purchased computing devices in transit before they reach the target.

Appelbaum told the 30C3 audience that he expects the InfoSec community to now search systems for evidence of the NSA malware in use. According to him, a lot of malware researchers will have a lot to say about this in the future. “If you work for the NSA,” he added, “I’d like to encourage you to leak more documents, and I’ll be available until I am assassinated to answer questions.” If you have time, watch the video of Jacob Appelbaum’s presentation in Hamburg, Germany.

Contador Harrison