[Cryptography] TAO, NSA crypto backdoor program

Lodewijk andré de la porte l at odewijk.nl
Mon Dec 30 23:22:20 EST 2013

This actually took about 5 hours. I hope it will be useful to anyone. I
sure feel up to date with the NSA 5 years ago. Some things are impressive.
Their prices too though. Their level of determination and systematic
approaches too. Miniaturization skill is good too, but not quite james
bond. Particularly the use of RAGEMASTER and the other radar thingies. The
exploitation of routers is just the tip of the iceberg of exploits. GSM
exploits should really be commonly accepted to exist by now.

Feel free to ask me questions, forward this mail to others, reformat it
into wiki format or something, correct me if I'm wrong, ask me for my
Bitcoin address because I'm your personal hero. Anything. I'm going to bed.

2013/12/30 Raphael Jacquot <sxpert at sxpert.org>

> On 30 Dec 2013, at 15:59, Phillip Hallam-Baker <hallam at gmail.com> wrote:
> A while back Bruce told me that the Snowden docs show NSA uses every
> attack imaginable.
> Here is the latest installment. The phrase that comes to mind is 'have
> they no decency?'
> I was speechless about their acting physically. I realized shortly after
that until now I've seen the NSA as an overfunded academic project to find
exploits everywhere, but that all they want is all the information in any
possible way. The return on investment of those projects presented is
occasionally very low. That's the scariest part. They might even have
exploited this and that rare thing.

Then I realized I never trusted hardware one bit, that PCB-track radio is
real and fun and exploitable, and that I have always been confused by the
lack of in-system paranoia. I think the whole thing is quite funny because
against consumers it seems an ineffective budget spend. It's probably
focused on companies though. Anyway, it's all kind of fun to me at the
moment. Guess it'd be different if I actually used these products.

Anyone see the irony of America banning Chinese router stuff and meanwhile
exploiting all of its own products?

the full gadget catalogue is here
> http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/

I'm impressed. I also considered physical to be uselessly aggressive
compared to the wealth of software hacks. Curious.

This does seriously harm the NSA's interests. This gives us clear insight
into their recent capabilities. I think this is not data from our good old
source. This is probably someone else. Luckily I'm not American and I
believe that justifies fully all that I'm doing now.

ANT = Advanced or Access Network Technology

Allow me to recap the available tools:

DEITYBOUNCE - Dell PowerEdge BIOS exploit to get software onto target.
Re-implants the exploit when the OS loads using the BIOS exploit. Unclear
if it can be installed just by plugging a USB in, or whether the Non-tech
agent needs to boot into it. Uses ARKSTREAM for implanting itself on the
BIOS. (2007)

IRONCHEF - Similar to DEITYBOUNCE. Additionally communicates over a
bidirectional radio that's also to be implanted into the system. For the HP
Proliant 380DL G5 it uses an I2c connected radio called WAGONBED. IRONCHEF
can be remote controlled to read/write to the target system. Especially to
replace the spy-software placed on it if it's cleared.  (2007)

FEEDTHROUGH - is something to persist ZESTYLEAK and BANANAGLEE in Juniper
Netscreen firewalls. Across reboots and software upgrades. Also a BIOS
level attack (see image). There exists something called a "DNT Implant
Communications Protocol" for remote access and control. It employs a hiding
method on the target platforms. (2008)

GOURMETTROUGH* - persists BANANAGLEE on Juniper firewalls. Some platforms
it can "beacon" regardless of OS. ANT has to configure on non-automated
platforms. Can also place a "Persistent BackDoor" (PBD) if configured by an
expert. (2008)

HALLUXWATER - persistent remote control for Huawei Eudemon firewalls. Has
to be installed as a boot ROM (BIOS) upgrade. Uses PIT (TURBOPANDA
Insertion Tool) to read/write memory, execute local or delivered code.
Survives automatic bootROM (BIOS) upgrades. (2008)

JETPLOW - persists BANANAGLEE on Cisco PIX and Cisco ASA firewalls. Can
also install BANANAGLEE protocol compatible PBDs. Boot time modifies the
OS. Can remotely self-upgrade. Can be added to an existing BANANAGLEE
thingy. (2008)

SOUFFLETROUGH - persists BANANAGLEE for Juniper SSG 500 and SSG 300 series
firewalls. "Advanced" PBD capability. Boot time modifies the OS. Can
fallback to BANANAGLEE compatible PBD. *TAKES ADVANTAGE OF Intel's System
Management Mode* for enhanced reliability and covertness. Can remotely
self-upgrade. Can be added to an existing BANANAGLEE thingy. (2008)

HEADWATER - PBD for some Huawei routers. Goes into the boot ROM via an
upgrade (makes no sense, "Read Only Memory"), works after reboot. Uses
DNT's HAMMERMILL Insertion Tool (HIT) for controll of the PBD. Can
capture/analyze all passing IP packets. *Cover name for NSA/CIA Huawei
exploiting is TURBOPANDA*. (2008)

SCHOOLMONTANA - persists VALIDATOR for Juniper J-Series routers. The
routers run JUNOS a *custom FreeBSD* by Juniper. BIOS mod that modifies the
OS in memory to run VALIDATOR and "provide persistent kernel modifications
to support implant execution"***. Injects at the end of the "System
Management Mode". Cover term for DNT implants for Juniper J-Series
routers. (2008)

SIERRAMONTANA - SCHOOLMONTANA for Juniper M-Series routers. (2008)

STUCCOMONTANA - SCHOOLMONTANA for Juniper T-Series routers. (2008)

CTX4000 - Continuous Wave (CW) radar unit. (ab)Used to collect VAGRANT and
DROPMIRE data. Reads 1 to 2 GHz at up to 45 MHz per second. Can go from 2
to 1000 Watts. Can be remotely controlled. They use a bloody radar to pick
up signal intel. This is so cool. An aluminum hat probably won't save your
PC when it's getting blasted with this baby. (Last 3 sentences are pure
speculation) (2008)

LOUDAUTO - Audio based RF retro-reflector. A little microphone's analog
output is PPM'ed (Pulse Position Modulation) a square wave (standard in RC
control too!). Those pulses are pulsed towards a FET (Field Effect
Transistor). So when a pulse is sent the FET turns on for a moment. The FET
can be seen on a CW radar well enough to reconstruct the pulses going into
it, and thus the audio in the room. NSA prides the use of COTS hardware, no
trace back to the NSA. Additionally these units consume next to no power!
(~0.000045 watts!). "Part of the ANGRYNEIGHBOR family of radar
retro-reflectors." (2008)

NIGHTSTAND - Wifi interceptor. Runs Fedora Core 3.  Undetectable! N
targets. Works on all WIN-old. *Up to eight miles (12km!) of
effectivity.* Anti-encryption
capabilities undisclosed. (2008)

NIGHTWATCH - VAGRANT receiver. Fancied up rugged laptop loaded with some
signal processing units. Hook it up to CTX4000 or PHOTOANGLO or a general
purpose receiver. Manual signal finding and frame averaging for visibility.
Has built-in forward to NSAW****, which has "analysists". To be replaced by

PHOTOANGLO - NSA/GCHQ project to replace CTX4000 with a nicer radar.
Frequencies ('later' aka 'now') up to 4 GHz (x2). Bandwidth up to 450Mhz
(x10). Slim form factor. <10lbs/4.5kg. Otherwise the same as CTX4000.
Connects to NIGHTWATCH, LFS-2 or VIEWPLATE. 40kdollar cost. (2008, planned
for Q1 2009)

SPARROW II - Embedded computer running BLINDDATE tools. WLAN B/G, CF card,
USB, 4x Mini PCI for GPS and multiple WLAN cards. IBM Power PC 405GPR. 16MB
flash, 64MB SDRAM. Linux 2.4. 2 Hrs of battery life. 6kdollar. Can be
traced to the NSA somehow, so "operational restrictions exist for equipment
deployment". Possibly due to PowerPC usage, those things are kinda rare.

TAWDRYYARD - Beacon RF retro-reflector. Toggles a FET to provide a good
Radar profile. Used to find RAGEMASTER units. Part of the ANGRYNEIGHBOR
family of radar retro-reflectors. Extremely low power consumption. (2008)

GINSU - an addition to BULLDOZER that provides persistence to KONGUR.
BULLDOZER is a physical PCI device. KONGUR is a software exploit for
windows 9x to Vista (and thus 7, maybe 8). Reinstalls on reboot, if KONGUR
was removed by upgrades or reinstall.

HOWLERMONKEY - short to medium range radio transceivers. To be used in
other products. Works in CONJECTURE or SPECULATION networks. Compatible
with STRIKEZONE devices that run a "HOWLERMONKEY personality" (assuming it
means wireless protocol). PCBs are layed out according to needs. 16mm by
16mm is totally possible. Run around 800 USD/each (call for quote I guess).

IRATEMONK - Provides persistence by modifying the Hard Drive firmware to
substitute the MBR (the partition table). I suppose it boots itself first,
then continues with the real OS. Image contains extremely complicated
diagram of operations, showing the following systems: SERUM, RETURNSPRING,
Diode (high/low?), UNITEDRAKE. ROC. SERUM looks lke a processing cluster,
OIM/JSMQ looks like a database, TUNING FORK might be something that
prioritizes data, SSG's pipe is called "scaling" and is also a database.
CDR Diode might operationally split the NSA's systems and the outside
world, a defense unit. UNITEDRAKE must then be a supranational database,
the united part supports that idea. Somehow UNITEDRAKE or STRAITBAZZARE are
used with SLICKERVICAR "to upload the hard drive firmware onto the target
machine to implant IRATEMONK and its payload". Works on FAT, NTFS, EXT3,
UFS with many WD, Seagate, Maxtor and Samsung drives (which controller?).

I've actually read an post about "hey guys, look, isn't this the most
preposterous ridiculous hack?". I believe it was about harddrives. Seems
the NSA took note!

JUNIORMINT - Is a SoC. ARM9 + FPGA (Xilinx XC4VLX25), add 128MB ddr2 , 64MB
SDRAM and 32MB flash. "Uses the TAO standard implant architecture".
"Dramatic performance improvement over HC12 microcontroller designs."
"Ultra-miniature Flip Chip Module (FCM) will be available for challenging
concealments". FCM <https://en.wikipedia.org/wiki/Flip_chip> is highly
unusual! These things might be extremely small! (call for quote) (2008, PCB
by 2009, FCM by 2010)

(the http://papilio.cc/ that I have is only close ;) )

MAESTRO-II - like JUNIORMINT but slower. Says it is a "Multi-Chip-Module",
meaning everything is connected tightly. ($3-4k each) (2008)

SOMBERKNAVE - When an XP machine is not using wifi (it's not connected)
attempts to connect to an access point and allow OLYMPUS or VALIDATOR to
call home. VALIDATOR will also download OLYMPUS if it can. (costs $50k for
some reason) (2008)

SWAP - BIOS and hard drive's Host Protected Area exploits allow periodic
execution before the OS loads. Works on Windows, Linux, FreeBSD, Solaris
(everything except Mac?) with FAT32, NTFS, EXT2, EXT3 or UFS 1.0. ARKSTREAM
flashes the BIOS and TWISTEDKILT writes SWAP into the Host Protected Area
on the harddrive.

TRINITY - like MAESTRO-II but more powerfull. (100 @ $625k)

WISTFULTOLL - plugin for UNITEDRAKE and STRAITBIZZARE for getting Windows
Management Instrumentation (WMI) and Registry stuff. Can work standalone
from a USB drive and get data out that way, or through

SURLYSPAWN -  Data RF retro-reflector. Depending on the level of the
data-line signal it shifts the square wave it produces. Thus becomes
frequency shift keyed (FSK). Presumably the square wave is fed into a FET
again, but the document doesn't mention it. That FET is visibile on radar
and that allows the data to be transferred. Power consumption isn't
mentioned and it's dated "2007, declassify on 2032" but it's date says
2009. Peculiar. Another ANGRYNEIGHBOR type radar reflector.

therefore supported in the TURBULENCE architecture. Communicates over SMS
or GPRS data connections in a covert and encrypted way. Close access
methods are first deployment methods, later the remote installation will be
made. Can do anything with the phone. Anything. (Maybe even activate the
vibrator on funny moments) (In development in 2008, no date seems to be

GOPHERSET - SIM card rootkit. This is crazy. Phase 2+ simcards can make
requests (like sent sms) and are actually minicomputers. This is called the
SIM Toolkit (STK). It can also request Phonebooks, SMS and call logs. It
can be installed through *over the air provisioning* or a USB smartcard
reader. A straw of hope is given when sometimes security keys are required.
How does a company refuse to work with the NSA again? (was finished but
unused in 2007)

MONKEYCALENDAR - As GOPHERSET but gets location data that it politely
requests from the handset.

PICASSO - a modified phone that just leaks everything over SMS. Even room
audio. Seems to be targeted for infiltrators. If someone has had an Eastcom
760c+, Samsung E600, X450, C140 (Arabic or not), suspect him strongly.
(This is why this hurts the NSA)

TOTECHASER - Sattelite phone (Thuraya 2520) exploit. They were still
working on it. Looking for a good deployment tactic, remote too. Mostly
location, contact list and call history at that moment.

Compliant with the FREEFLOW project, supported in the TURBULENCE
architecture. A FRIEZERAMP interface using HTTPSlink2 transport module
handles encrypted communications.

CANDYGRAM - A GSM tower "repeater" that texts up to 200 agents when a
target enters the vicinity of it. "GSM Telephone Tripwire". Wonder what
they ever used this for, SMS isn't very synchronized so operations
shouldn't depend upon it. Maybe it's synchronized if the NSA wants it to be?

CROSSBEAM - Connects a modified (WASABI, it looks like from the picture)
GSM product to a WAGONBED controller board (old version of JUNIORMINT?).
Used to intercept GSM voice and data. CHIMNEYPOOL compliant. Can also
contain a DSP (ROCKYKNOB) that's usefull in some cases. I think it just
listens to nearby conversation and then sends it home. It's a bit unclear
if it's implanted into a tower or carried around or something. Confusing.

CYCLONE Hx9 - GSM(900MHz) Network in a box. TYPHON feature base and
applications, whichever those might be. Hella strong (>32km range). Can
even voip with it. NSA can rent it for 70k / 2 months.

EBSR - Active GSM base station and phone. Also a find-a-phone active unit.
Smallish and portableish (1W). Has LANDSHARK/CANDYGRAM capabilities.
Operational Restrictions exist for equipment deployment.

ENTOURAGE - Software defined radio used to find the directional origin of a
radio message. Actually pretty hard to deploy.  Uses the HOLLOWPOINT
platform. Has "ARTEMIS-like" capability for certain waveforms. Works with
NEBULA for find-a-phone in the GALAXY program. Complicated radio stuff.
($70k) (2009)

GENESIS - regular feature phone except it contains a Software Defined Radio
and additional system memory. Connects over Ethernet cable to a laptop for
downloading collected Radio info. Could be used to find-a-phone like
WATERWITCH, 16GB of internal storage and does well with the ladies. They
want to extend it to be WATERWITCH without depending on TYPHON (or similar

NEBULA - Many protocol Network in a Box. Applications unclear. Operational
restrictions exist for equipment deployment. (apparently it's not so sneaky)

TYPHON HX - Tricked out GSM Base Station Router. Network in a box. Can
geolocate users. You'd say it does more (listening in on conversations at
least) but it doesn't seem clear.

WATERWITCH - E-ink find-my-TYPHON-connected phone device. Last mile stuff.
Like parking backwards but towards a phone. Depends upon the TYPHON.

COTTONMOUTH-I - USB connector with HOWLERMONKEY transceiver, TRINITY and a
USB 1.1 hub. It can be remotely upgraded. It can pretend to be any USB
device, and thus use USB exploits to exploit the OS (persistently). It can
also communicate through a wireless mesh using the SPECULATION protocol. It
communicates with DNT's STRAITBIZARRE covertly.
It can break air-gapped networks.
it "will be a GENIE-compliant implant based on CHIMNEYPOOL."
It fits INSIDE of a NORMAL USB-A connector! Can be made to be in a keyboard
too, then it's called MOCCASIN. (1000k per 50 units) (available 2009)

COTTONMOUTH-II - Functionality as COTTONMOUTH-I except a 2.0 USB hub.
Sneaked into a double USB port connector common on motherboards today. Must
be wire-connected to a wireless transmitter elsewhere in the case.

COTTONMOUTH-III - As COTTONMOUTH-II but with a build in transmitter. Is on
the back of the double USB port instead of worked into it. Can be connected
to a long range transmitter elsewhere in the case, but it definitely part
of the local mesh network.

FIREWALK - Connects to the back of the Ethernet + USB stack that's common
on motherboards. Intercepts IP packets on up to Gigabit Ethernet ports or
even creates them. Connects through HOWLERMONKEY transceivers. Can create
an Ethernet tunnel to the ROC or an "intermediate redirector node such as

RAGEMASTER - Taps the *red channel* on a monitor and becomes as visible to
radar as the signal is strong, IOW: makes the monitor's contents radar
visible. *Is not essential for VAGRANT*, just makes it easier. Advice: when
displaying sensitive data, do it in many colors! Add colorful noise to the
letters, making sure that humans pick it up through the noise. Think of the
colorblind too though. This all will make reconstruction harder. Radar
connects to LFS-2 and a monitor, NIGHTWATCH, GOTHAM or VIEWPLATE. (30$)

Language oddities / intel spills :
"Through interdiction" [x can be implanted], what does this mean, really?
It *should* mean legally approved physical action *I think. *(from IRONCHEF
and others)

"the customer" seems like the NSA is selling this to customers. Who are the
customers? Do they consider other 3letters customers? Are they their own
customers? Naive? Maybe they sell it to companies? (from FEEDTHROUHG)
(note: seems like it's NSA divisions other than ANT, never know though
especially TAO**)

"DNT's BANANAGLEE and CES's ZESTYLEAK" - there seem to be at least two
companies, DNT and CES, with which the NSA works intimately.

CNO means Computer Network Operations
CNA means Computer Network Attacks
PBD means Persistent BackDoor
DNT means Data Network Technologies

* GOURMET is a French word for appreciating delicious stuff (or something
like that) and a Dutch style of eating that has you cooking mini-foods on a
baking plate and eating it right away. I'm not sure this is an
international phenomena, so I thought I'd clarify. (Dutch people in the
NSA? Wouldn't surprise me)

** From another
"Tailored Access Operations, or TAO. This is the NSA’s top operative unit".
This is counter to the believe that "The NSA has no field agents". I doubt
it's the "top operative unit", since it's publicly known. Maybe there's a
little TAO elite circle? Someone make a movie about a TAO unit or two! ~280
operations per year for 2000 agents. Agent count going up (afai can tell).
"NSA works together with other intelligence agencies such as the CIA and
FBI, which in turn maintain informants on location who are available to
help with sensitive missions."; expendable agents! Nice! *Has military
agents*, useful for what again?

*** May I recommend the paranoid and heroic people of *BSD to consider a
method of sanity checking the OS itself while it's running? How to beat the
BIOS, will be the paper's name.

**** all I can find is Naval blahblahblah. The Navy shouldn't be leading in
this operation. I'm not sure who's meant with NSAW.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131231/dcec23ac/attachment.html>

More information about the cryptography mailing list