Replicating the NSA's Gadgets Using Open Source

An anonymous reader writes "Wireless security researcher Michael Ossmann asked himself: 'Could I make the gadgets that the agency uses to monitor and locate mobile phones, tap USB and Ethernet connections, maintain persistent malware on PCs, communicate with malware across air gaps, and more, by just using open source software and hardware?' In this podcast he shares his insights on what to use — and how — to duplicate hardware devices found in the ANT catalog."

No surprise here

In abstract: technology is repeatable

I also wouldn't be surprised if some of the trinkets and software he's looking at were initially made by plugging together a few open source projects just like he's doing. The beta and release models probably have anything with an oppressive license removed, but internal alphas tend to be kludged together from anything available.

Re:No surprise here

[ledow]

Indeed. My greatest use of Open Source, freeware, shareware and other kinds of "free" software is "what if"-type questions. They would be difficult to answer if all that existed were paid-for commercial solutions that you were then tied into.

Do we need Smoothwall in our large school? Hold on, let me bash out a squid + DansGuardian + iptables setup on an old office machine - look, it does roughly this. Great, should we buy the "commercial" product or is this more-than-enough for what we need (and I usually get both answers over time, depending on where I am)? Actually had one school use my box for 5 years rather than pay Smoothwall nearly a grand a year for updates.

Whoops, we're out of MS licenses and we bought a load of netbooks - there you go, have LibreOffice. While you're there, tell me what's wrong with it and why we couldn't just use that everywhere. Nobody ever came up with an answer to that, which really makes me question why we pay MS for Office.

My last one was digital signage. The school I work for had Powerpoints exported to MP4, then put onto a USB stick and plugged into an LG TV with looping turned on. Looked horrible but did the job. They knew it was the bare-bones and were looking for an all-in solution.

I put in a Xibo box as a test and asked if that was closer to what they wanted. Overnight, the LG TV become attached to a PC running Xibo Client. We've tested it running over RDP from a VM and even off a Raspberry Pi. It's bridged the gap between "an old TV showing something" and "stupendously expensive site-wide digital signage system" nicely. And in fact will probably be as far as we go. If we end up having ten displays showing more than 3 or 4 different schedules, I'll be amazed and it will indeed be time to move to a more commercially-supported package. But for now? A £100 TV and £25 for a RPi box with appropriate cabling. Seems to do the trick quite nicely.

We were going to buy a helpdesk system (don't quite know why). Stuck GLPI on, nobody's ever complained and I've been using GLPI for nearly 10 years in various places.

The beauty of open-source stuff is that you can prototype for free, find out whether there is some element that you will NEED to pay for (i.e. better customisability, more scalability, commercial support, etc.) and not worry about the licence interfering at any point. When you throw it all out, or push a working system into wider deployment, the licensing doesn't really affect you. The only point is does affect you is when you try to commercialise it yourself.

My first reaction upon being asked to do something is "Can I find a bit of free/open software that will do that?". If I can, then we can judge our real needs and requirement. If I can't, nothing lost - and it probably is something that takes a lot of commercial backing to make viable, but at least I know that.

Especially in schools, some bits of free/open software are ubiquitous precisely because they are "good enough" - GIMP, Irfanview, Audacity, Blender, etc.

And when prototyping anything, I tend to find someone's already beaten me to it, and usually by cobbling together open components.

Even the open-source projects, most of the time someone's just cobbled together a lot of other open-source projects and their functionality and just lumped them into one convenient package or written a front-end that relies on dozens of other projects in order to reduce the strain.

If the NSA *AREN'T* using open-source (or some agency-equivalent in a private secure codebase) in a modular manner to build both hardware and software for their "one-off" kinds of devices, then they really need to pull their finger out.

Re:No surprise here

Actually had one school use my box for 5 years rather than pay Smoothwall nearly a grand a year for updates.

Nearly a grand a year is barely nothing. Especially for firewall updates. Thats what, 10 hours of your time over the course of a year? Did you do 10 hours a *year* to support your solution? If so you don't value your time enough.

Cobbling together open-source stuff is great, but it has to be a cost benefit analysis. 1 grand a year is peanuts for a product, support and updates.

Re:No surprise here

[ledow]

£100 (GBP, notice, not USD) per hour in a school (note, UK schools are schools, for children, not universities or colleges)? You must be kidding.

And beside that, the box ran maintenance free for 5 years. The only changes we ever made were to block specific things we suddenly decided now needed to be blocked (and thus would have the same cost on the Smoothwall solution).

That was one of the points that stopped us buying - the fact that we'd not needed to maintain the "prototype" machine and it has just kept running. There was even a "what happens if the box dies" plan that never went into action because, well, it's still running now for all I know.

Please note also that Smoothwall will often charge a lot more - i.e. for a 19" rack mount box to install this junk on, and initial purchase price. The last quote I saw for a similar-size school this year was £9000 all-in for the first three years.

Given the 2 hours to build it (even compiling Squid from scratch to do transparent proxy properly), the other stuff it did, and the old office server it was running on, I work that out at £4500 an hour. If I was earning that, I wouldn't be working for Smoothwall or schools...

Re:No surprise here

[mythosaz]

Whoops, we're out of MS licenses and we bought a load of netbooks - there you go, have LibreOffice. While you're there, tell me what's wrong with it and why we couldn't just use that everywhere. Nobody ever came up with an answer to that, which really makes me question why we pay MS for Office.

Nobody? Are the people at your school dumb? There are plenty of reasons that LibreOffice is inferior to Microsoft Office. The discussion's been had a thousand times. LO might work for you and your students, but don't pretend that it's an apples-for-apples replacement.

My last one was digital signage. The school I work for had Powerpoints exported to MP4, then put onto a USB stick and plugged into an LG TV with looping turned on. Looked horrible but did the job. They knew it was the bare-bones and were looking for an all-in solution.

I put in a Xibo box as a test and asked if that was closer to what they wanted. Overnight, the LG TV become attached to a PC running Xibo Client. We've tested it running over RDP from a VM and even off a Raspberry Pi. It's bridged the gap between "an old TV showing something" and "stupendously expensive site-wide digital signage system" nicely. And in fact will probably be as far as we go. If we end up having ten displays showing more than 3 or 4 different schedules, I'll be amazed and it will indeed be time to move to a more commercially-supported package. But for now? A £100 TV and £25 for a RPi box with appropriate cabling. Seems to do the trick quite nicely.

Maybe I'm missing something, but it seems they had an simple solution, and you made it complicated. Perhaps you should have simply had them export the PowerPoint to a series of images, since those would have cycled nicely from the LG TV on the stick.

The beauty of open-source stuff is that you can prototype for free, find out whether there is some element that you will NEED to pay for (i.e. better customisability, more scalability, commercial support, etc.) and not worry about the licence interfering at any point. When you throw it all out, or push a working system into wider deployment, the licensing doesn't really affect you. The only point is does affect you is when you try to commercialise it yourself.

My first reaction upon being asked to do something is "Can I find a bit of free/open software that will do that?". If I can, then we can judge our real needs and requirement.

This I agree with, up to here...

If I can't, nothing lost.

Time has value. Your solutions above seem to include a lot of it.

Re:No surprise here

Nobody? Are the people at your school dumb? There are plenty of reasons that LibreOffice is inferior to Microsoft Office.

That may (or may not) be true, but the question was why they couldn't use it everywhere, not why everyone can't use it. I personally haven't used Microsoft Office in over a decade and never missed it. Does that make me dumb, too?

Re:No surprise here

[mythosaz]

That wasn't his assertion.

He said:

Whoops, we're out of MS licenses and we bought a load of netbooks - there you go, have LibreOffice. While you're there, tell me what's wrong with it and why we couldn't just use that everywhere. Nobody ever came up with an answer to that, which really makes me question why we pay MS for Office.

It worked for his students, but nobody could think of a single reason why they couldn't use it everwhere. If that's true, they're dumb.

I personally haven't used Microsoft Office in over a decade and never missed it. Does that make me dumb, too?

This is the internet, and everyone's a special snowflake.

LibreOffice is only a substitute for Microsoft Office in a limited number of places. I'm happy that, for you, your needs are served by it.

Re:No surprise here

It worked for his students, but nobody could think of a single reason why they couldn't use it everwhere. If that's true, they're dumb.

...or it filled all of their needs and they didn't need Microsoft Office. In which case, you're a fool who's assuming far too much. That does seem rather likely, in this case.

Re:No surprise here

"...or it filled all of their needs and they didn't need Microsoft Office."

That's the thing isn't it. Laptops for school use. If everyone in the school is using the same product, then any funky compatibility/formatting irregularities won't really be an issue. It's unlikely they'll be doing anything more than plotting some points in a spreadsheet and maybe doing some slightly more complex nested if statements anyway.

Re:No surprise here

[TemporalBeing]

Whoops, we're out of MS licenses and we bought a load of netbooks - there you go, have LibreOffice. While you're there, tell me what's wrong with it and why we couldn't just use that everywhere. Nobody ever came up with an answer to that, which really makes me question why we pay MS for Office.

Nobody? Are the people at your school dumb? There are plenty of reasons that LibreOffice is inferior to Microsoft Office. The discussion's been had a thousand times. LO might work for you and your students, but don't pretend that it's an apples-for-apples replacement.

And there's plenty of reasons why it is also superior to Microsoft Office, but don't let that get in your way.

The only real compelling reason to continue using Microsoft Office is if you are tied to a specific feature set, plugin, etc used and supported by Microsoft Office. Most everything can be ported over with minimal effort.

laws of physics Yes, laws of your state, No

Yes, but anything messing with a cell phone is illegal unless you are above the law (law enforcement, Government etc.) It is even illegal to have a police scanner or radar detector in some (police) states.

Re:laws of physics Yes, laws of your state, No

[Chrisq]

Yes, but anything messing with a cell phone is illegal unless you are above the law (law enforcement, Government etc.)

Not your own cellphone for proof of concept surely?

Re:laws of physics Yes, laws of your state, No

[mariox19]

surely?

You must be new around here. Let me be the first to welcome you to the United States of America.

Re:laws of physics Yes, laws of your state, No

Just buy one of those creditcard sized GPS modules with a cellphone included, for 20$ or so on aliexpress.
Add a prepaid sim to it an you can silently sms it and get the location back, with another sms you can listen in etc.

Re:laws of physics Yes, laws of your state, No

your Latin is off methinks

National Security

[mfh]

If the NSA does it, hey that's national security and they are allowed to do anything.

If you do it, you're going to be spending the rest of your life in a 10' cube for national security.

Re:National Security

You must be new here. If you do it, you and your house will be democratized via a fancy model plane.

Re:National Security

If it's on my property, including the immediate airspace over it, I can legally shoot it down.

Re:National Security

You go ahead and shoot that plane down and tell us all how that works out for ya.

lately thats not been possible.

[nimbius]

the NSA's gadgets, to date, have been secret courts and gag orders. Anyone with a crowbar and a laptop can certainly wiretap an entire neighborhood, but it takes real skill to engineer a series of legal and political precidents and procedures around the power to get away with it. so, lets take a stab at it slashdot!

what i propose is an open-source means of manufacturing consent at the senate and congressional levels of government. The license for ensuring the president and cabinet members acquiesce to everything from rendition to secret torture camps should probably be 3-clause BSD. Warrantless GPS surveillance can use GNU radio, but the technology to forcibly demand the tracking device be returned should be licensed GPLv3. Im still stumped as to how we're going to get a CC licensed version of a gag order from a secret court

Lets make problems worse.

[jellomizer]

Why bother trying to solve problems, lets just make them so much worse.

OK yes the NSA did a lot of illegal things and used/misused tools to gather information that they shouldn't have, and they have a problem being a secret organization of having the correct checks and balances to keep them in place.
So instead of putting brain power into figuring out how to make such organizations more trustworthy and deserving to be trustworthy. Lets just take all their tools and tricks and give them to the general public. Where any kid with some free time and the trendy hatred of "The Man" can get their hands on it, and use it to cause all sorts of problems.

If you are concerned about your privacy giving these tools to the public is just a bad idea. Sure the black hat argument, if we break in then they will have to fix it and make it more secure... But can they really always do that, Not all software and PC's are equal in security needs.
But that is like saying we should all drive armored cars, carry guns, and live like a military personal because there are some kids who just want to destroy things because they can and makes them feel like a big man.

Re:Lets make problems worse.

yeah, because using a decent authentication framework and encryption libraries
is just like driving and armored car with a 50 caliber mounted gun

if the NSA can make a thing, a teenager can make that thing, or a chinese spy,
or a retired polish postal worker. I don't understand how you people still
believe that ideas can only appear once and are somehow containable

Re:Lets make problems worse.

[drinkypoo]

instead of putting brain power into figuring out how to make such organizations more trustworthy and deserving to be trustworthy. Lets just take all their tools and tricks and give them to the general public

False dichotomy. Some believe that the only way to do the first thing is to do the second thing, not just in the interests of disclosure but also simply education. How are you going to learn to defend against the attacks without the attacks to practice against?

Re:Lets make problems worse.

Yeah, if the NSA stuff become the stuff of script kiddies, then it is likely that defenses will HAVE to be erected.

Re:Lets make problems worse.

[TheCarp]

> If you are concerned about your privacy giving these tools to the public is just a bad idea. Sure the black hat
> argument, if we break in then they will have to fix it and make it more secure..

I think you believe your own straw man.

What is being assaulted here is the relative bubble the NSA operates in. You see, if the NSA develops a tool, that is them. Its tradecraft, its keeping us safe, its under control. They have it, we have no proof anyone else does. No "real" problem...just an "academic" problem of us whiny people complaining about "rights".

However, when someone produces it and shows how easy it is, its no longer the NSA in a vacuume, its anybody with a few bucks. `The thing is....this isn't special. If you really, truely want these devices, you can, for the most part, build them yourself with time. That is true now, it was true a few years ago.

The only real difference is how plausible the deniability is when someone claims that its hard or it requires sophistication to some huge level. It isn't true, its not been true for a while, and it is high time to dispel that myth.

Fact is, the risk is already out there. We already see specialized hardware attacks on ATMs. We have already seen "evil maid" attacks on laptops of Poker players: http://securitywatch.pcmag.com...

I don't think informing people with concrete examples of the real threats and popping the bubble around the NSA is really a bad thing. The "bad guys" of whatever flavor you imagine, already have these tools and no qualms about using them.

Re:Lets make problems worse.

Making everything worse is like letting a alcoholic/drug user hit bottom.

Sure, 1% of the time they OD and don't come back, but telling someone addicted to something to try moderation simply does not work.

They need to see what happens when _everyone_ starts using their tools, methods and the rest to see why _they alone_ shouldn't be doing it.

Maybe we're the 1% who'll go down the rabbit hole, but I'd rather everyone be watching everyone and realize how wasteful it is than to try to pretend a cure is available for the ludicrous society whose idea of security becomes warped beyond all recognition.

Ok wait, hang on

[Sycraft-fu]

Is there any evidence of this "air gap malware" crap? Yes I remember there was a preliminary story on Slashdot... I don't remember any followup, any proof, just some wild ass speculation.

Is there any evidence that such a thing actually exists?

Re:Ok wait, hang on

Yes

there have also been multiple proofs of concept that don't rely on hardware implants, like this one.

Re:Ok wait, hang on

I have a bridge to sell you...

Re:Ok wait, hang on

[fulldecent]

It is audio exfiltration, not audio infection. Not very oh-my-god stuff here.

Re:Ok wait, hang on

Possibly.

I saw an air-gapped rapid prototype system built using two PCs communicating via the built-in speakers (baseband frequency outside of human hearing using software radio techniques).

So, I'd say it's possible but the conditions required for such as system would need to be optimal for a run of the mill computer (e.g. very short range, relatively high power). The actual bandwidth would be low, as well. As in ~bits per second bandwidth.

Does it exist in the wild, possibly. Would it be useful, don't know...

Re:Ok wait, hang on

[Sycraft-fu]

The claim made was reinfection via audio. However, as I said, I've seen no proof. Nor, for that matter, any proof on the audio exfiltration malware. Just the one sensationalist preliminary article and no followup.

Hence why I'm interested if there is actually any more information, or if this is just more Internet echo chamber where one unfounded report becomes an Absolute Truth(tm).

Re:Ok wait, hang on

If you used 1kHz at the top of the audio range it would basically be inaudible. Even using only 2-QAM that's a good kbps. You'd have to be doing something seriously wrong to only get bits per second, like morse code or something.

This is a good way to get a bidirectional link between a phone and a home-made peripheral, too. On a wired link with 64-QAM over the full 20kHz (plus stereo) you could get up to 240kbps each way, which is overkill for most Arduino-type projects.

Re:Ok wait, hang on

[nospam007]

"If you used 1kHz at the top of the audio range it would basically be inaudible. "

But it might annoy some teens, an added bonus.

Re:Ok wait, hang on

[phantomfive]

My understanding of the claim was that once the computer was infected, it used inaudible sound to communicate. Also, AFACT it was nothing more than an experimental project. Nothing particularly interesting.

Re:Ok wait, hang on

[rtb61]

Air gap espionage I thought that was the pet project of the CIA, with MK Ultra suspected as still running as an off balance sheet semi-privatised but fully politicised entity, undoubtedly doing some very strange things, with some very strange people. Not so much cooperating with the NSA but in competition with them. One wanders if the NSA will start shifting some research efforts into that whole mind control area, as that is one remaining area that have as yet failed to tap.

Re:Ok wait, hang on

> The claim made was reinfection via audio.

No, at least not from the guy who claimed it was happening to him. You do everyone a disservice by misrepresenting his claims. Maybe you are just genuinely ignorant or maybe you are doing it out of a sense of intellectual superiority, I don't know. But neither is a good reason.

Podcast Spam

[ilikenwf]

Really, this is just promotion of some podcast.

No, This is the First Step in Fixing the Problem

OK yes the NSA did a lot of illegal things and used/misused tools to gather information that they shouldn't have, and they have a problem being a secret organization of having the correct checks and balances to keep them in place.
So instead of putting brain power into figuring out how to make such organizations more trustworthy and deserving to be trustworthy. Lets just take all their tools and tricks and give them to the general public. Where any kid with some free time and the trendy hatred of "The Man" can get their hands on it, and use it to cause all sorts of problems.

First, it can be argued that, to solve a problem, you must first understand it. Knowing how the NSA is violating our privacy at a technical level is the first step in preventing it.

Second, if having our Dear, Beloved Leaders violate our privacy and constitutional rights is not enough incentive to find solutions to these issues, then maybe having every script kiddie able to do the same might result in some resources being put into place to solve this problem, particularly with respect to corporations who have been actively facilitating this nonsense in the past (*cough* Microsoft, *cough* Cisco, etc.).

So while the short term pain might be a bit unpleasant, it seems to me the long term, much needed changes are probably well worth it.

Just use GNU Radio...

...it was funded in part through a CRC grant from the NSA.

(Yeah, I'd dig up the citation if I wasn't on my phone.)

parent post [score: 5, Frighteningly Accurate]

funny cuz its true

Spying, no matter what justification, results in t

As per subject line. Also just because non naturally understandable radio waves can pass through you, that gives you no right to use a device to understand the content of the transmission, if you are not the intended recipient of that transmission. If you do use equipment to understand the content not intended for you, then you are guilty, the punishment being death.

Spying subject line.

Spying, no matter what justification, results in the death of the Spyer.

Please be careful

[ctrl-alt-canc]

Duplicating the gadget can be very dangerous!

NSA has weakened national security

[IDtheTarget]

I'm wondering when somebody in congress will initiate legal action against the NSA for weakening national security.

It's generally acknowledged by now that the NSA has intentionally weakened various cryptographic algorithms, including AES. I'm responsible for various WAN links at my organization, and they use AES-256 IPSec tunnels to secure the traffic. That traffic is extremely sensitive in nature. The NSA may have intended to only allow themselves to crack this encryption, but how am I supposed to know that some other hacker hasn't figured out how to take advantage of the NSA's actions? How do I tell my director that our data is secure, and that we're meeting state and federal regulatory requirements?