NSA has a 50-page catalog of exploits for software, hardware, and firmware


#1



#2

I don't get it. Is it an outrage that spooks have tools? Or that they put them into a catalog? After the huge things Snowden has already revealed, it's kind of bathetic.

EDIT:


#3

Did you mean pathetic or do you think the spies are sentimental about the tools? If the latter, that is obscene.

So I have a new word, thanks.


#4

It was pretty obvious that something along those lines existed, but it is nice to have specific names. At least now there is hope that some of those who supported the American security apparatus or made only lackluster efforts to resist it will pay for that.


#5

I wonder if the Chinese government bakes any exploits into the electronic products that are assembled in China and shipped to the rest of the world, like laptops and hard drives. Or maybe the NSA is just making me paranoid.


#6

Actually, that's been suspected, one of the major manufacturers, Huawei, is entirely owned by the People's Liberation Army.

Heck, they've even BRAGGED about it. . .

http://chipsecurity.org/2012/06/china-tech-company-brags-we-hack-u-s-telecoms/


#7

Dang, they found my secret ANT group. Yes, I am a NSAgent. All your data is belong to me. [grin] 😛


#8

And in other news, the sun comes up in the East.


#9

Interestingly the San Antonio NSA facility they show an image of in the article gallery is located at Sony Place, which was a full CMOS fabrication facility for Sony consumer devices. Obviously those lines were liquidated before the building was put up for lease, but the article is talking about exploiting firmware and BIOS -- and that building is designed for production of the sort of "chips" (bipolar CMOS manufacturing) that could be supplied to (and I'm just using this as an example from the article) Western Digital as an NSA-compromised drive controller chip of some kind.


#10

Does re-flashing a bios wipe out the infection?

Does the catalog mean that they mostly employ script-kiddies to conduct exploits?


#11

It certainly doesn't match the magnitude of the information concerning what they use those tools for; but it's an area of concern (and interest, if one is even peripherally involved or interested in the business or implementation of computer security) because this isn't the old days where 'military' or 'foreign' systems are some special category of bespoke hardware, almost totally separate from stuff everybody else uses and built to order:

Thanks to globalization and economies of scale, if you want to crack a switch, or a server, or some other widget, odds are very good that the toolkit you'd use (and the device you'd use it against) in the far corners of the earth will be virtually identical to the ones in homes, offices, and equipment racks right here.

BIOS/UEFI malware? Cross-platform compatibility in that sector is pretty dreadful, even between assorted x86 boards; but the entire world is basically covered by AMI, Phoenix, Insyde, and Intel, with AMD and various OEM-specific BIOS customizations licensed from the big players making up the difference.

HDD firmware attacks? There are basically three extant manufacturers, worldwide, with some oddities left over from comparatively recent deaths and mergers.

OS and application attacks aren't likely to be all that much more diverse.

Punchline is, if the NSA has something neat in the toolbox, it almost certainly works equally well on you, our good buddies, our less good buddies, and people we are currently shooting at. There is effectively zero diversity or political/cultural targeting with many core IT components.

Further, if the NSA has something neat in the toolbox, that means that one or more vulnerabilities that make that attack work are being deliberately hidden, possibly even deliberately encouraged, by the entity ostensibly responsible for American electronic security. Even if Uncle Sam doesn't come for you, pretty much every attack in the box represents one or more vulnerabilities that you and yours continue to suffer from because the NSA wants them to work more than it wants US vendors and users to be secure against any attacker who figures them out.

Even if you are 100% confident in the NSA's Good, Upstanding, Totally Patriotic choice of targets, that's a pretty serious issue: the NSA is smarter than average; but the world is rife with other intelligence outfits (and merely economic malware and bot-herders), about whom you definitely should not be comfortable. Are you confident that the NSA's ability to read everybody's email is doing you enough good to counterbalance the fact that they are (deliberately) ignoring vulnerabilities in the products you use that they could be helping to fix?

It's that bit that is really where the second issue opens up.

Most of the Snowden leaks, as documented in the press so far, have been about 'Apparently the NSA considers the 4th amendment to cover thoughts that you don't think too loudly, and not much else.' and 'We in the US keep our enemies close and our friends closer still'.

These reports concerning technical capabilities and approaches emphasize that (far from being a general friend of security, as it turns out to have been in the 3DES days), the NSA is now actively unhelpful to the cause of system security worldwide, in the service of being able to crack more stuff. Even if you 100% trust their motives, and the goodness of their direct actions, that's still a pretty risky stance for them to be taking. Even if I think that what they do is great, and that privacy and diplomacy-related criticisms are nonsense, am I comfortable with the thesis that their ability to crack additional targets benefits me more than their assistance in making my systems less crackable would? Is America enough better off for being able to read foreign email to make up for being seen as a purveyor of deliberately toxic products?


#12

Depends: a BIOS is a physical block of flash ROM somewhere, and it isn't magic, if you wipe that block and replace it with a clean image, it's good.

However most hardware sold to consumers, or businesses, or outside of electrical engineers and hobbyists, tends to handle the flashing process for you. You basically get to watch the little progress bar advance across the screen, and the version number change on next boot. You certainly wouldn't doubt that your possibly-compromised system quietly compromised and/or ignored your instructions to flash a clean ROM while agreeably announcing a successful reflash, would you? That seems sort of paranoid, doesn't it? Your tinfoil a little too tight? (Yes, yes you should be concerned about this).

Flash ROMs are moderately well standardized (in terms of form factors and interface protocols), so any device that allows you to get access to the raw flash chip and pop it into your own reader/writer can be rendered more trustworthy at the cost of some inconvenience; but flash embedded in the same package as other components is messier to get access to.

There are, presumably, a variety of 'anti-virus' like indirect attacks (whatever function the code on the flash chip serves, there will be at least a few ways of poking at it and getting responses; the paranoid user would be motivated to take a 'good' sample (for each available firmware version), probe it as exhaustively as possible, and develop a 'fingerprint' of the code's behavior). Then, when faced with a 'doubtful' device, you could force the potential malware to not only function; but to exactly match the 'fingerprint' of the un-bugged firmware (not necessarily impossible; but more challenging, possibly substantially so) and force any 'fake-update' persistence mechanisms to deal with the fact that firmware updates are made in order to fix some issue or other, so the 'fingerprint' of one version should differ from that of another. Not 100% foolproof; but it would raise the bar against the attacker.

(If you were attracting special attention, of course, you should probably make friends with someone like Chipworks, who can do X-ray analysis, decapping, die-level analysis, and other messy teardown stuff. Because some of the common flash ROM package types are somewhat historical, and very much oversized for today's silicon, it would be doable to cram substantially more into, say, a PLCC32 package than just a few MB of flash. It wouldn't be a cheap part, especially on a short run; but building something that looks and acts exactly like a normal PLCC32 BIOS/UEFI flash chip but actually contains enough flash to store a bunch of BIOSes, plus a microcontroller doing who-knows-what, would be very doable indeed. Put one of those puppies in a motherboard in place of the expected BIOS ROM chip, and nothing short of some X-ray imaging and a physical teardown will reveal what you are up to...)

(Oh, look what just came up... SD cards are more sophisticated beasts than the flash ROMs usually used on motherboards; but just look at what you can do: full, persistent, subversion of the card's behavior without any physical modification. Definitely nothing wicked to be done with that...)

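The out-of-band check that post #12 sketches, written out as an added example (this is not code from the thread or from any vendor): read the flash chip with your own programmer before and after a reflash, fingerprint each dump, compare it against the vendor images you trust, and report which regions differ. The chip size, the two "vendor" images, and the tampered dump below are constructed sample data; the 4 KiB reporting granularity is a hypothetical choice.

```python
"""Verify a firmware reflash from two out-of-band reads of the flash chip.

Assumptions (not from the thread): you can dump the raw chip with an external
reader/writer, and you hold a set of known-good vendor images to compare against.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

BLOCK = 4096  # hypothetical granularity for reporting differing regions
CHIP_SIZE = 64 * 1024  # constructed: a small 64 KiB BIOS ROM


def fingerprint(image: bytes) -> str:
    """SHA-256 of a whole dump: the 'fingerprint' of one firmware version."""
    return hashlib.sha256(image).hexdigest()


def build_known_good(images: Dict[str, bytes]) -> Dict[str, str]:
    """Map version -> fingerprint for every vendor image you trust."""
    return {version: fingerprint(img) for version, img in images.items()}


def identify_version(dump: bytes, known_good: Dict[str, str]) -> Optional[str]:
    """Return the trusted version whose fingerprint matches the dump, else None."""
    fp = fingerprint(dump)
    for version, good in known_good.items():
        if good == fp:
            return version
    return None


def diff_regions(reference: bytes, dump: bytes, block: int = BLOCK) -> List[Tuple[int, int]]:
    """Block-aligned (start, end) byte ranges where dump differs from reference.

    Adjacent differing blocks are merged. A size mismatch cannot be compared
    blockwise, so it is reported as one region spanning the larger image.
    """
    if len(reference) != len(dump):
        return [(0, max(len(reference), len(dump)))]
    regions: List[Tuple[int, int]] = []
    for start in range(0, len(reference), block):
        end = min(start + block, len(reference))
        if reference[start:end] != dump[start:end]:
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)  # extend the previous region
            else:
                regions.append((start, end))
    return regions


def verify_reflash(before: bytes, after: bytes, expected: bytes) -> dict:
    """Judge a reflash from dumps taken before and after it.

    content_changed=False means the chip reads the same as before, so a
    'successful reflash' message from the host proved nothing. matches_expected
    is the real acceptance test: the chip now holds exactly the trusted image.
    """
    return {
        "content_changed": before != after,
        "matches_expected": after == expected,
        "differing_regions": diff_regions(expected, after),
    }


# Constructed sample images: repeating 32-byte patterns stand in for real firmware.
_p1 = hashlib.sha256(b"constructed vendor image v1").digest()
_p2 = hashlib.sha256(b"constructed vendor image v2").digest()
GOOD_V1 = _p1 * (CHIP_SIZE // 32)
GOOD_V2 = GOOD_V1[: CHIP_SIZE // 2] + _p2 * (CHIP_SIZE // 2 // 32)  # upper half rewritten
KNOWN_GOOD = build_known_good({"v1": GOOD_V1, "v2": GOOD_V2})

# Constructed 'doubtful' dump: v1 with a single byte altered at offset 0x1234.
_t = bytearray(GOOD_V1)
_t[0x1234] ^= 0xFF
TAMPERED = bytes(_t)

if __name__ == "__main__":
    print("tampered dump identifies as:", identify_version(TAMPERED, KNOWN_GOOD))
    print("regions differing from v1:", [(hex(a), hex(b)) for a, b in diff_regions(GOOD_V1, TAMPERED)])
    print("reflash that changed nothing:", verify_reflash(TAMPERED, TAMPERED, GOOD_V1)["content_changed"])
    print("reflash to clean v1:", verify_reflash(TAMPERED, GOOD_V1, GOOD_V1)["matches_expected"])
```

The whole-image hash is deliberately strict: a one-byte change anywhere fails identification, and `diff_regions` then tells you where to look. Comparing two physical reads is what defeats the "progress bar advanced, version number changed" illusion the post warns about; a host-reported success with `content_changed` still false is exactly the case to distrust.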

#13

And here's a nice source of insomnia, even for the most knee-jerk DOJ apologists: have our weapons ever been turned against us? How's it going to work out when it's Mastercard v. the Russian Mafia, and the Russians have all the NSA toys? I know, I know, Bruce Sterling already wrote it, probably back in the 70s.


#14

You boil it down a lot better than I did; but that's basically my "Why stories about the toolbox are legitimate alongside stories about what they do with it" point in a nutshell. If the NSA wants sweet offensive toys, they are knowingly leaving all sorts of nasty vulnerabilities on the table (as well as deploying cool weaponized exploits, some of which will eventually be found and passed on).


#15

A government department has come up with a computer project that does not waste tens of billions of dollars delivering something that does not work ten years late, when three people in a garage could have done better? Having done the development, they then share the results and the costs with other departments in an intelligent manner?

Is it just me, or has the world gone particularly topsy-turvy lately?


#16

gimmicked monitor cables that leak video-signals

So that's why HDMI cables and connectors are so bulky and unwieldy.


#17

Well said, ff, well said.

And that quandary has now placed us in the unenviable position of having business, the military, politicians, and foreign governments, and the general public all at one another's throats. In this country? Capitalism ordinarily triumphs, so the odds favor business getting its way as usual. But which side will it be? Those raking it in from government contracts, with all the political pals they have courted and won along the way? Or those objecting to its effects on the broader business picture and the bigger bucks they represent? This isn't Kansas - perhaps principled citizens play clean, but business is typically much less concerned with that and will fight dirty if necessary.

I also have to wonder about what happens when those current employees with access to all those tools leave the NSA? That's a gold mine, to some. Whether they use it to steal and/or sell information, is less a question of whether and more just a question of when and how much.

The Fourth Amendment says, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

I note that the amendment does not capitalize, as in 'The People', to designate the collective. It uses small case 'the people' - which any ordinary parse would render as referring to individuals. Meaning you and I should each be secure in our persons, etc. - rather than that anything and everything promising to keep the whole country 'secure' gets a pass.

