NYT: Snowden docs reveal NSA has radio pathway into computers, to spy even when device is offline




In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user.

One of the basic tenets of computer security is that if an attacker has physical access to the hardware, all bets are off.

I’d be interested to hear what those ‘other’ cases are, though.

Oh, wait, did I say interested? I meant ‘remain blissfully unaware of’ of course.


I’m attempting to figure out how something the size of a tiny Bluetooth transceiver or cache DIMM (based on the description of such devices in the article) can transmit for miles with any real consistency, especially if placed inside of a computer case with metal shielding.

I have a tech/nocode ham radio license. Only once and in favorable weather conditions have I spoken across-town with a 5W 2m/144MHz ham radio. Admittedly, speech is more complicated than Morse code, but meaningful communication over distance with a remote transceiver will be very slow if it’s limited to the size of a device as described, and will further be hampered by the problem of remaining clandestine. Longer wavelengths at lower frequencies exist, but generally require bigger antennas. Small, small antennas that could fit into a flash drive would be best suited to high frequency transceivers.

While it’s possible to provide preset macros or instructions and to trigger those complicated commands with simple triggers, retrieving data could be very hard over radio. If the compromised computers are being used for data collection from experiments, or for storage of sensitive documents, or for other kinds of storage, it could be essentially impossible to retrieve many large files.

I have a difficult time believing these claims. I don’t outright dismiss them, but at the same time I find it technically difficult to achieve what they’re talking about in the way they’re talking about it working.


Better title:

NYT: Snowden docs reveal NSA possibly implants hardware into computer that can communicate with the outside world even when other radios are turned off.


Well, assuming that they’re not pre-compromised, there are a few things to make this less of a problem.

First, if the hard disk manufacturer and the computer BIOS manufacturer have devised a method to password-protect the hard disk drive through the BIOS as Dell has, then passwords put on the drive are essentially unbreakable in the short-term, again, assuming that the method isn’t pre-compromised. This should protect the hard disk drives from being removed and read.

Second, using filesystem encryption. Redundant to hard disk drive passwords, but in the event that the hardware drive password is compromised or somehow the kernel is crashed to allow a soft boot to another OS it would prevent a different kernel from getting access to the data on the exposed drive.

Third, if I/O is secured (i.e., no conventional high-speed or bi-directional hardware interfaces enabled) and if proper network security is practiced in the network interface, then there shouldn’t be methods by which to compromise the computer while it’s running. This may require selecting models that can still be used while secured (i.e., PS/2 ports for keyboard and mouse, and no USB enabled, serial and parallel disabled) but if there are no physical interfaces that can be exploited then there are fewer vectors to get to the OS in a means other than by those requiring credentials.

Fourth, the OS kernel needs to be configured to not plug-and-play any newly-discovered hardware, whatever that type of hardware may be. As some motherboards can handle PCI cards being inserted without leading to an OS crash, it would be in the interests of the organization to keep the computer from recognizing or making use of any added components.

This all is contingent on the use of the computer preventing malware from being installed or on keeping an agent with credentials from getting access to it, but if users are not given too much access and if the IT department is diligent in their maintenance then it should be less of a problem. If a computer is important enough to not have a route to the public Internet or to not have any network access whatsoever, then it should be important enough to justify fairly considerable expense in its maintenance to ensure that it remains secure.


The transceiver can’t transmit for miles. But it only needs to transmit a few feet to the relay station ‘nightstand’ in a briefcase nearby.

What this means is we are going to have to build faraday cages round some of the open source crypto hardware that is being worked on. But we were probably going to do that anyway.

It’s like getting a correspondence course in advanced malicious crypto.


Exactly. This kind of attack defeats air-gapping a network or machine, but it is actually a return to classic physical-access attacks first seen in the infancies of computer networking, when you’d install extra hardware in someone’s machine.


The engine controller on my '78 Chrysler Cordoba was a simple computer, with components soldered through a simple printed circuit board. It was called “Electronic Lean Burn Ignition”. After manufacturing the circuit boards and assembling, they coated the boards in a half-inch thick layer of some epoxy-like substance to prevent modification to the boards.

One may not need to use a Faraday cage to protect the crypto hardware. It may be enough to build it onto a very short-height PCI card, install it onto a motherboard, and to then coat the entire motherboard and all unnecessary interfaces in an inch of epoxy; then it may be unnecessary to use a Faraday cage as there would be no practical way to install radio hardware onto the motherboard.


That substance would be the rich Corinthian leather.

(Sorry, couldn’t resist)


Yes, there is a company, Reynolds Advanced Materials, that sells the stuff. I have used it. My dalek is made from epoxy GRP. But the protocol in question is for a particular purpose where we want to have verifiably tamper-evident, verifiably airgapped equipment for purposes such as generating curves for EC. So the last step is the verified physical destruction of the device. Currently looking at reducing it to powder with a belt sander then disposing of the residue by mixing with thermite.


Except: The NSA has a $250M/y budget some of which pays manufacturers to subvert machines being sent to target organisations before they leave the factory. Coating the devices with epoxy may not be going to help if the hack is built into the board itself by Dell and is enabled by populating the motherboard slightly differently during manufacturing, or according to the BIOS loaded, etc. - if you do use epoxy, remember to load the epoxy with copper powder so that it absorbs radio waves being emitted from the unit, as well as preventing physical access.


How much or what components are necessary to destroy, and isn’t this a bit excessive in the amount of destruction needed?

If it is needed, has using an off-the-shelf plasma cutter been considered? If you need to destroy a drive platter or a controller chip or a memory chip, it should be a lot faster than using a multistep process like a sander and thermite, and probably safer too…

I assume that natural sources of randomness have been considered. I’ve heard of using wind speed and direction from a localized outdoor weather station or sampling sound in a noisy place like near a waterfall or in a crowded public area. How has that type of thing gone?


How much computing power is needed in a secure environment? If equipment that’s three years old is powerful enough (and bear in mind that there’s a lot of really powerful stuff that’s three years old) and has been depreciated and surplussed by its original owners, then that equipment could be obtained through the original owners’ property disposal processes in a fairly anonymous manner.

Many companies only want computers that are under warranty, regardless of these computers being workstations, commercial servers, or industrial computers. I’ve quite happily operated with surplussed computers at home, I would think it’s practical to operate in a bigger sense if someone with some sense is involved in the procurement process.


The NYT article has an illustration with a transceiver inside a USB cable. That could work as a 1 to 3 metre long antenna, depending on the length of your cable.


Your figure is way off. The NSA has an annual budget of about $10 billion. Of course, this is actually still classified. It came out with the Snowden documents.


I hadn’t considered that aspect. My 2m HT has an antenna that’s about 20cm long, so I suppose that it wouldn’t be impossible to do it, only difficult, though it would require USB to be enabled on a port that is harder to see, and many manufacturers allow rear ports to be disabled. The real trick would be routing the antenna wire so that it’s not significantly interfered with by power and also not terribly obvious that it doesn’t connect to anything.


Epoxy might be OK for 1978 electronics, but computer motherboards produce a lot of heat that needs to be dissipated.


Yeah, we can’t afford health care or basic support for our elderly, poor, or disabled, nor quality education, or, or, or… now we know yet another reason why. :(


Typical. We waste our tax money on these USB bugs, and yet the NSA remains unable to penetrate the defences of a single enemy from Skaro.


Um… you can skip the belt sander and go straight to liberal application of thermite.