TURNIPSCHOOL – DIY NSA spying technology from the NSA Tao catalog

Pierluigi Paganini January 21, 2015

Researchers have presented the TURNIPSCHOOL project and other activities that replicate NSA surveillance implants with cheaper, off-the-shelf components.

In December 2013, the popular cyber security expert Jacob Appelbaum, with the support of Der Spiegel news agency, disclosed the NSA’s catalog of surveillance.

“Germany’s Der Spiegel has published another disturbing article on the NSA surveillance activities, the media agency has published an internal NSA catalog that offers spies backdoors into a wide range of equipment from major vendors. The catalog includes backdoors for hard drives from Western Digital, Seagate, Maxtor and Samsung, for Juniper Networks firewalls, networking appliances from Cisco and Huawei, and unspecified equipment from Dell. The backdoors appear to be the result of highly sophisticated hacking and cracking operations conducted by NSA, all the products offered are designed by the Advanced/Access Network Technology (ANT) division of the NSA’s Tailored Access Operations (TAO) elite hacker unit.” I wrote in an article that was published the day of the public disclosure.

The National Security Agency’s ANT catalog provides a detailed list of technologies that the agency’s agents could exploit to compromise any kind of electronic equipment and run cyberespionage operations. I personally examined the document related to Radar Wave Devices to compromise computers, taking a look at the Implants in the Arsenal of the NSA and at specific exploits used by the cyber spies, like RADON and DEWSWEEPER.

Sifting through the catalog, readers can find the description of a USB cable with embedded hardware called Cottonmouth-I. The device could be used by NSA agents to exploit USB connections for remote wiretapping or even to gain remote control over the target.

Cottonmouth-I is an implant as simple as it is powerful: it could allow attackers to wiretap communications with peripheral devices (e.g. keyboards, printers) and inject malicious code. The tool is considered very effective for attacks on air-gapped networks.

“One, called Cottonmouth I, looks like a normal USB plug but has a tiny transceiver buried in it. According to the catalog, it transmits information swept from the computer “through a covert channel” that allows “data infiltration and exfiltration.” Another variant of the technology involves tiny circuit boards that can be inserted in a laptop computer — either in the field or when they are shipped from manufacturers — so that the computer is broadcasting to the N.S.A. even while the computer’s user enjoys the false confidence that being walled off from the Internet constitutes real protection.” states Cryptome.org.

Basically, the NSA has fitted all the necessary technology into a USB plug to spy on victims. Unfortunately, the price indicated in the catalog is high due to the sophisticated hardware used: Cottonmouth-I was over $1 million per lot of 50 units ($20,000 per device).

Obviously, technology evolves and the cost of building devices such as the Cottonmouth-I declines rapidly, and this is what the wireless security researcher Michael Ossman recently demonstrated at the Shmoocon conference. Ossman, who is also the founder of Great Scott Gadgets, is one of the contributors to the NSA Playset program, an initiative that aims to duplicate in open source the technologies exposed in the NSA surveillance catalog. He presented his progress on the TURNIPSCHOOL project, a hardware man-in-the-middle USB cable that combines a USB hub-on-a-chip and a microprocessor with a built-in radio on a circuit board that fits into a molded USB plug.
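A defender's view of the hub-based design described above, as an added example that is not code from this article or from the NSA Playset project: a hub chip inside a cable adds a tier to the host's USB tree, so a topology snapshot can be compared with a known-good baseline. That such a cable enumerates as an ordinary hub is an assumption; the device IDs and both snapshots are constructed.

```python
# Device names follow the Linux sysfs convention (/sys/bus/usb/devices):
# "1-2" = bus 1, root port 2; "1-2.3" = port 3 of the hub plugged into 1-2.
# Root hubs ("usb1") and interface entries ("1-2:1.0") are assumed filtered out.
HUB_CLASS = "09"  # bDeviceClass value assigned to USB hubs

# Constructed snapshots: sysfs name -> (idVendor:idProduct, bDeviceClass)
BASELINE = {
    "1-1": ("aaaa:0001", "00"),    # keyboard directly on root port 1
    "1-2": ("aaaa:0002", "00"),    # flash drive on root port 2
}
OBSERVED = {
    "1-1": ("bbbb:0001", "09"),    # a hub now answers on root port 1
    "1-1.1": ("aaaa:0001", "00"),  # same keyboard, one tier deeper
    "1-1.2": ("cccc:0001", "ff"),  # unknown vendor-specific function
    "1-2": ("aaaa:0002", "00"),
}

def tier(name):
    """Number of hubs between the root port and this device."""
    return name.split("-", 1)[1].count(".")

def compare(baseline, observed):
    """Return (finding, sysfs name, vid:pid) for every deviation from baseline."""
    known = {}  # vid:pid -> shallowest tier at which it appears in the baseline
    for name, (ids, _cls) in baseline.items():
        known[ids] = min(tier(name), known.get(ids, tier(name)))
    findings = []
    for name, (ids, cls) in sorted(observed.items()):
        if baseline.get(name) == (ids, cls):
            continue  # unchanged device on an unchanged port
        if cls == HUB_CLASS:
            findings.append(("new-hub", name, ids))
        elif ids in known and tier(name) > known[ids]:
            findings.append(("moved-deeper", name, ids))
        elif ids not in known:
            findings.append(("new-device", name, ids))
    return findings

if __name__ == "__main__":
    for finding in compare(BASELINE, OBSERVED):
        print(*finding)
```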

[Image: Cottonmouth USB cable replicated by TURNIPSCHOOL]

Ossman presented the TURNIPSCHOOL project and two other projects with his colleagues, Dominic Spill and Jared Boone. Spill is the author of the USBProxy project, built on the BeagleBone Black development platform, which provides a way to monitor traffic passing over a USB 2.0 connection. The experts explained that hackers worldwide could build tools more sophisticated than the implants described in the NSA ANT catalog.

“The tools spooks use aren’t that big a deal,” said Ossman. “We can build them ourselves.” [tools developed by independent hackers] “are more sophisticated than stuff in the ANT catalog.”

The purpose of the NSA Playset is to design NSA-like spying devices with off-the-shelf components, for example with the BeagleBone Black platform.

I have found TURNIPSCHOOL simply amazing; it is based on the following components:

Ossman explained that solder and the plastic cover are not included, so he did that work himself.

“I soldered it myself,” Ossman said. “It’s totally accessible at a hobbyist level.”

The three researchers are also working on building custom printed circuit boards for hacking purposes. Daisho is another interesting project: a SuperSpeed USB 3.0 FPGA platform that uses general-purpose circuitry based on a field-programmable gate array (FPGA) and could allow monitoring of the USB 3.0 bus.

Daisho received funding support from the DARPA Cyber Fast Track program, a government program designed to fund multiple small cyber-related technology projects that offer high added value in shorter time frames and at limited cost, with results expected to be demonstrated in less than 12 months.

The technology will make espionage activities increasingly simple and low-cost.



Pierluigi Paganini

(Security Affairs – NSA surveillance catalog, TURNIPSCHOOL)
