IP Over Avian Carriers, NSA Edition

If the NSA has been hacking everything, how has nobody seen them coming?

As the Snowden leaks continue to dribble out, it has become increasingly obvious that most nations planning for "cyber-war" have been merely sharpening knives for what looks like an almighty gunfight. We have to ask ourselves a few tough questions, the biggest of which just might be:

"If the NSA was owning everything in sight (and by all accounts they have) then how is it that nobody ever spotted them?" [...]

We think that the following reasons help to explain how this mass exploitation remained under the radar for so long:

  1. Amazing adherence to classification/secrecy oaths;
  2. You thought they were someone else;
  3. You were looking at the wrong level;
  4. Some beautiful misdirection;
  5. They were playing chess & you were playing checkers;
  6. Your "experts" failed you miserably.

This part is kind of amazing:

We see the use of an entire new protocol, called FASHIONCLEFT to effectively copy traffic off a network, attach metadata to it, then hide the packet within another packet allowed to exfil the targeted network.

Tunnelling one type of traffic over another is not novel (although a 27 page interface control document for the protocol is cool) but this still leaves open the possibility that you would see victim_machine talking to HOST_X in Europe. This is where passive collection comes in..

This is beautiful! So the data is munged into any packet that is likely to make it out of the network, and is then directed past a passive collector. This means that we cant rely on the host the data was sent to for attribution, and even if we did completely own the last hop, to see who shows up to grab the data, we would be watching in vain, because the deed was done when the packets traversed a network 3 hops ago.

This really is an elegant solution and a beautiful sleight of hand. With the NSA controlling tens of thousands of passive hosts scattered around the Internet, good luck ever finding that smoking gun!

So basically FASHIONCLEFT is IP Over Avian Carriers, NSA Edition.

It's a protocol for encapsulating hashed, possibly encrypted, packets from other protocols inside a completely different protocol: you allow outbound ssh (let's say) so it dumps your internal network traffic onto the end of legitimate ssh packets that were on their way out anyway! I'm not entirely clear on whether this encapsulation is happening at the transport layer (munging TCP packets) or the session layer (munging in protocol-specific ways, like MPEG frames or something).

Those packets can be going anywhere and NSA will still be able to see them all because they own the midpoint routers, passively inspecting packets during transit. They're using existing connections as dead-drops, but the payload is copied before it even makes it to the drop.

And it's probably your BIOS that's doing this. Good times.

Previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously.

Tags: , , , , ,

16 Responses:

  1. Jered says:

    Slide 2 says "Current: Implants on network infrastructure devices, not user endpoints", so this isn't your desktop BIOS, but is your Cisco router.

    Cisco routers seem to be the most popular from what's been revealed so far. If I were a non-US company, I would never buy any equipment from Cisco. I wonder if this has hurt sales, and if Cisco has a case against the US government. (Just kidding, it would be dismissed on grounds of national security.)

    • Barry Kelly says:

      We are also always open for ideas but our focus is on firmware, BIOS, BUS or driver level attacks.

      Check out IRATEMONK and WICKEDVICAR from http://www.spiegel.de/media/media-35661.pdf:

      Add support for the SSD to WICKEDVICAR. WICKEDVICAR is the remote tool used to perform remote survey and installation. This code is C++ and will involve interacting with the firmware implant from a Windows OS.

      Yes, it is your desktop BIOS, and your hard drive firmware, and your network card firmware, and anything else they can find that will survive and persist through upgrades. Focus on network infrastructure looks too narrow; they're probably everywhere important there already, using routers for passive dead drop.

      • Doctor Memory says:

        I never tire of reposting this one.

        ...and that was just a couple of extremely smart independent security researchers taking a casual stroll through some very well-documented aspects of the x86 architecture and building a proof of concept using nothing but existing open source tools. Now assume several hundred of the smartest people in the industry, an effectively unlimited budget, and the ability to compel compliance when dealing with major hardware vendors and interdict boat shipments from international suppliers.

  2. 95 says:

    maybe that 'tax free day' that happened years ago was a trade for this.

  3. John Adams says:

    Ironically, the only thing that would stop this is outbound deep packet inspection, which most companies do not even use (and NSA is doing everywhere!)

    Palo Alto Networks has a solution that does this, but it's one of the very few companies that can do this accurately (that is, deny an outbound protocol if the protocol doesn't match a known spec or has encapsulation on it.) Unfortunately, no one can afford them.

    I haven't seen any decent open source implementations of this level of network intelligence either. PF doesn't cut it for this sort of problem.

    • jwz says:

      It also wouldn't be too hard to craft packets that encapsulated hidden data while matching the spec, since just about all protocols have "extension records" of some kind. Who can tell whether an MPEG frame or an EXIF tag is valid?

      • John Adams says:

        You're certainly right about that. The only way to even begin mitigating this, is to stop all traffic.

        This is one of the reasons why nearly every data center I've built has had a default deny-all policy, outbound. The only way out of the network was via password protected egress HTTP proxies.

        No password, no outbound network for you. You have to compromise the host, figure out the outbound proxy scheme, log in, and then send data. Few companies do this either (and it's not a perfect solution.)

        • Chris Baxter says:

          Even that won't work, since they're not sending any packets - they're just attaching the data to packets that are already heading out of the network.
          The only real defence against this sort of thing would be to flood your local network with dummy packets that look like they're headed somewhere but actually just get dropped by the firewall.

  4. nooj says:

    bad news for LittleSnitch.

  5. nooj says:

    Information Technology Directorate to NSA Analysts: "Do the right thing, but you want everything, don't you?"

  6. James says:

    On the other hand, this kind of steganography is exactly what modern VPNs need to avoid fascist blocking.

  7. tobias says:

    what do you mean my outbound firewall doesn't detect this and/or tell me everything i need to know?

  8. jwz says:

    Last night at DNA, I was sitting at the bar explaining this to someone. A little while later, a woman came up to me and said, "I overheard your conversation earlier -- is there any way I can encrypt my files? On a Mac?" So I was about to start talking about FileVault, but instead I said, "Well, you can, but you can't protect yourself from NSA if they've taken an interest in you. They've got everything."

    She looked sad and said, "Ok, thank you."

    I said, "You shouldn't thank me! It's terrible news!"

    • hudson says:

      FileVault is also somewhat suspect even against non-NSA level adversaries, especially if they have physical access to your Mac or some of your accessories. Apple doesn't perform any checks on the bootrom, so if something like Thunderstrike modifies the EFI firmware, it is pretty much game over.

      • Owen W. says:

        I thought the general rule was that once an attacker has physical access it's game over anyway.

  • Previously