Using convoluted language in explanations to law makers, the NSA has blurred the lines of legality, conducting mass surveillance and network intrusions with impunity. Now, a new report from Der Spiegel, citing leaked documents, examines how the NSA gets the job done.
On Sunday, Der Spiegel published a series of articles focused on TAO, the NSA's Tailored Access Operations unit. Formed in 1997, TAO has hacked 258 targets in nearly every country in the world by using software flaws, intercepted data transmissions, or hardware implants.
According to the documents, the NSA uses traditional intercept technologies, including base stations to capture mobile phone transmissions, or mobile Wi-Fi tools that enable injection attacks, in addition to passive data collected over the wire.
One such example of passive collection comes from error reports generated by Microsoft's Windows operating system. According to Der Spiegel, TAO collects the Windows error reports, which are largely transmitted in clear text, and uses the information in them to assess the vulnerability of a given target; including the presence of vulnerable third-party software.
From the article:
"The automated crash reports are a "neat way" to gain "passive access" to a machine, the presentation continues. Passive access means that, initially, only data the computer sends out into the Internet is captured and saved, but the computer itself is not yet manipulated. Still, even this passive access to error messages provides valuable insights into problems with a targeted person's computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim's computer."
Interestingly enough, the same day that the Der Spiegel report was published, security vendor Websense outlined a talk that is to be given at the RSA Conference in February, which focuses on this exact topic:
"One troubling thing we observed is Windows Error Reporting (a.k.a. Dr. Watson) predominantly sends out its crash logs in the clear. These error logs could ultimately allow eavesdroppers to map out vulnerable endpoints and gain a foothold within the network for more advanced penetration..."
Another revelation from the Der Spiegel article, in the sense that it exposed additional information to the public, is the fact that the NSA has persistent backdoors into several types of networking equipment, including gear sold by HP, Juniper, Dell, Cisco, and China's Huawei. If needed, the NSA will intercept hardware deliveries and make the required hardware or firmware modifications in order to obtain access.
While the documents reference products from six years ago, it's unlikely that newer hardware and firmware are out of reach for the TAO unit.
- HP ProLiant 380DL G5 servers (hardware implant)
- Dell PowerEdge 1850 / 2850 / 1950 / 2950 RAID servers with BIOS versions A02, A05, A06, 1.1.0, 1.2.0, or 1.3.7 (BIOS exploits)
- Dell PowerEdge 1950 / 2950 servers (hardware implant, JTAG interface)
- Huawei Eudemon 200, 500, and 100 series firewalls (installed as a boot ROM upgrade).
- Moreover, the document says that Huawei routers are targeted, as part of a joint operation between the NSA and the CIA to exploit Huawei equipment (project: TURBOPANDA).
- Juniper Netscreen ns5xt, ns25, ns50, ns200, ns500, and ISG 1000 firewalls
- Juniper SSG 500 and SSG 300 firewalls (320M, 350M, 520, 550, 520M, 550M).
- JUNOS (Juniper's customized version of FreeBSD) on all J-Series, M-Series, T-Series routers
- Cisco Pix and ASA (Adaptive Security Appliance) firewalls, 5505, 5510, 5540, 5550 (firmware implant)
Cisco, in a statement, said they are concerned about the claims made by the NSA in the published documents, and are reaching out to Der Spiegel in order to obtain more information.
John Stewart, Cisco's Chief Security Officer, blogged:
"We are deeply concerned with anything that may impact the integrity of our products or our customers’ networks and continue to seek additional information... At this time, we do not know of any new product vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues. If we learn of a security weakness in any of our products, we will immediately address it. As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products."
I've reached out to all of the named vendors in the hope they would offer their reaction and address the NSA's claims. However, due to the holidays, many of their press representatives were out of the office. So I'll update this post if there's any response.
In the meantime, if you're interested in learning more about the TAO unit, the Der Spiegel reports are worth reading.
Juniper has responded with the following:
Juniper Networks recently became aware of, and is currently investigating, alleged security compromises of technology products dated from 2008 and made by a number of companies, including Juniper.
We take allegations of this nature very seriously and are working actively to address any possible exploit paths. As a company that consistently operates with the highest of ethical standards, we are committed to maintaining the integrity and security of our products. We are also committed to the responsible disclosure of security vulnerabilities, and if necessary, will work closely with customers to implement any mitigation steps.
To further add, Juniper Networks is not aware of any so-called "BIOS implants" in our products and has not assisted any organization or individual in the creation of such implants. Juniper maintains a Secure Development Lifecycle, and it is against Juniper policy to intentionally include "backdoors" that would potentially compromise our products or put our customers at risk.
Huawei sent the following:
We have read the recent media reports and we have noted the references to Huawei and a number of our ICT peers. As we have said in the past, and as the media reports seem to validate, threats to network and data integrity can come from any and many sources. While the security assurance programs we have in place are designed to deter and detect such malicious activity, we will conduct appropriate audits to determine if any compromise has taken place and to implement and communicate any fixes as necessary.
HP responds with a statement:
HP was not aware of any of the information presented in the Der Spiegel article, and we have no reason to believe that the HP ProLiant G5 server mentioned was ever compromised as suggested in the article.
HP's privacy and security policies are quite clear; we do not knowingly develop products to include security vulnerabilities. We are also active in testing and updating our products regularly to eliminate threats and make our products more secure. HP takes the privacy and security of our customer information with great seriousness. We will continue to put in place measures to keep our customers' information confidential and secure.
Dell issued a statement on their blog:
"... Dell has a long-standing commitment to design, build and ship secure products and quickly address instances when issues are discovered. Our highest priority is the protection of customer data and information, which is reflected in our robust and comprehensive privacy and information security program and policies. We take very seriously any issues that may impact the integrity of our products or customer security and privacy. Should we become aware of a possible vulnerability in any of Dell’s products we will communicate with our customers in a transparent manner as we have done in the past.
"Dell does not work with any government – United States or otherwise – to compromise our products to make them potentially vulnerable for exploit. This includes ‘software implants’ or so-called ‘backdoors’ for any purpose whatsoever."