Cryptographer, developer and activist Jacob Appelbaum took to the pages of Germany’s Der Spiegel and the keynote dais of the 30th Chaos Communication Congress this weekend to deliver a damning exposé of the catalog of backdoors, monitoring programs and products that the National Security Agency has compromised or could compromise.
Appelbaum’s hour-long keynote, culled from top-secret agency documents provided by Edward Snowden and written about in the German publication, described the scale of surveillance the NSA has achieved and hopes to achieve worldwide.
“Their goal is to have total surveillance of everything they’re interested in. There really is no boundary to what they want to do,” Appelbaum said. “There is only sometimes a boundary of what they are funded to do and the amount of things they are able to do at scale. They seem to do [those things] without thinking too much about it. And there are specific tactical things where they have to target a group or individual, and those things seem limited either by budgets or simply by their time.”
Appelbaum described the intricacies of the agency’s dragnet surveillance system, carried out by an elite team of hackers known as Tailored Access Operations, or TAO, whose job is to break down or scale the digital hurdles standing between the agency and the data it wishes to collect, store and analyze. The system is threefold, starting with a passive deep-packet inspection system known as TURMOIL, which inspects traffic and feeds what it finds to another system called TURBINE, which turns loose any number of off-the-shelf or zero-day exploits, injected into the data stream, to compromise a vulnerable machine.
At the hub is a third component known as QFIRE, which Appelbaum said uses nodes known as diodes, placed regionally on compromised home routers and other available equipment, to inject attack packets that reach the target before the legitimate response does. The attack is a race: the forged reply only works if it arrives first, which is why the injection points have to sit close to the victim.
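To make the race concrete, here is an added example (not code from the talk, from the documents it describes, or from any NSA or Der Spiegel source): a toy model of a man-on-the-side injection against a single TCP flow, with a passive check a defender can run against it. The receiver model (first segment to fill a gap wins, later ones are treated as retransmissions), the round-trip times, the sequence number and the payloads are all constructed, and "exploit.invalid" is a placeholder host. The detection heuristic, two segments with the same sequence number but different payloads, is a general one for this class of attack and is not something the article attributes to the talk.

```python
# Added example (not from the talk or the documents it describes): a toy model
# of the man-on-the-side race described above, plus the passive check a
# defender can run against it. Sequence numbers, RTTs and payloads are
# constructed; "exploit.invalid" is a placeholder host, not a real address.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    src: str            # label for the simulation only; the client cannot see it
    seq: int            # TCP sequence number of the first payload byte
    payload: bytes
    arrival_ms: float   # when the segment reaches the client


def legit_response(seq: int, rtt_ms: float) -> Segment:
    """The origin server's genuine reply to the client's request."""
    return Segment("origin-server", seq,
                   b"HTTP/1.1 200 OK\r\n\r\n<html>real page</html>", rtt_ms)


def injected_response(seq: int, rtt_ms: float) -> Segment:
    """A man-on-the-side forgery: the attacker saw the request (and therefore
    the sequence number to use) but cannot stop the real reply, so it races it.
    The redirect target is a constructed placeholder."""
    return Segment("injector", seq,
                   b"HTTP/1.1 302 Found\r\nLocation: http://exploit.invalid/\r\n\r\n",
                   rtt_ms)


def first_segment_wins(segments: List[Segment]) -> Dict[int, Segment]:
    """Model of the receiver: the first segment to fill a gap at a given
    sequence number is consumed; anything later for the same range looks
    like a retransmission and is dropped. A single flow is assumed."""
    winners: Dict[int, Segment] = {}
    for s in sorted(segments, key=lambda seg: seg.arrival_ms):
        winners.setdefault(s.seq, s)
    return winners


def race(legit_rtt_ms: float, injector_rtt_ms: float, seq: int = 1000) -> str:
    """Who the client ends up talking to for one request."""
    segs = [legit_response(seq, legit_rtt_ms), injected_response(seq, injector_rtt_ms)]
    return first_segment_wins(segs)[seq].src


def detect_injection(segments: List[Segment]) -> List[Tuple[int, bytes, bytes]]:
    """Passive detector for this attack: two segments in one flow carry the
    same sequence number but different payloads. A genuine retransmission
    repeats the same bytes, so differing bytes at the same seq mean that two
    parties answered the same request. Returns (seq, first, second)."""
    seen: Dict[int, Segment] = {}
    findings: List[Tuple[int, bytes, bytes]] = []
    for s in sorted(segments, key=lambda seg: seg.arrival_ms):
        prev = seen.get(s.seq)
        if prev is None:
            seen[s.seq] = s
        elif prev.payload != s.payload:
            findings.append((s.seq, prev.payload, s.payload))
    return findings


if __name__ == "__main__":
    # A node sitting near the victim (25 ms) beats a 40 ms origin server...
    print(race(40.0, 25.0))   # injector
    # ...but the same shot from far away (55 ms) loses and the client is fine.
    print(race(40.0, 55.0))   # origin-server
    # Whoever won, the loser's segment still arrives and gives the game away.
    flow = [legit_response(1000, 40.0), injected_response(1000, 25.0)]
    for seq, first, second in detect_injection(flow):
        print(f"seq {seq}: {first[:20]!r} vs {second[:20]!r}")
```

The two `race` calls show why the injection points have to be regional: the same forged segment wins or loses purely on latency. The detector works because the attacker cannot suppress the genuine reply, so the losing segment still shows up on the wire; in a real deployment the lookup would be keyed per flow (addresses and ports) rather than by sequence number alone.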
“For these systems to exist, we have been kept vulnerable,” Appelbaum said, referring to the government’s practice of buying vulnerabilities and exploits from brokers under non-disclosure agreements that keep the flaws from the affected vendor and, as a result, unpatched. “The NSA has retarded the process by which we secure the Internet because it has established a hegemony of power in secret to do these things.”
Appelbaum also showed top-secret slides and provided information from documents taken by Snowden while working as an NSA contractor that describe a number of surveillance tools used not only to exploit endpoints and networks, but to link contacts between targets, maintain persistence and monitor communication such as phone calls, email, Web browsing and searches.
Appelbaum also went into more detail about the FoxAcid program, which was first described in October by Bruce Schneier in the pages of the Guardian. FoxAcid matches vulnerabilities found on a targeted system with any number of attacks at the NSA’s disposal. Appelbaum exposed a number of QUANTUM tools that include everything from the NSA’s stockpile of zero days, to tools that tamper with security measures such as host-based intrusion detection, to man-on-the-side attacks that exploit the lack of encryption on certain Internet services. He also brought up a program called QUANTUMCOPPER, which he equated to the NSA’s version of the Great Firewall of China, except that it could interfere with TCP/IP connections, file uploads and more for the entire planet.
Appelbaum also showed slides describing BIOS-level compromises of server hardware from a number of vendors, including Dell and Sun. He explained that because the implants sit beneath the operating system, they work across a number of platforms, including Windows, Linux, FreeBSD and Sun’s Solaris. By name, he said Dell PowerEdge commodity servers (1850, 1950, 2850 and 2950) are vulnerable to BIOS-level attacks, and HP ProLiant servers are vulnerable to another implant that enables the agency to siphon data. All of these attacks are possible, he said, because the NSA tampers with the hardware either by intercepting it in shipping or through physical access.
The documents also described mobile exploits, specifically against Apple iOS and Windows CE devices, that allowed for complete compromise of the phones in question.
Appelbaum said TAO staff are younger than the NSA average and that the agency has tapped into the geek generation, actively recruiting at hacker conferences such as DefCon, where Director Keith Alexander spoke two summers ago. Appelbaum wrote that TAO has units in five states nationwide.
Their activities, meanwhile, have transformed the agency into the most powerful such organization in the world, Appelbaum said, adding that the majority of U.S. legislators are not technically skilled enough to adequately discuss these programs and propose solutions.
“Encrypting the Internet ends it all in a sense, but it will come back in another sense,” he said. “We need a marriage of a technical and political solution. We don’t have those two things yet so we’re stuck here. At the moment, I feel the NSA has more power than any one person or agency in the world.”