by aaronem 4551 days ago
Seriously! [1]

> The Black Chamber’s sophisticated hacking operations go way beyond using software vulnerabilities to gain access to targeted systems. The Chamber has a catalog of tools available that would make James Bond’s Q jealous, providing Chamber analysts access to just about every potential source of data about a target.

> In some cases, the Black Chamber has modified the firmware of computers and network hardware—including systems shipped by Cisco, Dell, Hewlett-Packard, Huawei, and Juniper Networks—to give its operators both eyes and ears inside the offices the Chamber has targeted. In others, the Black Chamber has crafted custom BIOS exploits that can survive even the reinstallation of operating systems. And in still others, the Black Chamber has built and deployed its own USB cables at target locations—complete with spy hardware and radio transceiver packed inside.

> [...]

> Either way, the altering of systems’ firmware or hardware gives the Black Chamber the ability to install backdoors that can survive a total operating system wipe and re-installation. One BIOS attack, called SWAP, was developed by the Black Chamber to attack a number of types of computers and operating systems by loading surveillance and control software at boot-up. SWAP uses the Host Protected Area on a computer’s hard drive to store the payload and installs it before the operating system boots.

> [...]

> An implanted wireless device is the Black Chamber’s go-to approach for dealing with “air-gapped” networks—networks that don’t have an Internet connection for security reasons. There are a number of other implanted devices that the Black Chamber has in its TAO arsenal, including USB and Ethernet implants that can transmit short-range radio signals and more robust implanted hardware for longer-range transmissions. These radio links create a shadow Internet that allows the Black Chamber to move data out of an adversary’s network and into its TURMOIL and X-KEYSCORE collection system.

> [...]

> But why stop at network data? The Black Chamber also uses some fairly exotic tools to grab computer video, keyboard strokes, and even audio from inside more difficult-to-reach places by using passive electronic devices that are actually powered by radar. These devices, charged by a specially tuned continuous wave radio signal sent from a portable radar unit (operating at as little as 2W up to as much as 1kW of power in the 1-2GHz range), send back a data stream as a reflected signal, allowing the Black Chamber’s operators to tune in and view what’s happening on a computer screen or even listen to what’s being said in the room as they paint the target with radio frequency energy—as well as giving a relative rough location of devices within a building for the purposes of tracking or targeting.

> Hacking smartphones

> The 2007 Black Chamber wish book for analysts also includes a number of software tools that allow data to be stolen from a variety of smartphones and dumb cell phones. One software hack, called DROPOUTJEEP, is a software implant for Apple iOS devices that allows the Black Chamber to remotely control and monitor nearly all the features of an iPhone, including geolocation, text messages, and the microphone and camera. (Researcher and developer Jake Appelbaum, who helped write the Spiegel article revealing the documents, said separately this week that the Black Chamber claims DROPOUTJEEP installations are always successful.) Another package, called TOTEGHOSTLY, does the same for phones based on the Windows Mobile embedded operating system.

> [...]

> But these aren't the only ways the Black Chamber can get to cell phone data. Also in the bag of tricks are a number of wireless monitoring devices, as well as “networks in a box” and other gear that can pose as cell towers and networks—intercepting devices as they enter an area and grabbing up their voice, data, and SMS traffic. A "tripwire" program called CANDYGRAM can send out alerts whenever a cell phone hits a specified cell tower.

> Old tricks, new tricks

> It’s important to note that the exploits in the documents are largely over five years old, so they don’t necessarily give a complete picture of what the Black Chamber is capable of today. That doesn’t mean that these techniques are no longer in circulation—given the stubbornness of Windows XP, many of the exploits developed for older Windows platforms may have years left in them, and some of the adversaries the Black Chamber is trying to monitor don’t have Fortune 500 hardware refresh rates.

It's long past time.

[1] https://news.ycombinator.com/item?id=6991227