A few months back, Der Spiegel published a carefully selected cache of documents about the NSA Exploit Kits used to compromise a wide range of commercial network and security hardware and software. I haven’t seen anyone discussing the implications for commercial espionage.
NSA Exploit Catalog
Der Spiegel's selection of documents covers the NSA exploit kits used to compromise a wide range of commercial network hardware and software. Well-known and widely used firewall products from top-name vendors such as Cisco, Juniper and Huawei can be readily compromised and held for a sustained period. The details vary according to the specific firewall, but:
- most of the exploits are persistent across software updates, configuration changes and a complete reformat of flash
- most of the exploits include modes for data exfiltration over the Internet
- most of the exploits include control and configuration management from a central location
- additional tools provide control and exfiltration over radio rather than the Internet or WAN.
I don’t feel qualified enough to discuss the details, but you should get the idea that most commercial network devices and routers are vulnerable to a suitably motivated attacker. For the politically minded, this included products from China, America, Israel and elsewhere. It was very democratic.
Other ANT programs target Internet routers meant for professional use or hardware firewalls intended to protect company networks from online attacks. Many digital attack weapons are “remotely installable” — in other words, over the Internet. Others require a direct attack on an end-user device — an “interdiction,” as it is known in NSA jargon — in order to install malware or bugging equipment.
You can find a full cache of documents that overview the exploits at NSA’s ANT Division Catalog of Exploits for Nearly Every Major Software/Hardware/Firmware | LeakSource
If you review the documents, you will find the exploits are wide-ranging.
- Dell & HP server management modules
- Juniper, Cisco, Huawei firewalls
- Huawei, Cisco, Juniper router operating systems
- USB hardware implants (COTTONMOUTH)
- GSM exploits on phones and base station hijacks.
Recently, Bruce Schneier had to point out the obvious about the Snowden documents released by Der Spiegel a few months ago:
Finally — I think this is obvious, but many people are confused — I am not the one releasing these documents. Der Spiegel released these documents in December. Every national intelligence service, Internet organized crime syndicate, and clued terrorist organization has already pored over these pages. It’s us who haven’t really looked at, or talked about, these pages. That’s the point of these daily posts. – Schneier on Security: MAESTRO-II: NSA Exploit of the Day.
Most of the NSA exploit kits are around five years old. On consideration, I judge it likely that the reviewers chose older documents to minimise the threat to security organisations. It is a practical assumption that many of the exploits have been uncovered in that time and are well known to covert practitioners. A breach tool doesn’t stay secret for very long. And most of the products are becoming obsolete.
Let’s consider a few of the published documents. HOWLERMONKEY is a short-to-medium-range RF transceiver for implants; aside from the packaging, it is similar to the PWNIE PLUG (Pwn Plug R2 – Penetration Testing Device – Pwnie Express), available for USD$1095 retail. IRATEMONK is a persistent vector for implanting programs onto laptops: MBR substitution is a relatively old technique, but installing the implant in the hard drive’s firmware is a newer idea, and it survives a sector-level reformat and operating system reinstall. And don’t forget phones: GOPHERSET implants software onto the SIM card to exfiltrate SMS data.
You get the idea. The risk now is industrial espionage. Now that the documents are public, other people can review them. Forget where they came from; the data shows that your current security infrastructure is vulnerable. There are actors who will plan to use these techniques to breach corporations. The methods are complex and require highly skilled individuals, but there are many of those already.
….So the Point Is
What are you doing about it ?
I believe that these breaches allow an NSA actor to access internal systems and extract data. If another actor develops the same tool chain, then your company may be vulnerable.
If your company relies on secrecy for commercial products, R&D or processes, then you are much more vulnerable than you were a few months ago. I hope you have done something about it already.
PS: Don’t Blame the Messenger
Many people want to blame Snowden “for causing the problem”. The point is that these vulnerabilities and product flaws existed anyway, and you must assume that someone would have exploited them eventually. I don’t particularly blame the vendors either; the documents describe older products, but they certainly could have done a better job of securing their “security” products.
Equally, I haven’t seen any announcement from the vendors showing that their current products are secure either. You should be demanding guarantees and researching how they verify their compliance.