The National Security Agency’s Office of Target Pursuit (OTP) maintains a team of engineers dedicated to cracking the encrypted traffic of virtual private networks (VPNs) and has developed tools that could potentially uncloak the traffic in the majority of VPNs used to secure traffic passing over the Internet today, according to documents published this week by the German news magazine Der Speigel. A slide deck from a presentation by a member of OTP’s VPN Exploitation Team, dated September 13, 2010, details the process the NSA used at that time to attack VPNs—including tools with names drawn from Star Trek and other bits of popular culture.

OTP’s VPN exploit team had members assigned to branches focused on specific regional teams, as well as a “Cross-Target Support Branch” and a custom development team for building specialized VPN exploits. At the regional level, the VPN team representatives acted as liaisons to analysts, providing information on new VPN attacks and gathering requirements for specific targets to be used in developing new ones.

While some VPN technologies—specifically, those based on the Point-to-Point Protocol (PPTP)—have previously been identified as being vulnerable because of the way they exchange keys at the beginning of a VPN session, others have generally been assumed to be safer from scrutiny. But in 2010, the NSA had already developed tools to attack the most commonly used VPN encryption schemes: Secure Shell (SSH), Internet Protocol Security (IPSec), and Secure Socket Layer (SSL) encryption.

The NSA has a specific repository for capturing VPN metadata called TOYGRIPPE. The repository stores information on VPN sessions between systems of interest, including their “fingerprints” for specific machines and which VPN services they’ve connected to, their key exchanges, and other connection data. VPN “fingerprints” can also be extracted from XKEYSCORE, the NSA’s distributed “big data” store of all recently captured Internet traffic, to be used in identifying targets and developing an attack. Because XKEYSCORE includes data from “untasked” sources—people and systems not designated as under surveillance—the OTP VPN Exploitation Team’s presentation requested, “Try to avoid relying on (XKEYSCORE) workflows due to legal and logistical issues.” But XKEYSCORE, it was noted, is best for attacks on SSH traffic.

Analysis of TOYGRIPPE and XKEYSCORE data, as well as from “daily VPN exploits,” is fed into BLEAKINQUIRY—a metadata database of “potentially exploitable” VPNs. This database can be searched by NSA analysts for addresses matching targeted individuals or systems and to generate requests for the VPN Exploit crew to convert the "potentially" into an actuality.

When an IPSec VPN is identified and “tasked” by NSA analysts, according to the presentation, a “full take” of its traffic is stored in VULCANDEATHGRIP, a VPN data repository. There are similar, separate repositories for PPTP and SSL VPN traffic dubbed FOURSCORE and VULCANMINDMELD, respectively.

The data is then replayed from the repositories through a set of attack scripts, which use sets of preshared keys (PSKs) harvested from sources such as exploited routers and stored in a key database called CORALREEF. Other attack methods are used to attempt to recover the PSK for each VPN session. If the traffic is of interest, successfully cracked VPNs are then processed by a system called TURTLEPOWER and sorted into the NSA’s XKEYSCORE full-traffic database, and extracted content is pushed to the PINWALE “digital network intelligence” content database.

But for those that aren’t successfully cracked, the VPN Exploit Team’s presentation noted, the team works to “turn that frown upside down” by doing more data collection—trying to capture IPSec Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic during VPN handshakes to help build better attacks. In cases where the keys just can’t be recovered, the VPN Exploit Team will “contact our friends for help”— gathering more information on the systems of interest from other data collection sites or doing an end-run by calling on Tailored Access Operations to “create access points” through exploits of one of the endpoints of the VPN connection.