Using documents leaked by Edward Snowden, hackers have built bugs that can be attached to computers to steal information in a host of intrusive ways

RADIO hackers have reverse-engineered some of the wireless spying gadgets used by the US National Security Agency. Using documents leaked by Edward Snowden, researchers have built simple but effective tools that can be attached to parts of a computer to gather private information in a host of intrusive ways.

The NSA’s Advanced Network Technology catalogue was part of the avalanche of classified documents leaked by Snowden, a former agency contractor. The catalogue lists and pictures devices that agents can use to spy on a target’s computer or phone. The technologies include fake base stations for hijacking and monitoring cellphone calls and radio-equipped USB sticks that transmit a computer’s contents.

But the catalogue also lists a number of mysterious computer-implantable devices called “retro reflectors” that boast a number of different surreptitious skills, including listening in on ambient sounds and harvesting keystrokes and on-screen images.


Because no one outside the NSA and its partners knows how retro reflectors operate, security engineers cannot defend against their use. Now a group of security researchers led by Michael Ossmann of Great Scott Gadgets in Evergreen, Colorado, have not only figured out how these devices work, but also recreated them.

Ossmann specialises in software-defined radio (SDR), an emerging field in which wireless devices are created in software rather than constructed from traditional hardware such as modulators and oscillators. Instead of such circuits, an SDR uses digital-signal-processing chips to allow a programmer to define the wave shape of a radio signal, the frequency it uses and the power level. It operates much like a computer’s sound card, but instead of making sounds or processing incoming audio, it makes and receives radio signals. And a single SDR can be changed to any band instantly, including AM, FM, GSM and Bluetooth.

“SDR lets you engineer a radio system of any type you like really quickly so you can research wireless security in any radio format,” says Ossmann.

An SDR Ossmann designed and built, called HackRF, was a key part of his work in reconstructing the NSA’s retro-reflector systems. Such systems come in two parts – a plantable “reflector” bug and a remote SDR-based receiver.

One reflector, which the NSA called Ragemaster, can be fixed to a computer’s monitor cable to pick up on-screen images. Another, Surlyspawn, sits on the keyboard cable and harvests keystrokes. After a lot of trial and error, Ossmann found these bugs can be remarkably simple devices – little more than a tiny transistor and a 2-centimetre-long wire acting as an antenna.

Getting the information from the bugs is where SDRs come in. Ossmann found that using the radio to emit a high-power radar signal causes a reflector to wirelessly transmit the data from keystrokes, say, to an attacker. The set-up is akin to a large-scale RFID-chip system. Since the signals returned from the reflectors are noisy and often scattered across different bands, SDR’s versatility is handy, says Robin Heydon at Cambridge Silicon Radio in the UK. “Software-defined radio is flexibly programmable and can tune in to anything,” he says.

Ossmann will present his work in August at the Defcon hacking conference in Las Vegas. Other teams will be there as well, unveiling ways to usurp NSA spy technology. Joshua Datko of Cryptotronix in Fort Collins, Colorado, will reveal a version of an NSA device he has developed that allows malware to be reinstalled even after being dealt with by antivirus software. It works by attaching its bug to an exposed portion of a computer’s wiring system – called the I2C bus – on the back of the machine. “This means you can attack somebody’s PC without even opening it up,” says Ossmann.

Having figured out how the NSA bugs work, Ossmann says the hackers can now turn their attention to defending against them – and they have launched a website to collate such knowledge, called NSAPlayset.org. “Showing how these devices exploit weaknesses in our systems means we can make them more secure in the future,” he says.

This article appeared in print under the headline “Opening a can of bugs”