A group of security researchers, hardware hackers, hardware developers and hobbyists have set out to demonstrate that tools similar to many of those used by the United States National Security Agency (NSA) for surveillance operations can be reproduced on a low budget with open source software and hardware components.
The project, called the “NSA Playset,” came out of a collaboration between security researcher Dean Pierce and Michael Ossmann, founder of Great Scott Gadgets. Shortly after the NSA’s ANT catalog was leaked online, they recruited several others who had already implemented or were working on implementing capabilities that were similar to the ANT tools.
The ANT catalog is a 48-page classified document containing information on the technologies used by the NSA’s Tailored Access Operations (TAO) unit for cyber surveillance. The document is one of the many files obtained by the former NSA contractor Edward Snowden.
The technologies referenced in the ANT catalog have names such as BULLDOZER, CANDYGRAM, COTTONMOUTH, CROSSBEAM, and DROPOUTJEEP. Because of this, the individuals behind the NSA Playset have decided to give their projects silly names like BROKENGLASS, CHUCKWAGON, CONGAFLOCK, and TWILIGHTVEGETABLE.
The project was introduced at the Hack In The Box (HITB) security conference in Amsterdam earlier this year by Ossmann. After HITB, members of the group showcased the devices they built at various events.
[Image: The CHUCKWAGON Open Source Hardware Device]
One of the ANT tools replicated by researchers is GENESIS, a modified GSM handset that’s designed to sniff and monitor traffic. In the catalog, the device is listed with a unit cost of $15,000. However, researchers have managed to develop a similar tool, which they’ve dubbed TWILIGHTVEGETABLE, with a budget of only $50 by using an Extreme USB flash drive from SanDisk, a NooElec RTL-SDR dongle, and an antenna.
SLOTSCREAMER is a PCIe attack platform that can be used to read memory, bypass software and hardware security measures, and directly attack other hardware devices in the system. While this might appear to be a sophisticated tool, it’s actually just a $100 USB3380-AB evaluation board with custom firmware.
“Most of the tools build on top of existing open source software and hardware, so they were implemented with a few days to a few months of part-time work. None of the projects have material costs for development that exceed a few hundred dollars, and most of them can be reproduced in a couple hours with under a hundred dollars,” Joe FitzPatrick, a researcher at SecuringHardware.com and one of the main contributors to the NSA Playset project, told SecurityWeek. FitzPatrick presented on some of his projects at the recent Suits and Spooks Conference in London.
The gadgets built by the NSA Playset group are for different types of attacks, including passive radio interception, active radio injection, network reconnaissance, physical “domination,” and hardware/software implants.
“One goal is for all of the devices to be open source software and hardware, so full technical details will be published, available, and reproducible,” FitzPatrick said.
Currently, there are 10-20 people who are actively contributing to the project, eight of whom presented various NSA Playset tools at the latest DEF CON conference. There appears to be a lot of interest in the project, since the online discussion group on the NSA Playset website has over 150 members. And while there aren’t any organizations that officially support the initiative, the EFF auctioned a complete NSA Playset toolkit at DEF CON for a record $2,250.
FitzPatrick says he hasn’t received any significant or direct criticism from the security community regarding the NSA Playset. However, the researcher has pointed out that the community is always debating the relative benefits of responsible disclosure vs. full disclosure. In this case, some might argue that it’s irresponsible to build easy-to-use tools with otherwise advanced capabilities.
“The ultimate goal is to dispel the magic about the NSA’s capabilities. By showing that ‘state-actor capabilities’ are actually accessible cheaply and easily, we may also motivate vendors to fix some of the issues,” FitzPatrick said.
Another goal of the project, according to Pierce, is to lower the bar of entry for newer, younger researchers.
While the NSA hasn’t contacted any of the members of the group in an official capacity, FitzPatrick says they all assume that the intelligence agency has attended their presentations, visited their website, and listened in on their online discussions.
*Updated to clarify that the NSA Playset came out of a collaboration between Dean Pierce and Michael Ossmann.