HOWLERMONKEY: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

HOWLERMONKEY

(TS//SI//REL) HOWLERMONKEY is a custom Short to Medium range implant RF Transceiver. It is used in conjunction with a digital core to provide a complete implant.

(TS//SI//REL) HOWLERMONKEY is a COTS-based transceiver designed to be compatible with CONJECTURE/SPECULATION networks and STRIKEZONE devices running a HOWLERMONKEY personality. PCB layouts are tailored to individual implant space requirements and can vary greatly in form factor.

Status: Available—Delivery 3 months

Unit Cost: 40 units: $750/ each, 25 units: $1,000/ each

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 30, 2014 at 8:38 PM

18 Comments

Comments

reroll January 30, 2014 8:50 PM

I hope someone is compiling all of these revelations into a free Ebook.

What’s next, 1/2 of all tiny insects are really gov spy bots?

34kfj3kfjf3kjh January 30, 2014 9:08 PM

I know I’ll be blasted for this: but isn’t this just a digital carrier RF transceiver? At most it has a good filter bus and power management. The firewalk version is the most refined mesh, but I’ve seen better.

The manufacturing tech here isn’t advanced by any means. It looks like they contract cheap from the public sector. No custom silicon or casings.

Clive Robinson January 31, 2014 1:09 AM

@ 34kfj3kfjf3kjh,

    I know I’ll be blasted for this: but isn’t this just a digital carrier RF transceiver?

Based on what little information is on the page I would say that’s a fairly reasonable first impression.

Although the pictures are quite grainy the circuit appears to be made of the same components on each board and at a guess I’d say there’s a single chip microcontroller and an RF RX/TX chip on there as well as a voltage regulator.

One of the photos –YELLOWPIN top right– appears to have a printed circuit loop around its periphery of a total length of around 110mm. Now this might just be an artifact of the layout or it might be a loop antenna. There’s no easy way to tell, and as it does not appear on the other photos it would tend to suggest artifact not antenna, but… it has a separate product name which could be because it is different to the others with the difference being it has the antenna on board. So flip a coin and make your choice 🙂

Now this is where I take a real leap in the dark and say this is more likely to be a CLI system for CC than a bulk data ex/infiltrator. And that the RF power is going to be down in the milliwatt or less range as there is no apparent “heatsinking”, thus the working range unit to unit being in the low tens of meters.

Andrew January 31, 2014 10:32 AM

Not a specific comment on this revelation, but…

I want to know who has the job of naming these programs? HowlerMonkey?

Clive Robinson January 31, 2014 12:07 PM

@ Andrew,

    I want to know who has the job of naming these programs?

Find the person with a warped sense of humour…

Many of the intel types have a self-belief of mental superiority that’s strong enough to trip over (and they do), and can result in a puerile humour that they believe only they have the intellect to understand. I came across this with the UK’s DWS several decades ago and I suspect these people or their ilk are still calling the shots…

Thus I suspect a look up of words in a thesaurus or by running through automated translation systems through three or four languages will reveal some kind of insult or put down.

However there was before everything became Ultra PC in the US a “techie” expression used by hardware engineers to describe the latest bit of kit being speedy as “It moves like a r4p3d ape” (why it came about I have no idea nor do I wish to). Apes and monkeys are both primates and “screaming” is sometimes used as a description of speed as in “It went screaming past” etc, an alternative word for screaming is howling…

No doubt other lateral thought will provide other connections.

kingsnake January 31, 2014 12:24 PM

The NSA has been flinging poo at the Constitution, so at least the name of this exploit is appropriate …

Skeptical January 31, 2014 1:51 PM

If they continue to allow their tools such colorful names, one almost suspects that the 2014 TAO Catalog will have BRUCESCHNEIER listed as an exploit.

(TS//SI//REL) BRUCESCHNEIER is a custom nano implant that can function as both software and hardware over a wide array of systems. It operates in conjunction with PGP and a COTS-based system.

(TS//SI//ORCON//NOFORN) Status: In development. Presently self-initiating implant encrypts target system, emits memorable password to the target system user via system speakers, scolds target system user for thinking the target system to be secure, and then uploads itself to the Woods Hole Oceanographic Institute site where it conducts security tests on servers containing squid studies. NSA suspects implant is prank by US Navy. TAO exploring possibility of replacing all USN on-ship entertainment content with an audible version of Knuth’s TACP, using the voice of Arnold Schwarzenegger. —message ends

65535 January 31, 2014 8:23 PM

@ Clive R

“Although the pictures are quite grainy the circuit appears to be made of the same components on each board and at a guess I’d say there’s a single chip microcontroller and an RF RX/TX chip on there as well as a voltage regulator…

“…YELLOWPIN top right– appears to have a printed circuit loop around its periphery of a total length of around 110mm. Now this might just be an artifact of the layout or it might be a loop antenna…

“Now this is where I… say this is more likely to be a CLI system for CC than a bulk data ex/infiltrator. And that the RF power is going to be down in the milliwatt or less range as there is no apparent “heatsinking”, thus the working range unit to unit being in the low tens of meters.”

Yes, that looks like a good estimate. Now, I just googled around for power consumption and I found RX and TX mode on an Intel PRO Wireless (WPC2011EU) used, “561 mW RX typical, 990 mW TX typical…”

[Power consumption of WLAN network elements, page 8]

http://www.tkn.tu-berlin.de/fileadmin/fg112/Papers/TR-WLAN-Power.pdf

That would be enough for a fairly close AP to link the implant board to the outside world.

The only problem I see is the metal case. I assume the implant intends to TX out of the cooling slots and fan holes in the case. That could be chancy.

On the whole, the implant looks unpleasantly effective given the time constraints of a server facility Admin and his ability to keep all servers running (let alone finding the implant). It’s a real threat to data confidentiality.

Iain Moffat February 1, 2014 3:42 AM

@Clive, 65535

The top left photo also has two similar length thick tracks (albeit much shorter than YELLOWPIN) so possibly it is made for a range of frequencies. Higher frequency/shorter wavelength would certainly have the best chance of escaping from a metal server case.

Wifi devices may not be the best choice if all that is intended is CLI access or exfiltration of small files – people like Texas Instruments make low power transmitters for remote control (think wireless car keys) and instrumentation applications e.g. http://www.ti.com/product/cc1101 – these require between 50 and 80mW (22mA at 3.6V on transmit) which is an order of magnitude less power than the Wifi chip. Data rates up to 600Kbits/s and a RF power of 10mW are supported. If the intent is simply to jump firewalls within a compromised environment that might well be enough.

Hope this helps

Iain
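The range and antenna estimates traded in the comments above (milliwatt transmit power, a 110 mm loop, sub-GHz versus 2.4 GHz) can be put on a common footing with a free-space link budget. This is an added example for readers, not code from the post or from any commenter; the -100 dBm receiver sensitivity and the 30 dB enclosure-plus-fading allowance are assumed figures, and the 10 mW transmit power is the CC1101 number quoted in the thread.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def mw_to_dbm(power_mw: float) -> float:
    """Convert a transmit power in milliwatts to dBm (10 mW -> 10 dBm)."""
    return 10.0 * math.log10(power_mw)


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss in dB between isotropic antennas (Friis)."""
    return (20.0 * math.log10(distance_m) + 20.0 * math.log10(freq_hz)
            + 20.0 * math.log10(4.0 * math.pi / C))


def max_range_m(tx_dbm: float, rx_sens_dbm: float, freq_hz: float,
                margin_db: float = 0.0) -> float:
    """Largest free-space distance at which the received signal still
    clears the receiver sensitivity by margin_db (enclosure loss, fading)."""
    budget_db = tx_dbm - rx_sens_dbm - margin_db
    return 10.0 ** ((budget_db - 20.0 * math.log10(freq_hz)
                     - 20.0 * math.log10(4.0 * math.pi / C)) / 20.0)


def full_wave_loop_freq_hz(circumference_m: float) -> float:
    """Frequency at which a loop of this circumference is one wavelength."""
    return C / circumference_m


def compare_radios() -> dict:
    # Constructed scenario: the 10 mW transmitter quoted in the thread,
    # an assumed -100 dBm receiver, and an assumed 30 dB allowance for
    # a metal server case plus fading. None of these are measured values.
    tx_dbm = mw_to_dbm(10.0)
    return {
        "range_915mhz_m": max_range_m(tx_dbm, -100.0, 915e6, margin_db=30.0),
        "range_2400mhz_m": max_range_m(tx_dbm, -100.0, 2.4e9, margin_db=30.0),
        "loop_110mm_ghz": full_wave_loop_freq_hz(0.110) / 1e9,
    }


if __name__ == "__main__":
    for name, value in compare_radios().items():
        print(f"{name}: {value:.2f}")
```

The free-space figures only show how far a given power budget reaches in open air; they say nothing about how well each frequency leaks out of case slots, which is the separate point raised above.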

Mike Amling February 1, 2014 7:33 AM

@Bruce: “Tranceiver” should be spelled as it is in the linked graphic, “Transceiver”.
