Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Detecting A Surveillance State - Part 1 Hardware Implants

This is the first in a series of four blog posts that will cover defenses and detection methods for hardware some state-actor surveillance groups may have been using. I felt it would be a good mental exercise to examine the programs and devices which were allegedly being used or in development about five years ago. In this first post I will cover a little introduction and get in to the details about some hardware implants. In subsequent posts I will discuss leaks regarding: radio transceiver bugs, firmware injections and cellular network monitoring.

The source of my knowledge about these devices is restricted to the now public knowledge about them found on Wikipedia, and what was publically disclosed at 30c3.

In total, over 40 devices and programs used by state-actor spy agencies were released. I will cover some theoretical defenses and detection methods for a hand-selected group of these leaked surveillance programs and services in a short series of posts. Due to the age and limited scope of the leaked documents, the defenses covered in this series of posts should not be relied upon for protection and I make no guarantees to their accuracy. They are provided for entertainment purposes only, so if you find yourself on the bad side of any nation's spying agency, don't blame this blog post for any misinformation (also, you may want to take a moment to reflect upon your life choices.)

At the time of my writing this post, no one has come forward with physical evidence of these hardware bugs installed on a system. So, you may wish to read their descriptions with a bit of healthy skepticism and remember, this is just a thought experiment covering theoretical defenses against these attacks and not intended to spread fear, uncertainty or doubt about surveillance states.

In this first post I will cover three devices that are relatively similar: they each provide persistent access to a target system. They would also each be detected in similar ways because they are physical devices.

GODSURGE

This is a physical device plugged-in to the Joint Test Action Group or JTAG headers on a system's motherboard, specifically targeting a certain hardware vendor. If you know what JTAG does, there is nothing exemplary to this sort of attack, except that it is a persistent device. If you're interested in learning more about JTAG, read these other blog posts from the Spiderlabs Blog: Getting Terminal Access to a Cisco Linksys E-1000 and Oops, I pwned your router.

To detect if a system has a GODSURGE device attached to it you would want to look for the JTAG connecter on the motherboard. The location of the JTAG headers may differ, but they tend to be near the CPU and may have exposed pins (or not). See the Wikipedia page on JTAG for more information and to see what they look like.

For those interested, here is what a JTAG header without it's pins would look like:

10489_8c160886-caff-46be-aaa9-85e6ceb02d29

JTAG headers can be found on many systems and are notoriously common in embedded devices. These headers are used during the development process for debugging purposes: they give you a direct interface with the CPU and are extremely helpful. They are commonly left on the production boards, so finding them on a device is normal and not a security concern. However, if there is a chip or board wired in to a device's JTAG headers that you did not wire in yourself, then something fishy may be going on.

GINSU and BULLDOZER

GINSU provides software application persistence on target systems with the PCI bus hardware implant, BULLDOZER.

Since this is a device that plugs in to the PCI bus on a system, it could be detected by simply opening the computer's case and looking for a PCI card that does not belong. For example, if you find a PCI card that appears to serve no purpose (e.g.. not your network card or it has no external ports), then perhaps try removing it and see how things work. If a few black SUVs roll up to your house after unplugging the PCI card, it's probably not because your domicile is the set for a rap superstar's new music video.

COTTONMOUTH-I II and III

Of these three, the COTTONMOUTH bugs are the more interesting attacks. These bugs are embedded somewhere along the USB bus and function as an air gap bridge to assist in exfiltration of data as well as allow persistent compromise. It can be embedded directly in the USB headers in an existing USB peripheral (USB hub or keyboard). These devices allow for exfiltration of data over unknown radio frequencies to listening devices in the area, even on a system that is not connected to the internet.

The only problem is, once again it is physical. You could open up the keyboard or USB hub and will be able to identify a board that serves no purpose to the device. The malicious USB device would also likely show up on your computer's list of USB devices, so just checking there would be a good place to start.

In order to initiate an exploit against the target system for that persistent backdoor, the COTTONMOUTH device would perform a USB host attack, which means it will likely identify itself as a new USB device to the system (complete with USB ID etc.). Once it has done this it has given itself away. If you plug in a new USB device you got from a conference or dinner into your laptop and more than one USB device shows up on your system, you may want to grab a screwdriver and see what's going on inside the keyboard. Be wary of gifts given at conferences.

You could also detect each of these devices by monitoring radio frequencies in the room, but that is far too complicated for these specific backdoors. If there is physical evidence of tampering, then looking for physical devices will always be the easiest solution to detect them.

In the next post I will talk about some more complicated hardware backdoors. Including HOWLERMONKEY chips and a set of Radio Frequency (RF) bugs used for data exfiltration.

Read part two of this series here.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo