How the NSA Could Hack (Almost) Any Browser
A little trick called ‘packet injection’
The feds can theoretically use your computer against you to mount an almost untraceable attack — by butting in on your electronic conversation.
This technique, known as “packet injection,” works because, absent cryptographic protection, a software client cannot distinguish an attacker's reply from a legitimate reply. So all an electronic wiretapper needs to do is examine the traffic, determine that it meets some criteria and inject his own response, timed to arrive first.
Most famously, the “Great Firewall of China” uses this technique. It simply watches all requests and, when it discovers that a client desires banned content, the Great Firewall injects a reply which the client interprets as ending the connection.
So, speculatively, what could an agency like the National Security Agency, with an avowed interest in offensive tools, an arsenal of exploits, the budget to simply buy exploits from willing sellers, and a history of allegations of widespread hacking, do with a global network of wiretaps? Why, attack practically any Web browser on the planet, whenever it wants.
All the NSA needs to do is provide its analyst with a point-and-click tool and modify their wiretaps appropriately. After identifying the computer of a target, the global wiretaps could simply watch for any Web traffic from that computer. When the victim's browser requests a script from somewhere on the Web, the odds are good it will pass by the wiretaps. When a wiretap sees such a request, it injects a malicious reply, using a zero-day attack to ensure that the victim gets compromised.
If the attack itself only resides in memory, it would hardly leave a trace on the victim's computer, as memory resident attacks disappear when the computer is reset. Normally, this would represent a significant limitation, but with the ability to so easily infect browsers, a hypothetical attacker could easily reinfect their victims.
A sophisticated network monitor might detect injected packets based on race conditions (after all, the real reply still arrives; it simply arrives late). But since the Internet is messy, such race conditions might not always occur and, even if they do occur, may simply indicate a bug rather than an attack. Even more sophisticated taps could also block the legitimate reply, eliminating this anomaly.
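The race-condition anomaly described above can be checked for mechanically: a monitor that remembers each TCP flow's segments can flag a later segment that covers the same sequence range as an earlier one but carries different bytes. The following is an added illustration, not code from the article or from any real monitoring product, and it runs over a small, constructed capture (the IP addresses, ports and payloads are invented).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

@dataclass(frozen=True)
class Segment:
    flow: Flow
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def overlapping_bytes_differ(a: Segment, b: Segment) -> bool:
    """True when two segments of one flow cover a common sequence range
    but disagree on the bytes in it. A plain retransmission (same bytes)
    or two non-overlapping segments return False."""
    lo = max(a.seq, b.seq)
    hi = min(a.seq + len(a.payload), b.seq + len(b.payload))
    if lo >= hi:
        return False
    return a.payload[lo - a.seq:hi - a.seq] != b.payload[lo - b.seq:hi - b.seq]

def find_injection_candidates(segments: List[Segment]) -> List[Tuple[Flow, int]]:
    """Walk segments in capture order and report (flow, seq) of every
    segment that contradicts an earlier one in the same flow. The late,
    legitimate reply is what trips the check, exactly as the race implies."""
    history: Dict[Flow, List[Segment]] = {}
    alerts: List[Tuple[Flow, int]] = []
    for seg in segments:
        prior = history.setdefault(seg.flow, [])
        if any(overlapping_bytes_differ(seg, p) for p in prior):
            alerts.append((seg.flow, seg.seq))
        prior.append(seg)
    return alerts

# Constructed sample capture (not real traffic): a server answering a
# client's script request, with a forged reply arriving before the real one.
SERVER_TO_CLIENT: Flow = ("203.0.113.10", 80, "198.51.100.7", 40001)
INJECTED = b"HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n\r\n/* injected */"
GENUINE = b"HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n\r\n/* genuine  */"
SAMPLE_SEGMENTS = [
    Segment(SERVER_TO_CLIENT, 1000, INJECTED),                 # wins the race
    Segment(SERVER_TO_CLIENT, 1000, GENUINE),                  # arrives late
    Segment(SERVER_TO_CLIENT, 1000 + len(GENUINE), b"more"),   # next segment
    Segment(SERVER_TO_CLIENT, 1000 + len(GENUINE), b"more"),   # retransmit, benign
]

if __name__ == "__main__":
    for flow, seq in find_injection_candidates(SAMPLE_SEGMENTS):
        print(f"possible injection in {flow} at seq {seq}")
```

As the paragraph notes, a tap that also drops the legitimate reply leaves nothing to compare, so an empty result from this check is not evidence of a clean flow.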
Detecting the attack payload itself is also a very hard problem. There are a couple of companies developing products which attempt to detect zero-day attacks, but overall this remains an area of active research and development.
Finally, even if a victim detects an attack, attributing such an attack to a particular intelligence agency is also difficult. The NSA and its U.K. friends in the GCHQ (the British Government Communications Headquarters) can build this. And they aren't the only ones: any country with sufficient Internet transit passing through or near their borders might deploy such a system. Germany and France probably have enough network visibility to build something like this on their own soil.
Other countries would need to deploy out-of-country wiretaps, as Russia and particularly China are less used for transit, while Israel's native reach is probably limited to Middle Eastern targets. Of course, any country that wants to attack their own citizens this way can simply buy an off-the-shelf tool for a few million dollars (Google translate).
Again, I know of no evidence that the NSA or any other intelligence agency has built or is using such universal attack tools. But as we are now all bystanders in what appears to be an escalating espionage conflict, we may need to consider the Internet itself hostile to our traffic. Universal encryption of our messages does more than protect us from spies: it protects us from attack.
Lastly, the electronic spooks need to understand that “difficult to detect and attribute” does not mean impossible. With public revelations of both NSA and Chinese hacking on the global radar, as well as commercial malware, private companies and researchers are focusing considerable talent on detecting nation-state hacking.
Update: Bruce Schneier in The Guardian has confirmed that the NSA uses this technique, which they call “Quantum,” in order to infect their victims. And victims can belong to NATO allies, as Der Spiegel revealed that Belgacom was hacked by the GCHQ using a “Quantum Insert.”
Nicholas Weaver (@ncweaver) is a researcher at the International Computer Science Institute in Berkeley and a visiting researcher at the University of California, San Diego. His opinions and speculations are his own.