A QUANTUM Thought: Advanced Targeting

Or: Hey DGSE, here’s a good one for you…

Nicholas Weaver
5 min readDec 12, 2013

We’ve learned a bit more about the NSA’s QUANTUM program, their technique that turned the Internet backbone into a weapon. The agreement with Sweden to test QUANTUM attacks has formalized the terms somewhat: a “tip” is a redirection, while a successful “shot” is an exploitation. Out of 100 tips in their experimental deployment, this generated only 5 shots. Now either this experiment didn’t use a very good exploit, so only 5% of attempted victims were vulnerable, or tips represented just preliminary targeting, and only 5% of the possible victims were deemed worthy of attack.

It could easily have been the former: if the attack was simply using an old, known exploit, its quite conceivable that only a few would fall victim to the NSA’s shots. Yet what if its the latter? How could the NSA turn a “this might be someone worth exploiting” tip into a “we should exploit this person” shot? Enter mass-QUANTUMCOOKIE exploitation.

We already know that the NSA will use LinkedIn or Slashdot (or, really, any page which contains user identification in the clear) for QUANTUM targeting. A QUANTUM wiretap sees both requests and replies, but only can act on requests. So it sees user cookies in every web request, but it needs to know the user associated with the cookies to know when to attack.

Thus the process is a two-part affair, and works for any site which reveals the logged-in user over unencrypted HTML. The first request reveals the cookies, and the reply indicates the user: a LinkedIn page reveals the LinkedIn name and user ID, a Slashdot page reveals the Slashdot user, a Youtube page reveals the Google username and email address, battle.net reveals the user’s WoW account, etc… This enables the QUANTUM wiretap to associate cookies to users. When it sees a subsequent request from a target, it now knows to tip the victim over to be shot.

Yet this seems like a lot of waiting: there are undoubtedly tons of traffic that the NSA would categorize as “perhaps worth shooting”, but by waiting, they might miss the opportunity for exploitation. There is a solution, a target identification tip. How could this work?

  1. The QUANTUM wiretap sees a request from a “perhaps worth shooting” target. It takes a small, inconsequential fetch and injects a tip redirecting the victim to a user-identification script running on an NSA server.
  2. The victim’s browser fetches the user-identification script and starts executing it. This script opens up a series of hidden iframes, elements in the web browser that the user doesn’t see, which cause the browser to connect to a host of user identifying sites such as Youtube, LinkedIn, etc.
  3. Back at the QUANTUM wiretap, it sees all these requests, records the cookies, and waits for the replies. Thus for any logged-in site, the wiretap now is able to map cookies to username, allowing the QUANTUM wiretap to know who should be shot based on their cookies.
  4. Back on the victim’s browser, the user identification script waits for about 10 seconds, and then opens up a second set of hidden iframes to the sites. The browser now reconnects to all these sites, enabling the QUANTUM wiretap to execute its shots.
  5. Finally, the QUANTUM wiretap sees the second set of requests and, if they are from people in the “worth shooting” category, it executes a packet injection attack on one of these requests, tipping them over and letting them get shot.

We don’t know if the NSA uses this technique, but I’d be shocked if they didn’t. It enables them to turn “perhaps worth shooting” into “worth shooting” into “shot” with laser-guided precision, while leaving very little trace in the process. It also explains how 100 tips turned into just 5 shots.

Of course, the NSA isn’t the only institution able to use this technique. Any country can use it within their own borders, and since both political and economic targets are now in-scope, everyone traveling overseas needs to assume that, if the local intelligence agency wants to attack them by name, they will be a victim.

Yet foreign intelligence agencies can do even better. Want to target every Senator, every DC staffer, and every lobbyist by name? Do you have their Gmail addresses, LinkedIn profile, and/or Warcraft player names? Have a couple of “diplomats” you can afford to get kicked out of the country on the very remote chance your caught? If so, this one is for you. So the DGSE (the French version of the NSA) should listen up.

  1. Deploy a bunch of Raspberry Pi boxes with WiFi around Washington DC, in the local Starbucks, hidden in hotels, and anywhere else there is free WiFi. Have them join the open WiFi networks and start listening in.
  2. Program these Raspberry Pi boxes to do user-identification packet injection on any visitor which might be of interest.
  3. When the injector identifies a user, it queries the command and control server to see if the user is on the target list (hint, you too can use ghost servers for command and control).
  4. If the user is in-scope, the injector then tips the victim over to your own exploit server to be shot with the exploit and malcode of your choice.

Now you aren’t going to get onto any classified systems this way, but there is a ton of unclassified material that will make juicy reading. The appointment calendars and contact lists alone will be golden. Your total hardware cost is a few thousand dollars (about $50 per Starbucks), the odds of you being identified are slim, and even if you are caught, just repeat after me:

It wasn’t us. And even if it was, you started it. I believe your saying is ‘sauce for the goose’

Of course, once you have an infected computer, if it moves into a different network, it too can become a packet-injecting attacker, identifying and exploiting possible victims. Spread the love from Starbucks to the conference room.

And why limit the fun to major intelligence services? Small countries can contact their local Vupen and Gamma International sales representatives for details (yeah, it will cost more: Raspberry Pis are cheap, but malcode is expensive, but hey), while criminal gangs can do the same thing, either also using deployed boxes or leveraging an existing botnet.

The Internet is now a very dangerous place: all unencrypted traffic is a potential attack vector! The NSA, by their broad hacking, has painted a huge target on our backs. Targets that, for anyone who wants to, they can illuminate and attack.

Update 12/30/2013: A new slide deck possibly explains the inefficiency: the initial QUANTUM implementation was simply poorly designed! Rather than implementing the attack logic at the wiretaps, the wiretaps would forward information to remote TURBINE command-and-control servers, adding hundreds of crucial milliseconds.

This easily explains why 100 attempts would only result in 5 successful shots: if the test deployment in question used the old, not well designed QUANTUM architecture you’d expect such a failure rate.

As recently as June 2011, a better design (QFIRE), where the attack logic is colocated with the wiretaps, was only in development. Its unclear whether the improved system is even operational, let alone widely deployed.

--

--

Nicholas Weaver

Researcher: International Computer Science Institute & Lecturer @ UC Berkeley