The U.S. National Security Agency's ability spy on computers not connected to the Internet became more widely known following the publication of a New York Times story last week. Such news followed up on earlier investigations by Der Spiegel that detailed an internal NSA catalog of spy tools, including some radio frequency technologies capable of helping agents spy on offline computers.
But the use of radio frequency devices installed on targeted computers is not nearly as widespread—or potentially troubling for some—as the NSA's broader surveillance programs. For those of you not keeping score at home, those programs include vacuuming up millions of online records daily from the servers of Internet companies such as Google and Yahoo and collecting cellphone location records from around the world. There's less alarm over the ability to spy on offline computers because it requires the NSA to physically insert a tiny circuit board or USB flash drive into a target computer and also have nearby agents carrying portable radar systems and computers.
"This isn't really a wholesale surveillance situation," said Yossi Oren, a postdoctoral research scholar at the Computer Architecture and Security Technology Lab at Columbia University's School of Engineering. "This is actually spycraft."
The relevant NSA documents hosted on Cryptome date back to 2008, which means the NSA's capabilities have undoubtedly improved beyond the technologies described in the documents. But the documents still provide a useful glimpse of how the agency might go about planting such spy tools—which are mostly made from off-the-shelf components—inside computers that don't have wired or wireless Internet connections. They also show why such frighteningly precise spying is far more limited than the NSA's broader mass surveillance of Internet data and cellphones.
Such spycraft requires the NSA's Tailored Access Operations unit to install one of two types of RF devices inside a target computer. An RF transceiver could both receive and transmit radio signals. By comparison, a cheaper RF transponder would only respond to RF signals from an external transmitter.
The NSA catalog lists RF transceivers such as a USB flash drive named "Cottonmouth" that can be manually inserted into a target computer. Another example is a circuit board named "Howlermonkey" that can be installed in the target computer either during the manufacturing process or by an agent in the field.
But the sneakiest surveillance tools employed by the NSA could be cheap RF transponders rather than transceivers, Oren explained. Because they behave like passive radio-frequency identification (RFID) tags, responding only to external RF signals sent out by an NSA agent's portable radar system, they are much more difficult to detect—even by someone monitoring radio frequencies. Even if a suspicious person opened up his or her computer and found the transponder, it would be a passive device "built to be captured," Oren said.
The NSA lists a range of transponders—some selling for as little as $30—in its internal catalog. One RF transponder can collect the keystrokes being typed on a target computer by tapping into the data line between keyboard and computer processor. Another model, meant to be installed on the cable connecting the computer's video card to the video monitor, gives NSA agents a peek at whatever is displayed on a computer's monitor.
A third transponder can amplify the gain of a computer's microphone so that it picks up the sounds of human speech at a "standard, office volume" from more than 6 meters away. And a fourth model acts as a beacon that helps NSA agents with portable radar systems to home in on transponders such as "Ragemaster." The beacon can be located "quite easily within a [15-meter] radius of the radar system being used to illuminate it," according to the NSA catalog.
Because the transponders don't actively transmit RF signals, they use a scant amount of power; this means they can run for years on a tiny internal battery. The NSA catalog also mentions batteries such as lithium coin cell batteries used in watches and cameras, but Oren speculated that recent advances in tiny nuclear-powered devices might have made those available for NSA usage.
Once the NSA has slipped in and installed a transponder in a target computer, the gadget still needs to be pinged in order for the agency to gather data. Human agents initiating that data collection use portable radar systems including a 4.5-kilogram radar unit called "Photoangle" that is "small enough to fit into a slim briefcase." It has a maximum bandwidth of 450 megahertz, a maximum RF output power of 2 watts, and can transmit on a 1-2 gigahertz frequency range (although it's possible that the NSA has improved the frequency range to 1-4 gigahertz in updated versions).
Oren suspects that the radar system uses a standard frequency-hopping method to change the transmitted signal's frequency thousands of times per second—another tactic for avoiding detection by anyone monitoring radio frequencies.
The NSA catalog even lists portable computers for processing the data collected by "Photoangle" and an older radar system called "CTX4000."
That all sounds pretty good for the NSA's purposes, but Oren pointed out a possible drawback to the transponder approach. He expects it's only a matter of time before somebody leaks the design of the transponders online so that anybody could build them using the same off-the-shelf parts. Particularly security-minded people might start using their own transponders to feed the NSA "nonsense" intelligence.
The overall effect could be similar to the Allied disinformation plan, "Operation Mincemeat," from World War II, which involved planting fake "top secret" plans on a uniformed corpse and allowing the body to fall into the hands of German agents. "You could do a mass 'Mincemeat,'" Oren said.
Then again, about six years have passed since the NSA catalog described in the documents leaked by Edward Snowden was published. The agency has likely already upgraded its technology—and it's certainly well aware of how various surveillance programs may have been compromised by Snowden's revelations.
Such targeted spycraft can still sound wildly intimidating in its almost "magical" ability to peek at offline computers, Oren said. Yet he joined other security experts in pointing out that the operations by the NSA's Tailored Access Operations (TAO) unit are much more limited in their targeting than the NSA's mass surveillance programs.
"TAO is retail rather than wholesale," said Matt Blaze, director of the Distributed Systems Laboratory at the University of Pennsylvania, in The Guardian. He suggested that such frightening tools "represent far less of a threat to our privacy and security than almost anything else we've learned recently about what the NSA has been doing."
A similar dose of rationality came from security guru Bruce Schneier: "As scarily impressive as TAO's implant catalog is, it's targeted. We can argue about how it should be targeted—who counts as a 'bad guy' and who doesn't—but it's much better than the NSA's collecting cell phone location data on everyone on the planet."
Illustration: Randi Klett; Images: iStockphoto
Jeremy Hsu has been working as a science and technology journalist in New York City since 2008. He has written on subjects as diverse as supercomputing and wearable electronics for IEEE Spectrum. When he’s not trying to wrap his head around the latest quantum computing news for Spectrum, he also contributes to a variety of publications such as Scientific American, Discover, Popular Science, and others. He is a graduate of New York University’s Science, Health & Environmental Reporting Program.