How the US (probably) spied on European allies’ encrypted faxes

[nsane.forums]

Grainy image stokes speculation of old-school, Tempest-style attack.

Part of a secret document published by The Guardian detailing "Dropmire," a program that reportedly spied on encrypted faxes sent to the European Union's Washington, DC, mission.

US intelligence services implanted bugging tools into cryptographic facsimile devices to intercept secret communications sent or received by the European Union's Washington, DC outpost, according to the latest leak from former National Security Agency staffer Edward Snowden. Technical details are scarce, but security experts reading between the lines say the program probably relies on an old-school style of espionage that parses electric currents, acoustic vibrations, and other subtle types of energy to reveal the contents of encrypted communications.

The bugging method was codenamed Dropmire, and it appears to rely on a device being "implanted on the Cryptofax at the EU embassy, DC," according to a 2007 document partially published Sunday by The Guardian. An image included in the document, presumably taken from a transmission traveling over a targeted device, showed highly distorted text that can just barely be read by the human eye as the letters "EC" followed by "NCN." The fax device was used to send cables between foreign affairs ministries and European capitals, according to Sunday's report.

The ability to approximate the plaintext message but not capture it as it appeared when fully decrypted likely means Dropmire didn't crack the precise algorithm or key used to encrypt the message. That—along with the detail about something being "implanted" in the fax device—has led to speculation that the program monitored electrical, mechanical, or acoustical energy emanating from the device to deduce clues about the plaintext messages being received. Such techniques fall under the umbrella term Tempest, which was coined more than three decades ago as an NSA tactic for reading sensitive communications relating to national security. More recently, Tempest has come to mean any investigation or analysis that uses so-called "compromising emanations" to reveal the contents of sensitive communications or lead to the decryption of encrypted data.

"Having done many experiments to eavesdrop on office equipment myself, the noisy image at the bottom third of the picture above looked instantly familiar," Markus Kuhn, a computer scientist and senior lecturer at Cambridge University, wrote in a blog post published Monday. "It is what you might get from listening with a radio receiver on the compromising emanations of a video signal of a page of text."

Three security experts Ars spoke with agreed with Kuhn's analysis. They said it makes a strong case that the attacks targeting the EU encrypted fax devices were relying on what's known as side-channel attacks, which target weaknesses in a specific cryptographic implementation rather than the underlying cipher or mathematics it's built on.

"It's breaking things that really have nothing to do with the cryptography itself," Justin Troutman, a cryptographer and independent security and privacy researcher, told Ars. He went on to say that the effort required on the part of US intelligence agents was likely justified when considering the intelligence value of the encrypted data. "I think the side-channel attacks are plausible, and I think the target warrants it. So even though it's speculation at this point, it's certainly a valid point within the realm of reason."

Side-channel attacks analyze subtle fluctuations in power drawn by a cryptographic device or slight differences in the amount of time it takes the device to complete certain tasks. The side data is then used to ferret out clues about the underlying plaintext or the key or algorithm that was used to encrypt it. In some cases, side-channel attacks can be used to recover the entire cleartext once enough clues are gathered. Other times, the technique reveals only partial contents of the message.

"One way I've seen other side-channel attacks work is once you convert a signal into a binary, you can hope that it's as easy as reading the data," Troutman explained. "There's going to be noise, so it may take other algorithms to parse through that noise and filter it out. But if you can get bits and pieces, a few letters here, a few letters there, over time you may be able to build a picture of what the conversation is about, or enough to at least identify what this communication channel is used for, or possibly even identify names attached to other projects."

Cryptographic device makers have known about side-channel attacks for decades and often work hard to prevent their wares from leaking clues that can compromise customers' encrypted messages. Hardened devices often use data "padding" to obscure the size of encrypted messages. Devices may also be programmed to ensure there's more uniformity in the amount of time it takes for different types of data to be encrypted or decrypted. They frequently encase cryptographic devices in protective shields that prevent them from leaking electric or other types of emanations that can be analyzed by an adversary. That being the case, how might US intelligence agents carry out a side-channel attack on an encrypted fax device belonging to the EU?

One possibility is to plant some sort of bug on or near a targeted device that captures compromising emanations and delivers them to intelligence agents for analysis. While the data intercepted by such a Tempest-style bug has clear disadvantages—namely, the crudeness of the data it intercepts—it might also be considerably easier to plant and harder for EU defenders to detect. By contrast, a more advanced bug secretly added to a fax device might be able to deliver a more reliable copy of the protected communication while being relatively easy for someone to spot. In some cases, the bug might not be anything that's added but, rather, something removed to permit leakage that wouldn't otherwise occur. The corruption in the image included with The Guardian article suggests the device was closer to the former.

"That the image is so distorted, and getting edges instead of content, indicates that it's something simple, such as adding a wire or removing wire, as the [Kuhn] article indicates," said Rob Graham, CEO of security consultancy Errata Security. "Adding a circuit board would be detectable, snipping a trace on a circuit board to enhance emanations wouldn't be."

It's also possible that the surveillance was conducted by using a bug to analyze radio frequency emissions only after the sensitive data had been decrypted and was in the process of being printed by the fax device. In 2009, for instance, researchers demonstrated two methods for eavesdropping on passwords and other sensitive data by exploiting vibrational patterns and electromagnetic pulses that emanate with every character entered into a computer.

"The laser printer of a fax machine certainly fits the profile and unless specific countermeasures are in place, it might be vulnerable to such eavesdropping techniques, which would not be mitigated by the encryption layer, as they target the end output of the printer," said Andrea Barisani, chief security engineer for Inverse Path and one of the researchers behind the 2009 demonstration. "Our company is often given the task to assess the interaction between physical electronics and software security of embedded devices such as printers and fax machines. In the vast majority of cases, all of the tested targets are vulnerable to software attacks, hardware attacks, or a combination of the two."

The lack of specific details in The Guardian article makes it impossible to know just how accurate speculation is that US intelligence services are launching Tempest-style attacks on its European allies. But based on the information available, it's not possible to rule out these James Bond-type of surveillance techniques either.

View: Original Article