US & World
Attendees at the Chaos Communications Congress in Hamburg this weekend got a surprising rundown of the NSA's surveillance capabilities, courtesy of security researcher Jacob Appelbaum. Appelbaum, who co-wrote the Der Spiegel article that first revealed the NSA catalog, went into further detail onstage, describing several individual devices in the catalog and their intended purposes.
The exploits could be delivered by drone
Alongside pre-packaged exploits that allowed control over iOS devices and any phone communicating through GSM, Appelbaum detailed a device that targets computers through packet injection, seeding exploits from up to 8 miles away. He even speculated the exploits could be delivered by drone, although he conceded that in most cases, an unmarked van would likely be more practical.
The brochure in question dates from 2007, suggesting capabilities may have advanced even further since then — but Appelbaum left little doubt that he believes these tactics are still in use, and offered several instances in which he's seen them in action. One case involved Julian Assange's current home at the Ecuadorian Embassy in London, where visitors were surprised to receive welcome messages from a Ugandan telephone company. It turned out the messages were coming from a foreign base station device installed on the roof, masquerading as a cell tower for surveillance purposes. Appelbaum suspects the GCHQ simply forgot to reformat the device from an earlier Ugandan operation.
Update: Cisco, cited in the original Der Spiegel article, is formally investigating the potential hack. "On Monday, December 30th, Der Spiegel magazine published additional information about the techniques allegedly used by NSA TAO to infiltrate the technologies of numerous IT companies," wrote senior VP John Stewart. "As a result of this new information coming to light, the Cisco Product Security Incident Response Team (PSIRT) has opened an investigation."
Update 2: Der Spiegel has published an interactive graphic showing the various devices in action.
We'll email you a reset link.
If you signed up using a 3rd party account like Facebook or Twitter, please login with it instead.
Choose an available username to complete sign up.
In order to provide our users with a better overall experience, we ask for more information from Facebook when using it to login so that we can learn more about our audience and provide you with the best possible experience. We do not store specific user data and the sharing of it is not required to login with Facebook.