Computerworld

Spy agencies around the world use radio signals to tap data from targeted systems

NSA's program, dubbed Quantum, surreptitiously taps data from 100,000 systems worldwide, according to New York Times report

Reports this week that the National Security Agency uses radio signals to collect data from tens of thousands of non-U.S. computers, some not connected to the Internet, are sure to fuel more acrimony towards the U.S. spy agency.

But observers note that the NSA is not the first of the world's spy agencies to use such technology to surreptitiously gather classified information from other countries.

For instance, intelligence personnel in the former Soviet Union used similar tactics to secretly gather information from electric typewriters at U.S. government offices in Moscow and Leningrad more than 30 years ago. And experts say it's a near certainty that the spy agencies of other advanced nations are doing the same thing today.

"Physical compromise of a target's technology is what we expect intelligence agencies to do," said John Pescatore, director of emerging technology at the SANS Institute and a former NSA security engineer.

"The Chinese have been doing it to the laptops and smartphones of foreign executives visiting China. Years ago the French did similar things in their country and I'm sure British intelligence has done the same thing," Pescatore said. "What the NSA is doing now is what all superpower intelligence agencies have done, are doing, and will do."

The New York Times reported Tuesday that documents leaked last year by former NSA contractor Edward Snowden disclosed that the NSA has embedded software and hardware "bugs" in some 100,000 targeted systems around the world. The "bugs" allow the NSA to collect information from the systems even when they are not connected to the Internet.

The technology, which has to be physically installed in most cases, has been available since at least 2008. It "relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers," according to the Times report. Data captured by the devices are sent to small briefcase-sized relay stations often set up miles away from the target system.

The software has apparently allowed the NSA to do an end-run around whatever cybersecurity controls are installed on the compromised systems.

The spy technology is said to be part of an intelligence operation, code-named Quantum, that mostly targets units of the Chinese Army, Russian military networks and systems used by drug cartels and police in Mexico. The program also targets European Union trade institutions, and government agencies in India, Pakistan and Saudi Arabia.

"They [bugs] are very impressive," said noted security researcher and cryptographer Bruce Schneier, CTO at Co3 Systems. "These hardware implants show that the NSA has been continuing its research and development since the Cold War, which is what we should expect."

However, experts do note that the collection of information via radio frequency is not new.

In the mid-1980s, Soviet secret police planted electromechanical bugs in numerous electric typewriters at the U.S. embassy in Moscow and its consular office in Leningrad. Like the NSA implants described in the Times story, the Soviet bugs transmitted data using radio waves.

Declassified NSA documents describe how the bugged typewriters allowed the Soviets to access copies of routine memos and classified documents, oftentimes before U.S. officials read them.

Between 1976 and 1984, the Soviets installed the bugs on 16 IBM Selectric typewriters. The bugs operated in the 30, 60 or 90 MHz range via radio frequency and were concealed in a metal bar, called the comb supporter, in the typewriters.

The Soviets upgraded the implants several times and eventually completed work on five generations, three that operated on DC power and two on AC power. The bugs could be installed in 30 minutes or less, could be switched on and off remotely and contained integrated circuits that were very advanced for the times, according to the NSA documents. Some had beacons that indicated when the electric typewriters were turned on or off.

The implants were designed to pick up the magnetic energy generated when a typewriter key was struck, convert it into digital electrical signals and transmit it via radio frequency to a nearby Soviet listening post. According to the NSA post-mortem, the bug marked the first time that data was captured in this fashion from a device that held plaintext information.

The discovery of the implants triggered an NSA response, codenamed GUNMAN, that eventually led to the replacement of more than 11 tons of equipment in the offices targeted by the Soviets. It also prompted sweeping changes in U.S. State Department security practices and an overhaul of the U.S. technology and techniques used to detect and respond to electronic threats.

"This was in the 1980s when electric typewriters were the PCs of the day," Pescatore said. "The NSA was also doing the same thing to the Soviets back then -- the Soviets were just better at the time."

Schneier added that the NSA "might have a larger budget than anyone else in the world, but they're not made of magic. These are the sorts of techniques that any well funded national intelligence agency would employ and -- as they get cheaper -- criminals will employ."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is jvijayan@computerworld.com.
