How does QUANTUMINSERT work?
March 20, 2014 7:21 PM Subscribe
Many of the most recent NSA leaks are about a group of packet injection projects prefixed with QUANTUM. Based on the available information, how do these attacks work, and what sort of technical infrastructure is necessary to support them?
Many of the most recent NSA leaks focus on a class of packet injection attacks whose code names are prefixed with QUANTUM (there's a big list of them here). I get the basic idea: TURMOIL passively sucks up all the network traffic it can get its hands on. TURBULENCE listens to this traffic for requests that contain targeted selectors like email addresses and cookies. It passes these requests to TURBINE, which performs a man-on-the-side attack, spoofing packets from the requested site that redirect the target to an NSA server and implant their system with malware. (Here's a diagram). These attacks rely on low latency, such that a spoofed packed reaches the target before an authentic one. However, since modern sites like webmail and Facebook involve lots of short connections over a sustained period of time, it's easy to keep sending spoofed packets until one works.
I'm curious about the educated guesses more educated people than me can make based on what's we know about how QUANTUM works. Specifically: 1) Is this type of injection done by software implants or dedicated hardware? 2) Where would the injection happen, if it's designed for very low latency? Tier 1 providers? Exchange points? CDNs? 3) Given the first two guesses, does this infrastructure require overt cooperation from ISPs, and on what scale? 4) What else can you surmise about how these programs work based on the architecture?
I'v read Nicholas Weaver's Wired article and most of the primary source documents.
Many of the most recent NSA leaks focus on a class of packet injection attacks whose code names are prefixed with QUANTUM (there's a big list of them here). I get the basic idea: TURMOIL passively sucks up all the network traffic it can get its hands on. TURBULENCE listens to this traffic for requests that contain targeted selectors like email addresses and cookies. It passes these requests to TURBINE, which performs a man-on-the-side attack, spoofing packets from the requested site that redirect the target to an NSA server and implant their system with malware. (Here's a diagram). These attacks rely on low latency, such that a spoofed packed reaches the target before an authentic one. However, since modern sites like webmail and Facebook involve lots of short connections over a sustained period of time, it's easy to keep sending spoofed packets until one works.
I'm curious about the educated guesses more educated people than me can make based on what's we know about how QUANTUM works. Specifically: 1) Is this type of injection done by software implants or dedicated hardware? 2) Where would the injection happen, if it's designed for very low latency? Tier 1 providers? Exchange points? CDNs? 3) Given the first two guesses, does this infrastructure require overt cooperation from ISPs, and on what scale? 4) What else can you surmise about how these programs work based on the architecture?
I'v read Nicholas Weaver's Wired article and most of the primary source documents.
Remember that if you can spoof the DNS lookup, everything after that is easy. (Well, easyish if you have access to NSA-level resources.) DNS lookups are usually UDP rather than TCP, so you don't even need to faff around with sequence numbers. Just be quicker in generating a response than the real DNS server. This does require compromising routers closer to your target than their ISP's DNS server, but that's the kind of thing the NSA does before breakfast.
This is one of the reasons that a secure DNS infrastructure is important & we really don't have one at the moment.
posted by pharm at 3:59 AM on March 21, 2014
This is one of the reasons that a secure DNS infrastructure is important & we really don't have one at the moment.
posted by pharm at 3:59 AM on March 21, 2014
This thread is closed to new comments.
We know they have backdoored a large number of routers, so it seems to me that they are more likely identifying targets with passive snooping and then, once a target has been identified, rerouting replies from Facebook or whatever back through their equipment which then injects malware into the page.
Relying on having a lower latency to your target than the legitimate site the target is trying to visit is a fool's errand unless you actually have the cooperation of the ISPs, and that seems very not-NSA to me. Given that almost all currently used OSes use TCP sequence number randomization to prevent just that sort of blind attack, it would be difficult on many levels to do it exactly the way it is diagrammed and described. Not only that, but detecting such an attack is trivial.
If they're capturing the response packets and thus can know the sequence number, they already have everything in place necessary to do a full MITM that can't be detected by the target other than by scanning the content in the response and finding the exploit payload. TBH, I'm not sure that the QUANTUM slides aren't at least partial disinformation. Given the (presumed) target audience of nontechnical people, it wouldn't matter if there were some inaccuracies in the technical details.
posted by wierdo at 7:48 PM on March 20, 2014 [1 favorite]