Many of the most recent NSA leaks are about a group of packet injection projects prefixed with QUANTUM. Based on the available information, how do these attacks work, and what sort of technical infrastructure is necessary to support them?
Many of the most recent NSA leaks focus on a class of packet injection attacks whose code names are prefixed with QUANTUM (there's a big list of them here). I get the basic idea: TURMOIL passively sucks up all the network traffic it can get its hands on. TURBULENCE listens to this traffic for requests that contain targeted selectors like email addresses and cookies. It passes these requests to TURBINE, which performs a man-on-the-side attack, spoofing packets from the requested site that redirect the target to an NSA server and implant their system with malware. (Here's a diagram.) These attacks rely on low latency, such that a spoofed packet reaches the target before an authentic one. However, since modern sites like webmail and Facebook involve lots of short connections over a sustained period of time, it's easy to keep sending spoofed packets until one works.
I'm curious about the educated guesses more educated people than me can make based on what we know about how QUANTUM works. Specifically: 1) Is this type of injection done by software implants or dedicated hardware? 2) Where would the injection happen, if it's designed for very low latency? Tier 1 providers? Exchange points? CDNs? 3) Given the first two guesses, does this infrastructure require overt cooperation from ISPs, and on what scale? 4) What else can you surmise about how these programs work based on the architecture?
I've read Nicholas Weaver's Wired article and most of the primary source documents.
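One defensive consequence of the race the question describes: if a spoofed reply has to beat the genuine one, a monitor near the target will often see both, so two data segments on the same connection with the same sequence number but different payloads are a strong sign that something other than the real server answered. The following is an added example (not from the post or from any of the documents it cites) that applies that check to constructed sample traffic; the `Segment` fields, addresses, TTLs and payloads are all assumptions made up for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment view: just the fields the check needs."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes

def find_conflicting_segments(segments):
    """Flag segments that reuse a flow's sequence number with different data.
    A real retransmission repeats the same bytes; two different payloads at
    one offset mean two senders answered the same request. A retransmission
    whose TTL differs from the original is reported as a weaker hint.
    Returns a list of (kind, first_segment, second_segment) tuples."""
    seen = {}  # (src, sport, dst, dport, seq) -> first data segment observed
    findings = []
    for seg in segments:
        if not seg.payload:
            continue  # pure ACKs carry no data to conflict on
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        first = seen.get(key)
        if first is None:
            seen[key] = seg
        elif first.payload != seg.payload:
            findings.append(("payload-conflict", first, seg))
        elif first.ttl != seg.ttl:
            findings.append(("ttl-mismatch-retransmit", first, seg))
    return findings

# Constructed sample traffic (addresses, TTLs and payloads are made up): a
# spoofed 302 that arrives first, the server's genuine 200 for the same
# sequence number, then an ordinary segment and its honest retransmission.
SERVER, CLIENT = "203.0.113.10", "198.51.100.7"
SAMPLE = [
    Segment(SERVER, 80, CLIENT, 51000, 1000, 54,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    Segment(SERVER, 80, CLIENT, 51000, 1000, 49,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
    Segment(SERVER, 80, CLIENT, 51000, 1061, 49, b"<p>second segment</p>"),
    Segment(SERVER, 80, CLIENT, 51000, 1061, 49, b"<p>second segment</p>"),
    Segment(CLIENT, 51000, SERVER, 80, 7000, 63, b""),  # bare ACK, ignored
]
```

Run `find_conflicting_segments(SAMPLE)` to get the single payload conflict at sequence 1000; the honest retransmission at 1061 and the bare ACK produce nothing.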