|
|
|
|
|
|
|
Bugs NSA Catalog →
|
FIREWALK is the codename or cryptonym of a covert implant, developed
around 2007 by or on behalf of the US
National Security Agency (NSA) as part
of their ANT product portfolio.
The device is implanted into the RJ45 socket of the Ethernet interface of
a PC or a network peripheral, and can intercept bidirectional
gigabit ethernet traffic and inject data packets into the target network.
|
The implant is housed inside a regular stacked RJ45/twin-USB socket,
such as the one shown in the image on the right. At the top are two
LEDs and inside are the ethernet transformer and in some
cases even an Ethernet Phy (eg. Broadcom).
NSA was able to manipulate this standard off-the-shelf computer part
– probably somewhere in the supply chain or directly at the factory
where the product was assembled – and replace the internal electronics
by a miniature ARM9 / FPGA computer platform, named TRINITY [2].
Also implanted inside the socket, is a miniature wideband radio frequency
(RF) tranceiver, named HOWLERMONKEY. It allows the implant to bypass
an existing firewall or air gap protection [3].
|
|
|
The implant is suitable for 10/100/1000 Mb (gigabit) networks
and intercepts all network traffic, with is then sent through a VPN tunnel,
using the HOWLERMONKEY RF module. If the distance between the target
network and the node to the Remote Operations Center (ROC)
is too large, other implants
in the same building may be used to relay the signal.
The implant can also be used to insert data packets into the target network.
The diagram below shows the construction.
At the left are the RJ45 and twin-USB sockets,
with two LED indicators at the top.
Immediately behind the sockets is a PCB with the power circuitry.
At the back is the actual NSA FIREWALK implant, which is built around
a TRINITY multi-chip module,
consisting of an 180 MHz ARM9 microcontroller,
an FPGA with 1 million gates, 96 MB SDRAM and 4 MB Flash memory.
The latter contains the firmware, which can be tailored for a specific
application or operation. In practice, the firmware would filter the network
packets and relay the desired ones to the NSA's ROC, using a nearby RF
node (outside the building) and the internet to transport the
intercepted data [1].
The above information was taken from original NSA datasheets from
January 2007, that were disclosed to the press in 2013 by
an unidentified party (other than former
CIA/NSA contractor Edward Snowden).
The items were developed by, or on behalf of, the cyber-warfare
intelligence-gathering unit of the NSA, known as The Office of Tailored
Access Operations (TAO), since renamed Computer Network Operations [4].
➤ NSA ANT product catalog
|
|
|
|
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Monday 16 November 2020. Last changed: Saturday, 19 August 2023 - 07:36 CET.
|
 |
|
|
|
