NSA spy gadgets: LOUDAUTO

NSA’s ANT Division Catalog of Exploits for Nearly Every Major Software/Hardware/Firmware is interesting reading on gadgets NSA is claimed to use to spy on you. There was some discussion on Facebook on of those devices were real or not asking for my comments on some of the devices if they are feasible or not.

Here is picture of LOUDAUTO listening microphone product that was mentioned on this catalog (also published by Der Spiegel and Wikipedia).

LOUDAUTO concept seems to be feasible. The used PPM coding method is presented in papers and claimed low current consumption seems to be doable. The constant wave radar target illumination and listening to signal scattering back is feasible at least in distance like meters or tens of meters. I consulted one radio engineer on to verify if this part looks feasible and he said yes this kind of methods can be used.

The listed RF instruments for receiving the signal are real (Rohde & Schwarz FSH-series protable spectrum analyzers, etc). Suitable radar signal source for this could be PHOTOANGLO. Some more details LOUDAUTO can be found A Surprising Feature in the NSA’s Radar Bugs: A Neurophone! blog posting.

Some information on very old microphones that use similar signal back scattering ideas ages ago can be found at THE GREAT SEAL BUG STORY and Thing (listening device) articles.

15 Comments

  1. Robert_key says:

    Reading this post reminded me of James_bond the super spy nice post man keep it up your blog offers quite helpful knowledge

    Reply
  2. Tomi Engdahl says:

    NSA Technology Goes Open Hardware
    http://hackaday.com/2014/05/02/nsa-technology-goes-open-hardware/

    When [Edward Snowden] smeared the internet with classified NSA documents, it brought to light the many spying capabilities our government has at its disposal. One the most interesting of these documents is known as the ANT catalog. This 50 page catalog

    The Sparrow II is an aerial surveillance platform designed to map and catalog WiFi access points.

    group of hackers at Hyperion Bristol has attempted to create their own version.

    Hardware – Open-Source NSA Technology (Airborne Wifi)
    http://hyperionbristol.co.uk/hardware-open-source-nsa-technology-airborne-wifi/

    Another thing to note at the very bottom is the price: $6000

    Let’s break down exactly what it is we want the system to do:

    Sniff WLANs
    Associate WLANs with a location
    Log the locations
    Operate autonomously (and independant of mains power)

    Now our budget is considerably lower than that of the NSA…

    Alpha AWUS036H
    Raspberry Pi Model B (512Mb RAM)
    Ublox GY-NEO6MV2 GPS Module
    12000mAh USB Battery

    So in total, that brings us to a cost of around £100. Of course, that’s assuming you pay full price. Ebay (and similar sites), or an Academic discount can be used to obtain this equipment at much cheaper rates… So how does it all fit together?

    So now all we need to to is go and attach this to an aircraft ;) So in summary, we’ve increased the amount of RAM, storage and computational power over the SPARROW-II system, whilst using a budget 60 times smaller.

    Reply
  3. Tomi Engdahl says:

    Replicating NSA’s gadgets using open source
    http://www.net-security.org/article.php?id=2039

    “Could we – could I – make the gadgets that the agency uses to monitor and locate mobile phones, tap USB and Ethernet connections, maintain persistent malware on PCs, communicate with malware across air gaps, and more, by just using open source software and hardware?”

    Reply
  4. Tomi Engdahl says:

    Hackers use Snowden leaks to reverse-engineer NSA surveillance devices
    http://www.engadget.com/2014/06/20/nsa-bugs-reverse-engineered/

    Before, nobody knew how the so-called “retro reflectors” worked, but armed with NSA documentation, Ossmann and co. were able to create their own tiny transistor-sized devices that could surreptitiously transfer wireless data to a nearby radio point (much like the NSA is reported to have done).

    Reply
  5. Tomi Engdahl says:

    Homebrew NSA Bugs
    http://hackaday.com/2014/07/10/homebrew-nsa-bugs/

    Thanks to [Edward Snowden] we have a huge, publicly available catalog of the very, very interesting electronic eavesdropping tools the NSA uses. Everything from incredibly complex ARM/FPGA/Flash modules smaller than a penny to machines that can install backdoors in Windows systems from a distance of eight miles are available to the nation’s spooks, and now, the sufficiently equipped electronic hobbyist can build their own.

    [GBPPR2] has been going through the NSA’s ANT catalog in recent months, building some of the simpler radio-based bugs. The bug linked to above goes by the codename LOUDAUTO, and it’s a relatively simple (and cheap) radar retro-reflector that allows anyone with the hardware to illuminate a simple circuit to get audio back.

    Also on [GBPPR2]‘s build list is RAGEMASTER, a device that fits inside a VGA cable and allows a single VGA color channel to be viewed remotely.

    Reply
  6. Tomi Engdahl says:

    GBPPR Vision #27: Overview of the NSA’s LOUDAUTO Radar Retro-Reflector
    https://www.youtube.com/watch?v=EOD1yHnerXg

    General overview of the NSA’s LOUDAUTO audio-based RF retro-reflector.

    Reply
  7. Tomi Engdahl says:

    GBPPR LOUDAUTO Experiments
    http://blockyourid.com/~gbpprorg/mil/photoanglo/loudauto/

    LOUDAUTO is an audio-based RF retro-reflector. It provides room audio from a targeted space using radar and basic demodulation and audio post-processing.

    LOUDAUTO’s current design maximizes the gain of the Knowles EK/EY-series microphone. This makes it extremely useful for picking up room audio. It can pick up speech at a standard, office volume from over 20 feet away. Note that concealments may reduce this distance.

    It uses very little power, approximately 15 µA at 3.0 VDC. So little, in fact, that battery self-discharge (internal resistance) is more of an issue for serviceable lifetime than the power draw from this unit. The simplicity of the design allows the form factor to be tailored for specific operational requirements. All components are Commercial Off-the-Shelf (COTS) and so are non-attributable to NSA.

    Room audio is picked up by the microphone and converted into an analog electrical signal. This signal is used to Pulse-Position Modulate (PPM) a low-frequency square wave carrier signal running at around 100 kHz. This square wave is used to bias a microwave FET (Field Effect Transistor) on and off. When the unit is illuminated with an unmodulated Continuous Wave (CW) signal from a remote radar unit (CTX4000/PHOTOANGLO), the illuminating signal is Amplitude Modulated (AM) with the PPM square wave.

    Reply
  8. Tomi Engdahl says:

    GBPPR Vision
    http://www.qsl.net/n/n9zia//vision/

    This is a small video series hosted on YouTube aimed at experimenters and hackers covering topics related to amateur radio, homebrew electronics, test equipment, and other similar interests.

    Reply
  9. Tomi Engdahl says:

    Hackers use Snowden leaks to reverse-engineer NSA surveillance devices
    http://www.engadget.com/2014/06/20/nsa-bugs-reverse-engineered/

    Reply
  10. Tomi Engdahl says:

    Building the NSA’s Tools
    http://hackaday.com/2014/08/01/building-the-nsas-tools/

    Back in 2013, the NSA ANT Catalog was leaked. This document contained a list of devices that are available to the NSA to carry out surveillance.

    [Michael Ossmann] took a look at this, and realized that a lot of their tools were similar to devices the open source hardware community had built. Based on that, he gave a talk on The NSA Playset at Toorcamp 2014. This covered how one might implement these devices using open hardware.

    Reply
  11. microwave device technology westford ma says:

    (+30dBm Survival) ±10 degrees, ±0.6 typ.

    Reply
  12. Tomi Engdahl says:

    The NSA Playset: A Year of Toys and Tools
    https://www.blackhat.com/us-15/briefings.html#the-nsa-playset-a-year-of-toys-and-tools

    Inspired by the contents of the leaked NSA ANT catalog, the NSA Playset project has produced an array of gadgets with capabilities similar to those employed by the spooks.

    http://www.nsaplayset.org/

    Reply
  13. radio earpiece says:

    bookmarked, cool website!

    Reply
  14. Tomi Engdahl says:

    Theremin’s Bug: How the Soviet Union Spied on the US Embassy for 7 Years
    http://hackaday.com/2015/12/08/theremins-bug/

    The man leaned over his creation, carefully assembling the tiny pieces. This was the hardest part, placing a thin silver plated diaphragm over the internal chamber. The diaphragm had to be strong enough to support itself, yet flexible enough to be affected by the slightest sound. One false move, and the device would be ruined.

    The man in this semi-fictional vignette was Lev Sergeyevich Termen, better known in the western world as Léon Theremin. You know Theremin for the musical instrument which bears his name. In the spy business though, he is known as the creator of one of the most successful clandestine listening devices ever used against the American government.

    In 1920, while working on his dielectric measurement device, Theremin noticed that an audio oscillator changed frequency when he moved his hand near the circuit. The Theremin was born. In November of 1920 Léon gave his first public concert with the instrument. He began touring with it in the late 1920’s and in 1928, he brought the Theremin to the United States. He set up a lab in New York and worked with RCA to produce the instrument.

    In 1938, with the Nazi threat growing stronger, Theremin returned to Russia.

    Upon arrival in Leningrad, Theremin was imprisoned, suspected of crimes against the state. He found himself working in a laboratory for the state department. This was not an unusual situation. Aircraft designer Andrei Tupolev and missile designer Sergei Korolyov were two of many others who faced a similar fate.
    It was during this time as a prisoner that Theremin designed his listening device.

    A group of 10 to 15 year old boys from the Young Pioneer Organization of the Soviet Union arrived at the US embassy carrying a hand carved great seal of the United States of America.

    The seal was given as a gesture of friendship between the US and Soviet Union. Harriman hung the plaque in the study of his residence, Spaso House.

    The device, later known as “The Thing”, would not be discovered until 1952 — roughly seven years later.

    The discovery of the great seal listening device is an interesting one. British broadcasters reported hearing American voices on the their radios in the vicinity of the American embassy. No Americans were transmitting though, which meant there had to be a bug. Numerous sweeps were performed, all of which turned up nothing.

    Powering up his equipment, Bezjian began a sweep of the building. With his receiver tuned to 1.8GHz, he heard the bug’s audio, and quickly isolated the source in the great seal.

    Close inspection of the carving found it had been hollowed out, and a strange device placed behind the eagle’s beak. No batteries or wires were evident, and the device was not powered through the nail which had been hanging the seal.

    The great seal bug quickly became known as “The Thing”. It was a passive resonant cavity device, containing no batteries or other power source. It consisted of an antenna and a small cylinder.

    Passive resonant cavities had been explored before, both in the US and abroad, but this is the first time we know of that was used for clandestine purposes. In his book Spycatcher, British operative Peter Wright claims that the US came to him for help determining how the device worked.

    Regardless of who figured out the device, the method of operation is devilishly simple. The Soviets would sit outside the embassy, either in another building or in a van. From this remote location they would aim a radio transmitter at the great seal. The bug inside would receive this signal and transmit voices in the room on a second, higher frequency. It did all of this with no standard internal components. No resistors, no tubes, no traditional capacitors, or the like. There were capacitive properties to the mechanism. For instance, a capacitor is formed between the diaphragm and the tuning peg of the device.

    While bugs of this type have fallen out of favor, the idea of “illuminating” a device with an external transmitter lives on. Check out [Elliot’s] description of the RageMaster bug from the ANT catalog here. Resonant cavities have found common use as well. Every microwave oven or radar system with a magnetron uses one.

    http://hackaday.com/2015/10/19/tempest-a-tin-foil-hat-for-your-electronics-and-their-secrets/

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*