Treasure Map: It’s About Location, Not Gold

Der Spiegel and The Intercept published collaborative reporting this weekend on another Snowden document — this one referring to a National Security Agency program named TREASURE MAP.

The most chilling part of this reporting is a network engineer’s reaction (see here on video) when he realizes he is marked or targeted as a subject of observation. He’s assured it’s not personal, it’s about the work he does – but his reaction still telegraphs stress. An intelligence agency can get to him, has gotten to him; he’s touchable.

The truth is that almost any of us who follow national security, cyber warfare, or information technology are potential subjects depending on our work or play.

The metadata we generate is only part of the observation process; it provides information about our individual patterns of behavior, but may not actually disclose where we are.

TREASURE MAP goes further, by providing the layout of the network on which any of us is generating metadata. But there is some other component, either within TREASURE MAP or within a complementary tool, that provides the physical location of any networked electronic device.

The NSA has the ability to track individuals not only by Internet Protocol addresses (IP addresses), but by media access control addresses (MAC addresses), according to a recent interview with Snowden by James Bamford in Wired. This little nugget was a throwaway; perhaps readers already assumed this capability existed, or didn’t understand the implications:

…But Snowden’s disenchantment would only grow. It was bad enough when spies were getting bankers drunk to recruit them; now he was learning about targeted killings and mass surveillance, all piped into monitors at the NSA facilities around the world. Snowden would watch as military and CIA drones silently turned people into body parts. And he would also begin to appreciate the enormous scope of the NSA’s surveillance capabilities, an ability to map the movement of everyone in a city by monitoring their MAC address, a unique identifier emitted by every cell phone, computer, and other electronic device.

[emphasis added]

In simple terms, IP addresses are like phone numbers — they are assigned. They can be static; a printer on a business network, for example, may be assigned a static address to assure it is always available to accept print jobs at a fixed location. IP addresses may also be dynamic; if the set of users on a network keeps changing, handing each of them a temporary address works best. Think of visits to your local coffee shop where customers use WiFi as an example. When they leave the premises, their DHCP lease expires and their IP address soon returns to the pool the WiFi router hands out to the next customer.

But MAC addresses are tied to the hardware, more like a house number and street name. They are assigned to the network interface card (NIC) inside an electronic device by its manufacturer. The first three octets of the address (the Organizationally Unique Identifier, or OUI) identify the maker and are registered to that firm with the IEEE. Any device that attaches to a network, from a server at one end to a cellphone at the other, has a MAC address, and a device with more than one NIC has a MAC address for each NIC.

(Note that cellphones have an International Mobile Station Equipment Identity (IMEI) or Mobile Equipment Identifier (MEID) as well as a MAC address, since they attach to both cellular and WiFi networks. An IMEI/MEID works much like a MAC address: it is assigned by the manufacturer to the handset, not to the subscriber identity module (SIM card), which can be swapped out of a handset.)

MAC addresses and IP addresses do not always coincide, the former being tied to hardware and the latter being assigned. Neither reliably identifies an individual all of the time, and both can be foiled as tracking tools. A user can swap the network card in a phone or computer and still obtain the same IP address they had been using. Spoofing — substituting a different address for the one the manufacturer burned into the NIC — is possible on most operating systems and subverts tracking of the user. One caveat worth keeping in mind: a MAC address only travels on the local link. The WiFi access point or the ISP’s access equipment sees it, but every router hop strips it and substitutes its own, so a MAC address is not observable across the internet the way an IP address is; it has to be collected at or near the network edge. In the case of cellphones, “burner” disposable phones tossed after limited use detach both addresses from the user.
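To make the distinction concrete, here is an added example (not part of the original post, and not NSA tooling) that takes a constructed neighbour table in the style of Linux’s `ip neigh show`, decodes each MAC address, looks its OUI up in a small hand-made vendor table (the vendor names are assumptions standing in for the real IEEE registry), and flags addresses with the locally-administered bit set, which is what spoofing tools and MAC randomisation typically produce. It also shows one IP address turning up with two different MACs and one MAC under two IPs, which is the “do not always coincide” point above.

```python
"""Decode MAC addresses seen on a local link and flag the ones a tracker
cannot take at face value.  Added example; not code from the original post.
All sample data below is constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed stand-in for the IEEE OUI registry (first three octets -> maker).
# A real lookup would use the IEEE "oui.txt" list; these entries are assumptions.
OUI_TABLE: Dict[str, str] = {
    "00:1A:2B": "ExampleNet Inc. (assumed vendor)",
    "3C:5A:B4": "SampleMobile Ltd. (assumed vendor)",
}

# Constructed sample resembling `ip neigh show` output on a Linux host.
# 192.168.1.10 appears twice with different MACs (a DHCP lease reused by a
# second device) and 3C:5A:B4:11:22:33 appears under two IPs (one device
# that received a new lease).  The FAILED row carries no link-layer address.
SAMPLE_NEIGH = """\
192.168.1.10 dev wlan0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.11 dev wlan0 lladdr 3c:5a:b4:11:22:33 STALE
192.168.1.12 dev wlan0 lladdr 02:9f:a1:00:11:22 REACHABLE
192.168.1.10 dev wlan0 lladdr 3c:5a:b4:11:22:33 REACHABLE
192.168.1.40 dev wlan0 FAILED
"""

_NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+) (\S+)$")


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02X}" for b in mac)


def oui(mac: bytes) -> str:
    """First three octets, the part registered to the manufacturer."""
    return format_mac(mac[:3])


def is_locally_administered(mac: bytes) -> bool:
    """U/L bit (bit 1 of the first octet).  Clear on a burned-in address;
    set on most spoofed or OS-randomised addresses."""
    return bool(mac[0] & 0x02)


def is_multicast(mac: bytes) -> bool:
    """I/G bit (bit 0 of the first octet): a group address, not a device."""
    return bool(mac[0] & 0x01)


def vendor(mac: bytes) -> Optional[str]:
    """Registry lookup, which is meaningless once the U/L or I/G bit is set."""
    if is_locally_administered(mac) or is_multicast(mac):
        return None
    return OUI_TABLE.get(oui(mac))


def parse_neigh(text: str) -> List[dict]:
    """Parse `ip neigh`-style rows; rows without an lladdr are skipped."""
    rows = []
    for line in text.splitlines():
        m = _NEIGH_RE.match(line.strip())
        if not m:
            continue
        ip, iface, mac_text, state = m.groups()
        mac = parse_mac(mac_text)
        rows.append({
            "ip": ip,
            "iface": iface,
            "mac": format_mac(mac),
            "state": state,
            "vendor": vendor(mac),
            "locally_administered": is_locally_administered(mac),
        })
    return rows


def correlate(rows: List[dict]) -> Dict[str, List[str]]:
    """Show where IP and MAC fail to line up one-to-one on the link."""
    macs_per_ip = defaultdict(set)
    ips_per_mac = defaultdict(set)
    for r in rows:
        macs_per_ip[r["ip"]].add(r["mac"])
        ips_per_mac[r["mac"]].add(r["ip"])
    return {
        "reused_ips": sorted(ip for ip, macs in macs_per_ip.items() if len(macs) > 1),
        "roaming_macs": sorted(mac for mac, ips in ips_per_mac.items() if len(ips) > 1),
        "untrusted_macs": sorted({r["mac"] for r in rows if r["locally_administered"]}),
    }


if __name__ == "__main__":
    rows = parse_neigh(SAMPLE_NEIGH)
    for r in rows:
        tag = ("locally administered: spoofed or randomised?" if r["locally_administered"]
               else r["vendor"] or "OUI not in table")
        print(f"{r['ip']:<14} {r['mac']}  {tag}")
    print(correlate(rows))
```

The locally-administered check is the practical tell. A burned-in address has bit 1 of its first octet clear; an address set with something like `ip link set dev wlan0 address 02:...` on Linux, or generated by an operating system’s MAC randomisation, almost always has it set, and once it is set the OUI lookup says nothing about the maker. The correlation step is the other half of the point: on a shared link a single IP can belong to two devices over a day and a single device can hold several IPs, so neither identifier on its own is the stable key a tracker would want.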

In spite of the ability to thwart tracking, the deployment of applications like TREASURE MAP ahead of the public’s awareness suggests the entire network, physical and virtual, has already been laid out. The NSA can find the physical locations of an overwhelming majority of users, and gradually fill in the rest by systematically matching the behavior patterns culled from metadata against MAC addresses.

We know there have been other attempts to gather information about the internet. Malware created by nation-state entities, like Duqu and Flame, relatives of the cyber weapon Stuxnet, carried intelligence-gathering components that “phoned home” information about a wide swath of infected devices.

But TREASURE MAP and its affiliated mapping application(s) may be far more effective and informative. The application only needs to target key nodes on the internet, like ISPs, as well as the persons most likely to control those nodes. Once the behavior pattern of a particular IP address, attributed to a specific individual or group, has been associated with a particular MAC address, it is relatively easy to identify that individual’s or group’s physical location. The potential applications are alarming.

Imagine a tiny processor chip equipped with both WiFi network capability and a MAC address, attached to an oblivious target. Imagine the chip transmitting the target’s every word and move to a remote observer, without ever giving away its presence.

Imagine a drone targeting that same chip when it pings a network — or perhaps the pings from two different chips some distance apart, allowing an accurate calculation from the time each signal takes to arrive.

No need for Star Wars when the same capabilities can be achieved closer to the earth’s surface.

There are links to space, however; the reach of the map to satellites, from ISPs to end users, is worth additional consideration. The recent failure rate across satellite launches and operations gives pause, in particular among Russian communications and navigation satellites. These malfunctions and breakdowns range from launch setbacks to GLONASS’ 12-hour outage. Given the frequency of failures, one might wonder whether network-related systems affiliated with these Russian programs have been affected by malware or other interference intended to obstruct similar network mapping capability.

Conflicting information regarding the disposition of satellites does not help. Sources in the US reported a Russian imaging reconnaissance satellite burned up over North America on 03-SEP, while Russia maintains the same satellite is still in orbit. GLONASS’ outage in particular has been attributed to a software bug, but an outage beginning at the top of the hour on 01-APR looks less like a bug. When added to a growing body of failures, one can’t help but wonder if this is all purely coincidental, or if much less benign forces are at work to prevent satellite connections to networks.

We’ll likely never know if there are links between the implementation of NSA’s network mapping tools and specific satellite failures. But we do know based on Der Spiegel’s and The Intercept’s reporting that identifying and targeting users through a satellite-relayed network by way of TREASURE MAP is possible.

Perhaps there really is gold where TREASURE MAP marks the spot. It might inform its users of the fastest route to send trading information ahead of the rest of the market. It might point to the right subject of obstruction to prevent or launch economic havoc.

Imagine executing an “immaculate” trade in one country’s market, milliseconds before a key victim hits the ground in another.


11 replies
  1. scribe says:

    Of course, you’re omitting the little warranty card thing.

    Assume one buys an electronic device with a MAC address. One might have a little warranty card to fill out (the device is likely to be expensive enough to justify a warranty). Or in this high-tech age, the warranty might be an electronic page to fill in.

    What’s on that warranty card?

    The purchaser’s/user’s name, address, maybe a phone number and/or an email, as well as the MAC info on the device.

    And, of course, the collection of warranty cards would, in the hands of the warranty-giving manufacturer fit well within any definition of “business record”. Even the relatively stringent one in the Rules of Evidence. And, in addition, that information will have been freely, voluntarily given up by the person filling out the warranty card. No privacy issues….

    Not for nothing, it’s also worth noting that for some time printers and photocopiers have been programmed to print their MAC (or similar) identifier on every page they print. It’s done in very small print – invisible to the naked eye – and it’s done in locations not disclosed to the public. It’s done to help law enforcement, including but not limited to copyright issues and “who copied that document?” inquiries.

    • emptywheel says:

      Hadn’t thought about satellites. I remember in the early Bush years, there was a lot of worry about China striking out at our satellites. We seem not to be worried about it anymore. I guess this is why?

      • scribe says:

        IMHO, if you want to eliminate the utility of satellites, the easier way to go is to get the ground station. That way, you don’t have to lift things high above the ground and then hit them in orbit. Gravity and all that is expensive to deal with. Just make some antennas useless or hack the control computers and, bingo, those satellites are so much space junk.
        But I’m not a military professional, so what do I know.

    • P J Evans says:

      I don’t bother with ‘warranty cards’ – they’re for the marketing guys, not the quality/reliability engineers.

  2. Rayne says:

    scribe (4:01 pm) — Completion rate on warranty cards approaches nil in tandem with cost of equipment. I won’t bother with completing a card on a $150 tablet or a $20 cellphone, for example. Yet those are the items that proliferate across the ends of the internet. Warranty info is more likely filled out on commercial equipment, like ISPs’ servers and routers — but the NSA has no need of steenkin’ warranty card info, as Der Spiegel and The Intercept showed.

    Christ…can you imagine being a lowly network engineer and seeing your personal email address and a key client’s password show up in an intelligence report?

    emptywheel — yeah, I think we have some Star Wars going on overhead, but it doesn’t look like we imagined in the 1980s. The large number of inconsistencies suggest the possibility something akin to Stuxnet is at work. But it’s not just the Russians; SpaceX had a failure recently, though it likely had a benign cause.

    Hadn’t really figured out how to work in this bit from Australia, where the gov’t wants to log NOT IP addresses, but the MAC addresses. Jeebus.

  3. bloopie2 says:

    Spying is one thing. But intentional destruction of another country’s military/intelligence equipment, if done via mechanical means, would certainly be considered an act of war; why not if done by cyber? How far up the line are these actions authorized? I’d guess not up to the President; lower, perhaps much lower. Kind of makes the “Congressional authorization of ISIS action” debate rather meaningless. And, I wonder where is the Fail Safe line? Some day one country will go too far (in the eyes of the other) and there will be a really hurtful retaliation. Is this what we want?

    • bruno marr says:

      “How far up the line are these actions authorized?”

      All the way to the top. That’s why he calls himself the Commander in Chief (and not just president).

  4. Rayne says:

    scribe (4:29) — If you look at the satellite failures, many don’t lift off, happen on the ground. Or they cause delays. The GLONASS outage is a different situation; assuming the network was ‘infected’ with bad code, there wasn’t a need to take the satellites down, only a need to stop their reporting location information. Keep in mind the tension at the Ukraine/Russian border on 01-APR, and that both countries would use GLONASS for positioning data versus GPS.

    bloopie2 — Large nations are engaged in regular cyber warfare skirmishes, have been for roughly a decade now, maybe more if worms were nation-state deployments.

    • scribe says:

      Just an interesting coincidence, I’m sure, but the other day there was an article in the Süddeutsche Zeitung (SZ) about how the Soviets’ counter to our Star Wars came a cropper.
      In short, they developed a kilowatt-range carbon-dioxide laser they built into a bus-sized satellite station (based on an earlier space station-type development), which was to be launched into space. There, the laser station would target and shoot its laser at the American anti-missile satellites, the objective being not to blow up the US satellites but just scramble their electronics. That’s all the power that laser had.
      This came to testing in the late 80s. The base satellite was so big and heavy they needed to develop their Energia booster to get it into space. That, no problem. But, when they launched the satellite – without any CO2, so as to not be an active space weapons test, which would have caused an incident – there was a minor software problem. In short, when the last staging was to take place, the guidance software turned the satellite 180 degrees, to aim at the ground, and the last stage ran perfectly and shot the thing into the Pacific. By that time, the antecedents to the breakup of the Warsaw Pact were well underway and the program was abandoned.
      Or so the paper said.
      But, I can see software “problems” and “minor errors” being a continuing method of checking adversaries’ developments.

  5. Anon says:

    MAC addresses can be changed. Many PC NICs support this feature in hardware and software tools can be used to change the address or to make it communicate a different address.

    Interestingly, this used to be a common feature of all PC NICs until recently, when Intel and others began locking it down citing “security risks”.

  6. Rayne says:

    Anon (9:21) — Yes, MAC addresses can be changed. Look above for the word ‘spoofing.’ And yes, it’s rather convenient that MAC addresses were suddenly locked down for security. Uh-huh.

    scribe (8:30) — Keep in mind that irregular, unreproducible errors in software and in output were the hallmark of Stuxnet. The random number generator in WinOS was used to this end, to prevent a consistently milled uranium product.

    Any time I see failures now in military operations where software is required — and in the case of Russian satellites, ALL are military-launched or operated, including GLONASS — I can’t help but wonder if a variant of Stuxnet was inserted.
