NSA Custom Hardware: The FLUXBABBITT Implant (And Why It’s Important)

One of the more interesting documents to emerge from the Snowden leak was a single page detailing an implant known as FLUXBABBITT. The device appears to attach to the JTAG header of certain server class motherboards and provides “software application persistence” – in other words, it ensures that should, say the machine’s HDD fail and a new one is inserted and a fresh install of the OS installed, that their spyware can re-attain a foothold, perhaps via means not dissimilar to Computrace (and yes, I overuse that analogy, but it is such a good one: the BIOS module has minimal NTFS functionality, enough to dump itself over an existing Windows service that will normally be executed at boot time – and of course the real file is renamed and executed in due course by the uh, malware). The document specifically mentions that the Dell Poweredge 1950 and 2950 servers running Xeon processors were the target. The actual spyware which this device ensures persists on the system is code-named GODSURGE, and unfortunately we can only speculate on its purpose and capabilities. Nonetheless this particular disclosure was important as it showed us just a hint of what a custom hardware hack from a government agency would look like.

A leaked slide detailing the capabilities of a device that connects to a motherboard’s JTAG header.

It doesn’t take much imagination to think of all manner of crazy look-alike devices that the NSA would create to fulfill their roles – perhaps a keyboard with an integrated logger, a portable hard drive with a pinhole camera writing to a secreted few chips of flash, etc. but it appears that their most prized creations are devices used to sniff traffic off corporate sized networks – and forget about vampire taps, these things are allegedly so sensitive that they can reliably intercept data without even piercing the wire – well, unless your office happens to use the ultra-expensive shielded and armored stuff.

Stanislav over at Loper OS has written a very interesting piece on just how this device may function, and includes some pictures of the JTAG port of a machine similar to the targets referenced in the slide. Jacob Appelbaum also mentioned this and other covert devices in his presentation for 30c3, and fortunately there is an annotated transcript available on the Naked Capitalism blog.