Hackers reverse engineer NSA wireless spying gadgets

Douglas Crawford

June 19, 2014

Meet Michael Ossmann, a ‘wireless security researcher who makes hardware for hackers.’ Ossmann specialises in software-defined radio (SDR), a new field of technology in which radios are implemented in software rather than in traditional physical hardware (oscillators, modulators, and suchlike).

Ossmann and his team of security researchers at Great Scott Gadgets have used the NSA’s Advanced Network Technology (ANT) catalog, released by Edward Snowden, to reverse engineer some of the products pictured or listed in it. Products included in the catalog are USB sticks designed to transmit a computer’s data when plugged in, and fake cell phone base stations that intercept phone calls.

What Ossmann’s team was interested in, however, was a series of mysterious devices called ‘retro reflectors’, which the catalog claims can do a range of interesting things, including keylogging, collecting on-screen images, and listening in on ambient sounds. No-one really had a clue about how these worked (and therefore how to defend against them), so Ossmann & co. decided to find out!

Retro reflectors are mentioned on pages 13, 18, and 28 of the ANT catalog. Here it looks at the SDR receiver

What they came up with was not just an explanation, but a working device: the SDR-based HackRF! Much like how a computer sound card outputs sound and processes input audio, SDR uses digital-signal-processing chips to define a radio wave’s frequency, power, and shape. One of the best things about the technology is that it can instantly change to any radio band, including FM, AM, Bluetooth, and GSM. As Ossmann says:

SDR lets you engineer a radio system of any type you like really quickly so you can research wireless security in any radio format.

Ossmann discovered that ‘retro reflectors’ comprised a two-part system: a surprisingly simple and small (2cm wire) bug (called a ‘reflector’) acting as an antenna, and an SDR remote receiver (similar to the HackRF)…

The ‘RAGEMASTER’ reflector is attached to a computer’s monitor cable to pick up images

‘SURLYSPAWN’ connects to a keyboard cable so it can be used for keylogging

The SDR radio emits a high-frequency radar signal, which causes the bug to wirelessly transmit its collected data back to the radio. The SDR’s versatility allows the receiver to pick up noisy radio waves that are often scattered across different bands:

Software-defined radio is flexibly programmable and can tune in to anything.

Ossmann will present his work at the Defcon hackers conference, and has started a Kickstarter campaign for those wanting to get their hands on HackRF devices. He has also set up a Wiki page called,

Inspired by the NSA ANT catalog, we hope the NSA Playset will make cutting edge security tools more accessible, easier to understand, and harder to forget. Now you can play along with the NSA!

(Our thanks to New Scientist for the article on which this one is based).
