It’s been well over two years since the infamous whistleblower Edward Snowden exposed mass surveillance, making the NSA’s information-gathering tools completely public. Among the effective techniques deployed by the NSA is a rather simple-yet-efficient tool known as a Quantum Insert.
Apparently, this tool is useful in places where phishing attacks are not: it works by intercepting the internet browser while it is accessing a page and forcing it to load another page instead, one that leads to downloading vicious malware. But in order to detect sneaky NSA ‘Quantum Insert’ attacks, one first has to understand the way this technique works.
How sneaky NSA ‘Quantum Insert’ attacks work
There have been a few publications regarding Quantum Insert attacks in various international blogs and newspapers, but let’s go into further detail. Both the NSA and GCHQ, ‘partners in crime’ so to speak, require fast-acting servers placed near the target’s machine in order to intercept the browser’s request before it reaches the requested page, and in turn send a redirect order to access another web page, one that leads to downloading harmful malware.
In order to achieve this, the servers, also known as ‘shooters’, have to be placed strategically throughout the internet so that they cover large areas, or the specific areas whose traffic is to be intercepted.
The normal flow for visiting a web page goes like this:
- The browser sends a GET request to the server with the following information:
  - Source and destination IP address of the browser
  - Sequence and acknowledgement (ACK) numbers
- The server responds with the same ACK numbers and adds sequence numbers to its TCP packets
- Using the TCP packets in sequence order, the browser constructs the web page properly
In the case of a QI attack:
- The Quantum Insert is shot by the ‘shooter’ server to arrive before the real GET request
- The QI then fakes the same TCP sequence numbers as the real packets, but with a different payload
- The browser reads the fake TCP packets first and ignores the real ones
- The fake TCP packets construct the fake web page that downloads the intended malware content
This method was used in the Belgacom hack: the attackers identified the profiles of employees working for the Belgian telecom and created identical copies of those profiles, such as their LinkedIn pages.
In this way, when an employee’s profile was visited, the fast-acting servers, a.k.a. ‘shooters’, would shoot the forged response just before the legitimate one, sending the browser to the malware-downloading page and installing malware on the victim’s machine.
This method, however, depends heavily on the race between the browser’s actual access speed (the ‘GET request’) and the time it takes the ‘shooter’ to place its fake packets just before the real GET request is answered, hence the placement of servers at strategic points on the internet.
How to detect sneaky NSA ‘Quantum Insert’ attacks
Because knowledge about Quantum Insert attacks is limited, the methods of detecting them aren’t fully developed. The Fox-IT researchers replicated the attack on their own servers in order to gather research data on protecting yourself from a QI attack as well as on detecting it. The following information is available thanks to their contribution.
- Payload Inconsistency
Analyzing the payload data of the first TCP packet is the first step you can take in detecting a QI. This isn’t a guaranteed method, however: the first TCP packet may also be the real one, since the QI might insert its fake TCP packet at any time during the TCP session.
- TTL anomaly
Time To Live values can also differ between packets; in the case of a QI attack, the injected packet tends to have a longer TTL, since it may be deployed later than the actual packet.
- Intrusion Detection Systems
Although there isn’t enough data to fully solve the detection of Quantum Insert attacks, the Fox-IT researchers have come up with a method of using Intrusion Detection Systems (IDS) to detect a QI attack. The IDS analyzes network data as it is transmitted and compares it against a database of packet captures developed by the Fox-IT team during their QI attack experiment. More information on the specific packets can be found here: https://github.com/fox-it/quantuminsert/tree/master/pcaps
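As an added illustration (not Fox-IT’s code or signatures), the Python sketch below applies the two heuristics described above, payload inconsistency on overlapping sequence numbers and TTL variation within one flow, to a constructed server-to-client TCP flow. The Segment class, detect_qi function and sample packets are assumptions made here for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Segment:
    """Fields of one server->client TCP segment needed for the checks (assumed layout)."""
    ttl: int        # IP Time-To-Live as seen at the capture point
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # TCP payload (the HTTP bytes)


def overlap_conflict(a: Segment, b: Segment) -> bool:
    """True when a and b cover a common sequence range with different bytes.
    A legitimate retransmission repeats the same bytes; an injected packet
    reuses the sequence numbers but carries a different payload."""
    start = max(a.seq, b.seq)
    end = min(a.seq + len(a.payload), b.seq + len(b.payload))
    if start >= end:
        return False
    return a.payload[start - a.seq:end - a.seq] != b.payload[start - b.seq:end - b.seq]


def detect_qi(segments: List[Segment]) -> List[Tuple[str, str]]:
    """Run both heuristics over the server->client half of one TCP session.
    Returns (check, detail) tuples; an empty list means nothing suspicious."""
    findings = []
    # Check 1: payload inconsistency between segments that overlap in sequence space.
    for i, later in enumerate(segments):
        for earlier in segments[:i]:
            if overlap_conflict(earlier, later):
                findings.append(("payload_inconsistency",
                                 f"seq {later.seq}: payload differs from an earlier segment"))
                break
    # Check 2: TTL anomaly. Packets from one server normally travel one path,
    # so a second TTL value inside a single session deserves a closer look.
    ttls = sorted({s.ttl for s in segments})
    if len(ttls) > 1:
        findings.append(("ttl_anomaly", f"multiple TTL values in one flow: {ttls}"))
    return findings


# Constructed sample flow (not a real capture): an injected 302 redirect that
# arrives first and reuses the sequence number of the genuine 200 OK.
SAMPLE_FLOW = [
    Segment(ttl=57, seq=1001, payload=b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"),
    Segment(ttl=49, seq=1001, payload=b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
]

if __name__ == "__main__":
    for check, detail in detect_qi(SAMPLE_FLOW):
        print(check, "-", detail)
```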
How to avoid sneaky NSA ‘Quantum Insert’ attacks
Avoiding the attacks requires basic knowledge of online tracking and of staying anonymous online.
QI attacks may be avoided through the following techniques:
- Encrypting Data
- Awareness of popular web services
- VPN services
- TOR browsing
- Disabling Web Tracking
We will not be covering these methods in this article, but the list above gives the suggested techniques, along with a helpful link to understanding them and how to deploy them. In order to better understand how to stay anonymous while browsing the internet or how to avoid online tracking, you may visit our guide on “Tips and tools to protect yourself from the NSA PRISM”.