The NSA needs your updates

(Please note this is a translated post from the Spanish version… and that 28th December is in Spain equivalent to April Fools’ Day, so this news was just a joke)

Although this finding has little more than 12 hours (it appeared yesterday in some Chinese media), it has not taken too long to spread through the US specialized media. Among others, ArsTechnica, Bruce Schenier, Wired or Dan Kaminsky have brief reviews commenting the recent findings made by Lian Li and Huan Chen, Chinese researchers from Peking University.

Apparently, all began at the end of 2013, while Li and Chen were performing forensic analysis on three compromised computers. Analyzing different Adobe update packages stored in the computers (suspected to be a vector for infection), they detected that all of them had a similar structure: the update package and an encrypted data block C1 that could vary from 65536 bytes to several MBs.

That drew no attention, but they discovered that once decrypted one of those encrypted packets (US media suspects the presence of the Chinese Government in the research, which would explain the scope and depth of the research and the availability of the computing power required for decryption), it contained a second encrypted data block C2 and an executable. The executable analysis revealed the presence of IP addresses not related with the addresses assigned to the manufacturer, and several references to the US postal service (?).

The most curious thing is that this same pattern repeated not only in equipment that not compromised, but also in other manufacturers update packages. I.e., a block of encrypted data C1 that contains an encrypted block C2 accompanied by an executable (three slightly different versions of this executable have been found, according to the researchers) with the same characteristics.
Once received, the system executed the program, hiding it “under” the system idle process and began what appeared to be a process of decryption of the block C2 data. Thus, the presence of the process was not transparent to the user, but invisible.

In view of such behavior, the researchers put twelve computers with different configurations and created an infrastructure that simulated a real environment, but with fake update servers (and real update packages, though). They were able to determine the following operating mode:

  1. At time T1, the computer performs two communications to the outside, apparently related with a software update:
    • The first request goes to the manufacturer of the update. The content seems to be the expected.
    • The second request consists of a stream of UDP packets that follows a repetitive and very well defined temporal pattern (some mechanism similar to port knocking). It communicates with several IP (between three and seven) belonging to a class C address, but different from the manufacturer addressing (¿US postal service?).
  2. At time T2, the computer receives the updates, which accompanies the encrypted block C1. As described, it did include the second cipher block C2 and the executable. Then the system decrypts encrypted block C1, executes the program and starts the decryption of the encrypted block C2. Draws attention that the procedure of distributed decryption seems to adapt to the computing power of the device and their estimated update frequency, whose purpose seems related to hide its presence.
  3. At time T3 (usually close to T1), the computer performs a second communication, which again contains two communications:
    • A first request goes to the manufacturer of the update and its content is an encrypted data block C3. Surprisingly, the system displayed the transmission as a data download, not as an upload. The size of C3 was directly related to the size of C2.
    • The second request is, again, a stream of UDP packets with different temporal pattern (again, port knocking), that was sent to various IP in the same class C address as before (but different IP).

    So far, there were signs that allowed us to be a little bit paranoid, but the researchers were interested in the relationship between C2 and C3; they minimized artificially the computing power of one of the computer, and achieved to reduce the encrypted data block C2 at a minimum size of 65536 bytes. It took them some time to establish a relationship between the encrypted packages.
    This is where the most interesting part comes:

    • The encryption key “A” of encrypted block C3 and block C1 is the same, suggesting that C1 and C3 package have the same origin and destination.
    • Although there are several “A” keys, a given computer always works with the same key.
    • C2 encryption type is different from that of C1 and C3 and highly variable between upgrades and equipment.
    • The decrypted contents of C2 and C3 are the same.
    • The decrypted content of C2/C3 is random and not linked among them. It neither shows any interest: images, plain text, web pages, streams of video, etc.

    According to the researchers, the process is as follows:

    1. A computer receives, together with a software update, an encrypted data packet C1. It notifies of the receipt of this package to a third party.
    2. C1 data package is decoded with a key known by the system, obtaining encrypted data block C2.
    3. The computer launches the executable and begins the decryption of the encrypted data block C2.
    4. Once obtained C2 in plain text, is encrypted again with the C1 key, which gives as a result C3.
    5. C3 data package is sent to the manufacturer in the next update process. It notifies of it to a third party.

    I guess that the scheme sounds slightly familiar, since it is very similar to the SETI program. If we enter the realm of speculation and conspiracy, some speculate that, with the acquiescence of major manufacturers of software, US Government agencies (the NSA name sounds firmly) would be taking advantage of the computing power not used by million computers around the world for distributed decryption of packets. This, some say, would explain the enormous power of decryption that attributed always to the NSA.

    The specific research data has not been disclosed (and is not expected to be so in the short term), although up to now this behavior aims at Google, Microsoft, Mozilla Foundation, Oracle, Adobe and Apple. Some media are pointing that the collaboration of hardware manufacturers would be required to hide part of the operation of this scheme. It is not known if this behavior is also present on mobile devices.

    According to Wired, some of the manufacturers involved have informally denied the findings of the research. They argue that those encrypted packages are as a security measure to prevent the infection of computers by fraudulent updates. The rest declined to make statements. Official communications are expected to be issued in a few hours.

    As you might expect, neither the Pentagon nor the NSA have made declarations, although Xi Jinping held two days ago talks with Barack Obama, whose content has not transcended.


    (As I write this, I remember the movie Three Days of the Condor and a cold sweat goes down my spine)

See also in:


  1. i try to check in all the links and everytime i get “server not found” as answer????
    i check in google but no trace about this study.

    can you guys check the links and write in here one answer, thanks

  2. Hi Mac Master. This entry was posted on 28th december, the Spanish equivalent to your April Fools’ Day. Therefore, it was all a joke; there’s no such study and the links are puspodsely wrong :^)

  3. i just realaize was a joke WTF HAHAHAHA , i check everywhere for more than 2 hours and nothing in finally i saw (Please note this is a translated post from the Spanish version… and that 28th December is in Spain equivalent to April Fools’ Day, so this news was just a joke).