Andrea Shepard, a Seattle-based core developer for the Tor Project, suspects her recently ordered keyboard may have been intercepted by the NSA.
Following the purchase of a new IBM Thinkpad Keyboard from Amazon.com, Shepard discovered her package to be taking a strange detour to the East Coast, revealed by a screenshot of her shipment tracking information.
— Andrea (@puellavulnerata) January 24, 2014
Instead of shipping straight towards Seattle from the Amazon storage warehouse in Santa Ana, California, Shepard’s package made its way clear across the country to Dulles, Virginia. Jumping around an area deep inside what some privacy experts refer to as America’s “military and intelligence belt,” the package was finally delivered to its new endpoint in Alexandria.
While not uncommon to see packages sent to major shipping hubs in different areas of the country, the “out for delivery” and successful “delivered” statuses clearly indicate the item’s final destination was changed without Shepard’s approval, leading privacy experts to take notice.
“Could Amazon have made a mistake in notifying Shepard about this extra journey, which was likely meant to stay a secret?” PrivacySOS asks. “If this really is an example of the TAO laptop-interception program in action, does this mean that companies like Amazon are made aware of the government’s intention to “look after” consumer products ordered by their customers? Or did Shepard receive this weird notice only after some sort of glitch in the NSA’s surveillance matrix?”
According to recently revealed internal NSA documents, the agency’s Office of Tailored Access Operations group, or TAO, is responsible for intercepting shipping deliveries of high-interest targets.
“If a target person, agency or company orders a new computer or related accessories, for example, TAO can divert the shipping delivery to its own secret workshops,” Der Speigel noted last month. “At these so-called ‘load stations,’ agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies.”
Given the NSA’s deep interest in Tor, a popular online anonymity tool, some speculate Shepard’s keyboard could likely have been implanted with a TAO bug known as “SURLYSPAWN,” a small keylogging chip implanted in a keyboard’s cabling. According to NSA slides, a bugged keyboard can be monitored even when a computer is offline.
“If it ever shows, I’ll be inspecting it as closely as I’m capable of,” Shepard said on Twitter.
“We will never be able to de-anonymize all Tor users all the time,” the presentation states. “With manual analysis we can de-anonymize a very small fraction of Tor users.”
Whether Shepard’s incident was the result of a simple error by Amazon, an NSA interception, or an act of intimidation is still unclear. Given the government’s history of targeting Jacob Appelbaum, Tor’s main advocate, the idea of a top Tor developer being singled out for advanced NSA surveillance is far from unlikely.