SPARROW II: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:


(TS//SI//REL) An embedded computer system running BLINDDATE tools. Sparrow II is a fully functional WLAN collection system with integrated Mini PCI slots for added functionality such as GPS and multiple Wireless Network Interface Cards.

(U//FOUO) System Specs

Processor: IBM Power PC 405GPR

Memory: 64MB (SDRAM), 16MB (FLASH)

Expansion: Mini PCI (Up to 4 devices) supports USB, Compact Flash, and 802.11 B/G

OS: Linux (2.4 Kernel)

Application SW: BLINDDATE

Battery Time: At least two hours

(TS//SI//REL) The Sparrow II is a capable option for deployment where small size, minimal weight and reduced power consumption are required. PCI devices can be connected to the Sparrow II to provide additional functionality, such as wireless command and control or a second or third 802.11 card. The Sparrow is shipped with Linux and runs the BLINDDATE software suite.

Unit Cost: $6K

Status: (S//SI//REL) Operational Restrictions exist for equipment deployment.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 27, 2014 at 8:06 PM15 Comments


Bryan January 27, 2014 8:27 PM

For many uses, likely replaced by a smartphone.

Likely runs on Arm chips now. This likely could be done with COTs hardware.

David January 27, 2014 10:19 PM


I would agree. Two hours of running time, and the blurb about operational restrictions makes me think this is a targeted platform, not at all like the “set it and forget it” ethos behind the router implants.

Just from the picture, it looks like a standard Wifi omnidirectional antenna, probably to soak up local traffic passively. If you wanted to tag who’s who at a conference or meeting, I would guess this would be difficult to pick up.

OTOH, “Operational Restrictions” is interesting. Does that mean “Don’t put it too near the gym showers” because it’ll die in humid conditions, or “Don’t put it near this list of targets, because they can find it and pull the list of compromised/exposed systems”?

SchneieronSecurityFan January 28, 2014 1:06 AM

I wonder why the 2.4 Linux Kernel is used and not the 2.6 Kernel which would had been available for at least 4 years prior to the creation of this slide in 2008.

T January 28, 2014 1:20 AM

@SchneieronSecurityFan , I think 2.4 had better raw packet support, which got phased out to stop ddos, FreeBSD still has support, but I don’t think gentoo has, not sure about other linuxs

65535 January 28, 2014 1:42 AM


“…it looks like a standard Wifi omnidirectional antenna, probably to soak up local traffic passively. If you wanted to tag who’s who at a conference or meeting, I would guess this would be difficult to pick up.”

Nothing is totally passive. It has “command and control” and multiple wifi cards. It must emit some radiation.

Clive Robinson January 28, 2014 2:48 AM

You could build one of these yourself using entirely of the shelf readily available bits in the slightly bigger PC-104 plus format for less than 500USD.

If you wanted to go smaller there are other PCI formats, whilst the IO cards are readily available I’ve not seen CPU cards or card cages. Possibly because I’ve not felt the need to go looking when there are “gumstick” style SBCs with on board IO and for as little as 25USD Raspberry Pi boards.

I’ve recently hacked a Raspberry Pi and four port network hub and four port USB hub into a small box for somebody I know who wants to “badge lable it” and use it as a hub for IP based CATV systems it uses parts you could buy at the equivalent of Radio Shack for under 100USD. Getting it to do WiFi scanning and phoning home via a GSM modem would be fairly trivial and something I would expect a keen CS undergrad to do for fun and then add say GPS for a 2nd year project or controls for an RC plane etc for a final project. Especialy as US authorities are going to alow commercial drones in the very near future and it’s going to be a project you can take directly into employment or even look for an Angel to go out on your own with.

Tom January 28, 2014 7:02 AM

To sum up what others have said, they have put a battery on a small-form-factor PC and attached an external WiFi antenna. For this, the NSA pays $6k each. I’m in the wrong business.

Clive Robinson January 28, 2014 11:31 AM

@ Tom,

Whilst IO cards are cheap and available from Amazon etc, I suspect the CPU card may be a custom design with a custom PCI bus cage.

As one of the uses is to put it in a toy plane I suspect they don’t figure on selling more than a couple of dozen, so there is the cost of hardware design and porting of the OS and application software to amortize.

So the question should be “Is 50K USD to much for a working design?”

That sum would get you about about a man month tops, and that’s without paying for hardware manufacture for test, so maybe four man weeks…

anonymous January 28, 2014 2:38 PM

This is from 2008. There were no Raspberry Pis and assorted other cheap, powerful, credit-card-sized ARM boards for less than 100 bucks around at that time.

Clive Robinson January 28, 2014 4:06 PM

@ anonymous,

Whilst the chip from Broadcom that the Raspbery Pi is made from may not have been in circulation back then, all of the usefull bits were in two or three other chips at the time. And the mobile phone chipsets back then were sub 15USD.

And it was not much after that a Linux computer appeared in a case little larger than a “wall-wart” of the time.

Without running it down all the Raspberry Pi has done technicaly is given a new lease of life to a chip…

But socialogicaly what they have done by making it available to not just the man on the street but more importantly his kids, that still dream of “what can be”, not the nightmares of “what has to be” –to put food on the table whilst keeping the roof over their heads–, is give todays kids the chance to be as UK kids were in the 1980’s. Who used the acorn chips in the BBC Model B computer to learn, and some of whom went to work at Acorn to develop the ARM processors of today.

Moshe Yudkowsky January 29, 2014 8:34 AM

The most interesting part to my mind shows up in the web page for this device: “Wireless survey – airborne operations – UAV.”

Since the text describes analysis tools, I will guess that this device can be used to download data collected on a UAV; to analyze that data in real time if needed via an attached device or screen and keyboard; and probably control the UAV (e.g., to designate where to fly and what to collect there) in real time in order to support data collection.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.