CANDYGRAM: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:


(S//SI//REL) Mimics GSM cell tower of a target network. Capable of operations at 900, 1800, or 1900 MHz. Whenever a target handset enters the CANDYGRAM base station's area of influence, the system sends out an SMS through the external network to registered watch phones.

(S//SI//REL) Typical use scenarios are asset validation, target tracking and identification as well as identifying hostile surveillance units with GSM handsets. Functionality is predicated on a priori target information.

(S//SI//REL) System HW

  • GPS processing unit
  • Tri-band BTS radio
  • Windows XP laptop and cell phone*
  • 9" wide x 12" long x 2" deep
  • External power (9-30 VDC).
*Remote control software can be used with any phone connected to the laptop (used for communicating with the CANDYGRAM unit through text messages (SMS)).

(S//SI//REL) SW Features

  • Configurable 200 phone number target deck.
  • Network auto-configuration
  • Area Survey Capability
  • Remote Operation Capability
  • Configurable Network emulation
  • Configurable RF power level
  • Multi-Units under single C&C
  • Remote restart
  • Remote erasure (not field recoverable)

Status: Available 8 mos ARO

Unit Cost: approx $40K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
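On the detection question, here is an added example (not code from the post, the catalog, or the Osmocom/SRLabs "catcher catcher" mentioned in the comments): a toy catcher-catcher in Python that scores a cell survey against a trusted baseline using the things a handset can actually see, namely the MCC/MNC/LAC/Cell ID a cell broadcasts, its neighbour list, the ciphering it selects and its received level. The heuristics are the usual rogue-BTS indicators: a fresh LAC on the target's own network (which forces every handset to perform a location update and identify itself, exactly what a device with a "target deck" needs), a cell nobody else advertises as a neighbour, an empty neighbour list, no ciphering (A5/0), and a signal far above every known cell ("configurable RF power level"). All cell records are constructed sample data on the GSM test PLMN (MCC 001, MNC 01), and the 20 dB margin is an assumed threshold, not a value from the page.

```python
"""Toy GSM "catcher catcher": scoring a cell survey against a trusted baseline.

Added example, not code from the post, the catalog, or the Osmocom/SRLabs
catcher-catcher mentioned in the comments. All cell records below are
constructed sample data on the GSM test PLMN (MCC 001, MNC 01), not a real
survey, and the 20 dB received-level margin is an assumed threshold.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

CellKey = Tuple[str, str, int, int]  # (MCC, MNC, LAC, Cell ID), as broadcast in System Information 3


@dataclass(frozen=True)
class Cell:
    mcc: str                   # mobile country code
    mnc: str                   # mobile network code
    lac: int                   # location area code
    cid: int                   # cell identity
    arfcn: int                 # broadcast channel number
    rxlev: int                 # received level in dBm as seen by the handset
    cipher: str                # algorithm chosen in CIPHER MODE COMMAND: "A5/1", "A5/3" or "A5/0"
    neighbors: FrozenSet[int]  # cell identities advertised for reselection (System Information 2)

    @property
    def plmn(self) -> Tuple[str, str]:
        return (self.mcc, self.mnc)


def key_of(cell: Cell) -> CellKey:
    return (cell.mcc, cell.mnc, cell.lac, cell.cid)


def score_cell(cell: Cell, baseline: List[Cell], rxlev_margin: int = 20) -> List[str]:
    """Return the rogue-BTS indicators that fire for one observed cell (empty list = clean)."""
    reasons: List[str] = []
    same_plmn = [b for b in baseline if b.plmn == cell.plmn]
    if not same_plmn:
        # Nothing to compare against; a full tool would still log an unknown PLMN.
        return reasons
    known_keys = {key_of(b) for b in same_plmn}
    known_lacs = {b.lac for b in same_plmn}
    advertised = set().union(*(b.neighbors for b in same_plmn))
    strongest = max(b.rxlev for b in same_plmn)

    # A fake tower on the real network's MCC/MNC normally uses a LAC the phone has never
    # camped on, so every handset that camps on it sends a location update and reveals itself.
    if cell.lac not in known_lacs:
        reasons.append("LAC 0x%04X never seen on PLMN %s-%s" % (cell.lac, cell.mcc, cell.mnc))
    # A genuine new cell is listed in the neighbour lists of the cells around it.
    if key_of(cell) not in known_keys and cell.cid not in advertised:
        reasons.append("cell %d is not advertised as a neighbour by any known cell" % cell.cid)
    # A rogue BTS advertises no neighbours so captured handsets never reselect away from it.
    if not cell.neighbors:
        reasons.append("empty neighbour list")
    # Without A5/1 or A5/3 the catcher can relay or read traffic in the clear.
    if cell.cipher == "A5/0":
        reasons.append("no ciphering (A5/0)")
    # A catcher close to the target outshouts the real network.
    if cell.rxlev - strongest >= rxlev_margin:
        reasons.append("received level %d dBm is %d dB above the strongest known cell"
                       % (cell.rxlev, cell.rxlev - strongest))
    return reasons


def detect(observed: List[Cell], baseline: List[Cell]) -> Dict[CellKey, List[str]]:
    """Map each suspicious observed cell to the reasons it was flagged."""
    flagged: Dict[CellKey, List[str]] = {}
    for cell in observed:
        reasons = score_cell(cell, baseline)
        if reasons:
            flagged[key_of(cell)] = reasons
    return flagged


# Constructed baseline: three genuine cells of one location area, each listing the others.
BASELINE = [
    Cell("001", "01", 0x1234, 10001, 51, -75, "A5/1", frozenset({10002, 10003})),
    Cell("001", "01", 0x1234, 10002, 63, -80, "A5/1", frozenset({10001, 10003})),
    Cell("001", "01", 0x1234, 10003, 77, -83, "A5/3", frozenset({10001, 10002})),
]

# Constructed rogue: same PLMN as the target network, fresh LAC, reuses a real ARFCN,
# far stronger than anything nearby, no ciphering, no neighbours.
ROGUE = Cell("001", "01", 0x9999, 65001, 51, -48, "A5/0", frozenset())

# A later survey: the genuine cells again (slightly different levels) plus the rogue.
OBSERVED = [
    Cell("001", "01", 0x1234, 10001, 51, -72, "A5/1", frozenset({10002, 10003})),
    Cell("001", "01", 0x1234, 10002, 63, -79, "A5/1", frozenset({10001, 10003})),
    ROGUE,
]

if __name__ == "__main__":
    for key, reasons in detect(OBSERVED, BASELINE).items():
        print("suspicious cell %s:" % (key,))
        for r in reasons:
            print("  -", r)
```

Running it flags only the rogue cell, with all five indicators. The caveats are the usual ones: a legitimate new site or a cell-on-wheels also shows up as an unknown LAC or an unadvertised cell, received level is noisy on a moving handset, and a device whose "Area Survey" and "Network emulation" features copy the real LAC and neighbour list defeats the first three checks, which is why real catcher-catchers also watch for forced downgrades, silent SMS and paging without a following call.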

Posted on February 20, 2014 at 2:11 PM • 11 Comments


EFFit • February 20, 2014 2:50 PM

There's really little to discuss here at this time. The main reason is that governments no longer need IMSI catchers to be able to track down and take control of people's phones. They usually have full access to all data by/from/through the service providers. However, mobile units may still be of value for short-term tracking, as clearly shown in the recent Kiev events. All this has been demonstrated previously by the BB Osmocom developers and first demonstrated at 28C3. As for catching these devices, they also developed the "Catcher Catcher", which is just a modded Motorola phone interfaced to any Linux box. A more recent attempt at building an Android-based catcher-catcher application is in the works at XDA (developer portal).

Bart • February 20, 2014 4:43 PM

"Mongo was easy. The bitch was inventing the CANDYGRAM. Probably won't even give me credit for it."

Clive Robinson • February 20, 2014 4:55 PM

What is the betting,

    Remote erasure (not field recoverable)

Really means the memory is encrypted and the remote command zeros the key.

Paul • February 20, 2014 6:25 PM

What I want to know is, why does the cell network allow just anyone to pretend to be a cell tower? I always assumed that a tower was uniquely identified and authenticated and its latitude/longitude were fixed. Now I learn this is maybe not so. Incredible.

CrankyGeeksFan • February 21, 2014 2:11 AM

@ Paul - "why does the cell network allow just anyone to pretend to be a cell tower?" The cell network knows its cell towers. The key question is "Does a cell phone know?".

A unique characteristic of GSM cell networks is the ability to overlap cell towers - femtocells and picocells for use in homes and office buildings, nanocells and microcells for use at sporting events where there are large crowds. The phones make handoffs when moving among the towers.

The first point under System Hardware is "GPS processing unit". This is to get latitude, longitude and time of day. Under Software Features, "Network auto-configuration"; "Area Survey Capability"; and "Configurable Network emulation" allow CANDYGRAM to blend in to existing cell network. "Configurable RF power level" would help shape the device's range.

CANDYGRAM would have to be modified to work with HSPA, CDMA 2000 (1xRTT) and LTE. These systems though do not support overlapping since they all utilize CDMA schemes and not a TDMA scheme like GSM.

Shiva Oso Flaco • October 5, 2015 5:30 AM

One time I was looking at the location of my Android (ugh) phone on Google Maps and it appeared hovering above our neighbors' tin shed. I took the phone and walked around the block observing where my phone would appear on the map. It stayed pretty close to their tin shed. Since one of the occupants there is in a fairly well-known punk band with an unsettling name, I Googled the name and it appeared like he was talking about my private conversations and much more online. With this knowledge I decided to use my digital laser temperature device and pointed it at the silver tin shed about mid-day last week. Temperature was 109 degrees (we're in Phoenix). Then I pointed the temperature beam at my metal garage door, same sunny western side, and it registered in the upper 140s to low 150s. Then I decided to install a Wifi-finding app for the phone and aimed it near the shed. It picked up two SSIDs, both in NETGEAR## format, and both signals were very strong in that proximity. How can I tell if they've got one of these devices in that shed legally? It's very strange, they are CONSTANTLY in their backyard, they almost seem to live back there.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.