Schneier on Security
A blog covering security and security technology.
February 20, 2014
CANDYGRAM: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:
(S//SI//REL) Mimics GSM cell tower of a target network. Capable of operations at 900, 1800, or 1900 MHz. Whenever a target handset enters the CANDYGRAM base station's area of influence, the system sends out an SMS through the external network to registered watch phones.
(S//SI//REL) Typical use scenarios are asset validation, target tracking and identification as well as identifying hostile surveillance units with GSM handsets. Functionality is predicated on a priori target information.
(S//SI//REL) System HW
- GPS processing unit
- Tri-band BTS radio
- Windows XP laptop and cell phone*
- 9" wide x 12" long x 2" deep
- External power (9-30 VDC).
*Remote control software can be used with any connected to the laptop (used for communicating with the CANDYGRAM unit through text messages (SMS)).
(S//SI//REL) SW Features
- Configurable 200 phone number target deck.
- Network auto-configuration
- Area Survey Capability
- Remote Operation Capability
- Configurable Network emulation
- Configurable RF power level
- Multi-Units under single C&C
- Remote restart
- Remote erasure (not field recoverable)
Status: Available 8 mos ARO
Unit Cost: approx $40K
Page, with graphics, is here. General information about TAO and the catalog is here.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
Posted on February 20, 2014 at 2:11 PM
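The post asks how a device like this might be detected. As an added example that is not from the post or the catalog, here is a baseline-diff heuristic in Python over a handset's cell observations: it flags cells that copy a known operator's MCC/MNC (the "Configurable Network emulation" feature) but use a cell ID or location area code never seen in a prior site survey, or that show up as a never-seen cell with an implausibly strong signal (the "Configurable RF power level"). The survey and all cell values are constructed.

```python
"""Added example (not from the post or the catalog): flag GSM cells that a
prior site survey never recorded. All values below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cell:
    mcc: str   # mobile country code (PLMN part 1)
    mnc: str   # mobile network code (PLMN part 2)
    lac: int   # location area code
    cid: int   # cell ID
    rssi: int  # received signal strength in dBm (higher is stronger)


# Constructed baseline survey of legitimate cells at one site.
BASELINE = [
    Cell("262", "01", 4101, 30011, -81),
    Cell("262", "01", 4101, 30012, -88),
    Cell("262", "01", 4102, 30020, -93),
]


def known_ids(baseline):
    """Full (mcc, mnc, lac, cid) identities seen in the survey."""
    return {(c.mcc, c.mnc, c.lac, c.cid) for c in baseline}


def known_lacs(baseline):
    """Map each operator (mcc, mnc) to the LACs surveyed for it."""
    lacs = {}
    for c in baseline:
        lacs.setdefault((c.mcc, c.mnc), set()).add(c.lac)
    return lacs


def flag_cells(observations, baseline=BASELINE, strong_dbm=-60):
    """Return (cell, reason) pairs for observations not in the survey.

    unknown-plmn: operator never seen here.
    unknown-lac:  operator known, LAC never seen (a new LAC forces a
                  location update, which makes handsets announce themselves).
    unknown-cid:  operator and LAC copied from the real network, new cell ID.
    strong-new-cell: any new cell at or above strong_dbm, as a nearby
                  emulator running high RF power would appear.
    """
    ids, lacs = known_ids(baseline), known_lacs(baseline)
    findings = []
    for c in observations:
        if (c.mcc, c.mnc, c.lac, c.cid) in ids:
            continue  # surveyed cell, nothing to report
        plmn = (c.mcc, c.mnc)
        if plmn not in lacs:
            findings.append((c, "unknown-plmn"))
        elif c.lac not in lacs[plmn]:
            findings.append((c, "unknown-lac"))
        else:
            findings.append((c, "unknown-cid"))
        if c.rssi >= strong_dbm:
            findings.append((c, "strong-new-cell"))
    return findings
```

A single hit is only a lead; legitimate new cells do appear, so the survey has to be refreshed and findings correlated over time and place.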
@ Paul - "why does the cell network allow just anyone to pretend to be a cell tower?" The cell network knows its cell towers. The key question is "Does a cell phone know?".
A unique characteristic of GSM cell networks is the ability to overlap cell towers - femtocells and picocells for use in homes and office buildings, nanocells and microcells for use at sporting events where there are large crowds. The phones make handoffs when moving among the towers.
The first point under System Hardware is "GPS processing unit". This is to get latitude, longitude and time of day. Under Software Features, "Network auto-configuration"; "Area Survey Capability"; and "Configurable Network emulation" allow CANDYGRAM to blend into the existing cell network. "Configurable RF power level" would help shape the device's range.
CANDYGRAM would have to be modified to work with HSPA, CDMA 2000 (1xRTT) and LTE. These systems though do not support overlapping since they all utilize CDMA schemes and not a TDMA scheme like GSM.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.