CANDYGRAM: NSA Exploit of the Day
Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:
(S//SI//REL) Mimics GSM cell tower of a target network. Capable of operations at 900, 1800, or 1900 MHz. Whenever a target handset enters the CANDYGRAM base station’s area of influence, the system sends out an SMS through the external network to registered watch phones.
(S//SI//REL) Typical use scenarios are asset validation, target tracking and identification as well as identifying hostile surveillance units with GSM handsets. Functionality is predicated on apriori target information.
(S//SI//REL) System HW
- GPS processing unit
- Tri-band BTS radio
- Windows XP laptop and cell phone*
- 9″ wide x 12″ long x 2″ deep
- External power (9-30 VDC).
*Remote control software can be used with any connected to the laptop (used for communicating with the CANDYGRAM unit through text messages (SMS).
(S//SI//REL) SW Features
- Configurable 200 phone number target deck.
- Network auto-configuration
- Area Survey Capability
- Remote Operation Capability
- Configurable Network emulation
- Configurable RF power level
- Multi-Units under single C&C
- Remote restart
- Remote erasure (not field recoverable)
Status: Available 8 mos ARO
Unit Cost: approx $40K
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.