CANDYGRAM: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:


(S//SI//REL) Mimics GSM cell tower of a target network. Capable of operations at 900, 1800, or 1900 MHz. Whenever a target handset enters the CANDYGRAM base station's area of influence, the system sends out an SMS through the external network to registered watch phones.

(S//SI//REL) Typical use scenarios are asset validation, target tracking and identification as well as identifying hostile surveillance units with GSM handsets. Functionality is predicated on a priori target information.

(S//SI//REL) System HW

  • GPS processing unit
  • Tri-band BTS radio
  • Windows XP laptop and cell phone*
  • 9" wide x 12" long x 2" deep
  • External power (9-30 VDC).
*Remote control software can be used with any connected to the laptop (used for communicating with the CANDYGRAM unit through text messages (SMS)).

(S//SI//REL) SW Features

  • Configurable 200 phone number target deck.
  • Network auto-configuration
  • Area Survey Capability
  • Remote Operation Capability
  • Configurable Network emulation
  • Configurable RF power level
  • Multi-Units under single C&C
  • Remote restart
  • Remote erasure (not field recoverable)

Status: Available 8 mos ARO

Unit Cost: approx $40K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 20, 2014 at 2:11 PM • 10 Comments


EFFit • February 20, 2014 2:50 PM

There's really little to discuss here at this time. The main reason is that governments no longer need IMSI catchers to be able to track down and take control of people's phones. They usually have full access to all data by/from/through the service providers. However, mobile units may still be of value for short-term tracking, as clearly shown in the recent Kiev events. All this has been demonstrated previously by the BB Osmocom developers and first demonstrated at 28C3. As for catching these devices, they also developed the "Catcher catcher", which is just a modded Motorola phone interfaced to any Linux box. A more recent attempt at building an Android-based catcher-catcher application is in the works at XDA (developer portal).

Bart • February 20, 2014 4:43 PM

"Mongo was easy. The bitch was inventing the CANDYGRAM. Probably won't even give me credit for it."

Clive Robinson • February 20, 2014 4:55 PM

What is the betting,

    Remote erasure (not field recoverable)

Really means the memory is encrypted and the remote command zeros the key.

Paul • February 20, 2014 6:25 PM

What I want to know is, why does the cell network allow just anyone to pretend to be a cell tower? I always assumed that a tower was uniquely identified and authenticated and its latitude/longitude were fixed. Now I learn this is maybe not so. Incredible.

CrankyGeeksFan • February 21, 2014 2:11 AM

@ Paul - "why does the cell network allow just anyone to pretend to be a cell tower?" The cell network knows its cell towers. The key question is "Does a cell phone know?".

A unique characteristic of GSM cell networks is the ability to overlap cell towers - femtocells and picocells for use in homes and office buildings, nanocells and microcells for use at sporting events where there are large crowds. The phones make handoffs when moving among the towers.

The first point under System Hardware is "GPS processing unit". This is to get latitude, longitude and time of day. Under Software Features, "Network auto-configuration", "Area Survey Capability" and "Configurable Network emulation" allow CANDYGRAM to blend into the existing cell network. "Configurable RF power level" would help shape the device's range.

CANDYGRAM would have to be modified to work with HSPA, CDMA 2000 (1xRTT) and LTE. These systems though do not support overlapping since they all utilize CDMA schemes and not a TDMA scheme like GSM.
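As an added illustration of the "does a cell phone know?" question raised above (example code, not from the post or any commenter): a minimal catcher-catcher-style check that compares the cells a handset currently sees against a baseline survey of the legitimate network. All cell records, field names and the 15 dB margin are constructed for the example.

```python
# Added example: a simplified "catcher-catcher" heuristic. A GSM handset cannot
# authenticate a base station, so detection has to rely on comparing what the
# phone sees now against a baseline survey of the operator's real cells.
# Every cell record and threshold below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cell:
    mcc: str     # mobile country code
    mnc: str     # mobile network code
    lac: int     # location area code
    cid: int     # cell id
    arfcn: int   # absolute radio frequency channel number
    rxlev: int   # received level in dBm


def flag_suspicious(baseline, observed, rxlev_margin=15):
    """Return [(cell, reasons)] for observed cells that deviate from the
    baseline survey: unknown identity, unknown LAC or channel, or a signal
    far stronger than anything the legitimate network produced here."""
    known = {(c.mcc, c.mnc, c.lac, c.cid) for c in baseline}
    known_lacs = {c.lac for c in baseline}
    known_arfcns = {c.arfcn for c in baseline}
    strongest_known = max(c.rxlev for c in baseline)
    findings = []
    for c in observed:
        reasons = []
        if (c.mcc, c.mnc, c.lac, c.cid) not in known:
            reasons.append("cell id not in baseline survey")
            if c.lac not in known_lacs:
                reasons.append("LAC never seen in this area")
            if c.arfcn not in known_arfcns:
                reasons.append("ARFCN not used by the operator here")
        if c.rxlev > strongest_known + rxlev_margin:
            reasons.append("signal far above any baseline cell")
        if reasons:
            findings.append((c, reasons))
    return findings


# Constructed baseline survey and a later observation containing one new,
# very strong cell with an unfamiliar LAC and channel.
BASELINE = [Cell("262", "01", 1001, 44321, 12, -85),
            Cell("262", "01", 1001, 44322, 37, -90)]
OBSERVED = [Cell("262", "01", 1001, 44321, 12, -84),
            Cell("262", "01", 1001, 44322, 37, -92),
            Cell("262", "01", 7777, 3, 5, -55)]

if __name__ == "__main__":
    for cell, reasons in flag_suspicious(BASELINE, OBSERVED):
        print(cell, reasons)
```

A base station that has surveyed the area and emulates the operator's LAC and channels will pass the identity checks, so the signal-level test is only a first layer and a real detector also tracks forced location updates and ciphering changes over time.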
