CROSSBEAM: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:


(TS//SI//REL) CROSSBEAM is a GSM module that mates a modified commercial cellular product with a WAGONBED controller board.

(TS//SI//REL) CROSSBEAM is a reusable CHIMNEYPOOL-compliant GSM communications module capable of collecting and compressing voice data. CROSSBEAM can receive GSM voice, record voice data, and transmit the received information via connected modules or 4 different GSM data modes (GPRS, Circuit Switched Data, Data Over Voice, and DTMF) back to a secure facility. The CROSSBEAM module consists of a standard ANT architecture embedded computer, a specialized phone component, a customized software controller suite and an optional DSP (ROCKYKNOB) of using Data Over Voice to transmit data.

Status: Limited Supply Available

Unit Cost: $4k

Delivery: 90 days for most configurations

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 21, 2014 at 2:41 PM6 Comments


d33tah February 21, 2014 2:58 PM

I hope that this wasn’t asked before already – is there a MediaWiki website for the implants? It sounds like something that should happen. When I read about CROSSBEAM referencing WAGONBED, it kind of begs for a hyperlink.

Clive Robinson February 21, 2014 4:30 PM

If you look at the pictures on the page you will see two circuit boards. One has a miniture surface mount connector at the end furthest away from the camera that mates with a connector on the underside of the other unit. This other unit is manufactured by Motorola in Israel and you can buy them commercialy (I’ve six or seven of them in my work bench draw and I’ve used them to do very similar activities).

In the UK you can buy these moduales from a company called “Adaptive Moduals” and you can find further information on the modern versions of these Motorola devices on their web site,

RonK February 23, 2014 1:17 AM

@ Clive

Thanks for the info! One quibble: the document implies that the “commercial cellular product” (the Motorola module you’ve enlightened us about) is “modified”.

Clive Robinson February 23, 2014 4:04 AM

@ RonK,

    Thanks for the info! One quibble:….

Motorola now offer several hardware devices that they flash with different firmware.

The firmware on offer approximates “Standard”, “java”, and “Development”.

The java development one you can load your own java moduls onto it’s quite large internal Flash ROM (there is also OTA as well). It’s not always possible to tell when you hold one of these moduals in your hand which firmware version you have (2 of the units I have were “re-flashed” in Adaptive’s offices). However I don’t know if they still offer it but you could get code added to standard parts by the factory “team”.

I was at the time looking for a GSM part that would have one serial port to talk to a microcontroler and one to a GPS modual (this was at the transistion time of US legislation about mandatory GPS). Such that the GPS modual would be incuded in the AT command set using the proposed GPS extentions for the US legislation. The negotiations fell through because the Israli team basically wanted me to pay them to developed the extensions but alow them to sell it as part of their standard product to any other customer… so I said we’d develop the code and retain the rights which they did not want to alow… so I went down a different route.

The microcontroler I was using had a DSP co-processor and interfaced to a minimum of 2GByte of Flash ROM a couple of microphones, USB connector to connect to a PC, the equivalent of a panic button, anti-tamper features and a largish capacity battery. It could do all that this TAO unit appears to be offering and more 😉 the BOM would be down around 150USD in small quantities, including a nice case manual, software for PC and cardboard (got to keep it green in the EU) shipping carton.

One of the functions I had it do was “geo-kill” you could program it so that if you took it out of an area or GPS went down for more than a selected period of time it “forgot” it’s symetric key used to encrypt the flash memory.

So how they can justify a 4K USD price for a much lesser product even back then I’d realy like to know, I’m guessing a captive market that neither knew nor carred or both.

paul February 25, 2014 9:41 AM

In the presence of a watched (even slightly) telecom system this product seems potentially very leaky.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.