Schneier on Security
A blog covering security and security technology.
February 21, 2014
CROSSBEAM: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:
(TS//SI//REL) CROSSBEAM is a GSM module that mates a modified commercial cellular product with a WAGONBED controller board.
(TS//SI//REL) CROSSBEAM is a reusable CHIMNEYPOOL-compliant GSM communications module capable of collecting and compressing voice data. CROSSBEAM can receive GSM voice, record voice data, and transmit the received information via connected modules or 4 different GSM data modes (GPRS, Circuit Switched Data, Data Over Voice, and DTMF) back to a secure facility. The CROSSBEAM module consists of a standard ANT architecture embedded computer, a specialized phone component, a customized software controller suite and an optional DSP (ROCKYKNOB) if using Data Over Voice to transmit data.
Status: Limited Supply Available
Unit Cost: $4k
Delivery: 90 days for most configurations
Page, with graphics, is here. General information about TAO and the catalog is here.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
Posted on February 21, 2014 at 2:41 PM
Thanks for the info! One quibble:....
Motorola now offer several hardware devices that they flash with different firmware.
The firmware on offer approximates "Standard", "java", and "Development".
The java development one you can load your own java modules onto its quite large internal Flash ROM (there is also OTA as well). It's not always possible to tell when you hold one of these modules in your hand which firmware version you have (2 of the units I have were "re-flashed" in Adaptive's offices). However I don't know if they still offer it but you could get code added to standard parts by the factory "team".
I was at the time looking for a GSM part that would have one serial port to talk to a microcontroller and one to a GPS module (this was at the transition time of US legislation about mandatory GPS). Such that the GPS module would be included in the AT command set using the proposed GPS extensions for the US legislation. The negotiations fell through because the Israeli team basically wanted me to pay them to develop the extensions but allow them to sell it as part of their standard product to any other customer... so I said we'd develop the code and retain the rights which they did not want to allow... so I went down a different route.
The microcontroller I was using had a DSP co-processor and interfaced to a minimum of 2GByte of Flash ROM, a couple of microphones, USB connector to connect to a PC, the equivalent of a panic button, anti-tamper features and a largish capacity battery. It could do all that this TAO unit appears to be offering and more ;-) The BOM would be down around 150USD in small quantities, including a nice case, manual, software for PC and cardboard (got to keep it green in the EU) shipping carton.
One of the functions I had it do was "geo-kill": you could program it so that if you took it out of an area or GPS went down for more than a selected period of time it "forgot" its symmetric key used to encrypt the flash memory.
So how they can justify a 4K USD price for a much lesser product even back then I'd really like to know. I'm guessing a captive market that neither knew nor cared or both.
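The "geo-kill" behaviour described in the comment above, as an added example that is not the commenter's firmware or part of the original page: a per-poll check that wipes the flash-encryption key when a fix falls outside the permitted area or the GPS outage exceeds a limit. The rectangular area, coordinates in degrees × 1e7, the 32-byte key and all names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; coordinates are degrees * 1e7 (assumed). */
typedef struct {
    int32_t lat_min, lat_max, lon_min, lon_max; /* permitted area */
    uint32_t max_gap_s;                         /* tolerated GPS outage */
} geo_policy;

typedef struct {
    uint8_t  key[32];     /* symmetric key that encrypts the flash */
    bool     key_valid;
    uint32_t last_fix_s;  /* time of the last in-area fix, seconds */
} geo_state;

/* Wipe through a volatile pointer so the stores cannot be optimised away. */
static void wipe(uint8_t *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Call once per GPS poll; has_fix is false when the receiver has no
   position. Returns true while the key is still usable. */
bool geo_kill_poll(geo_state *s, const geo_policy *p, uint32_t now_s,
                   bool has_fix, int32_t lat, int32_t lon) {
    if (!s->key_valid) return false;        /* forgetting is one-way */
    bool kill;
    if (has_fix) {
        kill = lat < p->lat_min || lat > p->lat_max ||
               lon < p->lon_min || lon > p->lon_max;
        if (!kill) s->last_fix_s = now_s;
    } else {
        /* unsigned subtraction stays correct across counter wrap */
        kill = (uint32_t)(now_s - s->last_fix_s) > p->max_gap_s;
    }
    if (kill) { wipe(s->key, sizeof s->key); s->key_valid = false; }
    return s->key_valid;
}

int main(void) {
    geo_policy p = { 515000000, 516000000, -2000000, 0, 300 }; /* constructed */
    geo_state s = { {0xA5}, true, 0 };
    printf("in area: %d\n", geo_kill_poll(&s, &p, 10, true, 515500000, -1000000));
    printf("short outage: %d\n", geo_kill_poll(&s, &p, 200, false, 0, 0));
    printf("long outage: %d\n", geo_kill_poll(&s, &p, 311, false, 0, 0));
    return 0;
}
```

Once the key is wiped the function keeps returning false even if a valid in-area fix arrives later, so recovery requires re-provisioning the key.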