CYCLONE Hx9: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:


(S//SI//FVEY) EGSM (900MHz) macro-class Network-In-a-Box (NIB) system. Uses the existing Typhon GUI and supports the full Typhon feature base and applications.

(S//SI//REL) Operational Restrictions exist for equipment deployment.

(S//SI//REL) Features:

  • EGSM 900MHz
  • Macro-class (+43dBm)
  • 32+Km Range
  • Optional Battery Kits
  • Highly Mobile and Deployable
  • Integrated GPS, MS, & 802.11
  • Voice & High-speed Data
  • GSM Security & Encryption

(S//SI//REL) Advanced Features:

  • GPS—Supporting Typhon applications
  • GSM Handset Module—Supports auto-configuration and remote command and control features.
  • 802.11—Supports high speed wireless LAN remote command and control

(S//SI//REL) Enclosure:

  • 3.5″H x 8.5″W x 9″D
  • Approximately 8 lbs
  • Actively cooled for extreme environments

(S//SI//REL) Cyclone Hx9 System Kit:

  • Cyclone Hx9 System
  • AC/DC power converter
  • Antenna to support MS, GPS, WIFI, & RF
  • LAN, RF, & USB cables
  • Pelican Case
  • (Field Kit only) Control Laptop and Accessories

(S//SI//REL) Separately Priced Options:

  • 800 WH LiIon Battery Kit

(S//SI//REL) Base Station Router Platform:

  • Overlay GSM cellular communications supporting up to 32 Cyclone Mx9 systems providing full mobility and utilizing a VoIP back-haul.
  • GPRS data service and associated application

Unit Cost: $70K for two months

Status: Just out of development, first production runs ongoing.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 24, 2014 at 2:44 PM • 4 Comments


G. Bailey February 24, 2014 4:43 PM

I assume this means that the NSA can set up a fake cell tower that is just as powerful as the legitimate ones.

What they do after that is up to them, but cell phone security is usually based around trust of the carrier, so I doubt there are many limitations.

Arclight February 24, 2014 6:45 PM

It’s not clear to me whether this is another spoofing system, or more of a deployable “private cell system” for spooks, contractors, etc.



G. Bailey February 24, 2014 6:53 PM


I don’t think the NSA wants to have “NSAComm” as a cell tower in any country we operate in. The “spooks” are supposed to be spooky, not advertise.

Clive Robinson February 24, 2014 9:24 PM

@ Arclight,

    It’s not clear to me whether this is another spoofing system, or more of a deployable “private cell system” for spooks, contractors, etc


The DoD and various NATO countries have been making pre-contract enquiries in the recent past for “private cell systems” with a high degree of interoperability.

The sad truth for “military radio suppliers” is they can no longer compete with COTS cell phone systems on all fronts, not just those they traditionally fail on. The same is true for commercial “Trunked PMR” suppliers to transportation and LEO’s and other first responders.

It’s been noticed by “command” that soldiers prefer to use their iPhones for a whole host of reasons and some soldiers have designed apps to replace a lot of the “necessary bulk junk” they would otherwise have to deal with.

A look at the UK’s Met Police (one of the larger LEOs) shows that the “boots on the ground” officers are routinely carrying their “TETRA-Crap” radios and two or more mobile phones because the Tetra-crap is not working for them and the mobiles are.

Further when it comes to “under cover” operations unlike the traditional covert radios that are a very definite liability, mobiles are like gold watches etc seen as “status symbols” by criminals et al, thus an operative is almost expected to have the latest mobile phone to allay suspicion by those they are trying to infiltrate…

Whilst traditional GSM security (A5/1 encryption etc) is sufficient for mild “privacy” from low level attackers and can be used for some tactical situations, more secure comms can be achieved by the VoIP system mentioned, which would just be any other “game app” etc [1]. The advantage of “owning the base station” is you can route such traffic away securely without it ever touching the Internet with all its problems.

Further there is a lot of talk about “kill switches” and the like for use during “national emergencies”, a system such as this would not be affected by such things so would continue to work as long as the batteries and coverage do in any environment it’s employed.

And that raises another issue, there are quite a few places in the world where the NSA et al don’t have control of the local mobile phone systems or the legal leverage etc to do so, and for many reasons it might be undesirable to do so.

Adding another mobile base station is unlikely to attract the attention of a national monitoring authority in the same way as adding the equivalent of a PMR network or network in other bands. Mobile operators are starting to deploy “special events” systems at stadiums etc and other places, they are usually “trusted” to do any band planning etc themselves by the national authorities that in these times of austerity have better things to do with their diminishing budgets.

So yes such systems would be of considerable use for both providing “agent coms” and “target directed attacks” to any intel agency from high end National security to basic local/regional law enforcement. And to be honest I would expect the likes of Israel to be considerably more advanced in this area of work for a number of reasons.

[1] A quick scan on the Internet will show that there are quite a few people advertising Secure VoIP etc Apps for mobile phones. Although I have no idea of how good/bad they are and make no recommendation an example is to see what features are advertised.
