EBSR: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:


(S//SI//REL) Multi-purpose, Pico class, tri-band active GSM base station with internal 802.11/GPS/handset capability.

(S//SI//REL) Operational Restrictions exist for equipment deployment.

(S//SI//REL) Features:

  • LxT Model: 900/1800/1900MHz
  • LxU Model: 850/1800/1900MHz
  • Pico-class (1Watt) Base station
  • Optional Battery Kits
  • Highly Mobile and Deployable
  • Integrated GPS, MS, & 802.11
  • Voice & High-speed Data
  • SMS Capability

(S//SI//REL) Enclosure:

  • 1.9″H x 8.6″W x 6.3″D
  • Approximately 3 lbs
  • Actively cooled for extreme environments

(S//SI//REL) EBSR System Kit:

  • EBSR System
  • AC/DC power converter
  • Antenna to support MS, GPS, WIFI, & RF
  • LAN, RF, & USB cables
  • Pelican Case
  • (Field Kit only) Control Laptop and Accessories

(S//SI//REL) Separately Priced Options:

  • 90 WH LiIon Battery Kit

(S//SI//REL) Base Station Router Platform:

  • Multiple BSR units can be interconnected to form a macro network using 802.3 and 802.11 back-haul.
  • Supports Landshark/Candygram capabilities.


Unit Cost: $40K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 25, 2014 at 2:11 PM7 Comments


exjimmy February 25, 2014 6:45 PM

Could some of the pros on this site please help me understand this better.


Integrated GPS, MS, & 802.11
Antenna to support MS, GPS, WIFI, & RF

I have seen this several times now when referring to rogue cell sites. Is MS mobile system and in the context of antenna support what does RF refer to? Is it not all RF?

Josh Rubin February 25, 2014 7:22 PM

I’m confused about one point. This and some other catalog entries contain the line:

“Operational Restrictions exist for equipment deployment.”

What does this mean? My guess is that, because the device is a transmitter, it could interfere with civilian or military communications, break local laws, or be easily discovered.

Clive Robinson February 25, 2014 10:54 PM

@ Josh,

You forgot to mention another reason “control” of other agencies operations…

If you look at the catalog pages you will see that some equipment is for sale and some only for “rent”.

I’ve not analysed it but there may be a correlation between the addition of restrictions on usage and change to hire that can give an indication of the reasons.

However TAO may be doing the old trick of getting other agencies “dependent” on their product and then exploiting it to their advantage.

For instance getting another agency to tell you some or all of the operational details of their current and future “covert” activities offers a potential level of political power few in that business would pass up given the opportunity.

The equipment may even have ET (call home) and backdoor control functions added so that TAO have secret control of the equipment… afterall if TAO uses “cracker mentlity” people the chances are they will continue to have the same atitude when building systems…

Stuart February 26, 2014 4:38 AM

(S//SI//REL) Operational Restrictions exist for equipment deployment.

While an individual target user will not be able to detect that their phone has roamed onto this impersonating network, the operator will be able to see it in terms of failed handover attempts. This is where phone in a call will see the network and attempt to handover the call to this basestation. This will fail as the real network does not know of this basestation.

anon November 8, 2015 10:54 AM

Not into the protocols myself here, but shouldn’t one be able to detect this kind of interception:

  • monitoring the base-station ids one usually connects to and determine there’s a “new one”? Not sure if they use existing ids? Monitoring the signal-strength when at home and detecting changes here would identify the latter too? And should be rather easy to implement this in an OpenSource mobile (Android, Cyanogen, the like)?
  • if one moves while having an established connection, shouldn’t that “break” once the rogues-bs is out of reach?

But it just confirms we need to get ZRTP or alike for voice communications. Then they probably will need to get hands on your endpoint to intercept. I’d assume they are generally after that anyways though. Probably too tempting to have control over mic/camera(s) on the person all time 😉

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.