EBSR: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:

EBSR

(S//SI//REL) Multi-purpose, Pico class, tri-band active GSM base station with internal 802.11/GPS/handset capability.

(S//SI//REL) Operational Restrictions exist for equipment deployment.

(S//SI//REL) Features:

  • LxT Model: 900/1800/1900MHz
  • LxU Model: 850/1800/1900MHz
  • Pico-class (1Watt) Base station
  • Optional Battery Kits
  • Highly Mobile and Deployable
  • Integrated GPS, MS, & 802.11
  • Voice & High-speed Data
  • SMS Capability

(S//SI//REL) Enclosure:

  • 1.9"H x 8.6"W x 6.3"D
  • Approximately 3 lbs
  • Actively cooled for extreme environments

(S//SI//REL) EBSR System Kit:

  • EBSR System
  • AC/DC power converter
  • Antenna to support MS, GPS, WIFI, & RF
  • LAN, RF, & USB cables
  • Pelican Case
  • (Field Kit only) Control Laptop and Accessories

(S//SI//REL) Separately Priced Options:

  • 90 WH LiIon Battery Kit

(S//SI//REL) Base Station Router Platform:

  • Multiple BSR units can be interconnected to form a macro network using 802.3 and 802.11 back-haul.
  • Supports Landshark/Candygram capabilities.

Status:

Unit Cost: $40K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 25, 2014 at 2:11 PM • 6 Comments

Comments

exjimmy • February 25, 2014 6:45 PM

Could some of the pros on this site please help me understand this better?


Integrated GPS, MS, & 802.11
Antenna to support MS, GPS, WIFI, & RF

I have seen this several times now when referring to rogue cell sites. Is MS mobile system and in the context of antenna support what does RF refer to? Is it not all RF?

Josh Rubin • February 25, 2014 7:22 PM

I'm confused about one point. This and some other catalog entries contain the line:

"Operational Restrictions exist for equipment deployment."

What does this mean? My guess is that, because the device is a transmitter, it could interfere with civilian or military communications, break local laws, or be easily discovered.

Clive Robinson • February 25, 2014 10:54 PM

@ Josh,

You forgot to mention another reason: "control" of other agencies' operations...

If you look at the catalog pages you will see that some equipment is for sale and some only for "rent".

I've not analysed it but there may be a correlation between the addition of restrictions on usage and change to hire that can give an indication of the reasons.

However TAO may be doing the old trick of getting other agencies "dependent" on their product and then exploiting it to their advantage.

For instance getting another agency to tell you some or all of the operational details of their current and future "covert" activities offers a potential level of political power few in that business would pass up given the opportunity.

The equipment may even have ET (call home) and backdoor control functions added so that TAO have secret control of the equipment... after all, if TAO uses "cracker mentality" people, the chances are they will continue to have the same attitude when building systems...

Stuart • February 26, 2014 4:38 AM

> (S//SI//REL) Operational Restrictions exist for equipment deployment.

While an individual target user will not be able to detect that their phone has roamed onto this impersonating network, the operator will be able to see it in terms of failed handover attempts. This is where a phone in a call will see the network and attempt to hand over the call to this basestation. This will fail as the real network does not know of this basestation.
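The operator-side check described in the comment above, sketched as an added example (not part of the original post or comments): it flags handover targets that repeatedly fail and are absent from the operator's own neighbour-cell inventory. The record layout, cell names, ARFCN/BSIC values and the threshold are all constructed assumptions, not any vendor's counter format.

```python
from collections import defaultdict

# Constructed inventory (assumption): neighbour cells the operator has
# configured per serving cell, each identified by (ARFCN, BSIC).
KNOWN_NEIGHBOURS = {
    "CELL-A": {(62, 11), (70, 23)},
    "CELL-B": {(55, 17), (70, 23)},
}

# Constructed handover-attempt records (hypothetical layout):
# (serving_cell, target_arfcn, target_bsic, outcome)
SAMPLE_RECORDS = [
    ("CELL-A", 62, 11, "success"),
    ("CELL-A", 70, 23, "failure"),  # one-off failure toward a known neighbour
    ("CELL-A", 81, 42, "failure"),
    ("CELL-A", 81, 42, "failure"),
    ("CELL-B", 81, 42, "failure"),
    ("CELL-B", 55, 17, "success"),
    ("CELL-B", 90, 5, "failure"),   # single stray report, below threshold
]


def suspect_targets(records, known, min_failures=3):
    """Return {(arfcn, bsic): sorted serving cells} for handover targets that
    are missing from the serving cell's neighbour list and account for at
    least min_failures failed attempts."""
    failures = defaultdict(int)
    seen_from = defaultdict(set)
    for serving, arfcn, bsic, outcome in records:
        target = (arfcn, bsic)
        if outcome != "failure":
            continue
        if target in known.get(serving, set()):
            continue  # failure toward a real neighbour: ordinary radio issue
        failures[target] += 1
        seen_from[target].add(serving)
    return {t: sorted(seen_from[t]) for t, n in failures.items()
            if n >= min_failures}


if __name__ == "__main__":
    hits = suspect_targets(SAMPLE_RECORDS, KNOWN_NEIGHBOURS)
    for (arfcn, bsic), cells in hits.items():
        print(f"unknown target ARFCN {arfcn} BSIC {bsic}: "
              f"failed handovers seen from {cells}")
```

The serving cells listed for a flagged target give a rough indication of where the unknown transmitter is being heard.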


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..