Schneier on Security
A blog covering security and security technology.
« DDoSing a Cell Phone Network |
| Was the iOS SSL Flaw Deliberate? »
February 26, 2014
ENTOURAGE: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:
(S//SI//REL) Direction Finding application operating on the HOLLOWPOINT platform. The system is capable of providing line of bearing for GSM/UMTS/CDMA2000/FRS signals. A band-specific antenna and laptop controller is needed to compliment the HOLLOWPOINT system and completes the ground based system.
(S//SI) The ENTOURAGE application leverages the 4 Software Defined Radio (SDR) units in the HOLLOWPOINT platform. This capability provides an "Artemis-like" capability for waveforms of interest (2G,3G,others). The ENTOURAGE application works in conjunction with the NEBULA active interrogator as part of the Find/Fix/Finish capabilities of the GALAXY program.
- Software Defined Radio System
- Operating range 10MHz - 4GHz
- 4 Receive paths, all synchronized
- 1 Transmit path
- DF capability on GSM/UMTS/CDMA2000/FRS signals
- Gigabit Ethernet
- Integrated GPS
- Highly Mobile and Deployable
- 1.8"H x 8.0"W x 8.0"D
- Approximately 3 lbs
- 15 Watts
- Passively cooled
(S//SI//REL) Future Developments:
Status: The system is in the final testing stage and will be in production Spring 09.
Unit Cost: $70K
Page, with graphics, is here. General information about TAO and the catalog is here.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
Posted on February 26, 2014 at 2:38 PM
• 21 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
What does this mean:
". The ENTOURAGE application works in conjunction with the NEBULA active interrogator as part of the Find/Fix/Finish capabilities of the GALAXY program."
does "finish" mean a drone strike or what?
FRS? Please, someone tell me they weren't seriously trying to use a $70k device to triangulate the cheapie blister-pack Family Radio Service 400MHz 2-way radios.
A $12 RTL2382u USB stick can do that. Can also intercept most GSM signals without too much difficulty as well.
@Benni "does "finish" mean a drone strike or what?"
hehe, well you know, Obama does hold the leading spot for highest use/number of drone strikes thus far in presidential history so it wouldn't surprise me. i also heard something about a law making it legal now to "finish" americans who are suspected of "terrorism". :/ sad times for the USofA sadly...
I know that they pilot drones from the german base ramstein and nominate the targets in the africom headquaters in the german town stuttgart: http://www.sueddeutsche.de/politik/...
the question is: Is it this drone killing program for which the above NSA exploit of the day is used? Is the codename for the drone strikes "galaxy program"?
And what is NEBULA?
The reason for my question is that the german secret service BND usually gives mobile phone numbers of of terrorism suspects to the nsa. And the german government recently replied to a question officially, that
it does not believe that email adresses can lead to an imminent localization and to a drone strike:
is there more on the galaxy program somewhere in the snowden files, that could prove this link between mobile phone numbers and a drone strike?
sorry the sentence: "it does not believe that email adresses..." should read "it does not believe that mobile phone numbers.."
Who writes these things? They cannot tell the difference between compliment and complement. Figures.
????????: NSA Exploit of the Day
What happened to your blog post on Nebula? I don’t see it listed from the index, and the link from your RSS feed 404s.
I am kind of bored of these NSA exploits. I think they are not really surprising anymore. I have found myself visiting here less often because its mostly NSA "spam". Maybe I have a different imagination of the readership of this blog, but the exploits seem easily imaginable while wearing only the smallest tinfoil hat... so we aren't typically having our worlds expanded with these posts. Now squids, those are amazing... :)
tj && Wm
--Do you have any defenses against the attacks? Nope, didn't think so. What's hilarious is this is COTS-grade, as Alex stated above Hams pick up these signals for fun and SDR's and these incredible digital radios today can do quite a lot.
A almost certain defense is OTP encrypted convo's before transmission; and if you're doing that you probably don't have much actual work to do.
@Figureitout I do love the fox-hunt. The signal may travel at the speed of light, but it also tells where you are at the speed of light. Thanks physics!
--You ignored my question troll. It's slightly below "c" and a hacked smartphone can tell you where an innocent person is to get droned; not to mention automatic wifi-sniffing and automatic unapproved updates installing malware.
"Maybe I have a different imagination of the readership of this blog,"
that line says you do. Most readers prob arnt about the imagining, but the the realisation of the item under discussion (all threads, not just NSA specific).
Yes FRS is but one of many. Whilst I would expect the kit to do a lot more --and is listed as doing so-- perhaps you should invert the question and then ask what the consiquences of it are...
That is "Why does the person responsible for making the catalog page think FRS is so important to the potential TAO customers that it needs to be listed?"
After all there are plenty of other HF-UHF two way radio's that people can easily get hold of so why not say CB, Ham/ARS or PMR or "Hunter radios"?
What some people don't know is some northen European "Hunters Radios" are interoperable with some older
It might be that the physicaly very small FRS units with SelCall, small headsets and VOX included were/are being used by "drone meat" for close protection work around their VIPs...
 What is not well known is some northen European "Hunters Radios" are interoperable with some NATO nation older military radio systems (VHF-FM) used to do Forward Air Control (FAC) ground to air target identification that have been used in some recent combat zones. I suspect it is something known to the Taliban etc.
You know what?
I think you are an agent of NSA and U.S government.
Your mission is to exaggerate about power of U.S. information agencies and "horrify people".
how do you live in America without any problem?
Every day you say something NSA and it's spaying tools.
I think NSA has concluded that can't hide the truth about itself anymore and decided to reveal some gratuitous information (sb named Snowden here...).
@tj, @wm: So you actually find the first products from the NSA catalog that are actually advertized (in this very catalog!) to help killing suspects instead of collecting intelligence on them "boring"? Boy, you must have an interesting democratic life.
I used to do (amateur) radio direction finding for fun when I was young enough for the running about so this is quite familiar and I would have given arms and legs for it back then. This is at least partly a radio direction finding system - the key words in the TAO catalogue being "line of bearing".
Direction finding requires a multi channel receiver and multiple antennas, or a steerable antenna. Normal direction finding requires either simultaneous bearings from multiple locations (the transmitter being where the lines cross on the map) or taking the direction finding equipment from one location to the next and hoping the transmitter hasn't moved in the meantime. I do wonder if the TDM aspects of the GSM protocol make it possible to get range and bearing from one location by transmitting the appropriate query to a target phone - I am not an expert in GSM.
In the radio world there are really four separate passive security threats - detection (the enemy knowing a signal is being transmitted), interception (recording and decryption of the transmitted data), position finding (the enemy discovering where you are when you transmit) and traffic analysis (the enemy logging who and when you communicate with even if they can'd decrypt the content). Encryption at best protects you from decryption and some forms of traffic analysis. I am ignoring the active threats of impersonation (equivalent to MITM) and Jamming (equivalent to DOS or DDOS) for this post before Clive corrects me!.
The mere fact that you transmit exposes you to detection and the risk of position finding. Traditionally the risk of being detected and found increases if you transmit for longer and on the same frequency. Now that A to D converters fast enough to digitise the entire RF spectrum from DC to UHF are commercially available (just look at digital storage scope specs and prices) it may no longer require much time for a professional adversary to find any kind of radio so that is no longer a safe bet.
The best counter to detection and traffic analysis is either to transmit an encrypted stream constantly as a broadcast station (like naval fleet broadcasts) or to hide below the noise floor with some form of spread spectrum or multicarrier system that is easy to correlate if you know what to look for but doesn't show as a 'spike' on anyone's FFT or spectrum analyser display. If you can be detected you are vulnerable to position finding. There are some countermeasures such as the use of multiple radios on the same frequency but they are technically challenging to set up and operate on a small scale.
Modern military radios use frequency hopping or spread spectrum (an extreme form of CDMA) to try and hide from interception and mesh like networking to complicate position finding but the COTS technology used by most of the "bad guys" (be that pmr 446/ FRS, VHF-FM in Ham/PMR forms or cellular) is much less frequency agile - and in the case of cellular can be made to transmit on demand by a real or fake base station (is this Nebula?)
@Figureitout: It is important to realise that encryption (however good) will not prevent an adversary from locating the source of a radio signal even if the content of that signal is unknown. A good description of one method (Pseudo Doppler) is given at: http://www.pi4wag.nl/index.php/... . There are other methods (Interferometry for example, as used in the Plessey Vampire DF stations of the British Army until the 1990s).
@ Alex: I think it is more a case that something that can do direction finding of GSM (which probably involves following the GSM signalling to track the channel and timeslot in use by the wanted mobile) can also do single channel FM with the greatest of ease. You are right that the capabilities in this unit are now to be found in a USB stick for less than $20; I imagine if this unit was to be available in 2009 it was designed years earlier. Certainly $70K for 10MHz-4GHz application protocol aware DF would seem like a bargain to the UK Ministry of Defence which spent tens of millions on Vampire in the 1980s to cover 30-120MHz against fixed frequency FM radios only, and blew many more millions on Vixen (a failed successor around the turn of the century). This doesnt need an extra large landrover either !
@Benni: I think "finishing" in this context may just be the final stages of locating a transmitter beyond the accuracy that can be achieved by use of data from cell sites. From practical experience the last hundred metres can be challenging because of issues like reflections and shielding by metal objects, especially in a built up area.
I'm still concerned. there is this line "needed to compliment the HOLLOWPOINT system and completes the ground based system."
the ground based system? So is there an air based system complimenting this ground based system? If there is an air based system, this would certainly be a drone. This article: https://firstlook.org/theintercept/article/2014/02/10/the-nsas-secret-role/ write that they mount fake phone towers acting as gsm locators on drones. But the intercept does not give the codename for the system mounted on the drones.
Sorry, no, the intercept called the drone antenna GILGAMESH. buth there is this line from the article:
As the former drone operator explains, the process of tracking and ultimately killing a targeted person is known within the military as F3: Find, Fix, Finish. “Since there’s almost zero HUMINT operations in Yemen – at least involving JSOC – every one of their strikes relies on signals and imagery for confirmation: signals being the cell phone lock, which is the ‘find’ and imagery being the ‘unblinking eye’ which is the ‘fix.’” The “finish” is the strike itself.
"find fix finish", according to the intercept, this means killing by drones.
And then "find fix finish" is what this tao implant should be part of, according to its description
--Oh I know, I've conducted many experiments and observations on agent activities to learn their methods and signatures. W/ that sort of heat on you, all bets are off; really people need to experience these attacks and see for themselves the hell that is coming. And solving the "anonymity" problem is not my cup of tea; I say it's impossible w/ the level of surveillance these days (I'll just wink when they can't crack my codes but know who, when, and where I'm talking to) no matter how much opsec you think can change that. One thing may be encrypted IR, custom protocol for short range comms that die quick. Another is taking advantage of atmospheric interference; that's very unreliable and hit-or-miss though.
Just as a thought game, I like to look where I would have 120VAC power so I could set up my pre-programmed timed radio that says it's message when I'm gone and I never see it again.
Anyway thanks for the link, I liked the vector drawings and my good friend sine wave.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.