GENESIS: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:

GENESIS

(S//SI//REL) Commercial GSM handset that has been modified to include a Software Defined Radio (SDR) and additional system memory. The internal SDR allows a witting user to covertly perform network surveys, record RF spectrum, or perform handset location in hostile environments.

(S//SI//REL) The GENESIS systems are designed to support covert operations in hostile environments. A witting user would be able to survey the local environment with the spectrum analyzer tool, select spectrum of interest to record, and download the spectrum information via the integrated Ethernet to a laptop controller. The GENESIS system could also be used, in conjunction with an active interrogator, as the finishing tool when performing Find/Fix/Finish operations in unconventional environments.

(S//SI//REL) Features:

  • Concealed SDR with Handset Menu Interface
  • Spectrum Analyzer Capability
  • Find/Fix/Finish Capability
  • Integrated Ethernet
  • External Antenna Port
  • Internal 16 GB of storage
  • Multiple Integrated Antennas

(S//SI//REL) Future Enhancements:

  • 3G Handset Host Platform
  • Additional Host Platforms
  • Increased Memory Capacity
  • Additional Find/Fix/Finish Capabilities
  • Active Interrogation Capabilities

Status: Current GENESIS platform available. Future platforms available when developments are completed.

Unit Cost: $15K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 27, 2014 at 2:08 PM • 15 Comments

Comments

sweep the leg • February 27, 2014 3:33 PM

OT (sorry, can't wait until squid day):

Tor is building an anonymous instant messenger

"Forget the $16 billion romance between Facebook and WhatsApp. There's a new messaging tool worth watching[1].

Tor[2], the team behind the world's leading online anonymity service, is developing a new anonymous instant messenger client, according to documents[3] produced at the Tor 2014 Winter Developers Meeting in Reykjavik, Iceland."

http://slashdot.org/submission/3372143/tor-is-building-an-anonymous-instant-messenger

[1] http://www.dailydot.com/technology/tor-instant-messaging-bundle/
[2] https://www.torproject.org/
[3] https://trac.torproject.org/projects/tor/wiki/org/meetings/2014WinterDevMeeting/notes/RoadmapTIMB

Alvin • February 27, 2014 3:57 PM

While it may not be obvious, this is direct evidence of NSA involvement in targeted assassination. "Find/Fix/Finish" is the military term for an offensive operation, advance to contact, or what used to be called "search and destroy". It's used somewhat incorrectly here, but the meaning is clear.

Using this exploit as the "finish" tool in conjunction with an "active interrogator" means a phone with this exploit will act as a transponder for a drone to lock a missile onto. It's already known the drones carry the interrogators. And where do they operate, except "unconventional environments"?

Benni • February 27, 2014 4:21 PM

Yes, The Intercept also writes that find fix finish means killed by drone:
https://firstlook.org/theintercept/article/2014/02/10/the-nsas-secret-role/

find fix finish was also part of the entourage tao device:
https://www.schneier.com/blog/archives/2014/02/entourage_nsa_e.html

The ENTOURAGE application works in conjunction with the NEBULA active interrogator as part of the Find/Fix/Finish capabilities of the GALAXY program.

Now what is the "NEBULA active interrogator" and what is Galaxy?

An antenna on a predator drone is called GILGAMESH according to the intercept.

@epic_butthurt
I think the webcam gate should be discussed under the squid threat as long as bruce does not open a specialised thread for this.

The interesting point about this webcam thing is that it must be connected to the recent slides where GCHQ says they would be using sexually explicit material for mobbing company employees and Taliban.

https://www.eff.org/document/07252014-nbc-gchq-honey-trap-cyber-attack-2
https://www.eff.org/document/20140224-intercept-training-covert-online-operations
https://www.eff.org/document/20140218-intercept-gchq-sigdev
https://www.eff.org/document/07022014-nbc-gchq-honey-trap-cyber-attack

So they get their sexually explicit material by setting up some honey trap of a prostitute and a web cam chat, and then they give this to the Taliban colleagues, or they blackmail a software engineer, telling him they will give these pictures to his wife if he does not introduce a certain line of code into a crypto API....


Nope • February 27, 2014 4:45 PM

The sheer volume and level of detail of the NSA tradecraft that the Snowden docs are spewing is astounding. As US taxpayers, we have paid tens of billions of $USD - likely more - over the course of decades to develop and deploy this cutting edge intel tech. Seeing adversaries and competing economies get it for free is so very tragic.

Anonymous Coward • February 27, 2014 9:47 PM

@Alex

Benni described one way in which targets are "finished," but we also should suspect that these tools can be used for a more low-key "finishing." In some non-permissive environments, special operators could be used to kill/capture the target using GENESIS to obtain positive identification of the target.

Hell, the NSA doesn't even need to know who they're killing/capturing, they can just decide on targets based on massive-scale metadata collection and social network graphs.

65535 • February 27, 2014 10:08 PM

I wonder if this “finishing” tool will become an advanced “Swatting” tool. It’s not hard to imagine a prankster or malefactor running up a series of conversations or text messages considered “terror” related then giving his cell phone to an adversary. The adversary is driving on an empty street and gets zapped. There could be many permutations to this deadly prank.

Clive Robinson • February 28, 2014 3:19 AM

ON Topic :-)

There is nothing new about this; you can get "Test SIMs" that enable a subset of this functionality.

But it goes back even further: when I was designing cordless phones, way back in the last century, we would include "test code" to enable a user to switch the receiver to any channel, display the RSSI level and display the corresponding ID code.

We used to supply the certification "test house" with phones with the test code installed so they could do their tests. Likewise the company that we were designing the phones for would get similar for their testing. Usually the code would stay in the production code; you just had to know the magic numbers to key in (I usually used the hex values of my initials CR, which gives 4352) and where in the UI functionality.

In some of the phones the lack of buttons on the base units meant we used incoming DTMF codes to change channels and report back RSSI and ID info. Which meant if you knew what you were doing you could phone somebody, wait for the answer machine to kick in, then enter the magic code and listen to any active calls the base could pick up in its area...

Benni • February 28, 2014 5:37 AM

@65535
I believe the Taliban certainly already exploit this as a swatting tool. They don't even need to give their phones to the enemy.

Simply sell the phones after one day of real talking to some dumb families, e.g. some farmers in a local village. The kids will certainly like these phones, but not for long.

And then, when the local people are beginning to complain that the US drones kill innocent kids, the Taliban have their perfect recruiting argument:

"Join us in our fight against the US. They are foreign invaders who kill our children with drones. So, all local people in this village, join the Taliban forces..."

It could be that these poor people who wanted to go to a wedding simply were victims of such swatting:

https://firstlook.org/theintercept/article/2014/02/20/report-yemen-wedding-drone-strike-may-violated-laws-war/

Apparently, the NSA insists that the drone strike was against a mobile phone of a terrorist.
In contrast, the survivors just claim that they wanted to go to a wedding, having nothing to do with terrorism....


Clive Robinson • February 28, 2014 9:24 AM

@ 65535, Benni,

Such swapping of phones is quite normal amongst criminals in certain areas of London thanks to amongst others the "Adams family" criminal empire.

What happens is they have an "interest" in second hand mobile phone re-sellers [2], which they have used to their advantage. What they do is get a bunch of pre-paid SIMs for as little as 3GBP each and just select a phone from those that are sitting waiting to be resold. On the appropriate day they slip in a SIM and use it just for one or possibly two calls, then chuck the SIM and go swap the phone for another, with the one that has been used sold on quickly with a factory reset and new SIM (for phones with an easy-to-change IMEI it's changed).

Apparently it's been known for some phones to get "obviously" used to raise suspicion and then end up with SIM and IMEI intact in odd places like rivals property along with other "items of interest" to authorities...

It's been suggested in some places that the Adams Family associates have connections with old PIRA and other such organisations who are involved with arms dealing through South Africa, which might account for where the knowledge of how to play these "games" has come from.

[1] http://en.m.wikipedia.org/wiki/Clerkenwell_crime_syndicate

[2] The "interest" is via associates in what is known as the "protection business" and drug suppliers.

GV • February 28, 2014 9:32 AM

Have none of these terrorists thought to maybe stow their phone safely into a lead-lined, shielded cell phone case when not in use?
