Schneier on Security
A blog covering security and security technology.
February 27, 2014
GENESIS: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:
(S//SI//REL) Commercial GSM handset that has been modified to include a Software Defined Radio (SDR) and additional system memory. The internal SDR allows a witting user to covertly perform network surveys, record RF spectrum, or perform handset location in hostile environments.
(S//SI//REL) The GENESIS systems are designed to support covert operations in hostile environments. A witting user would be able to survey the local environment with the spectrum analyzer tool, select spectrum of interest to record, and download the spectrum information via the integrated Ethernet to a laptop controller. The GENESIS system could also be used, in conjunction with an active interrogator, as the finishing tool when performing Find/Fix/Finish operations in unconventional environments.
- Concealed SDR with Handset Menu Interface
- Spectrum Analyzer Capability
- Find/Fix/Finish Capability
- Integrated Ethernet
- External Antenna Port
- Internal 16 GB of storage
- Multiple Integrated Antennas
(S//SI//REL) Future Enhancements:
- 3G Handset Host Platform
- Additional Host Platforms
- Increased Memory Capacity
- Additional Find/Fix/Finish Capabilities
- Active Interrogation Capabilities
Status: Current GENESIS platform available. Future platforms available when developments are completed.
Unit Cost: $15K
Page, with graphics, is here. General information about TAO and the catalog is here.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
Posted on February 27, 2014 at 2:08 PM
ON Topic :-)
There is nothing new about this, you can get "Test SIMs" that enable a subset of this functionality.
But it goes back even further: when I was designing cordless phones way back in the last century, we would include "test code" to enable a user to switch the receiver to any channel, display the RSSI level and display the corresponding ID code.
We used to supply the certificational "test house" with phones with the test code installed so they could do their tests. Likewise the company that we were designing the phones for would get similar for their testing. Usually the code would stay in the production code; you just had to know the magic numbers to key in (I usually used the hex values of my initials CR, which gives 4352) and where in the UI functionality.
In some of the phones the lack of buttons on the base units meant we used incoming DTMF codes to change channels and report back RSSI and ID info. Which meant if you knew what you were doing you could phone somebody, wait for the answer machine to kick in, then enter the magic code and listen to any active calls the base could pick up in its area...
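The comment above describes a factory test mode that stayed in production firmware and could be unlocked by a fixed digit sequence, even by DTMF arriving off the phone line. The following is an added example, not code from the blog post or from the commenter, showing that weak pattern next to a hardened one: in the hardened version the test handler is compiled only into factory builds, is never reachable from the line side, and additionally requires a hardware test strap read at power-up. The base-station state, the `FACTORY_TEST_BUILD` macro, the function names and the unlock code `1234` are all constructed placeholders for illustration.

```c
/*
 * Added example (not from the post or the commenter): a cordless-base command
 * handler in the "test code left in production" style, beside a hardened one.
 * Every name, field and value here is constructed for illustration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Where a digit string came from. DTMF decoded off the line is remote input. */
typedef enum { SRC_PHONE_LINE = 0, SRC_LOCAL_UI = 1 } cmd_source_t;

typedef struct {
    int  channel;     /* RF channel the receiver is tuned to */
    int  rssi_dbm;    /* last measured signal strength (constructed value) */
    int  handset_id;  /* ID code decoded on the current channel (constructed) */
    bool test_mode;   /* true once the test menu has been unlocked */
} base_state_t;

static const base_state_t INITIAL_STATE = { 1, -90, 0x2A, false };

/* --- Weak pattern: test code ships in every unit, gated only by a secret --- */
#define WEAK_MAGIC_CODE "1234"   /* placeholder for a fixed unlock sequence */

/* Accepts digits from any source; the source is not even looked at. */
bool weak_handle_digits(base_state_t *s, cmd_source_t src, const char *digits)
{
    (void)src;
    if (strcmp(digits, WEAK_MAGIC_CODE) == 0) {
        s->test_mode = true;                        /* hidden menu unlocked */
        return true;
    }
    if (s->test_mode && digits[0] == '#') {        /* "#NN": tune to channel NN */
        s->channel  = atoi(digits + 1);
        s->rssi_dbm = -60;                          /* constructed measurement */
        return true;
    }
    return false;                                   /* ordinary dialling digits */
}

/* --- Hardened pattern ------------------------------------------------------
 * 1. The handler exists only in factory builds (compiled with
 *    -DFACTORY_TEST_BUILD), so a release image has no hidden menu at all.
 * 2. Even in a factory build, only the local UI is trusted, and only when the
 *    hardware test strap was asserted at boot. Nothing decoded off the phone
 *    line can reach the handler, and there is no unlock code to discover.
 */
bool hardened_handle_digits(base_state_t *s, cmd_source_t src,
                            const char *digits, bool test_strap_at_boot)
{
#ifdef FACTORY_TEST_BUILD
    if (src == SRC_LOCAL_UI && test_strap_at_boot && digits[0] == '#') {
        s->test_mode = true;
        s->channel   = atoi(digits + 1);
        return true;
    }
#else
    (void)test_strap_at_boot;
#endif
    (void)s; (void)src; (void)digits;
    return false;   /* release firmware: every digit string is plain dialling */
}

/* True if a caller on the phone line can retune the receiver. */
bool remote_can_tune(bool hardened)
{
    base_state_t s = INITIAL_STATE;
    if (hardened) {
        hardened_handle_digits(&s, SRC_PHONE_LINE, WEAK_MAGIC_CODE, true);
        hardened_handle_digits(&s, SRC_PHONE_LINE, "#07", true);
    } else {
        weak_handle_digits(&s, SRC_PHONE_LINE, WEAK_MAGIC_CODE);
        weak_handle_digits(&s, SRC_PHONE_LINE, "#07");
    }
    return s.channel == 7;
}

/* True if the weak firmware opens its test menu on the locally keyed code. */
bool weak_unlocks_locally(void)
{
    base_state_t s = INITIAL_STATE;
    return weak_handle_digits(&s, SRC_LOCAL_UI, WEAK_MAGIC_CODE) && s.test_mode;
}

/* True if the hardened firmware, as compiled, accepts a local test command. */
bool hardened_accepts_local_test(bool test_strap_at_boot)
{
    base_state_t s = INITIAL_STATE;
    return hardened_handle_digits(&s, SRC_LOCAL_UI, "#03", test_strap_at_boot);
}

int main(void)
{
    printf("weak firmware, remote retune possible:     %s\n",
           remote_can_tune(false) ? "yes" : "no");
    printf("hardened firmware, remote retune possible: %s\n",
           remote_can_tune(true) ? "yes" : "no");
    return 0;
}
```

Built as shown (without `-DFACTORY_TEST_BUILD`), the hardened handler rejects every test command regardless of source or strap, which is the property a release image should have; a factory build still refuses anything that did not come from the local UI with the strap asserted.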
@ 65535, Benni,
Such swapping of phones is quite normal amongst criminals in certain areas of London thanks to, amongst others, the "Adams family" criminal empire.
What happens is they have an "interest" in second hand mobile phone re-sellers, which they have used to their advantage. What they do is get a bunch of pre-paid SIMs for as little as 3GBP each and just select a phone from those that are sitting waiting to be resold. On the appropriate day they slip in a SIM and use it just for one or possibly two calls, then chuck the SIM and go swap the phone for another, with the one that has been used sold on quickly with a factory reset and new SIM (for phones with easy to change IMEI it's changed).
Apparently it's been known for some phones to get "obviously" used to raise suspicion and then end up with SIM and IMEI intact in odd places like rivals property along with other "items of interest" to authorities...
It's been suggested in some places that the Adams Family associates have connections with old PIRA and other such organisations who are involved with arms dealing through South Africa, which might account for where the knowledge of how to play these "games" has come from.
The "interest" is via associates in what is known as the "protection business" and drug suppliers.