NEBULA: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:


(S//SI//FVEY) Multi-Protocol macro-class Network-In-a-Box (NIB) system. Leverages the existing Typhon GUI and supports GSM, UMTS, CDMA2000 applications. LTE capability currently under development.

(S//SI//REL) Operational Restrictions exist for equipment deployment.

(S//SI//REL) Features:

  • Dual Carrier System
  • EGSM 900MHz
  • UMTS 2100MHz
  • CDMA2000 1900MHz
  • Macro-class Base station
  • 32+Km Range
  • Optional Battery Kits
  • Highly Mobile and Deployable
  • Integrated GPS, MS, & 802.11
  • Voice & High-speed Data

(S//SI//REL) Advanced Features:

  • GPS—Supporting NEBULA applications
  • Designed to be self-configuring with security and encryption features
  • 802.11—Supports high speed wireless LAN remote command and control

(S//SI//REL) Enclosure:

  • 8.5″H x 13.0″W x 16.5″D
  • Approximately 45 lbs
  • Actively cooled for extreme environments

(S//SI//REL) NEBULA System Kit:

  • NEBULA System
  • 3 Interchangeable RF bands
  • AC/DC power converter
  • Antenna to support MS, GPS, WIFI, & RF
  • LAN, RF, & USB cables
  • Pelican Case
  • (Field Kit only) Control Laptop and Accessories

(S//SI//REL) Separately Priced Options:

  • 1500 WH LiIon Battery Kit

(S//SI//REL) Base Station Router Platform:

  • Multiple BSR units can be interconnected to form a macro network using 802.3 and 802.11 back-haul.
  • Future GPRS and HSDPA data service and associated application


Unit Cost: $250K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 28, 2014 at 2:16 PM9 Comments


Karl Hall February 28, 2014 3:07 PM

Has Snowden ever indicated why he blew the cover on TAO? Like Bruce indicated previously, these TAO devices/apps seem to be in service of the most defensible work the NSA does.

Benni February 28, 2014 3:28 PM

now the question remains, what is Typhon?
And what is active interrogator of the previous tao device with find fix finish capability?

@Karl Hall: As some of these TAO devices are used in the us Berlin embassy with its radar emissions, and as some of the TAO devices are in routers, switches and servers of large telecommunication companies, and as some of the TAO devices are used for “fix find and finish” of mobile phones and some innocent people who wear a mobile phone that the nsa thinks it belongs to a terrorist, it is absolutely legitimate to publish them.

The TAO devices are used to spy an us allies and industrial companies. They are used for killing people wo carry the mobile phones of terrorists, and the terrorists know and use this for swatting innocents.

Na, all these things should be published. As long as the US gratify their allies by spying on them, and as long as the US do not know how to really fight in a war, which traditionally is always by going after the enemy, and not cowardish attacks from miles away, with the only evidence of the enemy in form of a mobile phone, as long as the situation is such, the tao devices must all be published. period.

Anura February 28, 2014 3:47 PM

The information on TAO is neither helpful to foreign intelligence agencies, a surprise to those with an interesting in intelligence, nor damaging to the NSA. It’s simply interesting.

As for why Snowden included it, well, he left it up to the press to determine what should be made public; I figure if he went through and slowly leaked details himself, there would be more incentive for the government to eliminate him.

Vance February 28, 2014 11:27 PM

The original articles in Der Spiegel never identify the source for the documents; a contemporaneous AP article states that they couldn’t immediately reach Der Spiegel for clarification. A quick search didn’t turn up any attribution for the documents, only speculation or assumptions in various quarters that they came from Snowden. Can anyone point to a definitive statement as to where they came from?

Peter March 2, 2014 6:30 PM

Maybe it is telling that it was Jacob Appelbaum who presented these pages at a conference presentation, and I remember he also was the co-author of the Spiegel article. Publishing these things fits his ‘hactivist’ engagement to bring down NSA and all other intelligence services.

I also see no legitimate reason to publish this kind of information as it damages US intelligence collection, which is this case is not illegal. Maybe some people see that otherwise, but remember that both Snowden and Greenwald initially said that they only wanted to expose the wrongdoings of NSA, and not to expose things without a specific reason or need.

Nick P March 2, 2014 6:53 PM

@ Peter

Funny you mention that about Jacob without mentioning how often he is harassed at airports and such by US govt due to Tor work. US govt has been attacking cryptographers and privacy tech developers for years. Jacob, a target, publishing their attack methods makes plenty of sense.

Another issue is NSA has been lying to Americans about what their solutions do to stop TLA level threats. They promoted NetTop, VMware based solutions, and taps of our infrastructure giving them monitoring (and control) of it all. Yet, when we see their list of attacks, it contradicts all their assurances as it shows even they knew the defenses were trivial for TLA’s to bypass.

Now, tks to leaks, we know what vectors a TLA actually uses and have plenty motivation to secure from hardware up.

Carpe March 3, 2014 1:06 PM

@ Peter

You really think they are getting warrants to use this sort of thing on just a particular target? If so, I have oceanfront property in Oklahoma to sell you.

Peter March 4, 2014 4:28 PM

How understandable the actions of Appelbaum might be, fact is that those TAO/ANT gadgets are not proving any large scale NSA wrongdoing, so publishing them is not according to the limits Snowden and Greenwald set themselves. This is more like the Wikileaks approach.

NSA doesn’t need a warrant to use these kind of tools in foreign countries. Within the US it’s FBI that uses similar equipment though, but they do need a warrant, so if you’re an American who fears this, look at the FBI.

Nick P March 4, 2014 5:25 PM

@ Peter

The NSA is using their mass surveillance systems in the United States against American citizens at a large scale. That you think they get warrants before interceptions makes me think you missed most of the Snowden revelations.

” so if you’re an American who fears this, look at the FBI.”

We need to also look at the FBI. Hoover, Carnivore, and many other problems were discussed in the past. The catalog and mass surveillance systems are NSA’s developments. So, we’re looking at NSA now.

“This is more like the Wikileaks approach.”

Indeed. Wikileaks exposed massive amounts of corruption, lies and schemes during its run. The DOD, State Department, and tax dodging banks were all exposed. Military and intelligence particularly were exposed for their lies in relation to wars overseas. Now, we are seeing that same organizations are lying yet again about the surveillance systems and how they are using them. We know this because of the Snowden leaks.

The TAO manual was leaked and it serves a different purpose. Seeing all their lies and abuses, quite a few people/organizations would rather NSA not have total control over their equipment and total knowledge of their data. So far, NSA’s security recommendations were rigged to make them easier to hack, by NSA and [incidentally] foreign TLA’s. Leaked TAO manual proves their defenses wouldn’t stop TLA’s. So, they lied again promoting technologies that wouldn’t work and would simply give them more control over American systems.

They’ve shown they can’t be trusted. They’re willing to weaken and compromise as many US systems as possible to achieve their goal of knowing everything that happens in this country. They put us all at risk when they weaken our systems. The only way to build strong systems, even strong enough to stop NSA, is to know how a TLA (esp NSA) attacks systems. The TAO manual gives that information.

Thanks to that leak, people can clearly see what Clive and I have been saying here for years: every layer from silicon up must be replaced with a secure alternative to stop a TLA and then there’s still work (eg EMSEC, usability, shipping). There are now more people than ever working on each layer to fix the problems. The sad irony is that was the NSA’s job [1]. Rather than failing it, they went one further and sabotaged it outright.

[1] NSA’s Information Assurance Directorate is supposed to try to protect American systems, esp. used for defense purposes. Relevant excerpts of Executive Order 12333 are below. So, pretending to secure those systems while making them weaker to sophisticated adversaries is a failure of legal responsibility. It’s also aiding and abetting the enemy far as I’m concerned.

“(10) Protection of the security of its installations, activities, property, information, and employees by appropriate means, including such investigations of applicants, employees, contractors, and other persons with similar associations with the NSA as are necessary;
(11) Prescribing, within its field of authorized operations, security regulations covering operating practices, including the transmission, handling and distribution of signals intelligence and communications security material within and among the elements under control of the Director of the NSA, and exercising the necessary supervisory control to ensure compliance with the regulations; “

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.