Schneier on Security
A blog covering security and security technology.
February 17, 2014
PICASSO: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:
(S//SI//REL) Modified GSM (target) handset that collects user data, location information and room audio. Command and data exfil is done from a laptop and regular phone via SMS (Short Messaging Service), without alerting the target.
(S//SI) Target Data via SMS:
- Incoming call numbers
- Outgoing call numbers
- Recently registered networks
- Recent Location Area Codes (LAC)
- Cell power and Timing Advance information (GEO)
- Recently Assigned TMSI, IMSI
- Recent network authentication challenge responses
- Recent successful PINs entered into the phone during the power-on cycle
- SW version of PICASSO implant
- 'Hot-mic' to collect Room Audio
- Panic Button sequence (sends location information to an LP Operator)
- Send Targeting Information (i.e. current IMSI and phone number when it is turned on -- in case the SIM has just been switched).
- Block call to deny target service.
(S//SI//REL) Handset Options
- Eastcom 760c+
- Samsung E600, X450
- Samsung C140 (with Arabic keypad/language option)
(S//SI) PICASSO Operational Concept
(S//SI//REL) Uses include asset validation and tracking and target templating. Phone can be hot mic'd and has a "Panic Button" key sequence for the witting user.
Status: 2 weeks ARO (10 or less)
Unit Cost: approx $2000
Page, with graphics, is here. General information about TAO and the catalog is here.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
Posted on February 17, 2014 at 2:20 PM
"for the witting user" made me laugh
You could call it an "undercover agent phone": the undercover agent is the witting user, and it's the others they are spying on etc. who are the potential "unwitting" targets.
In a lot of undercover operations the best way into a target group and rise to the top is to be a supplier/quartermaster who has the contacts to get equipment and supplies as needed.
Once trusted, handing out phones with this implant is a good way of not having to ask too many questions and thus becoming a suspicious person.
As I've mentioned before, mobile phones with a "bug mode" are fairly easily detected with quite simple equipment. GSM phones especially make a "buzzing" noise when close to cheap unscreened audio amplifiers in portable radios / CD players etc.
Which is why a more up-to-date implant is likely to not continuously transmit but use a background data service such as GPRS in burst mode, with the audio data suitably compressed and stored within the phone. The length of data bursts and the frequency with which they occur is related to the data service bandwidth, the available storage on the phone and the acceptable latency. In many cases the storage and latency requirements might mean that an hour or so of "talk recording" might not be sent for a day or so...
This is a 6-year-old piece of hardware that does not take into account subsequent research to come out of outfits like the CASL, nor the recent advances in GPGPU architecture.
24/7 exfil in burst transmissions of higher level information as plaintext on more modern units can easily be accomplished by running SR and MASINT software on the handset, or using mesh networked handsets to share local data processing.
The need to exfil full audio data for backend processing is no longer necessary in most cases. You can use the phone's built-in processing capabilities to reduce most audio signatures down to text for burst exfil.
I'd imagine the lowest-hanging fruit here would be gunshot and blast detection; that's a rudimentary task for embedded MASINT software.
What I suspect some more recent VRK documents Snowden never had access to likely say is that the NSA has been attempting to introduce always on mass-MASINT and SR technology at a manufacturer level in every new phone via covert channels
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.