PICASSO: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:


(S//SI//REL) Modified GSM (target) handset that collects user data, location information and room audio. Command and data exfil is done from a laptop and regular phone via SMS (Short Messaging Service), without alerting the target.

(S//SI) Target Data via SMS:

  • Incoming call numbers
  • Outgoing call numbers
  • Recently registered networks
  • Recent Location Area Codes (LAC)
  • Cell power and Timing Advance information (GEO)
  • Recently Assigned TMSI, IMSI
  • Recent network authentication challenge responses
  • Recent successful PINs entered into the phone during the power-on cycle
  • SW version of PICASSO implant
  • ‘Hot-mic’ to collect Room Audio
  • Panic Button sequence (sends location information to an LP Operator)
  • Send Targeting Information (i.e. current IMSI and phone number when it is turned on—in case the SIM has just been switched).
  • Block call to deny target service.

(S//SI//REL) Handset Options

  • Eastcom 760c+
  • Samsung E600, X450
  • Samsung C140
  • (with Arabic keypad/language option)

(S//SI) PICASSO Operational Concept

(S//SI//REL) Uses include asset validation and tracking and target templating. Phone can be hot mic’d and has a “Panic Button” key sequence for the witting user.

Status: 2 weeks ARO (10 or less)

Unit Cost: approx $2000

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 17, 2014 at 2:20 PM16 Comments


James Sutherland February 17, 2014 3:20 PM

Interesting that this one carries a lower classification level (Secret, as opposed to Top Secret like the other catalog entries featured recently) – also interesting they’re harvesting things like GSM network authentication responses, not just the location/content/audio which have obvious uses. Maybe useful for targets who might be using private GSM cells, like government sites?

Clive Robinson February 17, 2014 4:36 PM

@ Gridlock,

    “for the witting user” made me laugh

You could call it an “undercover agent phone” and the undercover agent is the witting user, it’s the others they are spying on etc who are the pottential “unwitting” targets.

In a lot of under cover operations the best way into a target group and rise to the top is to be a supplier/quatermaster who has the contacts to get equipment and supplies as needed.

Once trusted handing out phones with this implant is a good way of not having to ask to many questions and thus become a suspicious person.

As I’ve mentioned before mobile phones with a “bug mode” are faily easily detected with quite simple equipment. GSM phones especialy make a “buzzing” noise when close to cheap unscreened audio amplifiers in portable radios / CD players etc.

Which is why a more uptodate implant is likely to not continuously transmit but use a background data service such as GPRS in burst mode with the audio data suitably compressed and stored within the phone. The length of data bursts and the frequency they occure is related to the data service bandwidth available storage on the phone and acceptable latency. In many cases the storage and latency requirments might mean that an hour or so of “talk recording” might not be sent for a day or so…

0day February 17, 2014 6:37 PM

@Chris Bronk
But it has no small kaboom feature like the Yahya Ayyash phone.

I was wondering about those cases (predominantly in India) where users reported that they had received a message that caused the display turn all red moments before the phone exploded.

Figureitout February 17, 2014 8:49 PM

I tested for the panic sequence and it checks out, multiple times. And in comes the backup, ID them and move on.

No Such Anonymous February 17, 2014 9:58 PM

@Clive Robinson

This is a 6 year old piece of hardware that does not take into account subsequent research to come out of outfits like the CASL, nor the recent advances in GPGPU architecture.

24/7 exfil in burst transmissions of higher level information as plaintext on more modern units can easily be accomplished by running SR and MASINT software on the handset, or using mesh networked handsets to share local data processing.

The need to exfil full audio data for backend processing is no longer necessary in most cases. You can use phone’s built-in processing capabilities to reduce most audio signatures down to text for burst exfil.

I’d imagine the lowest hanging fruit here would be gunshot and blast detection, that’s a rudimentary task for embedded MASINT software.

What I suspect some more recent VRK documents Snowden never had access to likely say is that the NSA has been attempting to introduce always on mass-MASINT and SR technology at a manufacturer level in every new phone via covert channels

Alex February 18, 2014 1:43 PM

And this is why we have our own cell towers / repeaters / femtocells at our offices. The phone may try to deceive you, but there’s no way (that I’m aware of) getting around the blinking ethernet Activity lights.

It’s the same reason our switches / routers live in the IT guy’s office and have a monitor showing real-time stats above them. Anything abnormal will hopefully be seen.

SchneieronSecurityFan February 18, 2014 10:56 PM

I wonder if this type of technology can be used by a law enforcement organization in place of “a wire” for an undercover officer or informant?

keith A February 19, 2014 7:57 AM


Did you mean to imply ‘under warrent (and usable as evidence in court)’?

SchneieronSecurityFan February 19, 2014 5:32 PM

Yes, of course, a warrant. An undercover officer would carry this instead of “a wire”. Places where this could be used could be a resort or beach area, a coffee shop or a bar.

I wonder if that’s been done?

Adlai February 20, 2014 12:46 PM


They’ll get the intel, but if the method wasn’t warranted, they’ll still need to find some way to legitimize their knowledge.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.