TOTEGHOSTLY 2.0: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:


(TS//SI//REL) TOTEGHOSTLY 2.0 is STRAITBIZARRE based implant for the Windows Mobile embedded operating system and uses the CHIMNEYPOOL framework. TOTEGHOSTLY 2.0 is compliant with the FREEFLOW project, therefore it is supported in the TURBULENCE architecture.

(TS//SI//REL) TOTEGHOSTLY 2.0 is a software implant for the Windows Mobile operating system that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control, and data exfiltration can occur over SMS messaging or a GPRS data connection. A FRIEZERAMP interface using HTTPSlink2 transport module handles encrypted communications.

(TS//SI//REL) The initial release of TOTEGHOSTLY 2.0 will focus on installing the implant via close access methods. A remote installation capability will be pursued for a future release.

(TS//SI//REL) TOTEGHOSTLY 2.0 will be controlled using an interface tasked through the NCC (Network Control Center) utilizing the XML based tasking and data forward scheme under the TURBULENCE architecture following the TAO GENIE Initiative.

Unit Cost: $0

Status: (U) In development

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 19, 2014 at 2:18 PM9 Comments


NobodySpecial February 19, 2014 9:59 PM

@justin – that’s because the NSA wouldn’t spy on decent Americans who all have iPhones. Obviously only foreign terrorists use windows CE

Clive Robinson February 19, 2014 11:39 PM

@ Justin, NobodySpecial,

    Wow, I don’t known a single human being that is using a Windows phone.

It’s an observation that is ripe for a “conspiracy nut” to work on 😉

Here as they say –in the UK [1]– “is a starter for ten”,

We know MS entry into mobile market was a very expensive disaster, with journalists saying things like it was so bad “you couldn’t give it away” (I gather MS did try to give it away but it had hiden hooks so it got few bites, so they simply enginered the take over of a mobile phone manufacturer in more recent times).

Now it could be argued that in order to try to make it less of a disaster MS gave the source code etc to the NSA in the hope they would do an Obamaberry with it or say it was OK for USG use (which it’s cearly not !).

Or even argued that MS developed the hooks for this attack vector deliberatly and “gifted them” to the NSA to try and get a USG “benevolance”.

! ie circular argument logic – it’s got a flaw that enabled this attack vector, therefor it could be attacked by USG hostile entities (such is the joy of conspiracy theory argument).

[1] It comes from a UK quiz show “University Challenge” compared by Jermy Paxman, who also compares a news&politics show and is fairly famous for the way he takes bites out of Political representatives and several others. He appears to not suffer fools gladly and is known to make public things that vex him like “M&S underware for men” being significantly ungenerous in it’s cut to be shall we say a bit of a let down at inconveniant times…

SchneieronSecurityFan February 20, 2014 12:31 AM

Am I correct in assuming that a Windows Mobile attack such as this one will not work on a Windows Phone device?

But, I do believe that some of the earlier Windows CE attacks will work on Windows Mobile devices.

Earlier this year I saw my first Windows Phone, a Nokia. I though it was good. I can see why the tiles are considered an improvement over the iOS home screen icons. Apple’s chief designer Jonathan Ive praised it.

@NobodySpecial – A Symbian OS attack would probably be developed for non-U.S. use. I’ve never seen a Symbian OS device.

Nick P February 20, 2014 1:14 AM

@ Schneieronsecurityfan

You can assume they upgrade these regularly. Remember the stories on the “offensive security” companies that find 0-days and make malware kits for huge cash? They haven’t been sitting on their hands since 2008. Any upgrade that makes their “product” useless means losses in six to seven digit range. They’d find a way to make their product work on the next version of the target. It’s only natural.

renke February 20, 2014 8:37 AM

@Justin Andrusk

You saw the “in 2008”? 😛

According to Gartner MS Windows Mobile had a smartphone market share of 12 % in 2nd quarter of 2008 (3rd place after Symbian and RIM).

I’m quite sure the next leak with more current TAO implants will include something like PUTRIDFRUIT targeting Apple devices.

Nick P February 20, 2014 12:36 PM

@ renke

Haha. Or an implant called BLADERUNNER targeting Androids.

Of course, we know they updated their catalog because it said so in one of the leaks Bruce reported on. They specifically mentioned Apple, Android and Blackberry. They also likened Steve Jobs to Big Brother and Apple users to zombies. I liked that last part.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.