TYPHON HX: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:

TYPHON HX

(S//SI//FVEY) Base Station Router - Network-In-a-Box (NIB) supporting GSM bands 850/900/1800/1900 and associated full GSM signaling and call control.

(S//SI//FVEY) Tactical SIGINT elements use this equipment to find, fix and finish targeted handset users.

(S//SI) Target GSM handset registers with BSR unit.

(S//SI) Operators are able to geolocate registered handsets, capturing the user.

(S//SI//REL) The macro-class Typhon is a Network-In-a-Box (NIB), which includes all the necessary architecture to support Mobile Station call processing and SMS messaging in a stand-alone chassis with a pre-provisioning capability.

(S//SI//REL) The Typhon system kit includes the amplified Typhon system, OAM&P Laptop, cables, antennas and AD/DC power supply.

(U//FOUO) An 800 WH LiIon Battery kit is offered separately.

(U) A bracket and mounting kit are available upon request.

(U) Status: Available 4 mos ARO

(S//SI//REL) Operational Restrictions exist for equipment deployment.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
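On the detection question: a GSM handset will camp on whatever cell of its operator looks best, so a portable base station like this one typically shows up as a cell the phone has never seen, often on a new location area code (which forces a location update), with unusually strong signal and, frequently, with ciphering switched off. The following Python sketch is an added example, not code from the post or from the catalog: it builds a baseline of previously observed cells and scores a fresh scan against it. The `CellObservation` record, the ITU test PLMN 001/01 and all scan values are constructed for illustration; the ARFCN band table follows 3GPP TS 45.005 numbering.

```python
"""Heuristic rogue-GSM-cell detector (added example; data below is constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class CellObservation:
    mcc: str         # mobile country code (constructed: "001" = ITU test network)
    mnc: str         # mobile network code
    lac: int         # location area code broadcast by the cell
    cid: int         # cell identity
    arfcn: int       # absolute radio-frequency channel number
    rxlev_dbm: int   # received level as seen by the handset
    cipher: str      # ciphering negotiated: "A5/1", "A5/3" or "A5/0" (none)

def gsm_band(arfcn: int) -> str:
    """Map an ARFCN to the GSM band it belongs to (3GPP TS 45.005 numbering).

    The catalog lists the 850/900/1800/1900 bands; note that DCS 1800 and
    PCS 1900 share ARFCNs 512-810, so a band indicator is needed to split them.
    """
    if arfcn == 0 or 975 <= arfcn <= 1023:
        return "E-GSM 900"
    if 1 <= arfcn <= 124:
        return "P-GSM 900"
    if 128 <= arfcn <= 251:
        return "GSM 850"
    if 512 <= arfcn <= 810:
        return "DCS 1800 or PCS 1900"
    if 811 <= arfcn <= 885:
        return "DCS 1800"
    return "unknown"

CellKey = Tuple[str, str, int, int]   # (mcc, mnc, lac, cid)
Plmn = Tuple[str, str]

class Baseline:
    """What the handset has seen from each operator over a long, quiet period."""
    def __init__(self, observations: List[CellObservation]) -> None:
        self.cells: Set[CellKey] = set()
        self.lacs: Dict[Plmn, Set[int]] = {}
        self.ciphered: Dict[Plmn, bool] = {}
        self.max_rxlev: Dict[Plmn, int] = {}
        for o in observations:
            plmn = (o.mcc, o.mnc)
            self.cells.add((o.mcc, o.mnc, o.lac, o.cid))
            self.lacs.setdefault(plmn, set()).add(o.lac)
            self.ciphered[plmn] = self.ciphered.get(plmn, False) or o.cipher != "A5/0"
            self.max_rxlev[plmn] = max(self.max_rxlev.get(plmn, -200), o.rxlev_dbm)

def assess(obs: CellObservation, base: Baseline, rxlev_margin_db: int = 20) -> List[str]:
    """Return the list of indicators a single observed cell triggers."""
    plmn = (obs.mcc, obs.mnc)
    if plmn not in base.lacs:
        return ["unknown_plmn"]          # operator never seen here before
    findings: List[str] = []
    if (obs.mcc, obs.mnc, obs.lac, obs.cid) not in base.cells:
        findings.append("unknown_cell")  # cell identity never observed
    if obs.lac not in base.lacs[plmn]:
        findings.append("new_lac")       # forces every nearby phone to re-register
    if obs.cipher == "A5/0" and base.ciphered[plmn]:
        findings.append("ciphering_disabled")
    if obs.rxlev_dbm > base.max_rxlev[plmn] + rxlev_margin_db:
        findings.append("signal_outlier")  # far louder than any real cell here
    return findings

def scan_for_rogue_cells(baseline_scan: List[CellObservation],
                         current_scan: List[CellObservation],
                         min_findings: int = 2) -> Dict[CellKey, List[str]]:
    """Flag cells in the current scan that trigger at least `min_findings` indicators."""
    base = Baseline(baseline_scan)
    flagged: Dict[CellKey, List[str]] = {}
    for o in current_scan:
        f = assess(o, base)
        if len(f) >= min_findings:
            flagged[(o.mcc, o.mnc, o.lac, o.cid)] = f
    return flagged

# Constructed sample data: three legitimate GSM 850 cells of test PLMN 001/01 ...
BASELINE_SCAN = [
    CellObservation("001", "01", 1001, 4201, 128, -75, "A5/1"),
    CellObservation("001", "01", 1001, 4202, 135, -80, "A5/1"),
    CellObservation("001", "01", 1001, 4203, 142, -85, "A5/1"),
]
# ... and a later scan where a fourth, very loud, unciphered cell on a new LAC appears.
CURRENT_SCAN = BASELINE_SCAN + [
    CellObservation("001", "01", 9999, 1, 140, -45, "A5/0"),
]

if __name__ == "__main__":
    for key, findings in scan_for_rogue_cells(BASELINE_SCAN, CURRENT_SCAN).items():
        print(key, gsm_band(key[3] and 140), findings)
```

The thresholds (20 dB margin, two indicators) are arbitrary starting points; real deployments tune them against the handset's own movement history, since a genuinely new cell after travel will also trip `unknown_cell` and `new_lac`, which is why the scoring asks for several indicators at once rather than any single one.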

Posted on March 3, 2014 at 2:19 PM • 11 Comments

Comments

Benni • March 3, 2014 3:26 PM

(S//SI//FVEY) Tactical SIGINT elements use this equipment to find, fix and finish targeted handset users.

(S//SI) Target GSM handset registers with BSR unit.

(S//SI) Operators are able to geolocate registered handsets, capturing the user.

capturing user, finish targeted user, sounds final.

Clive Robinson • March 3, 2014 5:05 PM

Hmmm,

I don't know when this bit of kit was designed but the photo of it looks like a 1950's "battle ship radio"... I suspect it may be using a modified old style TEMPEST case.

Apart from the Geolocate and 3F comments there is little or nothing to go on as to its capabilities, and with what USD I would be expecting one truck load of capabilities (including espresso machine and kitchen sink ;-)

Clive Robinson • March 3, 2014 5:12 PM

Something strikes again...

A block of text has disappeared before the USD in my above post. It should read

and with what looks like a price of 175,800USD

Tony H. • March 3, 2014 5:17 PM

(S//SI//FVEY) Base Station Router - Network-In-a-Box (NIB) supporting GSM bands 850/900/1800/1900 and associated full GSM signaling and call control.

(S//SI//FVEY) Tactical SIGINT elements use this equipment to find, fix and finish targeted handset users.

Interesting about that 850/1900 support. These bands are used exclusively in the Americas. Who are they find/fix/finishing around here? I suppose it's El Salvador and Colombia and the like - maybe Mexico. But nice to know they can conveniently finish someone in the middle of a city in the US or Canada!

SchneieronSecurityFan • March 3, 2014 7:52 PM

"...An 800 WH LiIon Battery kit is offered separately."

Shouldn't that read an 800 AH battery?

Chris Abbott • March 3, 2014 9:19 PM

Somebody should modify the source code for Mortal Kombat for SNES so the guy that lost at the end of the match is holding a phone when "FINISH HIM!" pops up.

J • March 4, 2014 1:39 AM

@SchneieronSecurityFan
No. Watt-hours are Power x Time, for total energy capacity. Amp-hours are Current x Time, for literal electric charge capacity. Finding the energy content of the battery then requires knowing its potential, which is actually a function that varies depending on the charge level. AH should never have become a common unit, since it is not actually meaningful unless all devices being compared use precisely identical battery chemistry and cell construction.

Terry Cloth • March 4, 2014 12:30 PM

To heck with the NSA: My laptop battery reads “NOM 10.8V 5.2AH”. Can I presume that means VxAH=56 WH? Where can I get one of these 800WH models, and do I need a hand truck to move it about? :-)

Clive Robinson • March 4, 2014 4:08 PM

@ Terry Cloth,

    ...NSA: My laptop battery reads “NOM 10.8V 5.2AH”. Can I presume that means VxAH=56 WH?

No... but it is safe to assume the lie it's telling you is in part true.

Long story short, rechargeable batteries have odd properties as well as internal resistance. It is only practical to read the overall voltage of the cells (which are usually series connected). This voltage varies with load and temperature, both ambient and inside the individual cells. Temperature critically affects just how much energy you can pull back from the cells and over what period (as energy in time gives power this makes calculations difficult). Thus in your laptop somewhere (possibly in the battery) there is software with a "lookup table" that as a minimum takes total cell voltage as its input and amp hours as its output, and it is at best an approximation based on tests carried out at some point in the past to make a model of average performance.

Some batteries have their own little microcontrollers monitoring the battery cells' load, temperatures, number of charge cycles and if they were full or partial, the battery age etc. This can dynamically update the lookup table and also talk to the charging circuit in the laptop, all to wring the last little drops out of the battery performance.

Of course such a system is open to abuse by the manufacturers or "in the know" attackers and thus could harbour malware etc. Or cause you to not be able to use third party batteries --even though such practices are probably illegal in Europe-- the profit in doing so is too tempting to pass up for most manufacturers, who often talk about warranty liabilities to evade further enquiries from authorities.

Figureitout • March 5, 2014 8:56 AM

    which are usually series connected

@ Clive Robinson && Terry Cloth
--If you get a used 9V battery, cut it open and observe six 1.5V cells that initially appear in parallel but in fact are in series. Slightly amusing/interesting.
