WATERWITCH: NSA Exploit of the Day
Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:
WATERWITCH
(S//SI) Hand held finishing tool used for geolocating targeted handsets in the field.
(S//SI) Features:
- Split display/controller for flexible deployment capability
- External antenna for DFing target; internal antenna for communication with active interrogator
- Multiple technology capability based on SDR Platform; currently UMTS, with GSM and CDMA2000 under development
- Approximate size 3″ x 7.5″ x 1.25″ (radio), 2.5″ x 5″ x 0.75″ (display); radio shrink in planning stages
- Display uses E-Ink technology for low light emissions
(S//SI) Tactical Operators use WATERWITCH to locate handsets (last mile) where handset is connected to Typhon or similar equipment interrogator. WATERWITCH emits tone and gives signal strength of target handset. Directional antenna on unit allos operator to locate specific handset.
Status: Under Development. Available FY-20008
LRIP Production due August 2008Unit Cost:
Page, with graphics, is here. General information about TAO and the catalog is here.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
thelastonebutone • March 4, 2014 4:09 PM
There is definitely a logic to these codenames. WATERWITCH is used by “Tactical Operators” (commandos) for wetwork, the assassination or rendition of persons using targeted phones. It’s good to know that NSA aren’t entirely beholden to drone technology; as in the title of a Petri movie, “We Still Kill The Old Way”.
It’s also clear that ‘active interrogator’ is a description of a basestation that impersonates a cell tower. By controlling the timing and power of the captive phone’s RF emissions, it interrogates actively. This is analogous to passive and active attacks on cryptosystems.