WATERWITCH: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:


(S//SI) Hand held finishing tool used for geolocating targeted handsets in the field.

(S//SI) Features:

  • Split display/controller for flexible deployment capability
  • External antenna for DFing target; internal antenna for communication with active interrogator
  • Multiple technology capability based on SDR Platform; currently UMTS, with GSM and CDMA2000 under development
  • Approximate size 3" x 7.5" x 1.25" (radio), 2.5" x 5" x 0.75" (display); radio shrink in planning stages
  • Display uses E-Ink technology for low light emissions

(S//SI) Tactical Operators use WATERWITCH to locate handsets (last mile) where handset is connected to Typhon or similar equipment interrogator. WATERWITCH emits tone and gives signal strength of target handset. Directional antenna on unit allows operator to locate specific handset.

Status: Under Development. Available FY-2008
LRIP Production due August 2008

Unit Cost:

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on March 4, 2014 at 2:23 PM • 15 Comments


thelastonebutone • March 4, 2014 4:09 PM

There is definitely a logic to these codenames. WATERWITCH is used by "Tactical Operators" (commandos) for wetwork, the assassination or rendition of persons using targeted phones. It's good to know that NSA aren't entirely beholden to drone technology; as in the title of a Petri movie, "We Still Kill The Old Way".

It's also clear that 'active interrogator' is a description of a basestation that impersonates a cell tower. By controlling the timing and power of the captive phone's RF emissions, it interrogates actively. This is analogous to passive and active attacks on cryptosystems.

Benni • March 4, 2014 4:17 PM

It's also clear that 'active interrogator' is a description of a basestation that impersonates a cell tower.

Well, if I remember correctly from another device, active interrogator is air based, so the question is what this is. Is it a Reaper or a Predator drone? Or is it just the cell tower implant of the drone?

Clive Robinson • March 4, 2014 5:41 PM

@ Benni,

It could even be a hand held unit.

The point is GSM will "handover" to whichever is the strongest BTS it receives.

So whilst a traditional tower BTS five miles down the road might be pushing 20 watts, a handheld unit pushing 100 mW that is less than 250 yards away might well be stronger, so the target's phone will handover to the handheld active interrogator...
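The two-cell comparison Clive Robinson sketches above, together with the directional-antenna search the catalog entry describes, worked through as an added illustration; this is not code from the post, the catalog, or any device. It assumes free-space (Friis) propagation at 900 MHz, an idealised cardioid antenna pattern with a 20 dB front-to-back ratio, and constructed sweep readings; real urban path loss grows faster with distance than free space, which generally widens the nearby unit's advantage rather than narrowing it.

```python
"""Added example: why a 100 mW handheld unit a few hundred yards away can
out-shout a 20 W tower five miles off, and how a signal-strength sweep with a
directional antenna yields a bearing to a handset.  Free-space propagation and
the antenna pattern are simplifying assumptions, not measured data."""
import math

MILE_KM = 1.609344
YARD_KM = 0.0009144


def watts_to_dbm(watts):
    """Convert transmit power in watts to dBm."""
    return 10.0 * math.log10(watts * 1000.0)


def fspl_db(d_km, f_mhz):
    """Free-space path loss (Friis form), distance in km, frequency in MHz."""
    return 20.0 * math.log10(d_km) + 20.0 * math.log10(f_mhz) + 32.44


def rx_dbm(tx_dbm, d_km, f_mhz, gain_db=0.0):
    """Received level at the handset for a given transmitter (assumed free space)."""
    return tx_dbm + gain_db - fspl_db(d_km, f_mhz)


def rank_cells(cells, f_mhz):
    """cells: {name: (tx_watts, distance_km)} -> {name: rx_dbm}, strongest first."""
    levels = {n: rx_dbm(watts_to_dbm(p), d, f_mhz) for n, (p, d) in cells.items()}
    return dict(sorted(levels.items(), key=lambda kv: kv[1], reverse=True))


def strongest_cell(cells, f_mhz):
    """Name and level of the cell a handset ranking purely on received level prefers."""
    name, level = next(iter(rank_cells(cells, f_mhz).items()))
    return name, level


def antenna_gain_db(offset_deg, front_to_back_db=20.0):
    """Idealised cardioid pattern (assumption): 0 dB on boresight, limited to
    -front_to_back_db directly behind the antenna."""
    c = (1.0 + math.cos(math.radians(offset_deg))) / 2.0  # 1 at 0 deg, 0 at 180 deg
    if c <= 0.0:
        return -front_to_back_db
    return max(20.0 * math.log10(c), -front_to_back_db)


def simulate_sweep(true_bearing_deg, level_dbm, step_deg=10):
    """Constructed readings: operator rotates the antenna through 360 degrees and
    logs the handset's uplink level at each step."""
    return [(b, level_dbm + antenna_gain_db(b - true_bearing_deg))
            for b in range(0, 360, step_deg)]


def estimate_bearing(sweep):
    """Bearing at which the target handset reads strongest."""
    return max(sweep, key=lambda reading: reading[1])[0]


if __name__ == "__main__":
    # Constructed scenario from the comment: 20 W tower at 5 miles vs 100 mW
    # handheld interrogator at 250 yards, GSM 900 band.
    scenario = {
        "tower": (20.0, 5 * MILE_KM),
        "handheld": (0.1, 250 * YARD_KM),
    }
    for name, level in rank_cells(scenario, 900.0).items():
        print(f"{name:9s} {level:7.1f} dBm")
    # Constructed DF sweep: handset actually lies at bearing 130 degrees.
    print("bearing estimate:", estimate_bearing(simulate_sweep(130, -70.0)))
```

Under these assumptions the handheld unit arrives roughly 8 dB above the tower, which is the margin Clive's handover argument relies on; the sweep function shows why the catalog pairs a signal-strength tone with a directional antenna rather than an omni.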

Benni • March 4, 2014 6:01 PM

@ Benni,
It could even be a hand held unit.

From the capabilities, certainly. But from the viewpoint that you need a proof of NSA associated with killing people, it would be interesting if we could know on what aeroplane active interrogator is mounted.

By the way, the operation FLYING PIG was this one where they impersonate Google in SSL connections: https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html

After Apple's iOS, https://www.imperialviolet.org/2014/02/22/applebug.html, now the open source GnuTLS library has a bug that omits to check the certificate: http://goo.gl/8qRxLa

It would be interesting whether OpenSSH or Windows CryptoAPI have similar things...

Patrick Y • March 4, 2014 7:34 PM

Given that the display is an oddball size of e-ink, and that there are only one or two companies making e-ink displays, it seems like it would be easy to figure out (at least for people in the vending company) who is procuring the parts, and maybe unmask the company that is making the stuff for the NSA, or at least unmask a front company used for procurement.

Josh Rubin • March 4, 2014 8:45 PM

Re choice of codeword WaterWitch:

Any reader not familiar with the magical device known as a "dowsing rod" should look at this:


Dowsing is a magical technique for finding water. The name WaterWitch makes good sense if you know of this bit of folklore.

Benni • March 6, 2014 1:50 PM

This here is an interesting view on that drone strikes:

Well, I think it is safe to say, as long as it is like this, all these TAO implants must be published in the open.


Hamid Karzai was in the midst of negotiating a security agreement with the United States when he met a 4-year-old girl who had lost half her face in an American airstrike. Five months later, the Afghan president’s eyes welled with tears as he described visiting the disfigured little girl at a hospital. He took long pauses between words. Sitting behind his desk Saturday night, the man who has projected a defiant image toward the West suddenly looked frail.

“That day, I wished she were dead, so she could be buried with her parents and brothers and sisters” — 14 of whom had been killed in the attack — he said.

In an unusually emotional interview, the departing Afghan president sought to explain why he has been such a harsh critic of the 12-year-old U.S. war effort here. He said he’s deeply troubled by all the casualties he has seen, including those in U.S. military operations. He feels betrayed by what he calls an insufficient U.S. focus on targeting Taliban sanctuaries in Pakistan. And he insists that public criticism was the only way to guarantee an American response to his concerns.

Benni • March 6, 2014 2:02 PM

Karzai describes the Taliban. He describes them to be top experts in advanced drone swatting. these bastards sell their phones to families:


“Of course, there are other issues as well, secondary to civilian casualties. The private security firms, the parallel government structures, the contracts given to people, to individuals, causing corruption. And, of course, in a deeper way, reflecting a deeper lack of agreement between us, the way the so-called war on terror was fought. The sanctuaries were left alone outside Afghanistan and Pakistan, but the civilian villages were attacked. So when I say civilian casualties and when I say the incorrect strategy, the attack on the Afghan villages, that is exactly the crux of the difficulties.”

RGP Security • September 30, 2014 12:31 AM

What we see here is a spectacular compromise of extremely important classified information. Enemies of the US now know a lot more about American methods and capabilities than they may have known before.

One can be sure that all of these documents have been gone over with a fine-toothed comb by Moscow and Beijing.

Clive Robinson • September 30, 2014 4:09 AM

@ RGP,

One can be sure that all of these documents have been gone over with a fine-toothed comb by Moscow and Beijing.

Yes, probably four or five years before Ed Snowden started collecting the info. Simple logic dictates that if Ed could gather that amount of information and the NSA did not have a clue, then their internal controls are grossly deficient to the point of uselessness.

And a study of human nature will tell you that others will have exploited such failings for profit or ideology.

As for "capabilities" nearly all of them are stolen / copied from other people in the private sector, usually without accreditation or payment.

For this TAO device go and read the 1996 book "Takedown" by Tsutomu Shimomura and journalist John Markoff.

In there you will find a description of Shimomura modifying a mobile phone into a tracking device. He is also known to have worked for and with the NSA, as well as testifying before Congress on the security, or lack thereof, of cellular phones.

All of which raises the "chicken and egg" question over this device and Shimomura... Did Shimomura think up the attack himself, or was it something he saw in the NSA and copied, and then wrote up as self promotion, and in the process performed what you call "a spectacular compromise of extremely important classified information"?

The simple fact is all the TAO catalogue has shown is just how far behind the curve the NSA is, and just what a bunch of idea-stealing low lifes they are, and thus not due any respect whatsoever.

RGP Security • October 1, 2014 11:57 AM

@ Clive,

Yes, Snowden robbed the cookie jar and he got away. A series of safeguards must have failed: counter-intelligence, physical security, etc.

But one does not usually think of "NSA" and "behind the curve" in the same sentence.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.