Entries Tagged "exploit of the day"


ENTOURAGE: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

ENTOURAGE

(S//SI//REL) Direction Finding application operating on the HOLLOWPOINT platform. The system is capable of providing line of bearing for GSM/UMTS/CDMA2000/FRS signals. A band-specific antenna and laptop controller is needed to complement the HOLLOWPOINT system and completes the ground based system.

(S//SI) The ENTOURAGE application leverages the 4 Software Defined Radio (SDR) units in the HOLLOWPOINT platform. This capability provides an “Artemis-like” capability for waveforms of interest (2G,3G,others). The ENTOURAGE application works in conjunction with the NEBULA active interrogator as part of the Find/Fix/Finish capabilities of the GALAXY program.

(S//SI//REL) Features:

  • Software Defined Radio System
  • Operating range 10MHz – 4GHz
  • 4 Receive paths, all synchronized
  • 1 Transmit path
  • DF capability on GSM/UMTS/CDMA2000/FRS signals
  • Gigabit Ethernet
  • Integrated GPS
  • Highly Mobile and Deployable

(S//SI//REL) Enclosure:

  • 1.8″H x 8.0″W x 8.0″D
  • Approximately 3 lbs
  • 15 Watts
  • Passively cooled

(S//SI//REL) Future Developments:

  • WiMAX
  • WiFi
  • LTE

Status: The system is in the final testing stage and will be in production Spring 09.

Unit Cost: $70K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 26, 2014 at 2:38 PM

EBSR: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

EBSR

(S//SI//REL) Multi-purpose, Pico class, tri-band active GSM base station with internal 802.11/GPS/handset capability.

(S//SI//REL) Operational Restrictions exist for equipment deployment.

(S//SI//REL) Features:

  • LxT Model: 900/1800/1900MHz
  • LxU Model: 850/1800/1900MHz
  • Pico-class (1Watt) Base station
  • Optional Battery Kits
  • Highly Mobile and Deployable
  • Integrated GPS, MS, & 802.11
  • Voice & High-speed Data
  • SMS Capability

(S//SI//REL) Enclosure:

  • 1.9″H x 8.6″W x 6.3″D
  • Approximately 3 lbs
  • Actively cooled for extreme environments

(S//SI//REL) EBSR System Kit:

  • EBSR System
  • AC/DC power converter
  • Antenna to support MS, GPS, WIFI, & RF
  • LAN, RF, & USB cables
  • Pelican Case
  • (Field Kit only) Control Laptop and Accessories

(S//SI//REL) Separately Priced Options:

  • 90 WH LiIon Battery Kit

(S//SI//REL) Base Station Router Platform:

  • Multiple BSR units can be interconnected to form a macro network using 802.3 and 802.11 back-haul.
  • Supports Landshark/Candygram capabilities.

Status:

Unit Cost: $40K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 25, 2014 at 2:11 PM

CYCLONE Hx9: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

CYCLONE Hx9

(S//SI//FVEY) EGSM (900MHz) macro-class Network-In-a-Box (NIB) system. Uses the existing Typhon GUI and supports the full Typhon feature base and applications.

(S//SI//REL) Operational Restrictions exist for equipment deployment.

(S//SI//REL) Features:

  • EGSM 900MHz
  • Macro-class (+43dBm)
  • 32+Km Range
  • Optional Battery Kits
  • Highly Mobile and Deployable
  • Integrated GPS, MS, & 802.11
  • Voice & High-speed Data
  • GSM Security & Encryption

(S//SI//REL) Advanced Features:

  • GPS—Supporting Typhon applications
  • GSM Handset Module—Supports auto-configuration and remote command and control features.
  • 802.11—Supports high speed wireless LAN remote command and control

(S//SI//REL) Enclosure:

  • 3.5″H x 8.5″W x 9″D
  • Approximately 8 lbs
  • Actively cooled for extreme environments

(S//SI//REL) Cyclone Hx9 System Kit:

  • Cyclone Hx9 System
  • AC/DC power converter
  • Antenna to support MS, GPS, WIFI, & RF
  • LAN, RF, & USB cables
  • Pelican Case
  • (Field Kit only) Control Laptop and Accessories

(S//SI//REL) Separately Priced Options:

  • 800 WH LiIon Battery Kit

(S//SI//REL) Base Station Router Platform:

  • Overlay GSM cellular communications supporting up to 32 Cyclone Mx9 systems providing full mobility and utilizing a VoIP back-haul.
  • GPRS data service and associated application

Unit Cost: $70K for two months

Status: Just out of development, first production runs ongoing.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 24, 2014 at 2:44 PM

CROSSBEAM: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

CROSSBEAM

(TS//SI//REL) CROSSBEAM is a GSM module that mates a modified commercial cellular product with a WAGONBED controller board.

(TS//SI//REL) CROSSBEAM is a reusable CHIMNEYPOOL-compliant GSM communications module capable of collecting and compressing voice data. CROSSBEAM can receive GSM voice, record voice data, and transmit the received information via connected modules or 4 different GSM data modes (GPRS, Circuit Switched Data, Data Over Voice, and DTMF) back to a secure facility. The CROSSBEAM module consists of a standard ANT architecture embedded computer, a specialized phone component, a customized software controller suite and an optional DSP (ROCKYKNOB) if using Data Over Voice to transmit data.

Status: Limited Supply Available

Unit Cost: $4k

Delivery: 90 days for most configurations

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 21, 2014 at 2:41 PM

CANDYGRAM: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

CANDYGRAM

(S//SI//REL) Mimics GSM cell tower of a target network. Capable of operations at 900, 1800, or 1900 MHz. Whenever a target handset enters the CANDYGRAM base station’s area of influence, the system sends out an SMS through the external network to registered watch phones.

(S//SI//REL) Typical use scenarios are asset validation, target tracking and identification as well as identifying hostile surveillance units with GSM handsets. Functionality is predicated on a priori target information.

(S//SI//REL) System HW

  • GPS processing unit
  • Tri-band BTS radio
  • Windows XP laptop and cell phone*
  • 9″ wide x 12″ long x 2″ deep
  • External power (9-30 VDC).

*Remote control software can be used with any connected to the laptop (used for communicating with the CANDYGRAM unit through text messages (SMS).

(S//SI//REL) SW Features

  • Configurable 200 phone number target deck.
  • Network auto-configuration
  • Area Survey Capability
  • Remote Operation Capability
  • Configurable Network emulation
  • Configurable RF power level
  • Multi-Units under single C&C
  • Remote restart
  • Remote erasure (not field recoverable)

Status: Available 8 mos ARO

Unit Cost: approx $40K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 20, 2014 at 2:11 PM

TOTEGHOSTLY 2.0: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

TOTEGHOSTLY 2.0

(TS//SI//REL) TOTEGHOSTLY 2.0 is a STRAITBIZARRE-based implant for the Windows Mobile embedded operating system and uses the CHIMNEYPOOL framework. TOTEGHOSTLY 2.0 is compliant with the FREEFLOW project, therefore it is supported in the TURBULENCE architecture.

(TS//SI//REL) TOTEGHOSTLY 2.0 is a software implant for the Windows Mobile operating system that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control, and data exfiltration can occur over SMS messaging or a GPRS data connection. A FRIEZERAMP interface using HTTPSlink2 transport module handles encrypted communications.

(TS//SI//REL) The initial release of TOTEGHOSTLY 2.0 will focus on installing the implant via close access methods. A remote installation capability will be pursued for a future release.

(TS//SI//REL) TOTEGHOSTLY 2.0 will be controlled using an interface tasked through the NCC (Network Control Center) utilizing the XML based tasking and data forward scheme under the TURBULENCE architecture following the TAO GENIE Initiative.

Unit Cost: $0

Status: (U) In development

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 19, 2014 at 2:18 PM

TOTECHASER: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

TOTECHASER

(TS//SI//REL) TOTECHASER is a Windows CE implant targeting the Thuraya 2520 handset. The Thuraya is a dual mode phone that can operate either in SAT or GSM modes. The phone also supports a GPRS data connection for Web browsing, e-mail, and MMS messages. The initial software implant capabilities include providing GPS and GSM geo-location information. Call log, contact list, and other user information can also be retrieved from the phone. Additional capabilities are being investigated.

(TS//SI//REL) TOTECHASER will use SMS messaging for the command, control, and data exfiltration path. The initial capability will use covert SMS messages to communicate with the handset. These covert messages can be transmitted in either Thuraya Satellite mode or GSM mode and will not alert the user of this activity. An alternate command and control channel using the GPRS data connection based on the TOTEGHOSTLY implant is intended for a future version.

(TS//SI//REL) Prior to deployment, the TOTECHASER handsets must be modified. Details of how the phone is modified are being developed. A remotely deployable TOTECHASER implant is being investigated. The TOTECHASER system consists of the modified target handsets and a collection system.

(TS//SI//REL) TOTECHASER will accept configuration parameters to determine how the implant operates. Configuration parameters will determine what information is recorded, when to collect that information, and when the information is exfiltrated. The configuration parameters can be set upon initial deployment and updated remotely.

Unit Cost: $

Status:

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 18, 2014 at 2:17 PM

PICASSO: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

PICASSO

(S//SI//REL) Modified GSM (target) handset that collects user data, location information and room audio. Command and data exfil is done from a laptop and regular phone via SMS (Short Messaging Service), without alerting the target.

(S//SI) Target Data via SMS:

  • Incoming call numbers
  • Outgoing call numbers
  • Recently registered networks
  • Recent Location Area Codes (LAC)
  • Cell power and Timing Advance information (GEO)
  • Recently Assigned TMSI, IMSI
  • Recent network authentication challenge responses
  • Recent successful PINs entered into the phone during the power-on cycle
  • SW version of PICASSO implant
  • ‘Hot-mic’ to collect Room Audio
  • Panic Button sequence (sends location information to an LP Operator)
  • Send Targeting Information (i.e. current IMSI and phone number when it is turned on—in case the SIM has just been switched).
  • Block call to deny target service.

(S//SI//REL) Handset Options

  • Eastcom 760c+
  • Samsung E600, X450
  • Samsung C140
  • (with Arabic keypad/language option)

(S//SI) PICASSO Operational Concept

(S//SI//REL) Uses include asset validation and tracking and target templating. Phone can be hot mic’d and has a “Panic Button” key sequence for the witting user.

Status: 2 weeks ARO (10 or less)

Unit Cost: approx $2000

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 17, 2014 at 2:20 PM

MONKEYCALENDAR: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

MONKEYCALENDAR

(TS//SI//REL) MONKEYCALENDAR is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls geolocation information from a target handset and exfiltrates it to a user-defined phone number via short message service (SMS).

(TS//SI//REL) Modern SIM cards (Phase 2+) have an application program interface known as the SIM Toolkit (STK). The STK has a suite of proactive commands that allow the SIM card to issue commands and make requests to the handset. MONKEYCALENDAR uses STK commands to retrieve location information and to exfiltrate data via SMS. After the MONKEYCALENDAR file is compiled, the program is loaded onto the SIM card using either a Universal Serial Bus (USB) smartcard reader or via over-the-air provisioning. In both cases, keys to the card may be required to install the application depending on the service provider’s security configuration.

Unit Cost: $0

Status: Released, not deployed.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 14, 2014 at 3:19 PM

GOPHERSET: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

GOPHERSET

(TS//SI//REL) GOPHERSET is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls Phonebook, SMS, and call log information from a target handset and exfiltrates it to a user-defined phone number via short message service (SMS).

(TS//SI//REL) Modern SIM cards (Phase 2+) have an application program interface known as the SIM Toolkit (STK). The STK has a suite of proactive commands that allow the SIM card to issue commands and make requests to the handset. GOPHERSET uses STK commands to retrieve the requested information and to exfiltrate data via SMS. After the GOPHERSET file is compiled, the program is loaded onto the SIM card using either a Universal Serial Bus (USB) smartcard reader or via over-the-air provisioning. In both cases, keys to the card may be required to install the application depending on the service provider’s security configuration.

Unit Cost: $0

Status: (U//FOUO) Released. Has not been deployed.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 13, 2014 at 2:05 PM
