PICASSO: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:
PICASSO

(S//SI//REL) Modified GSM (target) handset that collects user data, location information and room audio. Command and data exfil is done from a laptop and regular phone via SMS (Short Messaging Service), without alerting the target.
(S//SI) Target Data via SMS:
  • Incoming call numbers
  • Outgoing call numbers
  • Recently registered networks
  • Recent Location Area Codes (LAC)
  • Cell power and Timing Advance information (GEO)
  • Recently Assigned TMSI, IMSI
  • Recent network authentication challenge responses
  • Recent successful PINs entered into the phone during the power-on cycle
  • SW version of PICASSO implant
  • 'Hot-mic' to collect Room Audio
  • Panic Button sequence (sends location information to an LP Operator)
  • Send Targeting Information (i.e. current IMSI and phone number when it is turned on -- in case the SIM has just been switched).
  • Block call to deny target service.
(S//SI//REL) Handset Options
  • Eastcom 760c+
  • Samsung E600, X450
  • Samsung C140
  • (with Arabic keypad/language option)
(S//SI) PICASSO Operational Concept
(S//SI//REL) Uses include asset validation and tracking and target templating. Phone can be hot mic'd and has a "Panic Button" key sequence for the witting user.
Status: 2 weeks ARO (10 or less)
Unit Cost: approx $2000
Page, with graphics, is here. General information about TAO and the catalog is here.

