TAWDRYYARD: NSA Exploit of the Day
Back in December, Der Spiegel published a lot of information about the
NSA's Tailored Access Operations (TAO) group, including a 2008 catalog
of hardware and software "implants." Because there were so many items
in the catalog, the individual items didn't get a lot of discussion. By
highlighting an individual implant every day, my goal is to fix that.
Today's item:
TAWDRYYARD
(TS//SI//REL TO USA,FVEY) Beacon RF retro-reflector. Provides return
when illuminated with radar to provide rough positional location.
(U) Capabilities
(TS//SI//REL TO USA,FVEY) TAWDRYYARD is
used as a beacon, typically to assist in locating and identifying
deployed RAGEMASTER units. Current design allows it to be detected and
located quite easily within a 50' radius of the radar system being used
to illuminate it. TAWDRYYARD draws as 8 μA at 2.5V (20μW) allowing a
standard lithium coin cell to power it for months or years. The
simplicity of the design allows the form factor to be tailored for
specific operational requirements. Future capabilities being considered
are return of GPS coordinates and a unique target identifier and
automatic processing to scan a target area for presence of TAWDRYYARDs.
All components are COTS and so are non-attributable to NSA.
Concept of Operation
(TS//SI//REL TO USA,FVEY) The board
generates a square wave operating at a preset frequency. This square
wave is used to turn a FET (field effect transistor) on and off. When
the unit is illuminated with a CW signal, the illuminating signal is
amplitude-modulated (AM) with the square wave. This signal is
re-radiated, where it is picked up by the radar, then processed to
recover the clock signal. Typically, the fundamental is used to indicate
the unit's presence, and is simply displayed on a low frequency
spectrum analyzer. TAWDRYYARD is part of the ANGRYNEIGHBOR family of
radar retro-reflectors.
Unit Cost: $30
Status: End processing still in development.
Page, with graphics, is here. General information about TAO and the
catalog is here.
In the comments, feel free to discuss how the exploit works, how we
might detect it, how it has probably been improved since the catalog
entry in 2008, and so on.
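The receive side of the concept of operation quoted above, modeled as an added example (not from the catalog or the original post): a CW return whose amplitude is switched by a square wave is reduced to its envelope, and the fundamental is picked out of a low-frequency spectrum. The 400 Hz switching frequency, sample rate, reflection depth and noise level are constructed values; the catalog gives none of them.

```python
import math
import random

def simulated_envelope(f_tag_hz, fs_hz, n, tag_depth=0.02, noise=0.005, seed=1):
    """Receiver envelope after the CW carrier is mixed down to DC.

    Static clutter returns a constant 1.0; the FET adds a reflection of
    size tag_depth during the 'on' half of each square-wave period.
    All numbers are constructed for illustration.
    """
    rng = random.Random(seed)
    samples = []
    for k in range(n):
        fet_on = (k * f_tag_hz / fs_hz) % 1.0 < 0.5
        samples.append(1.0 + (tag_depth if fet_on else 0.0) + rng.gauss(0.0, noise))
    return samples

def low_freq_spectrum(samples, fs_hz, f_max_hz):
    """(frequency, amplitude) pairs from a plain DFT, DC removed."""
    n = len(samples)
    mean = sum(samples) / n
    x = [s - mean for s in samples]
    out = []
    for b in range(1, int(f_max_hz * n / fs_hz) + 1):
        w = 2.0 * math.pi * b / n
        re = sum(v * math.cos(w * k) for k, v in enumerate(x))
        im = sum(v * math.sin(w * k) for k, v in enumerate(x))
        out.append((b * fs_hz / n, 2.0 * math.hypot(re, im) / n))
    return out

def find_fundamental(samples, fs_hz, f_max_hz, ratio=8.0):
    """Strongest line if it stands `ratio` times above the median bin, else None."""
    bins = low_freq_spectrum(samples, fs_hz, f_max_hz)
    floor = sorted(a for _, a in bins)[len(bins) // 2]
    freq, amp = max(bins, key=lambda fa: fa[1])
    return (freq, amp) if amp > ratio * floor else None

if __name__ == "__main__":
    FS, N, F_TAG = 4000, 1000, 400          # constructed values
    print("reflector present:", find_fundamental(simulated_envelope(F_TAG, FS, N), FS, 1500))
    print("reflector absent: ", find_fundamental(simulated_envelope(F_TAG, FS, N, tag_depth=0.0), FS, 1500))
```

The same spectrum also shows the square wave's odd harmonics at lower amplitude, which is why the catalog text singles out the fundamental as the presence indicator.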