PICASSO: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:

PICASSO (S//SI//REL) Modified GSM (target) handset that collects user data, location information and room audio. Command and data exfil is done from a laptop and regular phone via SMS (Short Messaging Service), without alerting the target.
(S//SI) Target Data via SMS:

• Incoming call numbers
• Outgoing call numbers
• Recently registered networks
• Recent Location Area Codes (LAC)
• Cell power and Timing Advance information (GEO)
• Recently Assigned TMSI, IMSI
• Recent network authentication challenge responses
• Recent successful PINs entered into the phone during the power-on cycle
• SW version of PICASSO implant
• 'Hot-mic' to collect Room Audio
• Panic Button sequence (sends location information to an LP Operator)
• Send Targeting Information (i.e. current IMSI and phone number when it is turned on -- in case the SIM has just been switched).
• Block call to deny target service.

(S//SI//REL) Handset Options

• Eastcom 760c+
• Samsung E600, X450
• Samsung C140
• (with Arabic keypad/language option)

(S//SI) PICASSO Operational Concept
(S//SI//REL) Uses include asset validation and tracking and target templating. Phone can be hot mic'd and has a "Panic Button" key sequence for the witting user.
Status: 2 weeks ARO (10 or less)
Unit Cost: approx $2000

Page, with graphics, is here. General information about TAO and the catalog is here.