(S//SI//REL) Modified GSM (target) handset that collects user data, location information and room audio. Command and data exfill is done from a laptop and regular phone via SMS – (Short Message Service), without alerting the target.


(S//SI) Target Data via SMS:
• Incoming call numbers
• Outgoing call numbers
• Recently registered networks
• Recent Location Area Codes (LAC)
• Cell power and Timing Advance information (GEO)
• Recently Assigned TMSI, IMSI
• Recent network authentication challenge responses
• Recent successful PINs entered into the phone during the power-on cycle
• SW version of PICASSO implant
• ‘Hot-mic’ to collect Room Audio
• Panic Button sequence (sends location information to an LP Operator)
• Send Targeting Information (i.e. current IMSI and phone number when it is turned on – in case the SIM has just been switched).
• Block call to deny target service.


(S//SI) PICASSO Operational Concept
(S//SI//REL) Uses include asset validation and tracking and target templating. Phone can be hot mic`d and has a “Panic Button” key sequence for the witting user.


(S//SI//REL) Handset Options
• Eastcom 760c+
• Samsung E600, X450
• Samsung C140
• (With Arabic keypad/language option)


Status: 2 weeks ARO (10 or less)
Unit Cost: approx $2000


Thank you for taking the time to read this article! As always keep the faith!
The NSA’s original documentation on PICASSO



The following two tabs change content below.
Preston Hood
Hello, my name is Preston Hood. I am the owner of PJHoodsCo, an Information Technology Service Provider (ITSP). I am also a freelance writer and information security researcher.
Preston Hood

Latest posts by Preston Hood (see all)

Categories: Information Technology, IT Security, and Preston Hood.


Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>