(Updated: December 20, 2015)
In recently published charts from NSA's BOUNDLESSINFORMANT tool about France, Spain, Norway and Afghanistan we see the mysterious term DRTBOX. For example, the screenshot for Norway presents 33 million telephony metadata, which were collected from mobile phone networks by a facility designated US-987F and processed/analysed by DRTBOX:
Unlike what it seems, DRTBOX is not a codename, but part of a wireless surveillance system, made by a company generally known as DRT. This article will show that this company manufactures a range of sophisticated surveillance and tracking devices, used by US law enforcement and signals intelligence agencies.
- Digital Receiver Technology, Inc. - Law enforcement -
- Signals intelligence - Foreign usage -
- . - . - . - . - .-
- Signals intelligence - Foreign usage -
- . - . - . - . - .-
Digital Receiver Technology, Inc.
DRT is the abbreviation of Digital Receiver Technology, Inc. This company was formerly known as Utica Systems, Inc. and founded in 1980 in Frederick, Maryland, to produce devices for what was called the "Communications Surveillance Community". The company developed a solid reputation for communication equipment based on Digital Signal Processing (DSP).
In October 1997, the company adopted its current name and moved to a new plant in Germantown in April 1998. DRT was purchased by Boeing in December 2008 and is now a wholly-owned subsidiary of this major US military contractor. DRT continued its production of state-of-the-art DSP-based equipment and was described as a "key supplier in the growing SIGINT market" in 2009.
In 2010, Boeing also acquired Argon ST and combined with DRT this created a "SIGINT powerhouse", giving Boeing a competitive advantage in the SIGINT market, according to market analysts. In 2011, both acquisitions were consolidated into the new Electronic & Mission Systems (E&MS) division of the Boeing company.
In fall 2012, DRT moved to a new facility in the Milestone area of Germantown. This facility comprises 135,000 sq. ft. with approximately 50,000 sq. ft. dedicated to equipment manufacture, and the remainder dedicated to offices and engineering development laboratories:
The headquarters of Digital Receiver Technology, Inc. in Germantown, MD.
Currently, the company's homepage only advertises miniature multi-format wireless communications scanners to be used by the wireless industry for measurement and testing purposes. As an example, the website shows two products from the 4300-series.
But: "Due to the sensitive nature of our work, we are unable to publicly advertise many of our products". This is followed by contact information for commercial customers and for "all other" customers, which are obviously government agencies. Latter can contact DRT through a mail address and also by calling toll free: "(866) DIRTBOX" - a clear hint to the DRTBOX mentioned in the NSA screenshots.
Just like many other military contractors in recent years, DRT also removed information about national security related products from its website. Between 2003 to 2009, earlier versions of DRT's homepage frankly said:
"DRT designs and manufactures advanced electronic equipment to support the missions of the US Signals Intelligence (SIGINT) and law enforcement communities. The current product line includes a variety of portable and rack-mounted wireless communications receivers capable of processing a variety of modern wireless protocols. For more information about these products, please contact DRT."
A good example of the devices which DRT manufatures and develops for use by law enforcement agencies is given by the company itself, in trying to open new markets.
In 2010, Boeing, on behalf of its subsidiary DRT, submitted a statement (pdf) before the National Telecommunications and Information Administration (NTIA) in reaction to an inquiry regarding contraband cell phone use in prisons. The statement says that:
"DRT has developed a device that emulates a cellular base station to attract cell phones for a registration process even when they are not in use. During this registration process calls are not disrupted. All calls, including 911 calls, are released, including those made from the contraband cell phones. The DRT device identifies cell phones as “not of interest” or “of interest” (i.e., the contraband cell phones).
Cell phones not of interest, such as those belonging to prison personnel or commercial users in the area, are returned to their local network. Cell phones of interest are forced to transmit so that the DRT device can locate them by calculating a line of bearing.
In one mode of operation, the DRT device then returns the cell phone to its network, permitting it to send and receive calls. In another mode of operation designed for use by federal law enforcement entities, the cell phone can be locked onto the DRT device, preventing its contraband use."
Boeing wanted NTIA to recommend to Congress that the Communications Act of 1934 should be modified in order to allow prison officials and state and local law enforcement to use these kinds of cell phone management, prevention or location technologies. Currently, only federal agencies, like the FBI, are allowed to use devices that jam or block wireless communications. Federal Communications Commission (FCC) licensing should also apply, for which Boeing delivered a similar statement in 2012.
A similar device (also known as IMSI Catcher, Cell-site Simulator or Digital Analyzer) used by American law enforcement agencies for tracking and intercepting cell phones is called StingRay, which is manufactured by the Harris Corp. The price of a StingRay device is between 60.000,- and 175.000,- USD. Harris also provides related equipment under the nicknames AmberJack, KingFish, TriggerFish and LoggerHead.
In December 2010, DRT participated in a pilot at the Maryland Correctional Institution-Jessup (MCIJ). After sensors were placed, DRT collected data showing when cell phones were turned off, turned on and registered with the nearest cell phone tower. Data were send to a laptop used to record the data and the company then analyzed the time and length of messages over the course of the pilot. A portable sensor was used to identify particular cells that had a high probability of cell phone usage within.
In 2012, DRT was selected to develop and implement a Managed Access System (MAS) for the California State Prison system. A MAS is used to allow authorized cell phones to connect to the standard carrier networks, while preventing unauthorized cell phones (like from inmates) from connecting to the carrier networks.
The aforementioned Boeing statement claimed that DRT's cell phone management, prevention and location technologies could also provide important benefits in a wide variety of law enforcement situations outside the prison context. For example, Special Weapons and Tactics (SWAT) teams and other paramilitary tactical units could effectively control wireless communications by suspects in a building during a raid.
Boeing carefully described only those future applications for which regulations have to be changed - trying not to admit that DRT systems are already used at the federal level for decades. They provide agencies like FBI with some powerful tools (DRT devices can be used to perform a man-in-the-middle attack), although they are expensive and must be operated by highly trained law enforcement personnel.
At the FBI, the DRT systems are likely operated by the Data Intercept Technology Unit (DITU), which is a highly secretive division specialised in intercept technology. DITU is also responsible for collecting data from US internet companies under NSA's PRISM program. For these federal agencies, a presentation about DRT devices was given at the 10th FED TECH Interagency Technical Training Conference, held in San Diego in January 2010:
In this schedule we see "DRT Box" again, but apart from a LinkedIn-profile, this term is rarely found and therefore it's not really clear what it stands for. At first glance it seems that DRTBox simply refers to box-like surveillance devices, but if we look at the BOUNDLESSINFORMANT screenshots, we see that the actual data collection is done by facilities designated by SIGADs and that DRTBOX is in the same section as for example XKEYSCORE, which means DRTBOX is probably an integrated indexing and analysing system for wireless communications data, just like XKEYSCORE is for internet data.
On November 13, 2014, the Wall Street Journal broke a story saying that since 2007, the Technical Operations Group of the US Marshals uses "dirtboxes" aboard Cessna aircraft operating from at least five metropolitan-area airports. The DRTBoxes mimic cell towers and trick cellphones to collect identity and location information on cell phone users, this in order to track and catch criminals like drug-traffickers.
The FBI is apparently using the similar Stingray devices only to collect phone metadata, not content, for which individual warrants would be required.
Where the FBI uses systems from Digital Receiver Technology domestically, the NSA is most likely the main customer for use abroad. On a website for Signals Intelligence (SIGINT) and Electronic Warfare (EW), DRT is listed as a provider of:
- SIGINT Design Engineering Services
- SIGINT Consulting Services
- Communications ESM Systems
- COMINT Systems
- RF Receivers
DRT products for signals intelligence missions include high performance Software Definable Receiver (SDR) and transceiver products, including multi-channel platforms for man-portable, mobile and airborne applications, aboard RC-135 Rivet Joint, Combat Sent or Cobra Ball aircraft.
From various public job descriptions it becomes clear that DRT devices are widely used in tactical ground operations, where they are part of the equipment used by SIGINT/EW collection teams assigned to field deployed Special Forces Groups. These are so-called Low Level Voice Intercept (LLVI) devices.
DRT systems are also used as remote controlled collection systems, with the surveillance devices installed at fixed locations, like in areas where there's widespread hostile cell phone or radio use. The collected data go to ONEROOF, which is NSA's main tactical SIGINT database, containing raw and unfiltered intercepts.
Low Level Voice Intercept equipment being used during a field operation.
It's not clear whether the device in the video is from DRT,
but it's certainly very similar.
DRT SIGINT products
A job description for a SIGINT Systems Engineer (job location: Fort Meade) requires "experience working with SIGINT systems, especially on systems utilizing Digital Receiver Technology (DRT) Series 1000 and 2000 equipment" and also familiarity "with the software used to control the DRT systems". Software used for the 1000 series product line is called Alaska.
More specific designations of DRT devices from the 1000-series can be found in various other job resumes, reading like "SIGINT/EW collection and exploitation systems, to include the DRT-1101A/1301B/1501, MINI-EXPIATION, HIDRAH, LOGGERHEAD, Harris Suite (STINGRAY, KINGFISH, BLACKFIN, GOSSAMER), AR-8200, Explorer/Scout, and the PRD-13v2/ISSMS".
The DRT 1101A was a second generation wireless communications receiver developed by DRT around the year 2000. DRT's former website described the device as follows:
"The DRT 1101A provides a compact, yet powerful, test and measurement capability for a variety of first and second generation wireless standards. The system also possesses the capability to detect and extract cellular FAX signals. The system is based on an industry-standard bus format, and uses the latest in digital signal processing (DSP) and microprocessor technology."
Another device from the 1000-series is the DRT 1301C, which is used by Special Operations Forces:
"The DRT 1301C, manufactured by Digital Receiver Technology, Inc., is a portable, ruggedized radio designed for operations in tactical and/or harsh environments. It provides a miniature yet powerful surveillance capability. The radio has a frequency range of 20-3000 MHz and operates against a variety of analog and digital wireless standards. The transmitter has a power output range of <1 W (standby) to 75 W (48 channels, 3 tuners); it weighs 10.5 lb and measures 3 in. (H) by 8.5 in. (W) by 11.2 in. (D)."
An example of a DRT device from the 2000-series is the DRT 2101A, which was described as:
"a compact wideband tuner system consisting of up to eight wideband tuner modules, each covering the 0.5 MHz to 3 GHz frequency band. Each tuner module has a 30-MHz instantaneous bandwidth and can be operated in either an independently or coherently tuned mode under software control. The tuner module is factory configured to provide a high-level analog baseband output."The Internet Archive also contains this picture of the DRT 2101A device as it looked in 2003:
A close look at the device shows that it consists of separate modules (here in a vertical position) which can be added depending on the specific needs. See for example this description of the Wireless Processor Module 2 (WPM2).
The Military Intelligence School's System Training Plan (pdf) from October 2013 about the Prophet Electronic Support System says that DRT devices are used in the Prophet Sensor vehicles, which are the ground-based tactical SIGINT collection components of the Prophet system:
- A DRT 1201B receiver is in the Prophet Spiral 1 Sensor (military designation: AN/MLQ-40(V)4), which is a M1102 tactical trailer, pulled by a M1165 B3 three-seat, fully armored High-Mobility Multipurpose Wheeled Vehicle (HMMWV or Humvee). Two Panasonic Toughbooks CF29 or CF30, running mission and communications software packages, control the DRT 1201B and enable the reporting and processing of intelligence. An AN/VRC-99 line-of-site radio provides data access to NSANET.
- A second DRT 1301C receiver-processor for man-packable operations is in the Prophet Enhanced Sensor.
- A DRT 1201 receiver is in the fixed-site version of the Prophet Enhanced Sensor, which also contains a BAT-1214 SATCOM terminal and a DF90/DF80/MS Antenna, among other equipment.
- A DRT 1301C is in the Mobile-At-the-Halt configuration, along with a DF90 antenna, and BAT-750 SATCOM terminal. Here, the DRT 1301C can also be reused in a man-packed configuration.
- A DRT 1201C replaces the DRT 1201B in a fourth variant of the Prophet Enhanced Sensor in stationary fixed-site configuration. The DRT 1201C device is described as a next generation receiver-processor that increases collection capability and enables future upgrades.
(similar SIGINT equipment for the Prophet system is developed by the Linkabit division of L-3 Communications)
The tactical deployed DRT systems are mainly used for operations in Iraq and Afghanistan, but it's very well possible that the equipment was also used at the joint NSA-CIA Special Collection Service (SCS) unit in the US embassy in Berlin, which intercepted the mobile phone of German chancellor Merkel.
On May 5, 2015, the website The Intercept published a 2006 NSA presentation about the RT10 collection effort, which was part of the Real Time-Regional Gateway (RT-RG) for Iraq, and later also for Afghanistan. This presentation includes a slide which shows that DRT (like MATTERHORN and EXPIATION) is used for the tactical interception of wireless GSM traffic:
Diagram showing tactical and national interception efforts for GSM communications
In the bottom left corner DRT is mentioned as one of the tactical systems
(JUG = JUGGERNAUT, a cell phone network interception system)
(G-Box = GARUDA, an airborne geo-location system for GSM)
(Click to enlarge)
On December 17, 2015, The Intercept published a range of pages from a classified catalogue containing cellphone surveillance equipment. Included are illustrated entries for six different DRT devices: DRT 1101B, 1183B, 1201C, 1301C, 1301B3 and 4411B. Some of them are able to intercept and record of up to 24 voice channels and support target lists of up to 10.000 entries. Their price ranges from 40.000,- to 100.000,- USD. According to The Intercept, these DRT boxes can "track more than 200 phones over a wider range than the Stingray".
The DRT 1101B device for direction-finding and interception and
recording of up to 16 voice channels (with modules in a horizontal position)
(photo from the surveillance catalogue)
Of course not only American agencies are using this kind of interception equipment. The FBI reportedly removed from several cell phone towers in the Washington DC area transmitters that fed all data to wire rooms at foreign embassies.*
On December 13, 2014, it was reported that DRT-like cell phone interception devices were found near important government offices and buildings in the city center of the Norwegian capital Oslo. In March 2015, it came out that these devices were actually placed by the Norwegian police and the Police Security Service PST, without properly informing the country’s National Communications Authority.
Besides by DRT and Harris, IMSI-catchers are also manufactured by some foreign companies, like for example the German high-tech firm Rohde & Schwarz (which patented such equipment in 2003), and the Israeli company Ability, which openly advertises their IMSI-catchers.
- Zone d'Intérêt: U.S. Intelligence Support to Find, Fix, Finish Operations (2015)
- Gizmodo.com: Here Is the Spy Equipment That Powers the FBI's Secret Dragnet
- Harvard Law review article: Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and Its Impact on National Security and Consumer Privacy
- Heise.de: Solange keiner meckert - Wie IMSI-Catcher unauffällig legalisiert wurden
- Matt Blaze: How Law Enforcement Tracks Cellular Phones
- WaPo.com: New documents show how the NSA infers relationships based on mobile location data
- USAToday.com: NSA Phone Tracking
- Volkskrant.nl: De DRT2101A: het apparaat waarmee de NSA telefoons afluistert
- List of 217 part numbers from Digital Receiver Technology, Inc.
- Presentation about Digital receiver technology for RWR, ESM and ELINT applications (pdf)
- Washington Institute: Stabilizing Iraq: Intelligence Lessons for Afghanistan
- Journal of Electronic Defense: What's New in SIGINT software?
- Overview: Toward a Universal Radio Frequency System for Special Operations Forces (pdf)