November 27, 2013

DRTBOX and the DRT surveillance systems

(Updated: January 28, 2014)

In recently published screenshots from NSA's BOUNDLESSINFORMANT tool about France, Spain, Norway and Afghanistan we see the mysterious term DRTBOX. For example, the screenshot for Norway presents 33 million telephony metadata, which were collected from mobile phone networks by a facility designated US-987F and processed/analysed by DRTBOX:



(Click for a bigger version)


Unlike what it seems, DRTBOX is not a codename, but part of a wireless surveillance system, made by a company generally known as DRT. This article will show that this company manufactures a range of sophisticated surveillance and tracking devices, used by US law enforcement and signals intelligence agencies.



Digital Receiver Technology, Inc.

DRT is the abbreviation of Digital Receiver Technology, Inc. This company was formerly known as Utica Systems, Inc. and founded in 1980 in Frederick, Maryland, to produce devices for what was called the "Communications Surveillance Community". The company developed a solid reputation for communication equipment based on Digital Signal Processing (DSP).

In October 1997, the company adopted its current name and moved to a new plant in Germantown in April 1998. DRT was purchased by Boeing in December 2008 and is now a wholly-owned subsidiary of this major US military contractor. DRT continued its production of state-of-the-art DSP-based equipment and was described as a "key supplier in the growing SIGINT market" in 2009.

In 2010, Boeing also acquired Argon ST and combined with DRT this created a "SIGINT powerhouse", giving Boeing a competitive advantage in the SIGINT market, according to market analysts. In 2011, both acquisitions were consolidated into the new Electronic & Mission Systems (E&MS) division of the Boeing company.

In fall 2012, DRT moved to a new facility in the Milestone area of Germantown. This facility comprises 135,000 sq. ft. with approximately 50,000 sq. ft. dedicated to equipment manufacture, and the remainder dedicated to offices and engineering development laboratories:



The headquarters of Digital Receiver Technology, Inc. in Germantown, MD.
(photo: www.drti.com)


Currently, the company's homepage only advertises miniature multi-format wireless communications scanners to be used by the wireless industry for measurement and testing purposes. As an example, the website shows two products from the 4300-series.

But: "Due to the sensitive nature of our work, we are unable to publicly advertise many of our products". This is followed by contact information for commercial customers and for "all other" customers, which are obviously government agencies. Latter can contact DRT through a mail address and also by calling toll free: "(866) DIRTBOX" - a clear hint to the DRTBOX mentioned in the NSA screenshots.

Just like many other military contractors in recent years, DRT also removed information about national security related products from its website. Between 2003 to 2009, earlier versions of DRT's homepage frankly said:
"DRT designs and manufactures advanced electronic equipment to support the missions of the US Signals Intelligence (SIGINT) and law enforcement communities. The current product line includes a variety of portable and rack-mounted wireless communications receivers capable of processing a variety of modern wireless protocols. For more information about these products, please contact DRT."



Law enforcement

A good example of the devices which DRT manufatures and develops for use by law enforcement agencies is given by the company itself, in trying to open new markets.

In 2010, Boeing, on behalf of its subsidiary DRT, submitted a statement (pdf) before the National Telecommunications and Information Administration (NTIA) in reaction to an inquiry regarding contraband cell phone use in prisons. The statement says that:
"DRT has developed a device that emulates a cellular base station to attract cell phones for a registration process even when they are not in use. During this registration process calls are not disrupted. All calls, including 911 calls, are released, including those made from the contraband cell phones. The DRT device identifies cell phones as “not of interest” or “of interest” (i.e., the contraband cell phones).

Cell phones not of interest, such as those belonging to prison personnel or commercial users in the area, are returned to their local network. Cell phones of interest are forced to transmit so that the DRT device can locate them by calculating a line of bearing.

In one mode of operation, the DRT device then returns the cell phone to its network, permitting it to send and receive calls. In another mode of operation designed for use by federal law enforcement entities, the cell phone can be locked onto the DRT device, preventing its contraband use."

Boeing wanted NTIA to recommend to Congress that the Communications Act of 1934 should be modified in order to allow prison officials and state and local law enforcement to use these kinds of cell phone management, prevention or location technologies. Currently, only federal agencies, like the FBI, are allowed to use devices that jam or block wireless communications. Federal Communications Commission (FCC) licensing should also apply, for which Boeing delivered a similar statement in 2012.


A similar device (also known as IMSI Catcher, Cell-site Simulator or Digital Analyzer) used by American law enforcement agencies for tracking and intercepting cell phones is called StingRay, which is manufactured by the Harris Corp. The price of a StingRay device is between 60.000,- and 175.000,- USD. Harris also provides related equipment under the nicknames AmberJack, KingFish, TriggerFish and LoggerHead.


Prison pilots

In December 2010, DRT participated in a pilot at the Maryland Correctional Institution-Jessup (MCIJ). After sensors were placed, DRT collected data showing when cell phones were turned off, turned on and registered with the nearest cell phone tower. Data were send to a laptop used to record the data and the company then analyzed the time and length of messages over the course of the pilot. A portable sensor was used to identify particular cells that had a high probability of cell phone usage within.

In 2012, DRT was selected to develop and implement a Managed Access System (MAS) for the California State Prison system. A MAS is used to allow authorized cell phones to connect to the standard carrier networks, while preventing unauthorized cell phones (like from inmates) from connecting to the carrier networks.


Other usage

The aforementioned Boeing statement claimed that DRT's cell phone management, prevention and location technologies could also provide important benefits in a wide variety of law enforcement situations outside the prison context. For example, Special Weapons and Tactics (SWAT) teams and other paramilitary tactical units could effectively control wireless communications by suspects in a building during a raid.

Boeing carefully described only those future applications for which regulations have to be changed - trying not to admit that DRT systems are already used at the federal level for decades. They provide agencies like FBI with some powerful tools (DRT devices can be used to perform a man-in-the-middle attack), although they are expensive and must be operated by highly trained law enforcement personnel.

At the FBI, the DRT systems are likely operated by the Data Intercept Technology Unit (DITU), which is a highly secretive division specialised in intercept technology. DITU is also responsible for collecting data from US internet companies under NSA's PRISM program. For these federal agencies, a presentation about DRT devices was given at the 10th FED TECH Interagency Technical Training Conference, held in San Diego in January 2010:



In this schedule we see "DRT Box" again, but apart from a LinkedIn-profile, this term is rarely found and therefore it's not really clear what it stands for. At first glance it seems that DRTBox simply refers to box-like surveillance devices, but if we look at the BOUNDLESSINFORMANT screenshots, we see that the actual data collection is done by facilities designated by SIGADs and that DRTBOX is in the same section as for example XKEYSCORE, which means DRTBOX is probably an integrated indexing and analysing system for wireless communications data, just like XKEYSCORE is for internet data.



Signals Intelligence

Where the FBI uses systems from Digital Receiver Technology domestically, the NSA is most likely the main customer for use abroad. On a website for Signals Intelligence (SIGINT) and Electronic Warfare (EW), DRT is listed as a provider of:
- SIGINT Design Engineering Services
- SIGINT Consulting Services
- Communications ESM Systems
- COMINT Systems
- RF Receivers

DRT products for signals intelligence missions include high performance Software Definable Receiver (SDR) and transceiver products, including multi-channel platforms for man-portable, mobile and airborne applications, aboard RC-135 Rivet Joint, Combat Sent or Cobra Ball aircraft.

From various public job descriptions it becomes clear that DRT devices are widely used in tactical ground operations, where they are part of the equipment used by SIGINT/EW collection teams assigned to field deployed Special Forces Groups. These are so-called Low Level Voice Intercept (LLVI) devices.

DRT systems are also used as remote controlled collection systems, with the surveillance devices installed at fixed locations, like in areas where there's widespread hostile cell phone or radio use. The collected data go to ONEROOF, which is NSA's main tactical SIGINT database, containing raw and unfiltered intercepts.



Low Level Voice Intercept equipment being used during a field operation.
It's not clear whether the device in the video is from DRT,
but it's certainly very similar.


DRT SIGINT products

A job description for a SIGINT Systems Engineer (job location: Fort Meade) requires "experience working with SIGINT systems, especially on systems utilizing Digital Receiver Technology (DRT) Series 1000 and 2000 equipment" and also familiarity "with the software used to control the DRT systems". Software used for the 1000 series product line is called Alaska.

More specific designations of DRT devices from the 1000-series can be found in various other job resumes, reading like "SIGINT/EW collection and exploitation systems, to include the DRT-1101A/1301B/1501, MINI-EXPIATION, HIDRAH, LOGGERHEAD, Harris Suite (STINGRAY, KINGFISH, BLACKFIN, GOSSAMER), AR-8200, Explorer/Scout, and the PRD-13v2/ISSMS".

The DRT 1101A was a second generation wireless communications receiver developed by DRT around the year 2000. DRT's former website described the device as follows:
"The DRT 1101A provides a compact, yet powerful, test and measurement capability for a variety of first and second generation wireless standards. The system also possesses the capability to detect and extract cellular FAX signals. The system is based on an industry-standard bus format, and uses the latest in digital signal processing (DSP) and microprocessor technology."

Another device from the 1000-series is the DRT 1301C, which is used by Special Operations Forces:
"The DRT 1301C, manufactured by Digital Receiver Technology, Inc., is a portable, ruggedized radio designed for operations in tactical and/or harsh environments. It provides a miniature yet powerful surveillance capability. The radio has a frequency range of 20-3000 MHz and operates against a variety of analog and digital wireless standards. The transmitter has a power output range of <1 W (standby) to 75 W (48 channels, 3 tuners); it weighs 10.5 lb and measures 3 in. (H) by 8.5 in. (W) by 11.2 in. (D)."

An example of a DRT device from the 2000-series is the DRT 2101A, which was described as:
"a compact wideband tuner system consisting of up to eight wideband tuner modules, each covering the 0.5 MHz to 3 GHz frequency band. Each tuner module has a 30-MHz instantaneous bandwidth and can be operated in either an independently or coherently tuned mode under software control. The tuner module is factory configured to provide a high-level analog baseband output."
The Internet Archive also contained this picture of the DRT 2101A device:



See also the description and the picture of DRT's Wireless Processor Module 2 (WPM2) in the Internet Archive.


UPDATE:
The Mil Intelligence School's System Training Plan (pdf) from October 2013 about the Prophet Electronic Support System says that DRT devices are used in the Prophet Sensor vehicles, which are the ground-based tactical SIGINT collection components of the Prophet system:
- A DRT 1201B receiver is in the Prophet Spiral 1 Sensor (military designation: AN/MLQ-40(V)4), which is a M1102 tactical trailer, pulled by a M1165 B3 three-seat, fully armored High-Mobility Multipurpose Wheeled Vehicle (HMMWV or Humvee). Two Panasonic Toughbooks CF29 or CF30, running mission and communications software packages, control the DRT 1201B and enable the reporting and processing of intelligence. An AN/VRC-99 line-of-site radio provides data access to NSANET.
- A second DRT 1301C receiver-processor for man-packable operations is in the Prophet Enhanced Sensor.
- A DRT 1201 receiver is in the fixed-site version of the Prophet Enhanced Sensor, which also contains a BAT-1214 SATCOM terminal and a DF90/DF80/MS Antenna, among other equipment.
- A DRT 1301C is in the Mobile-At-the-Halt configuration, along with a DF90 antenna, and BAT-750 SATCOM terminal. Here, the DRT 1301C can also be reused in a man-packed configuration.
- A DRT 1201C replaces the DRT 1201B in a fourth variant of the Prophet Enhanced Sensor in stationary fixed-site configuration. The DRT 1201C device is described as a next generation receiver-processor that increases collection capability and enables future upgrades.
(similar SIGINT equipment for the Prophet system is developed by the Linkabit division of L-3 Communications)


A Prophet Spiral M1165 Humvee


The tactical deployed DRT systems are mainly used for operations in Iraq and Afghanistan, but it's very well possible that the equipment was also used at the joint NSA-CIA Special Collection Service (SCS) unit in the US embassy in Berlin, which intercepted the mobile phone of German chancellor Merkel.

Of course not only American agencies are using this kind of interception equipment. The FBI reportedly removed from several cell phone towers in the Washington DC area transmitters that fed all data to wire rooms at foreign embassies.*



Links
- Heise.de: Solange keiner meckert - Wie IMSI-Catcher unauffällig legalisiert wurden
- Matt Blaze: How Law Enforcement Tracks Cellular Phones
- WaPo.com: New documents show how the NSA infers relationships based on mobile location data
- USAToday.com: NSA Phone Tracking
- Volkskrant.nl: De DRT2101A: het apparaat waarmee de NSA telefoons afluistert
- List of 217 part numbers from Digital Receiver Technology, Inc.
- Presentation about Digital receiver technology for RWR, ESM and ELINT applications (pdf)
- Washington Institute: Stabilizing Iraq: Intelligence Lessons for Afghanistan
- Journal of Electronic Defense: What's New in SIGINT software?
- Overview: Toward a Universal Radio Frequency System for Special Operations Forces (pdf)

11 comments:

Bruce Hammerson said...

Digital Receiver Technology is doing awesome work. It helps FBI and other intelligence services. It is very good.


Regards,
Komatsu Parts

fmulder@ditu.fbi.gov.us said...

Have you inquired about WHITEBOX which is often mentioned in the same boundless informant breath as DRT technology?

More broadly, it would be instructive to pool all the SIGINT profiles recoverable from LinkedIn and job boards in terms of word associations with DRTBOX.

Beyond this, there is an interesting class of slash, hyphen and parenthetic associations, such as ANCHORY/MAUI, PINWALE/UIS, AMHS (M3), Enhanced WEALTHYCLUSTER (EWC), NORMALRUN/CHEWSTICK/FALLENORACLE, SCORPIOFORE/CPE, HIGHTIDE/SKYWRITER, YELLOWSTONE/SPLITGLASS, AIRGAP/COZEN and so forth.

However I've not seen WHITEBOX in any of them. Israel intelligence posted a remark about it just being the white cube observed on the top of so many American embassies. Like the one in the Netherlands. It seems like these may be a collection of these SIGADs, a component that extracts phone metadata.

Meanwhile ... the jobseekers/job offers are starting to go dark:
http://clearedconnections.com/

Anonymous said...

Wondering if you spotted this:

"Description: Item No. 001 DRT 1301C+/TRS Portable Receiving System: consisting, buggerdized laptop computer, DRT1301C+Wireless Receiver, carrying case, cables, antenna, manual, and embedded/GUI software for all supported formats. DRT1301C includes three RF tuners and 48 channels of processing. The 1301C+ is air cooled with internal fans. A two year warranty is also included. Qty: 2 ea Item No. 0002 DF20C 400 MHz-2GHz Complete DF System. Includes: DF antenna (with nine 3-inch antenna elements and four 12-inch antenna elements); DRT DF Software; Pinpoint Geolocation Software; DF Manual; GPS Antenna; 25- ft cable Qty: 2 ea Item No. 0003 DF20C/EFR-2 30 MHz-300MHz, Enables DF20C to conduct DF against lower frequencies. Includes: Six long antenna elements; tripod mount; cables; SMA cable interface box; Qty: 2 ea This acquisition incorporates the following FAR clauses: 52.212-1 Instructions to Offerors-Commercial Items, 52.212-3 Offeror Representations and Certifications- ..."


https://www.fbo.gov/index?s=opportunity&mode=form&tab=core&id=05fc805e57934b06f219ecf013928870



"Conducted ground Signals Intelligence (SIGINT) collection operations using low-level voice intercept (LLVI) equipment to include, but not limited to DRT 1301C, ..."

http://www.linkedin.com/pub/edwin-cunanan/51/4a4/783

P/K said...

@ fmulder:
WHITEBOX is actually only mentioned alongside DRTBOX in the screenshot about France. I also couldn't find more about it, indeed it isn't mentioned in other sources like the job descriptions. The only thing we know about WHITEBOX is that it seems to collect data from the Public Switched Telephone Network. I am afraid we need more sources before we can say more.

The slash associations are interesting, some of them make sense: MAUI is the Multimedia Access User Interface - apparently used to access the ANCHORY database, and UIS is the User Interface Services, which is used for accessing the PINWALE database.

@ Anonymous:
No, I didn't found those two descriptions, thank you for posting!

DRT 1301C+ seems to be a modified version of the DRT1301C mentioned in my text, apparently the air cooling by internal fans were added in this version of the device.

tom said...

MAUI, the web interface for textual keyword queries (powered by commercial software BRS/Search) to the old but still in use ANCHORY database of full text reports from NSA, CIA, DIA, the State and Foreign Broadcast Information System, Reuters, Cryptologic Intelligence Reports and precis of hard copy reports (all known from a document returned to a FOIA request).

At LinkedIn, people sometimes write this wrongly as ANCHORY/MAUI whereas it should be MAUI/ANCHORY. Here MAUI is an acronym for Multimedia Access User Interface. See https://www.muckrock.com/news/archives/2013/jul/25/anchory-documents-offer-glimpse-90s-era-nsa-intell/

This is similar to PROTON/CRISSCROSS. PROTON is a cross-platform JAVA software that provides front-end web access, analysis and reporting tool to anyone on the JWICS to a huge database called CRISSCROSS (telephone metadata only, no content). Confusion arises as the word PROTON is used interchangeably for agency program, agency office, the ingest processes, software, software plus associated database, or just the database itself. PROTON is a joint project of the CIA, DOJ and DOD.

This is bad practice but we see it all the time. Note the software resides on agent computers and even phones, whereas the database itself is not software but resides in a fixed physical location (likely corporate-hosted) on the network under a distinct name, CRISSCROSS. In help-wanted ads from defense contractors, we see a better practice: PROTON/CRISSCROSS for tool/database association.

tom said...

PROTON is a little more elaborate package than MAUI. It includes various graphing, geospatial mapping, data visualization, statistical products such as heat maps, and display tools for social network centricity or hang-arounds to digest the results of queries. Output can then be exported into pdf and IBM's Analyst Notebook format .anb for ease of sharing by email attachment or be imported in other social network association software such as Palantir.

PROTON, or rather CRISSCROSS, consists of telecom metadata selector fields (eg telephone numbers, email addresses, hexadecimal sat phone ids, cell IMEI) classified as TS/SI/FISA/ORCON/NOFORN to control distribution (not to FVEY or even UK). Foreign organizations and NGOs are included in addition to individuals The ingests to PROTON come from Special Collection Service (a joint NSA-CIA program) of a terabyte per month (last ten years), Computer Network Exploitation (CNE) data provided by Tailored Access Office (TAO), other metadata collected under FISA authority, CALEA domestic collection legal under Title III, scanned phonebooks from Europe and Asia, plus an enormous amount of purchased corporate data, plus business cards and meeting brochures sent to the PROTON office (which has the software resources to put unordered data into fields and otherwise make raw data ingestible. PROTON users can add and edit CRISSCROSS data directly, say to enter the the identity of a previously unidentified selector, as well as leave notes for other users.

PROTON definitely contains American citizens metadata selectors or AMCITS -- the writer once queried a Maryland area code and a partial prefix, obtaining a huge return from PROTON. While these USPER numbers were partly masked providing only only area code and prefix (the unknown four digits allow 10,000 phones), the PROTON user can simply email the NSA with a pro forma justification request to get the number -- it's in the CRISSCROSS database, just needs to be unblocked. (Voice cuts of content are not part of PROTON but available through a similar request process.)

The architecture of CRISSCROSS presumably consists of individual flatfile ingested databases organized as a relational database with the phone number of the calling device as indexing field. Here a row or record consists of a telephone call from that device, regardless of ingest source. However each ingested database may have some unique fields of its own. The name of minor software processing differently formatted ingests to standard PROTON-queryable format is not known but is probably housed or contracted out by the PROTON Program Office at the CIA who co-manage the effort along with NSA and DOJ.

PROTON is reportedy getting to high a profile and efforts are being made to walk it back into a compartment, not necessarily an ECI but one requiring additional levels of clearance. See http://cryptome.org/2013/08/proton-clearwater-lexis-nexis.htm

Terry A Davis said...

Dirt? I view it like this. Some people worry about public opinion, others worry about Gods. I'm very happy with the situation. If you want more public opinion, that probably give me more God's opinion.

Terry A Davis said...

But cleave unto the LORD your God, as you have done unto this day.


Shoot the hostages every fucken time. And laugh as you cling to the lord.

Paul Keck? Yeah, his ass was interesting. Might have been cute on a woman.

Ya like that? You lose points with God.

Anonymous said...

Former LLVI. DRTi is that small little unknown US company that rocks. Their products are rock solid. Even better their "customer" support is beyond world class. These guys will literally give a soldier a million dollars of equipment on a paper receipt if needed for a mission.
I can not say what or how their customers are using the equipment, but my team and I was under very strong laws(USSIDs).

The soldier in the video was not using DRT equipment. It was a simple iCom radio and an AR8200 with a simple DF head.

simran patra said...
This comment has been removed by a blog administrator.
Cameron Wieght said...
This comment has been removed by a blog administrator.