Simulation of Intense Activity, or What Radio Control Must Not Be in the XXI Century
Alexey Viktorovich Zakharov
Alexandr Vitalyevich Krivtsun
STT GROUP (Engineering-Commercial Multiprofile Centre-1 Ltd., Protection Group - UTTA JSC)
In the context of the article, as the analysis of digital communication channels, the authors mean not only the analysis of amplitude-frequency characteristics of the radiation of radio-electronic equipment (REE) operating in digital data exchange standards, but also "opening" the contents of an open technical information transfer with the release of unique identifiers.
Keywords: radio monitoring, the digital network analysis, RadioInspector, Cassandra, digital eavesdropping devices
The current technical information protection market enjoys a wide range of choice of radio control (radio monitoring) systems of various technical parameters which can be knitted together by one thing – they can only display and (at most) store panoramic views of signal spectra on air. They do not solve problems of analysis of legitimate digital communication channels at all or do it as a mere formality – just to check the box. The reasons may be various - from unsatisfactory quality of radio-receiving route and impossible connection to PC (machines like Oscor Green) to simple misunderstanding of how the existing problem can be resolved, and/or unwillingness to do it: why should we change anything if the consumer continues buying the old solutions? And in the meantime the consumer often does not know that the manufacturer offers the equipment that is unable to ensure high quality avoidance of today's threats.
Yet the problem is not at all unlikely
Let us speak about the "classic radio control" where the problems of digital communication channel analysis with respect to information protection are not solved and answer the question if such radio control is required at the present stage of development of devices for surreptitious obtaining of information. Besides, we will consider absolutely and irrespectively the problem of imaginary "digital" analysis resulting in user-disorienting substitution of notions.
To understand the situation, we should conceive what a today's typical facility that requires protection is.
We won't refer to facilities located in taiga and surrounded by a multi-kilometer alienation zone – it's a lot easier over there. If any wireless connection is prohibited at the facility then each signal that is transmitted on the air should be identified and localized including frequencies of legal communication channels. Usually such a requirement can be fulfilled under pure hypothetical conditions – for a single spherical object in the vacuum. We however will take realistic working conditions – a standard facility located in the city area, often in restrained urban conditions in places with a lot of offices, administrative and inhabited buildings which are continuously redesigned and equipped with either obsolete or the most advanced wireless communication means. Besides, we will take into consideration 2G/3G/4G mobile operators, Wi-Fi networks, analogue/digital television and radio broadcasting, service radio nets of the Ministry of Internal Affairs, EMERCOM, radio signalling systems, radio fans, aviation, etc., that are always on the airwaves.
The overall complexity of the modern radio monitoring with regard to information protection is that modern eavesdropping devices transmitting data via radio channel use in increasing frequency the same standards as legal devices. We have already discussed this topic in the article  in the section concerning the Wi-Fi standard . Let us see now what an operator can do with a radio control system without solving the problems of analysis of digital communication channels. Here are some examples.
A question for practicing searching experts: what would you do if you found a spectrum like the one shown in fig. 1?
How can you discover an eavesdropping device operating at the facility that transmits DECT signals if, according to the standard description, 24 devices – 12 bases and 12 handsets - can simultaneously operate at each frequency? There are 10 of such frequencies within 1880–1900 MHz, and experience shows that nearly always all the 10 channels in large business centres or administrative buildings are busy and operating continuously. We used to discover more than 240 base stations working at the same time while staying on the 16th floor of a residence building.
Fig. 2 shows actually revealed 135 operating DECT bases.
An experienced operator will say: "To reveal and localize eventual eavesdropping devices I will switch off my base and control signal levels". All correct, but how can we switch off the handset and the base in the adjacent room that does not belong to your company or to a company that you control, or the secretary's phone that is ringing its head off? In some offices we have seen constantly moving employees continuously speaking over DECT phones. Signal levels under such conditions are always changing – a real paradise to successfully hide an eavesdropping device, isn`t it? Yet during the night the situation will not change a lot: DECT bases operate continuously without switching off. For the moment it is hard to escape the only conclusion that if we do not analyze digital packet headers it will be quite difficult to discover a DECT eavesdropping device in rooms with actively used radio phones of this standard.
One more example – our "beloved" range of 2400–2500 MHz. Wi-Fi, ZigBee, Bluetooth, unmanned aircraft control, digital and analogue video cameras – there is no better range to conceal a working radio transmitter. Look at the diagram of maximum values collected in 3 minutes in a place not very much saturated with transmission means (fig. 3).
From the above description we can again draw the only correct conclusion – the modern radio monitoring is impossible without the analysis of digital communication channels.
In fact, it's been a long time that this conclusion has become imminent, that is why a series of solutions has been brought on the market to be exclusively used for analysis of digital communication channels. As a rule, such complexes for revealing and identification of wireless communications facilities are based on standard radio modules used in notebooks (integrated or connected via USB-ports – "dongles1").
Then the situation has gained steam resulting in a change of the conventional approach to the digital analysis because it has shown a lack of prospects of the commonly held view of radio control assuming that the radio control complex is one thing while the digital communications channel analysis is another. These products must be, at a minimum, used simultaneously, and, at a maximum, be the whole entity and operate by the same algorithm.
Go on the world-wide Interweb and enter a search request "high-power Bluetooth adaptor". After a brief search you will get a list of Bluetooth modules ensuring a signal transmission distance of 2 km. This example has been made for those readers that believe that the Bluetooth standard is not dangerous because of the entrenched myth that it is not "long-range" and a controlled area of about 20 m would be sufficient to forget about it.
What challenges is a search team operator facing with regard to revealing an eavesdropping device using Bluetooth as a channel for transmission of tapped information? At a typical facility up to 10 to 15 Bluetooth devices can easily operate simultaneously within the reliable service area during business hours. Particularly bad is the situation in the companies where the purchasing process is controlled by fans of American products of the well-known Apple. Most often they use wireless mice and keyboards with their stationary all-in-one PCs – this is so convenient. Thus, in the controlled room there might be legal devices of this standard: wireless headsets of mobile phones, notebooks, tablets, SmartTV – most likely all these devices are already available in the rooms occupied by managers of various ranks. Even modern guards can have Bluetooth headsets connected to radio stations.
You are lucky if control conditions ensure a possibility to switch off and take out all available receive\transmit devices. And what if a person in charge of control faces the problem of the situation control during a weekly meeting and nobody withdraws electronic devices from the participants? How will he distinguish the Bluetooth keyboard of the shorthand typist from an eavesdropping device? In particular, when the eavesdropping device is not located directly under the antenna of the radio control complex and transmits signal not to 100 m but to 20 - assuming that a receiver equipped with a memory is on the above floor? In this case the amplitude of its signal will not be outlined against legal devices. Plus WI-FI networks operating on the air, including those that are used during the meeting. The result is a real hell in the collected spectrum.
In view of the foregoing, it is safe to say: it is highly probable that it will not be possible to reveal any eavesdropping devices against the available legal facilities without analyzing packet headers of the operating devices and revealing their LAP-addresses.
Why LAP and not MAC-address?
Here we are coming to the substitution of notions that we have already mentioned above. To be clear: Bluetooth devices that have once been mated and are not in clear operation (for example, trying to find new devices) do not transmit their MAC-address in the air. If you see on your analyzer only a Bluetooth MAC-address, then our "congratulations": your device is doing what we have put as the article title – simulating intense activity. Most likely, this device has cost a lot of money, but this is not the worst thing: your analyzer will not see a real "combat" bug. Never.
1 Dongle – key, plug. In the modern professional slang it means a compact hardware module connected to the computer via various interfaces to extend its functionalities, e.g., external Bluetooth adapters, Wi-Fi USB modems, 4G (LTE) USB modems, etc.
Further on the things get worse. Once, while going on analyzing a signal coming from the device found during a routine search, we have discovered an amazing thing – the Bluetooth analyzer would not identify it as a Bluetooth signal. We have been saved by switching to revealing and automatic identification of signals exceeding the threshold of the Cassandra complex: the signal has been positively identified as Bluetooth. This discrepancy made us carry out a deeper study of the revealed signal. The conclusion was unexpected and very unpleasant for users of digital analyzers based on various dongles or PC-integrated Bluetooth adapters. It was simple; the radiation frequency of the analyzed product did not match the Bluetooth frequency range differing from the standard frequency by more than 100 kHz. That is why this transmitter could not be controlled by analyzers of standard digital channels. And if such bugs cannot be revealed if we cannot analyze any non-standard frequencies and see whether they comply with digital communications standards, then do not hesitate to give almost all digital analyzers to students for lab sessions.
Constantly working on improvement of the Cassandra complex based on the revealed problems, we have re-estimated the digital analyzer performances. Now we can use it in different modes: as before – using the standard frequency spectrum, applying a random frequency with a possibility to activate the hold mode of proper devices as well as a frequency spectrum with a frequency deviation possibility (fig. 4).
Take a note of the MAC-address in the middle column of the table – this is the only device that modern digital analyzers of most manufacturers can discover. In this case an Apple keyboard has been switched on. In the left-hand column there are those invisible devices that do not transmit their full MAC-address on the air – a working keyboard, a wireless headset of the mobile phone during microphone operation and one device operating beyond the standard Bluetooth frequency grid (deviation by 100 kHz). Some additional useful information to enlarge the experience of practicing search team members: LAP-address 9E:8B:33 appearing each time the active procedure is selected in the Dtest software option – this is a standard broadcast request of surrounding devices to "give back your identity". In our case this request is made by the Bluetooth adapter of the notebook of the Cassandra complex to reveal hidden devices (MAC-addresses). If you do not use the active procedure but this address appears all the same, then a Bluetooth device is operating in the reception area, which has been switched to search for other open devices (e.g., two employees decide to exchange files between their notebooks and have not connected them via Bluetooth before).
Digital analysis by spectrum?
One more hard-hitting feature of substitution of notions is wishful thinking. Some complexes used for revealing and identification of wireless communications facilities feature analysis of some digital channels only based on spectral analysis of the frequency range indicated in the Standard specification. Moreover, it very often relates to things that are so specific that they exist on paper only and have the same kind of relation to the real radio control as Cheburashka to the Red Book. We cannot clearly understand how the revealed signal may be ranged in a specific type of signals on the only basis that it operates in a certain frequency range. Let's say we observe a signal within 1920–1980 MHz and we decide that this is UMTS2100, and if it is within 3400–3700 MHz, we qualify it as Wi-Fi… Why should we be so sure?
All in all, if we follow this simplified logic, we can congratulate all users of Cassandra-К6, Cassandra-К21, Cassandra-СО, Cassandra-C6: dear colleagues, you seem to be longstanding owners of a superpower digital analyzer of any digital standards! The procedure is as follows: you set a task to control the required ranges in which the digital standards of interest operate, then you set the threshold limit and then you go and drink a cup of coffee. We guarantee that you are sure to "catch" a lot of "digital devices" even in those ranges where they exist only in theory and have never been translated into practice.
As a matter of fact, we cannot correctly range a signal in a specific standard without revealing clearly informative features – without digital processing, analysis of the type of modulation, demodulation, at least. Yet, it would be helpful if the operator would have before his eyes such a hint like a designation in the common spectrum of standardized range limits. To facilitate the operation, the recent version of the RadioInspectorRT device features a frequency range selection function displaying information about its parameters (fig. 5).
The user can fill in such a table by himself without any problem. Fig. 6 shows an example of how the filled in table looks like with a list of frequencies of a well-known digital analyzer on the PC display of Cassandra-К6.
DMR, Tetra, APCO…
In the pursuit of the formal side of the problem, "pure digital operators", when non existing standards have been added in the performances, have completely forgotten about other legal communications standards which are available behind the scenes at all facilities, i.e., about service radio communications. You may ask, where do radio stations concern the information protection? But what if the words that are being said at the guard post can be obtained by a party that keeps an eye on the facility? For example, a daily password? Or a part of the conversation of a high-ranking functionary would somehow be recorded in the period when only one security officer that has been checked multiple times, was near him.
How can this be possible when almost all users have already stopped using analogue communications and adopted digital standards? There lies a new problem. Besides pros, digital standards have also some cons, in particular in relation to information protection. The main of them is that the user does not know what possibilities the radio station manufacturer has put into their design. At present, the most actively developed in the reviewed sphere is the DMR standard which has conquered almost all the planet. It offers a lot of useful possibilities. Two groups of subscribers can use one and the same frequency for communication, including communications via repeater station, without interfering with each other. Encrypting, SMS sending, transmission of the subscriber coordinates, group or individual calls can also be provided for. Based on the individual call is the function that requires our close attention – police mode. It serves to switch on the required radio station for transmission with monitoring of environmental acoustics; besides, using the service software you can switch off any indications on the controlled radio station. In other words, its operation will not formally interfere with transmission in any way. By default you should choose this function on the controlled station, enter the password, etc. The control period can be set in the service software of Motorola from several seconds to two minutes. And now try to ask yourself: are you sure the US company has not left a back door for themselves? Just to be on the safe side. We never doubt that there is a back door. Besides, never forget the human factor impact.
Here's a small example of how the back door is implemented. There is a radio control station at the facility the operators of which have known for a long time the frequency used by the guards, and, of course, do not control it. What for if is "our" frequency? Usually both DMR timeslots are rarely used: radio traffic is being exchanged periodically, the network loading is not great, and so one slot is enough. On the other hand, the second timeslot can easily be used by an illegal intruder for transmission of information. At this point, the radio control station will, at best, notice non-standard activities such as long transmissions. But it will not know what in particular is transmitted, and most importantly – from whom to whom, without analysing the traffic by demodulation and assigning device IDs.
In this regard in the DTest option of the Cassandra complex attention is being increasingly focused on service radio communications, beginning with eventual demodulation of the Tetra, APCO-P25, DMR standards without encryption to assigning device unique identifiers. We insist that the service radio communications channels at facilities should be monitored not only to control the observance of the radio exchange rules. From our point of view a lack of possibility to analyse the whole structure of the digital radio exchange in a modern radio control complex is unacceptable.
In one article we cannot review all danger aspects lying in the rapidly advancing technical communication means. We have tried, at least partially, to answer the frequently asked questions of our customers like: "Why don't you have Wi-Fi 3500, NMT-450?" The Cassandra developers do not aim at simulating the problem solution, creating a deceptive feeling of safety, but at trying to face existential threats.
As a final note – a few words about perspectives of the Cassandra complex. At present we are busy with its scheduled in-depth modernization. In 2017 the upgraded Cassandra-К6 and Cassandra-К21 will make the buyers enjoy the scanning speed of up to 15 GHz/s without loss of qualitative characteristics of the radio-receiving route. Besides, we have arranged mass production of new series С complexes announced in 2016 which are portable amplitude DF units Cassandra С6 and Cassandra С21 featuring the digital network analysis function (ref. insert).
1. Zakharov A. V. Krivtsun A. V. Implementation of new possibilities of the radio monitoring and signal digital analysis complex Cassandra-М for detection of modern special technical devices with transmission of information via radio channel // Special Equipment. – 2011. – No. 5. – P.
2. Zakharov A. V. Requirements to a prospective Wi-Fi network analyzer // Information protection. Inside. – 2015. – No. 1. – P. 25–29.
Portable unit of amplitude direction finding of analogue and digital devices with selection of their identifiers (MAC, LAP, RFPI, etc.).
Built on base of К6 without commutator switch.
GEO option with electronic compass, GPS/GLONASS receiver, ability to load maps in real time.
Autonomous power supply – 6 h.
К21 version with 3–21 GHz frequency range.