Wednesday 1 April, 2009, 05:30 - Radio Randomness

For some time, software has been freely available on the internet that allows anyone with enough brains and patience to break into a 'WEP' encrypted WiFi link. 'WPA' encrypted links are more secure, but even they are open to attack. The basic problem with any radio device is that it transmits the data freely across the ether, and a miscreant within range who has the right equipment and software can intercept the signal and decode it. Be assured, though, that it takes a lot of effort: someone would really have to be serious in order to bother having a go at WPA or WPA2.
Posted by Administrator
But regardless of the encryption technology used, the key problem with any WiFi network is that the signal is purposefully transmitted over a wide area. Obviously, running a direct wired connection between two points is much more secure. It may therefore come as a surprise that even the radiation from computer keyboards can be sufficient to allow 'snooping' on your computing activities from a distance.
Two Swiss scientists have demonstrated that this can be done, even through a wall, despite the fact that the level of radiation coming from a keyboard is very small indeed.
But what about the new PLT (power line telecoms) or BPL (broadband over power line) technologies? These devices send your precious data over electrical cables which, as any number of studies have shown, leak the signal hither and thither, causing radio interference over a wide area and opening up the opportunity for someone to intercept the signal.
Emissions from some PLT/BPL devices have been received at over 500 metres from the building in which they are installed, which is, in most cases, further than an equivalent WiFi signal could be received. Wireless Waffle therefore decided to follow in the footsteps of the aforementioned Swiss scientists and see whether or not it was possible to intercept and decode the emissions from these devices, in order to ascertain how secure they are or aren't.
The devices which seem to send out the strongest signal are those manufactured by a company called Comtrend, which use a chipset from another company, DS2. The first thing to do, therefore, was to get hold of a Comtrend device and modify the circuitry to provide a separate antenna input, rather than having the device take its signal from the mains cable to which it is attached.
A suitable Comtrend device was purchased from the web's best-known outlet of all things slightly dodgy, and then dismantled to see where the signal input is. It turns out that the device picks the signal off the mains through a couple of high-voltage coupling capacitors. It is a straightforward job, therefore, to lift these capacitors from the circuit board and attach an alternative signal feed in their place.
Making a wideband antenna capable of receiving the whole HF frequency range (2 to 28 MHz) used by these devices is not entirely straightforward. However, a short whip (1 m or so long) connected directly to the input of a high-impedance FET amplifier does a pretty good job: whilst its response is not flat across the HF range, it receives something at all frequencies. And, let's face it, the frequency response of the mains cabling to which the devices are normally connected is not flat either, so a bit of loss here and there is nothing to worry about.
So, armed with an inverter (to provide the Comtrend device with 240 V from the DC power outlet of a car, which was felt to be easier than supplying it with the various DC voltages it needs internally), a laptop with which to connect to the modified device, and the whip antenna, the intrepid Wireless Waffle team set off to see whether or not it is possible to intercept data being sent over electrical mains wiring and thereby spy on local internet activity.
The first test was to set up a couple of devices in a known configuration and then place the 'interception' kit inside the house in which the devices were installed. This gives the set-up the maximum possible chance of receiving the data, as the signal picked up by the antenna within the house is pretty much as strong as it is on the mains wiring itself!
Not surprisingly, in such an 'ideal' test set-up it was a piece of cake to read the data passing over the mains cabling.
Next, the interceptor was moved to a car parked outside the house, with a suitably covert antenna placed discreetly on the roof. Again, it was easy to receive and read the data being sent over the mains cabling. If it were me using these devices in my house, this is the point at which I would begin to realise that the devices are not even as secure as WiFi, and would get rather nervous. The car was then driven 100 metres away from the house under test whilst keeping the system turned on. At this distance the signal from the house had fallen significantly (though it was still perfectly audible on a test receiver).
At this distance the simple interceptor struggled to read the signal; however, with some judicious placing of the receiving aerial, some of the data could still be read. Not a great deal was really expected from such a simple set-up, yet the tests showed PLT/BPL devices to be significantly less secure than WiFi, being easy to intercept, using very simple equipment, at distances of up to 100 metres from the house in which they are installed.
Unlike WiFi, however, it is not as easy to make a two-way connection: whilst intercepting or spying on data is possible, fully taking over the connection and being able to use it, for example to connect to the internet or into a home network, is much more difficult. Generating enough transmitter power to put a strong signal onto the internal mains wiring from 100 metres away would be no mean feat. That doesn't mean that it's not worth trying, though...