Thursday 23 July, 2009, 08:00
It may come as a surprise to the more ICT literate that in this day and age, short-wave radio is still being used for secret communications from various security organisations to their field agents. No encrypted e-mails or messages hidden on web-pages, no images hidden in jpeg files or microdots or secret domain extensions. Nope, many agencies transmit messages over short-wave using standard AM modulation which can be received on every day, off-the-shelf radios.

You may have even heard these transmissions and not known what they were. Known as 'numbers stations', the transmissions consist of a series of numbers being read out in a mechanical fashion, often repeated several times and often preceded by a specific piece of music. The numbers are usually in English, German, Spanish, Arabic or a Slavic language (e.g. Russian), which may give an indication of the source of the signals (though it is known, for example, that some of the transmissions in English are from the Israeli secret service, Mossad).

Unlike most short-wave transmissions, the source of these signals is often elusive and, as such, receiving any kind of acknowledgement of their reception is nigh on impossible. This does not stop, though, a band of enthusiasts from monitoring and recording these signals and exchanging information with like-minded individuals. Probably the largest such group is known as 'Enigma 2000', who publish a regular monthly newsletter which, thankfully, those who are interested can obtain from the Numbers and Oddities site without the need to join the group (which has strict membership criteria).

A typical numbers transmission consists of the following elements:

* A piece of music or other 'tuning signal' to enable the transmissions to be easily identified
* A set of numbers or letters to identify which agent the message is addressed to
* A message identifier (so that the agent knows whether this is a new message or one already received)
* The encryption key (page in the one time pad - see below)
* The message itself

It might end up looking something like this:

131 1 445 137
40169 89117 20298 35013 41171 11312 63536 93396 46878 16093
29358 33200 82800 62186 11396 84614 82364 31802 82184 13856
76542 20793 72496 02687 56367 66812 18736 23959 33356 29647
21272 04668 08563 59079 71771 45056 59223 74346 70438 99776
45393 22483 06897 74008 87564 11186 28378 86003 16942 77970
000 000

So how does the agent decode this message? It is suggested by those in the know that they are unravelled using something called a 'one time pad'. The agent looks up the page in his book of one time pads, which has a set of figures which allows the numbers to be translated into letters or words to decode the message. Once decoded, the page in the pad is burnt, eaten or otherwise destroyed. Without access to the pad, the message cannot be decrypted (e.g. by opposing security agencies), which makes it singularly secure. If the agent is captured and his pad falls into enemy hands, as long as the HQ is aware, they can stop sending messages to that agent. As each agent's pads are different, they cannot decode messages sent to other agents.
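As an added illustration of the one-time-pad scheme described above (this is example code, not the page's own and not any agency's actual procedure), the Python below encodes a short message as two-digit codes, combines it digit by digit with a random pad page, and frames the result with a header and the '000 000' terminator; the letter table, the header fields and the terminator are constructed assumptions. The final function shows why an intercepted message is useless without the pad: for any candidate plaintext of the right length there is a pad page that 'decrypts' the same groups to it.

```python
# Added illustration of one-time-pad handling for a numbers-station style message.
# Not any agency's real procedure: letter table, header layout and terminator are assumed.
import secrets
import string

ALPHABET = string.ascii_uppercase + " ."  # 28 symbols -> two-digit codes 01..28
CODE_OF = {ch: f"{i:02d}" for i, ch in enumerate(ALPHABET, 1)}
CHAR_OF = {code: ch for ch, code in CODE_OF.items()}

def text_to_digits(text):
    """Two digits per character, space-padded so 5 characters fill two groups."""
    text = text.upper().ljust(-(-len(text) // 5) * 5)
    return "".join(CODE_OF[ch] for ch in text)

def digits_to_text(digits):
    return "".join(CHAR_OF[digits[i:i + 2]] for i in range(0, len(digits), 2)).rstrip()

def make_pad_page(n_groups):
    """One pad page: truly random digits, used for a single message then destroyed."""
    return "".join(str(secrets.randbelow(10)) for _ in range(5 * n_groups))

def combine(digits, pad, sign):
    """Digit-wise add (sign=+1) or subtract (sign=-1) the pad modulo 10, no carries."""
    if len(pad) < len(digits):
        raise ValueError("pad page too short for message")
    return "".join(str((int(d) + sign * int(k)) % 10) for d, k in zip(digits, pad))

def encrypt(text, pad):
    c = combine(text_to_digits(text), pad, +1)
    return [c[i:i + 5] for i in range(0, len(c), 5)]

def decrypt(groups, pad):
    return digits_to_text(combine("".join(groups), pad, -1))

def parse_transmission(text):
    """Header 'agent msg_no page count', the body groups, then the '000 000' marker."""
    lines = text.strip().splitlines()
    if lines[-1].split() != ["000", "000"]:
        raise ValueError("missing end-of-message marker")
    agent, msg_no, page, count = lines[0].split()
    groups = " ".join(lines[1:-1]).split()
    if len(groups) != int(count):
        raise ValueError("group count does not match header")
    return (agent, int(msg_no), int(page)), groups

def pad_for(groups, claimed_text):
    """Every plaintext of the same length is consistent with the ciphertext: this
    derives the pad page that would 'decrypt' to claimed_text, so an interceptor
    without the real page cannot tell the true message from any other."""
    return combine("".join(groups), text_to_digits(claimed_text), -1)
```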

That such messaging systems are still used is, perhaps, not that surprising. That they should still rely on short-wave radio to send these messages to agents perhaps is. An e-mail could do the same job much more quickly and for less money. The advantage, however, of short-wave is that no specialist equipment is required to get hold of the message (short-wave radios are available in markets and bazaars around the world for a handful of dollars), and it has the real advantage that the location and identity of the agent are not revealed by the transmission, as they might be if an e-mail were traced by the authorities.

Hearing these transmissions is relatively easy. Mossad in particular seems to pepper the airwaves with transmissions, usually in the hours of darkness in Europe when local propagation is more straightforward (and presumably when agents are not out doing their day job!). Common frequencies include (though these change seasonally) 3840, 4270, 4880, 5435, 6840 and 9130 kHz from around 1800 GMT to at least 2000 GMT and later.

So, if you catch your Ukrainian neighbour sunning herself in the garden whilst listening to seemingly random sets of numbers being read out on the radio, thanks to Wireless Waffle you now know exactly what is going on!
Saturday 13 June, 2009, 14:53
OK, so Wireless Waffle was wrong about the real story behind the Brazilian use of the US FLTSATCOM military satellites (and their sister satellites, the UFO series). We thought it might all be innocent but it appears that there are groups of Brazilian truckers and similar using the satellites as their own personal CB radio. Calling the satellites 'Bolinho' (small ball), their activities have recently been brought to the fore by a raid by the Brazilian authorities on around 70 suspected 'hijackers'.

The story has been reported on various web-sites and it seems that the equipment being used by the Brazilian pirates was relatively widely available and manufactured from standard PMR radios. The transmitters, it is claimed, were normal 144 - 174 MHz VHF devices with their transmitter outputs run through (varactor diode) frequency doublers to produce outputs in the range 288 - 348 MHz which ties in with the uplink frequencies of the satellites which are in the range 292 - 317 MHz. A simple downconverter can then be used to receive the signals.

The US spectrum regulatory authorities (the NTIA and FCC) clearly put pressure on the Brazilian spectrum authority (Anatel) to force them to act. Legally speaking, the Bolinho hijackers are guilty of operating a radio transmitter without a licence, but whether or not they can be charged with any additional crime resulting from their use of the US satellites is unclear. It is unlikely that the use of the satellites represents any further crime in Brazil as the satellites are not Brazilian owned.

Various news stories covering the raids have suggested that the US satellites are now abandoned and are only kept in orbit in case of emergencies, and even go on to purport that the US may now decommission the satellites to put paid to any future Brazilian (or indeed other; it is known that there was some interference to the satellites from a radio station in the Philippines) piracy. This may be true but there are plenty of recent recordings of military traffic from these satellites. These might just be exercises but clearly the US military do still use the Bolinho Birds, despite claiming they are only used in emergencies. Then again, would you admit that your multi-million dollar military space hardware had been attacked by a group of mischievous miscreants using modest modified machinery?

P.S. The idea of a graphic depicting what is commonly known as 'a Brazilian' did cross our minds but that is, perhaps, cutting it too fine...!
Don't Wave Goodbye to Short-Wave
Tuesday 28 April, 2009, 07:22
The threat to short-wave reception caused by PLT (a.k.a. BPL) devices is something that has been covered on Wireless Waffle on numerous previous occasions.

Whilst it hasn't reached the point of naked protestors parading along the streets of London just yet, a while ago the technical group trying to curb the spread of these devices petitioned the UK Government to do something about it. The Government's response was rather lacklustre:
As with all electrical and electronic products sold in the UK, Power Line Technology (PLT) equipment is required to meet the relevant regulations before it can be placed on the market. In particular, it must comply with the Electromagnetic Compatibility Regulations 2006 (the EMC Regulations) ... and any person who places such products on the market ... must ensure that the products comply and apply the ‘CE’ mark.

The Department for Business Enterprise and Regulatory Reform (BERR) is responsible for the EMC Regulations. Enforcement powers are delegated to local Trading Standards offices, and to Ofcom where there is a radio spectrum protection or management issue. Ofcom estimates there are around 500,000 pieces of PLT equipment in use in the UK. Ofcom have received around 84 individual complaints of interference attributed to PLT equipment. All of these complaints are in the process of being investigated or have been successfully resolved. Each complaint is investigated on its own merits. We do not believe an outright ban of all powerline adaptors is justified.

A lot of buck-passing with the end result that nothing happened. But not to let a roaring lion lie, the good people at UKQRM have submitted a second petition:
We the undersigned petition the Prime Minister to require the relevant regulatory authority namely Ofcom to take active and speedy measures to test samples of all makes and types of PLT device and to remove from the UK market all those devices where the sample is found to be non compliant with the requirements of the Electromagnetic Compatibility Regulations 2006. And to take all practicable and necessary steps to prevent anyone placing non compliant PLT devices on the UK market now and in the future.

Wireless Waffle believes that the spread of PLT devices is something which needs to be checked and that the more cage rattling that is done, the better the chances of some real action being taken.

If you are a UK radio user, listener or someone who depends upon the radio spectrum for your profession or livelihood in the UK, whether you are interested in short-wave or not, we would urge you to sign the petition. The slow march of PLT devices represents what will no doubt be the first of many attacks on the precious raw material which underpins so many UK jobs and with the credit crunch already hitting people's employment, anything which protects future generations has to be good.

Please go and sign the petition at http://petitions.number10.gov.uk/SaveShortwave2/ and add your name and voice to ensure that future voices will be able to hear each other!

Let nation (be able to continue to) speak peace unto nation... as someone once said.
Comtrend-ulations and Jubilations
Wednesday 1 April, 2009, 05:30
For some time, there has been software available on the internet which would allow anyone with enough brains and patience to hack into a 'WEP' encrypted WiFi link. 'WPA' encrypted links are more secure, but even they are open to hacking. The basic problem with such devices is that they transmit the data freely across the ether, and if a miscreant within range has the right equipment and software they can intercept the radio signal and decode it. Be sure, though, that it takes a lot of effort: someone would really have to be serious in order to bother having a go at WPA and WPA2.

But regardless of the encryption technology used, the key problem with any WiFi network is that the signal is purposefully transmitted over a wide area. Obviously running a direct wired connection between two points is much more secure. Surprise, therefore, may be expressed at the realisation that even the radiation from computer keyboards can be sufficient to allow 'snooping' on your computing activities from a distance.

Two Swiss scientists have proven that this can be done, even through a wall, despite the fact that the levels of radiation coming from the keyboard are very small indeed.

But what about the new PLT (power line telecoms) or BPL (broadband over power line) technologies? These devices send your precious data over electrical cables which, any number of studies have shown, leak the signal hither and thither, causing both radio interference over a wide area and opening up the opportunity for someone to intercept the signal.

Some PLT/BPL devices have been received at over 500 metres from the building in which they are installed, which is, in most cases, further away than it would be possible to receive an equivalent WiFi signal. Wireless Waffle therefore decided to follow in the footsteps of the aforementioned Swiss scientists and see whether or not it was possible to intercept and decode emissions from these devices, in order to try and ascertain how secure they are or aren't.

The devices which seem to send out the greatest signal are those manufactured by a company called Comtrend, which use the chipset from another company, DS2. The first thing to do, therefore, was to get hold of a Comtrend device and modify the circuitry to make a separate antenna input, rather than the device looking for the signal on the mains cable to which it is attached.

A suitable Comtrend device was purchased from the web's best known outlet of all things slightly dodgy, which was then dismantled to see where the signal input is. It turns out that the device sniffs the signal from the mains through a couple of high voltage capacitors. It is a straightforward job, therefore, to lift these capacitors from the circuit board and attach an alternative signal feed.

Making a wideband antenna capable of receiving the whole HF frequency range (2 - 28 MHz) used by these devices is not necessarily straightforward. However, a short whip (1m or so long) connected directly to the input of a high-impedance FET amplifier does a pretty good job and, whilst the response isn't necessarily flat across the HF range, it does a reasonable job of receiving something at all frequencies. And, let's face it, the frequency response of the mains cabling to which the devices are normally connected is not flat either, so a bit of loss here and there shouldn't be anything to worry about.

So, armed with an inverter (to provide the Comtrend device with 240V from the DC power outlet in a car which was felt easier than supplying it with the various DC voltages it needed), a laptop with which to connect to the modified device and a whip antenna, the intrepid Wireless Waffle team set off to see whether or not it is possible to intercept data being sent over electrical mains wiring and thereby spy on local internet activity.

The first test was to set up a couple of devices in a known configuration and then put the 'interception' kit inside the house in which the devices were installed. This gives the set-up the maximum possible chance of receiving the data, as the signal received on the antenna within the house is pretty much as strong as it is on the mains wiring itself!

Not surprisingly, in such an 'ideal' test set-up it was a piece of cake to read the data passing over the mains cabling.

Next, the interceptor was moved to a car parked outside the house with a suitably covert antenna placed secretly on the roof. Again, it was easy to receive and read the data being sent over the mains cabling. If it were me using these devices in my house, this is the point at which I would begin to realise that the devices are not even as secure as WiFi, and would get rather nervous. The car was then driven 100 metres away from the house under test whilst keeping the system turned on. At this distance, the signal from the house had fallen significantly (though it was still perfectly audible on a test receiver).

At this distance, the simple interceptor spy-tool-device struggled to read the signal; however, with some judicious placing of the receiving aerial, some of the data could be read. With such a simple set-up, not a great deal was really expected, however the tests proved PLT/BPL devices to be significantly less secure than WiFi, being easy to intercept at distances of up to 100 metres from a house in which they are installed using very simple equipment.

Unlike WiFi, however, it is not as easy to make a 2-way connection: whilst intercepting or spying on data is possible, completely hacking the connection and being able to use it, for example to connect to the internet or into a home network, is much more difficult. Generating enough transmitter power to put a strong signal on the internal mains wiring from 100 metres away would be no mean feat. That doesn't mean that it's not worth trying though...
