25 June 1998
To: cypherpunks[at]cyberpass.net
Subject: cell phone COMINT
Date: Wed, 24 Jun 98 20:30:03 -0700
From: "Vladimir Z. Nuri" <vznuri[at]netcom.com>

------- Forwarded Message

Date: Wed, 24 Jun 1998 13:02:09 -0500
To: believer[at]telepath.com
From: believer[at]telepath.com
Subject: IP: "COMINT Goes to Cell Hell"

Source: Journal of Electronic Defense, June 1998 issue
http://www.jedefense.com (Registration is free)

COMINT Goes to Cell Hell
by Zachary Lum

Modern wireless communications - the cell phone especially - pose unique problems for military COMINT. (File photo)

Wireless communications may soon achieve everyday household status, worldwide. For the communications-intelligence (COMINT) trade, this could be one of the greatest boons born of the commercial telecommunications revolution. Or it could be one of the greatest banes. Or it could be both. Opinion seems to vary from expert to expert. Paradox and uncertainty are perhaps to be expected in the tumult of an information revolution, with its as yet unknown fallout for intelligence collection.

The mobile cellular telephone, the most widespread wireless system, is a crossover technology. It originated in the civilian mass-communications marketplace, but it is spreading inexorably to applications of interest to the national or military intelligence community: criminal and terrorist uses, battlefield C3 and strategic comms. Compared to the standard FM radio, the cellular radio (technically the more correct term for a cell "phone," since it broadcasts its signal through the air) is cheaper, easier to acquire and more difficult to monitor. That makes it a popular choice for criminal organizations in need of mobile communications, for instance, and a headache for the law-enforcement organizations conducting surveillance against them. As a form of general telephony, however, wireless media (and cellular communications systems in particular) are quite vulnerable when compared to old-fashioned telephone land lines.
The explosion in wireless networks has actually created a new and fertile frontier for COMINT exploitation. This frontier will only grow as new, digital cellular standards become commonplace, and as remote or underdeveloped parts of the world see rapid penetration by cellular and eventually satellite communications. Today, the world's airwaves are already crisscrossed with millions of conversations, ripe for the picking. Just a few years ago, many of these transmissions would have stayed snugly in insulated telephone wires. Had they done so, the world would not have been privy to the infamous "squidgey" tapes, the 1993 mobile-phone dalliance of Britain's Prince Charles and his mistress, which was intercepted, transcribed and published in the London tabloids. Neither would someone have been able to intercept and distribute the contents of a 1997 telephone conference held by US House Speaker Newt Gingrich.

Of course, there's COMINT and then there's COMINT. A cellular network can present different levels of difficulty, depending on the interceptor's objectives and the type of wireless system under scrutiny. The hobbyist interested in scanning the cellular frequencies in search of random conversations could probably find the necessary equipment at the local electronics mart. An NSA-type organization that intends to capture, track and sift through the entire cellular traffic of, say, a major urban area, in search of a particular target, faces very different equipment requirements - the kind that tend to be unpublishable in the open press.

THE ABCs OF CELLULAR

Fig. 1 A typical cellular communications network. COMINT is usually applied between the mobile station and the base station transmitter. (Thomson-CSF Communications photo)

The cellular telephone network consists of three basic components (see Figure 1): the mobile telephone switching office (MTSO), the base station system and the mobile station (the actual cellular "phone" unit).
The MTSO is the network's brain, the central computer that controls the hundreds of thousands of communications occurring within its service area (delineated by a cluster of base stations). The MTSO allocates frequency and power use among base stations and mobile units, and it switches calls within the cellular system and between the system and the public switched telephone network. Its databases contain subscriber location information and interface with other systems to identify and validate users attempting to access the network. The MTSO connects to its outlying base station systems through telephone lines.

Each base station system is itself a controller connected via wire interface to several cellular transmission sites, or cell sites. Basically a microwave transmitter/receiver with antennas mounted atop a steel tower, the base station cell site is the end of the line - as in telephone line - for the traveling signal. Communications between the cell site and the end user, the mobile unit, are high-frequency, low-power (100 W maximum), line-of-sight radio transmissions; cellular frequencies range between 824 and 960 MHz, depending on the system and the country. Each site is responsible for a designated area of geographic coverage, usually a radius of no more than 12.5 mi (the typical limit of a line-of-sight transmitter mounted on a 100-ft tower). These areas overlap, however, to provide continuous communications coverage across the service provider's entire domain.

In contrast to typical radio operation, then, where a central high-power transmitter broadcasts over a large territory, the cellular system parcels its territory into a series of small, interlocking "cells." Different cellular systems can in turn connect with each other to provide region- or even country-wide coverage, as is happening in the US today. One of the principal advantages of a cell-based layout is its ability to accommodate an ever growing number of users.
The US cellular standard, the Advanced Mobile Phone Service (AMPS), makes available some 660 different RF frequencies, or channels. The MTSO will assign each of its cell sites some subset of this total. In a densely populated urban area, however, the number of cell-phone users could easily exceed 660 at any given time. To handle the demand, the system must "reuse" frequencies within its pattern of cells. In areas of heavy phone traffic, the service provider will opt for smaller but more numerous cells, in effect increasing the number of channels available. The caveat to this strategy is that cells sharing the same frequencies must have enough geographic separation to prevent co-channel interference, which occurs when a mobile station simultaneously receives communications from two cell sites. The result is static or even the intrusion of another conversation. Frequency reuse is thus not possible in adjacent cells.

This fact sets the stage for the most athletic aspect of cellular operations: the "handoff." When a mobile phone is turned on, its transceiver surveys the different control channels (the MTSO reserves some of the cellular frequencies to transmit command, identification and location information), locks onto the cell site with the strongest signal and registers itself with that base station. Using a control message, which is essentially a frequency-modulated signal containing directive-laden data pulses, the MTSO will assign the phone one of the available voice channels at the cell site. As the mobile user moves from one cell to a neighboring cell, the MTSO detects the transition and hands the phone off to a new frequency within the new cell site.

HOW COMINT STACKS UP

AST's Model 235 is designed specifically for cellular DF.
(Applied Signal Technology photo)

The cellular system's frequency handoff characteristics, which might be termed "slow frequency hopping," and its specialized protocols for control, which create a kind of communications system within a communications system, establish it as a "fairly complicated communications system," said Brian Bedrosian, manager of narrowband communications at Applied Signal Technology (AST), "so you need a smart [COMINT] system as opposed to just sticking up an antenna and putting a regular receiver onto the problem."

Conducting COMINT against a cellular network invariably means targeting the "air interface," the airbound transmissions between the microwave towers and the roving phones. This is usually the only naked connection in the network (although not always), as well as the only segment of the system where it makes sense to perform intercept for the purposes of direction finding (DF). Intercepting the signal is not the hurdle in cellular COMINT, however, because most cellular networks in use today are analog systems, like the US AMPS and the UK TACS standards. Their transmissions are unextraordinary FM-type signals, which a commercially available scanning receiver, with some simple FM demodulating, could capture quite easily.

But interception alone does not even begin to solve the cellular COMINT challenge. The amateur electronic sleuth can buy a cheap receiver and listen randomly to the chatter that flits through it, but that receiver will not be able to follow any particular call as it moves from cell to cell, frequency to frequency. Such a tracking function requires an additional layer of sophistication, like canny demodulation techniques to decode the embedded control signals, thus revealing the handoff frequencies that the receivers must follow.
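The cell layout, channel reuse rule and strongest-signal handoff described under THE ABCs OF CELLULAR can be modelled in a few dozen lines, which makes the co-channel-interference caveat concrete. The following is an added example, not code from the article or from any vendor it names: the one-dimensional row of five sites, the 10 mi spacing, the path-loss constant and the 6 dB interference margin are assumptions chosen for illustration; the 660-channel pool and the 100 W transmitter are the figures the article gives. It generalizes the article's single "adjacent cells may not share a frequency" statement to a reuse factor that can be varied.

```python
"""Toy model of an AMPS-style cell layout: channel reuse, strongest-signal
registration and handoff. Constructed example; the geometry and the
path-loss model are assumptions, not figures from the article."""
import math

# Constructed corridor of five cell sites, positions in miles along one road.
# Real networks tile a plane with overlapping cells; a line keeps the
# neighbour relation obvious (adjacent entries are adjacent cells).
SITE_ORDER = ["A", "B", "C", "D", "E"]
SITE_POS = {"A": 0.0, "B": 10.0, "C": 20.0, "D": 30.0, "E": 40.0}

TOTAL_CHANNELS = 660      # AMPS channel count quoted in the article
TX_DBM = 50.0             # 100 W maximum per the article, expressed in dBm
PATH_LOSS_REF_DB = 60.0   # assumed fixed loss at 1 mile; only relative values matter


def neighbours(site):
    """Cells adjacent to `site` (one on each side in this 1-D layout)."""
    i = SITE_ORDER.index(site)
    return {SITE_ORDER[j] for j in (i - 1, i + 1) if 0 <= j < len(SITE_ORDER)}


def assign_channels(channels_per_cell, reuse_factor):
    """Split the channel pool into `reuse_factor` disjoint groups and hand the
    groups to cells round-robin, so cells `reuse_factor` apart share a group.
    Returns {site: set of channel numbers}."""
    groups = [set(range(g, TOTAL_CHANNELS, reuse_factor)) for g in range(reuse_factor)]
    return {site: set(sorted(groups[i % reuse_factor])[:channels_per_cell])
            for i, site in enumerate(SITE_ORDER)}


def reuse_conflicts(plan):
    """Channels shared by adjacent cells, which the article says is not allowed.
    Each violation is reported once as (site, neighbour, channel)."""
    return [(s, nb, ch)
            for s in SITE_ORDER for nb in sorted(neighbours(s)) if s < nb
            for ch in sorted(plan[s] & plan[nb])]


def rx_power_dbm(site, x):
    """Received power at position x from `site`, with 20 dB/decade distance loss."""
    dist = max(abs(SITE_POS[site] - x), 0.1)   # clamp to avoid log(0) at the tower
    return TX_DBM - PATH_LOSS_REF_DB - 20.0 * math.log10(dist)


def strongest_site(x):
    """The cell a freshly powered-on mobile at x would register with."""
    return max(SITE_ORDER, key=lambda s: rx_power_dbm(s, x))


def drive(positions):
    """Follow a mobile through `positions`; return handoffs as (x, old, new)."""
    events = []
    serving = strongest_site(positions[0])
    for x in positions[1:]:
        best = strongest_site(x)
        if best != serving:
            events.append((x, serving, best))
            serving = best
    return events


def cochannel_sources(plan, x, channel, margin_db=6.0):
    """Sites transmitting on `channel` that reach x within `margin_db` of the
    strongest one. More than one entry means the mobile hears two cells on the
    same frequency: the co-channel interference the article describes."""
    sites = [s for s in SITE_ORDER if channel in plan[s]]
    power = {s: rx_power_dbm(s, x) for s in sites}
    best = max(power.values())
    return sorted(s for s in sites if best - power[s] <= margin_db)


if __name__ == "__main__":
    naive = assign_channels(100, reuse_factor=1)    # every cell gets channels 0..99
    spaced = assign_channels(100, reuse_factor=3)   # adjacent cells get disjoint groups
    print("adjacent-cell conflicts, reuse 1:", len(reuse_conflicts(naive)))
    print("adjacent-cell conflicts, reuse 3:", len(reuse_conflicts(spaced)))
    print("handoffs along the road:", drive([0.0, 4.0, 8.0, 12.0, 16.0, 24.0]))
    print("cells heard on channel 0 at 4.9 mi, reuse 1:", cochannel_sources(naive, 4.9, 0))
    print("cells heard on channel 0 at 4.9 mi, reuse 3:", cochannel_sources(spaced, 4.9, 0))
```

With reuse factor 1 every adjacent pair shares all 100 channels and a mobile near the cell edge (4.9 mi from A, 5.1 mi from B) hears both sites on channel 0 at nearly equal power; with reuse factor 3 the adjacent cells are disjoint, the same mobile hears only A, and the next user of channel 0 is site D, 25 mi away. The `drive` function also shows why a simple scanner loses a call: the serving cell, and hence the voice channel, changes at 8 mi and again at 16 mi.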
With a cell phone, a computer, a few dollars' worth of parts and some technical savvy, the individual tinkerer can indeed construct a device that will track another cell phone, said Jim Atkinson of the Granite Island Group (Gloucester, MA), a COMINT consulting firm and subsystems supplier. Atkinson, a former communications engineer with the Defense Intelligence Agency, described encounters with cellular intercept systems "that were literally a telephone... turned it into what's called a 'vampire'... Every time the target's phone would ring or he'd use his phone, it would automatically lock onto it and start a recorder going. And [the engineers] were just using a phone [with] about $50 worth of extra circuitry on it, and it's a piece of cake."

In basic terms, tracking requires two receivers: one to pick up the audio, the other to divert the part of the audio path containing the control signals, probably through the use of a frequency-shift demodulator. What's all the rage with today's cellular pirates, Atkinson continued, is modifying the cellular modem of a PCMCIA card with a slight, downward frequency shift below the voice channel, and into the audio range of the control tones. The software for doing this is available on the internet. Plugged into a laptop, the device will scroll handoff data, control codes and security information right across the screen, while the modem digitizes the audio and stores it in the hard drive. "They don't even need a tape recorder anymore," he said, "just a hard drive with a couple of gigs."

A few steps up the technology ladder are the actual name-brand manufacturers of COMINT equipment. The marketplace is replete with systems touted for cellular intercept, monitoring and DF. To some degree, the commercial boom in cellular communications has helped widen the field of anticellular intelligence-product suppliers.
Joining the ranks of the established military COMINT houses (the ASTs, Rockwells, Rohdes, Thomsons, Marconis, Rafaels, Watkins-Johnsons and so on) are a number of peripheral manufacturers - companies like Bartec, of Hollywood, CA; DTC Communications, of Nashua, NH; and GCOM Technologies, based in Ireland - who target subtactical users, like law-enforcement agencies and telecommunications-service providers. Taking advantage of commercial software and signal-processing technologies, these companies generally produce briefcase-sized systems that can monitor several channels and track a couple of calls simultaneously. The New York-based Law Enforcement Equipment Corp., for instance, advertises a Cellular Telephone Monitoring System that monitors 19 channels and tracks three telephone conversations simultaneously. Electronic Countermeasures Inc., a Canadian firm, offers the Cellular Analysis System 8000, a PC-controlled, attaché-case-based system that can employ up to 24 receivers to monitor AMPS and D-AMPS (a new, digital version of the old standard) voice and control channels.

For the customer with more robust intelligence requirements, the military contractors mentioned above produce the high end of cellular COMINT. A good example is AST's standard product, the Model 1235 Multi-Channel Digital Receiving System. The 1235 is armed with 60 independent digital receivers, each of which can switch among FM demodulation (analog voice signals), FSK demodulation (control data signals) and other modes as needed. Using twin Texas Instruments digital signal processors (DSPs), the system performs all its processing "in software," a flexibility necessary for handling new cellular standards as they come on line. Being digital, these receivers are naturally adept at retuning to track cellular signals on frequency handoffs.

NEW WRINKLES

Intercepting and monitoring cellular and PCS communications is a serious internal-security concern for many governments.
A number of small SIGINT aircraft, like this F406 Vigilant, are oriented toward this threat. (Thomson-CSF Communications photo)

In this big league of cellular intercept and DF, known euphemistically as "national-level" intelligence, where some systems are monitoring hundreds of channels over a radius of maybe 200 miles, COMINT operators are encountering some challenges they haven't seen before. The first is sheer volume. Wartime operators may complain about the dense communications environment on the battlefield, but they haven't seen anything until they've encountered a large city networked for cellular communications. The technology has proliferated across the globe, to the extent that it is more economical to list the countries that lack wireless standards than the ones that have them. There are more than 50 million cell phones in use in the US alone. Even so, Finland, Australia and Japan rank ahead of the US in terms of cellular phone usage as a percentage of total population. Finding and picking out the signals of interest, whether they originate with a local drug lord or a foreign government minister, can be quite problematic, since the targets all use the same Motorola, Ericsson or Nokia cell phones, and their conversations all find their way into the telephonic cacophony of these enormous civilian networks.

The problem is exacerbated by the phenomenon of co-channel interference, which was defined earlier. For example, an airborne SIGINT platform orbiting a city and monitoring its cellular traffic will receive the transmissions from the various base stations at roughly equal power. Since the frequency reuse principle is at play among the transmit sites, the SIGINT collector will be inundated with multiple signals at each frequency, which complicates both monitoring and DF. Fortunately, some COMINT companies have already made headway in combating this obstacle.
AST is marketing several products that feature adaptive beamforming and "interference cancellation" on mobile radio control and traffic channels. Israel's Rafael Electronic Systems Division has introduced a super-resolution DF system that, while not explicitly claiming a cellular orientation, emphasizes immunity to co-channel interference as a selling point.

GETTING "DIGI" WITH IT

Fig. 2 One proposed technique for monitoring digital wireless networks is to create a "virtual" base station, spoofing the mobile users. (Thomson-CSF Communications photo)

Traditional cellular communications may throw a few new twists into COMINT operations, but what truly fills the intelligence professional with dread is the advent of digital wireless communications. Digital cellular phone standards are already in place in the US (Digital AMPS, which is actually backward-compatible with the analog AMPS), Western Europe (GSM, or Global System for Mobile Communications) and Japan (NTT). They are more properly characterized as personal communications systems (PCSs), since they can also perform paging and data transmission. Although they operate in the same basic frequency ranges as traditional cellular phones, digital wireless systems use much more complex signals and usually have built-in security features, like encryption.

The three existing digital standards are Time Division Multiple Access systems, which means they squeeze three conversations onto the same channel that one analog call used to occupy, by transmitting them in sequence in time. This makes the COMINT system's job three times as hard. Another digital standard, Code Division Multiple Access, would add to network capacity by using spread-spectrum techniques, which are also inherently low-probability-of-detection techniques. In fact, few communications techniques are as inimical to the COMINT profession as spread spectrum.
To date, COMINT suppliers have yet to find an adequate solution to digital wireless communications, although these protocols are the ones for which customers are clamoring with increasing insistency. For instance, Zeta's ZS-2015 integrated COMINT/DF workstation, which flies aboard the Swiss Pilatus PC-12 turboprop reconnaissance aircraft and a King Air-based reconnaissance bird for an undisclosed South American customer, can intercept and DF PCS-type signals, but not monitor them. Responding to the strident demand for anti-PCS COMINT in the regions in which it has marketed, the company is currently working on an upgrade that will allow the system to correlate the data or encrypted voice into a text message as it pursues the call from cell to cell (see "Airborne Surveillance, Big and Small" in the December 1997 JED).

Thomson-CSF Communications, meanwhile, has devised an interesting concept for intercepting and monitoring encrypted GSM-type signals. Using the publicly available GSM protocols, the company would build a "virtual" base station, carried in a van perhaps, which could insinuate itself into the cell system, preempting and capturing the communications of nearby mobile units. Having taken control of the units, the system could then instruct them to turn off their cipher modes (Figure 2).

DON'T BELIEVE THE HYPE?

"Handoff" and frequency reuse make the cellular signal more elusive than regular FM tactical radio. (Thomson-CSF Communications photo)

Is the digital threat really as menacing as the EW alarmists have proclaimed? Some have scoffed at the notion that anything emerging from the civilian world should be cause for distress. As seen by Atkinson, "It is actually easier today than it has ever been to intercept cellular telephone communications. And it doesn't matter if it's PCS, if it's GSM or if it's just ordinary analog cellular telephone, or digital. It's incredibly simple.
You just have to have the right equipment to do it, and you have to have a technical person who knows what they're doing to put the whole system together."

What about encryption? According to Atkinson, "there's a difference between encryption and randomization. Most of the phones out there that claim to be digitally encrypted are actually randomized with a known algorithm... There's very few real encryption devices out there." The same holds true for commercial spread spectrum. What commercial phones advertise as spread spectrum is actually a form of scrambling, a pseudorandom code that many users might share, "so it's obscenely easy to monitor," he said. The basic rule of thumb, according to this tack, is that "it's impossible to build good security into anything that's cheap."

Of course, it may not be long before military users begin introducing wireless nets with STU-style encryption, true spread spectrum and other "expensive" security features. Then no one will laugh at the COMINT world's worries.

-----------------------
NOTE: In accordance with Title 17 U.S.C. section 107, this material is distributed without profit or payment to those who have expressed a prior interest in receiving this information for non-profit research and educational purposes only.
-----------------------

To subscribe or unsubscribe, email: majordomo[at]majordomo.pobox.com with the message: (un)subscribe ignition-point email[at]address
www.telepath.com/believer

------- End of Forwarded Message
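Atkinson's distinction in the forwarded article between "randomization with a known algorithm" and encryption is worth seeing in code, because the two look identical on the air (both XOR voice data with a pseudorandom stream) and differ only in whether a secret is involved. The block below is an added illustration, not code from the article, from Atkinson or from any phone standard: the 16-bit LFSR taps, the "standard" seed and the demo key are assumptions. A scrambler whose sequence is fixed by the published standard is undone by any receiver built to that standard; a keystream derived from a per-subscriber key is not.

```python
"""Randomization with a published sequence versus keyed encryption.
Constructed illustration of the distinction Atkinson draws in the article;
the LFSR taps, the 'standard' seed and the demo key are assumptions."""
import hashlib
import hmac

# A 16-bit Fibonacci LFSR. In a "randomized" system the taps and seed are
# part of the published air-interface standard, so every receiver built to
# the standard can regenerate the sequence. (Taps and seed are assumptions.)
LFSR_TAPS = (0, 2, 3, 5)
STANDARD_SEED = 0xACE1   # assumed value "printed in the standard"; must be nonzero

# Constructed per-subscriber secret for the keyed variant.
DEMO_KEY = hashlib.sha256(b"per-subscriber secret (constructed)").digest()


def lfsr_keystream(seed, nbytes, taps=LFSR_TAPS):
    """Generate nbytes of pseudorandom bytes from a 16-bit LFSR state."""
    state = seed & 0xFFFF
    if state == 0:
        raise ValueError("an all-zero LFSR state never changes")
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            out_bit = state & 1
            feedback = 0
            for t in taps:
                feedback ^= (state >> t) & 1
            state = (state >> 1) | (feedback << 15)
            byte = (byte << 1) | out_bit
        out.append(byte)
    return bytes(out)


def xor_bytes(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def scramble(frame):
    """'Randomize' a frame with the standard's fixed sequence. No key is
    involved, so scramble() is its own inverse and offers no confidentiality."""
    return xor_bytes(frame, lfsr_keystream(STANDARD_SEED, len(frame)))


def keyed_keystream(key, nbytes):
    """Keystream derived from a secret key with HMAC-SHA256 in counter mode.
    Illustration only: a deployable design would also mix in a per-call nonce
    so the same keystream is never reused for two frames."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def encrypt(frame, key):
    """Encrypt a frame under `key`; decryption is the same call with the same key."""
    return xor_bytes(frame, keyed_keystream(key, len(frame)))


def standard_receiver(frame):
    """What a receiver built purely from the published standard recovers: it
    undoes the scrambler but gets only noise from a keyed cipher."""
    return scramble(frame)


if __name__ == "__main__":
    frame = b"voice frame 0017"                          # constructed sample payload
    print(standard_receiver(scramble(frame)))            # recovered: the standard is the "key"
    print(standard_receiver(encrypt(frame, DEMO_KEY)))   # not recovered
    print(encrypt(encrypt(frame, DEMO_KEY), DEMO_KEY))   # recovered only with the key
```

The point the example makes is the one in the article's last quotation: the scrambler's security rests entirely on the sequence being unknown, and a sequence that ships in every handset built to the standard is not unknown. Whether a given phone's "digital encryption" is of the first kind or the second is a question to ask of its specification, not of its marketing.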