20 January 1998: Add messages on locating receivers
17 January 1998
To: cypherpunks@toad.com
Subject: Locating radio receivers
Date: Sat, 17 Jan 1998 17:17:25 +0000
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>

Kay Ping wrote on 1998-01-16 22:02 UTC:

> Radio links are perfect for hiding the location of receivers.

Actually, this is only true for extremely carefully shielded military receivers and not for normal radios. Every receiver contains a local oscillator to bring the signal down to intermediate frequency (IF), which is emitting EM waves itself. In addition, the IF signal is emitted as well.

As Peter Wright reported in his autobiography [*], British counterintelligence (MI5) used vans and planes already in the 1950s to detect spies while they received radio communication messages from Moscow and to record which frequency bands the embassies were monitoring (operation RAFTER).

Efficient receiver detection is an active process: You send out short bursts of a wideband jamming signal and try to find the downtransformed intermediate frequency equivalent of your burst in the compromising emanations of the receiver. This way, you get not only the location of the receiver, but also the precise frequency to which it is tuned.

Locating radio receivers within a radius of many hundred meters this way was already state of the art in the spook community over 40 years ago, so you can safely assume that with digital signal processing, the performance parameters of modern systems have been increased significantly. Sending out spread-spectrum style pseudo-noise signals in the active probing bursts could give you in modern receiver detectors a considerable signal gain.

Markus

--
Markus G. Kuhn, Security Group, Computer Lab, Cambridge University, UK
email: mkuhn at acm.org, home page: <http://www.cl.cam.ac.uk/~mgk25/>

[* The Spycatchers]
From: Caspar Bowden <Caspar.Bowden@qualia.co.uk>
To: ukcrypto@maillist.ox.ac.uk
Subject: Top-secret encoder is stolen
Date: Sat, 17 Jan 1998 22:13:16 -0000

Anyone offered such an item by a man in a sheepskin jacket in a pub, kindly contact the MI5 freephone number.........

----------------------------------------------------------------------------

from http://www.the-times.co.uk/news/pages/Times/frontpage.html?1046120 [See Britain, News in Brief]

Top-secret encoder is stolen

A computer code encrypter for sending secret messages to the Prime Minister and the Security Services has been stolen from Whitehall. The machine was taken from the Cabinet Office, next to 10 Downing Street, despite the tight security in the area. Officers from Charing Cross police station are investigating. The machine is thought to be used to scramble and unscramble telephone calls from the Prime Minister, MI5, MI6 and friendly powers. It is also used to communicate in safety with Cabinet ministers when they are abroad.

--
Caspar Bowden - Director, Qualia Internet Consultants
41 Great Percy Street, London WC1X 9RA
Tel: +44(0)171 837 8706, Fax: +44(0)171 827 6534
Date: Tue, 20 Jan 1998 01:50:07 -0500
From: Dave Emery <die@die.com>
To: Eric Blossom <eb@comsec.com>
Cc: cypherpunks@toad.com
Subject: Re: Locating radio receivers

On Mon, Jan 19, 1998 at 01:55:55PM -0800, Eric Blossom wrote:
>
> Hi,
>
> I talked to some RF guys about the RAFTER attack about a year ago.
> Their opinion was that since modern receivers have GaAs FET mixers,
> they don't leak the LO or IF out the antenna like the old fashioned
> inductor based mixers did.
>
> This should be trivial to confirm with a spectrum analyzer.
>
> Eric

This varies a great deal. Generally cheap VHF/UHF scanners and the like radiate quite a bit of energy and can be easily seen on a spectrum analyzer at hundreds of feet (with no special effort). A good bit of energy escapes many scanners through the cheap and poorly shielded plastic case and power cords rather than leaving via the antenna, so even if a good broadband preamp is used between the antenna and the input of the scanner - which should effectively eliminate LO radiation from going out the antenna, because the preamp is going to have to have a great deal of loss for energy routed through it backwards (output to input) or it would be unstable and oscillate - the signals radiated from the radio itself and the power cord will give it away.

First local oscillator energy is the most easily seen radiation from scanners - IF radiation is much lower in level in most modern gear because of the very short lead lengths and comparatively low signal levels and good decoupling from the antenna - IF frequencies (save the first IF on many scanners) are low enough that the component leads don't act like a very good antenna because they are such a tiny fraction of a wavelength.

High grade military/spook class receivers are much better shielded, some in fact to TEMPEST level specs, and don't have the problems that most cheap scanners for hobbyists have. If used with a good preamp ahead of them they are very hard to detect if the shielding is intact and undamaged (which may or may not be the case for a unit that has been kicked around for years and carelessly repaired and modified). But a fair number of modern HF (2-30 MHz) communications receivers and transceivers use no or very little RF amplification before the first mixer in order to maximize dynamic range and third order intercept, and their 1st LOs (usually in the low VHF range) are not as well isolated from the antenna.

However, most modern receivers use synthesized local oscillators phase locked to a local crystal oscillator, and the LO is not as likely to be detectably modulated by the audio the receiver is receiving as was the case with the vacuum tube era communications receivers in the RAFTER era that used free running LC tuned oscillators. Power supply regulation and decoupling is much better in modern gear, and this combined with the use of phase locked synthesized oscillators means that while it may be possible to detect radiation from the receiver LO, it is not as easy to detect FM and AM sidebands coming from the receiver audio, which was the basis of a lot of RAFTER work.

But sensitive spectrum analyzers are available and not uncommon these days, so anyone who is trying to operate an undetected receiver for any serious purpose now has the tools to determine just how much his gear is radiating. Of course the detection gear has gotten better too, but careful shielding up to and including Faraday cages, use of good preamps and circulators and use of spectrum analyzers to check for stray radiation makes it less likely that someone will easily find a carefully hidden receiver than in the past.

But a plastic cased consumer grade scanner from Radio Shack may be detectable a half mile away... or more...

--
Dave Emery N1PRE, die@die.com DIE Consulting, Weston, Mass.
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18
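To see why the first-LO line Emery calls the easiest thing to spot, and the IF emanation Kuhn's active probing looks for, both give away a receiver's tuning, here is an added toy model (written for this page, not code from either message): an ideal multiplying mixer at constructed audio-range frequencies, with the receiver's IF assumed known. It shows the passive inference from a leaked LO line (f_LO - f_IF and f_LO + f_IF, i.e. the tuned channel and its image) and the active sweep, in which only probe tones at the tuned channel or its image are converted to energy at IF.

```python
import math

# Constructed toy scale (not real radio frequencies): all tones are bin-aligned,
# so a single-bin DFT gives exact amplitudes with no leakage between bins.
FS = 400_000.0   # sample rate, samples per second
N = 4000         # DFT length; one bin = FS / N = 100 Hz
F_IF = 10_000.0  # the receiver's IF (assumed known, e.g. from its service manual)


def tone(freq, amp=1.0):
    """Pure cosine of N samples at freq."""
    return [amp * math.cos(2 * math.pi * freq * k / FS) for k in range(N)]


def magnitude_at(sig, freq):
    """Cosine amplitude present in sig at freq (single-bin DFT, scaled)."""
    re = sum(x * math.cos(2 * math.pi * freq * k / FS) for k, x in enumerate(sig))
    im = sum(x * math.sin(2 * math.pi * freq * k / FS) for k, x in enumerate(sig))
    return 2.0 * math.hypot(re, im) / N


def mixer_output(rf_in, f_lo):
    """Ideal multiplying mixer: rf_in times the LO gives sum and difference products."""
    lo = tone(f_lo)
    return [x * y for x, y in zip(rf_in, lo)]


def tuned_candidates(f_lo_observed, f_if=F_IF):
    """Passive case: a leaked first-LO line plus a known IF pins the tuning down to
    two frequencies, the wanted channel and its image (f_LO - f_IF, f_LO + f_IF)."""
    return (f_lo_observed - f_if, f_lo_observed + f_if)


def probe_sweep(f_lo, probe_freqs, f_if=F_IF, threshold=0.25):
    """Active case as Kuhn describes it: step a narrowband probe across the band and
    see which probe frequencies the mixer converts into energy at IF. Returns those
    probe frequencies; only the tuned channel and its image light up."""
    hits = []
    for fp in probe_freqs:
        if magnitude_at(mixer_output(tone(fp), f_lo), f_if) > threshold:
            hits.append(fp)
    return hits


if __name__ == "__main__":
    f_lo = 55_000.0  # receiver tuned to 45 kHz with high-side LO injection
    print("passive: tuned channel or image =", tuned_candidates(f_lo))
    print("active:  probes converted to IF =", probe_sweep(f_lo, range(40_000, 70_001, 1_000)))
```

The image hit is the reason a single LO line leaves a two-way ambiguity; a real receiver's front-end filter, which the toy mixer omits, is what suppresses the image.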