Illegally operating transmitters. Search algorithms, equipment requirements.
Krivtsun Alexander Vitalievich,
chief specialist of
ZAO «Zashchity Group-UTTA»
In today's high-tech world, searching for radio channels of covert data collection devices is complicated by several factors. Firstly, developers of covert data collection devices are using increasingly complex methods and algorithms to conceal the radiation of their products. Special masking methods are also used at the stage of installing bugs, for example, a channel for collecting information is created taking into account the radiation of legal devices operating near the object that interfere with the operation of search equipment.
Secondly, the use of radio airwaves for organizing communications, transmitting data and control commands continues to increase; now almost the entire radio frequency spectrum is used for the operation of legal radio transmitters. This complicates the airwaves, especially in large cities. For example, in Moscow, in the range of up to 3000 MHz, depending on the area and reception conditions, over 4000 radio signals can be detected.
Before talking about the requirements for equipment for searching channels of illegally operating transmitters, let's briefly consider the methods of concealing their operation used in the development of such devices. Let's immediately note that at present it is much easier to make a digital transmitter using the modern element base of standard communication means than to design and debug an «analog» bug on a transistor with positive feedback. Therefore, modern and prospective requirements for complexes for searching illegally operating transmitters follow from the analysis of the capabilities of modern digital data transmission means. Thus, modern radio bugs can use the following methods of concealing the data transmission channel:
- methods of accumulating information and its discrete transmission over short intervals of time (up to several milliseconds);
- methods of accumulating information over a sufficiently long period of time with subsequent transmission at the appointed time or upon receipt of an external command;
- periodic or chaotic restructuring of the emission channel frequency;
- use of broadband signals, when the signal energy is distributed over a wide frequency band and the signal does not have a pronounced excess over noise;
- implementation of noise-like bugs that use special coding algorithms allowing stable reception of information with a negative signal-to-noise ratio at the location of the receiver;
- selection of the radiation frequency near strong sources of legal signals that overload the receiving paths of search equipment with insufficient dynamic range or are masked by the spectrum of the legal signal with insufficiently low phase noise of the radio paths of search complexes;
- masking as standard communication channels and/or operation of narrow-band emissions within the spectrum of legal broadband signals;
- use of standard communication channels such as GSM, CDMA, WiFi, Bluetooth.
The methods used can be combined with each other. For example, the use of signals with an ultra-wide band of occupied frequencies can be combined with the method of accumulation of information and its discrete transmission, etc.
By analyzing the above methods of hiding the data transmission channel, it is possible to determine the requirements for algorithms for searching for bugs.
Modern radio bugs that use methods of data accumulation and discrete transmission, frequency tuning and remote control can be reliably identified only by unmasking features in the amplitude-frequency-time space. No matter how complex the algorithms for hiding the data transmission channel are used in bugs, they still unmask themselves by a certain pattern (periodicity) of going on the air and/or using a limited frequency range (limited number of channels). These unmasking features of radio bugs are detected by the operator when performing a time analysis of the radio frequency spectrum. It is the frequency-time pattern that distinguishes bugs from random bursts of industrial noise in the air, which an inexperienced operator can mistake for a bug.
When searching for such radio bugs, we are not talking about their instant detection. For their reliable detection, radio monitoring is required for a long time: up to a day or more with subsequent analysis of all measured panoramas in the time plane in the spectrogram («waterfall») representation. Based on these considerations, requirements are imposed on the algorithms that must be implemented in the software of the complex.
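The frequency-time analysis described above, as an added example that is not code from the article or from any product it describes: each frequency bin of a constructed waterfall (one panorama per frame) is classified by the regularity of its on-air bursts, so that a bug with a fixed transmission period stands out from random industrial noise and from a continuously radiating legal carrier. The threshold, frame count and burst pattern are assumptions.

```python
# Added example: waterfall (frequency-time) analysis that flags bins whose
# bursts recur at a stable interval. Panorama data below is constructed.
from statistics import mean, pstdev

FRAMES = 60
PERIODIC_BURSTS = set(range(0, FRAMES, 10))   # bug on air every 10th frame
SPORADIC_BURSTS = {3, 7, 8, 25, 41}           # random industrial noise bursts

def make_waterfall():
    """waterfall[t][f] = level in dBm; 4 bins: bug, noise, carrier, quiet."""
    waterfall = []
    for t in range(FRAMES):
        row = [-100.0, -100.0, -50.0, -100.0]   # bin 2 is a legal carrier
        if t in PERIODIC_BURSTS:
            row[0] = -60.0
        if t in SPORADIC_BURSTS:
            row[1] = -65.0
        waterfall.append(row)
    return waterfall

def exceedances(column, threshold_db):
    """Frame indices where one frequency bin is above the threshold."""
    return [t for t, level in enumerate(column) if level > threshold_db]

def burst_starts(frames):
    """Collapse runs of consecutive above-threshold frames into burst starts."""
    starts, prev = [], None
    for t in frames:
        if prev is None or t != prev + 1:
            starts.append(t)
        prev = t
    return starts

def classify_bin(column, threshold_db, max_cv=0.15, min_bursts=3):
    """'periodic' if burst intervals are stable (low coefficient of variation),
    'continuous' if always on, 'sporadic' if irregular, 'quiet' if never on."""
    frames = exceedances(column, threshold_db)
    if len(frames) == len(column):
        return "continuous"
    starts = burst_starts(frames)
    if len(starts) < min_bursts:
        return "sporadic" if starts else "quiet"
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return "periodic" if pstdev(gaps) / mean(gaps) <= max_cv else "sporadic"

def find_periodic_emitters(waterfall, threshold_db):
    """Return {bin_index: mean burst interval in frames} for periodic bins."""
    result = {}
    for f in range(len(waterfall[0])):
        column = [row[f] for row in waterfall]
        if classify_bin(column, threshold_db) == "periodic":
            starts = burst_starts(exceedances(column, threshold_db))
            result[f] = mean([b - a for a, b in zip(starts, starts[1:])])
    return result
```

With a real complex the same logic runs over the saved panorama database, so the period only becomes visible once the monitoring run is long compared with the bug's transmission interval.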
Regarding the detection of ultra-wideband and noise-like bugs, we note the following: the method of their detection is based on the fact that in the near zone the signal/noise ratio even for such transmitters will be above zero, therefore an increase in the noise level in certain frequency ranges may indicate the operation of such means.
From this, we can formulate the requirements for the receiving equipment of radio monitoring systems: in order to track changes in the noise level against the background of strong signals, the receiving equipment must have good sensitivity and a wide dynamic range (at least 80-90 dB). The thesis that the dynamic range in radio monitoring systems is not so important, since the bugs in the near zone have a high signal power and therefore it is possible to use an attenuator, is unacceptable in the case of searching for ultra-wideband and noise-like signals. The situation when a legal means of communication operates together with a bug in the preselector band, the signal level of which exceeds the level of the bug by 70-90 dB, is currently not uncommon.
A difference of 70-90 dB corresponds to a very high signal level that can overload many radio receivers. If the signal exceeds the dynamic range of the receiving path, the signal panorama will display many false spurious and intermodulation products, which are extremely unstable in frequency, amplitude and time. Bitter experience with a number of radio monitoring systems on the market has shown that, although their stated dynamic range formally meets the search requirements, they are easily overloaded by a simple «Walkie-Talkie» type transmitter operating nearby. Naturally, with a large number of false signals, a high-quality search for bugs is out of the question.
To search for «smart» bugs that disguise themselves as legal signals, or for narrow-band signals that can hide within the spectrum of legal signals, the radio monitoring complex must provide means for detailed study of signal spectra with a resolution of a few hertz. Undoubtedly, the operator's experience and intuition are of decisive importance here. Nevertheless, the equipment and software of the complex must allow the operator to perform such tasks.
Finally, to detect radio bugs that use standard communication channels such as DECT, GSM, CDMA, WiFi and Bluetooth, in addition to identifying the operation of these transmitters by analyzing the corresponding frequency ranges, the radio monitoring complex must have additional network analysis tools that allow “foreign” MAC addresses or “foreign” subscriber devices to be identified in those networks where this is possible.
Summarizing the above reasoning, we can formulate the requirements for a modern and promising radio monitoring complex.
1. A modern radio monitoring system must have high-quality analog and digital signal processing paths so that the presence of extraneous powerful signals does not prevent it from detecting ultra-wideband and noise-like signals. In the tactical and technical characteristics of radio receiving equipment, compliance with these requirements is reflected in such characteristics as sensitivity and dynamic range. It is clear that with the development of technology, these characteristics will improve. At present, the characteristics of modern measuring receivers from Rohde & Schwarz can be taken as a starting point. For example, the most modern portable measuring receiver EM100 from Rohde & Schwarz has the following characteristics: sensitivity — not less than -160 dB (1 Hz) and a dynamic range of not less than 85 dB at a frequency of 1 GHz.
2. A modern radio monitoring complex must have sufficiently high-quality and multifunctional software, which must allow, at a minimum, to perform the following functions:
- perform round-the-clock radio monitoring of specified frequency ranges and save all results of panorama measurements for their subsequent time analysis;
- ensure analysis of the amplitude-frequency-time representation of radio monitoring results in real time and in delayed mode;
- allow detailed analysis of signal spectra with a resolution of a few hertz;
- additionally examine the emissions of standard open WiFi and Bluetooth communication channels for the presence of “foreign” subscriber stations.
In addition, the software should support search methods that have already become “traditional” and widely used in practice:
- the method of spaced antennas;
- the method of comparison with a reference panorama;
- use of a selective threshold line and formation of a list of signals that have exceeded the threshold line;
- detailed analysis of the characteristics of the spectra of received signals;
- automatic recording of phonograms and low-frequency analysis of the demodulated audio signal.
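The reference-panorama comparison and threshold-line methods listed above, together with the noise-floor check for wideband and noise-like bugs discussed earlier, as an added example that is not code from the article or its products: a threshold line is built as an envelope of the reference panorama (so legal signals stay below it), new narrow-band emissions above the line are listed, and a rise of the median level in each frequency window is reported as a possible wideband emission. Bin width, start frequency, margins and the panorama data are constructed assumptions.

```python
# Added example: reference panorama vs. current panorama with an adaptive
# threshold line and a noise-floor rise check. Data below is constructed.
from statistics import median

def make_panoramas():
    """40 bins of 25 kHz from 400 MHz; levels in dBm."""
    ref = [-100.0] * 40
    ref[5], ref[30] = -40.0, -55.0            # two legal carriers in reference
    cur = list(ref)
    cur[12] = -70.0                           # new narrow-band emission
    for i in range(20, 40):                   # wideband emission lifts floor 6 dB
        if i != 30:
            cur[i] += 6.0
    return ref, cur

def adaptive_threshold(reference, margin_db=6.0, halfwidth=2):
    """Threshold line = local maximum of the reference over neighbouring bins,
    lifted by a margin, so the envelope encloses the legal signals."""
    return [max(reference[max(0, i - halfwidth):i + halfwidth + 1]) + margin_db
            for i in range(len(reference))]

def signals_above_threshold(panorama, threshold, bin_width_khz, start_khz):
    """(frequency_khz, excess_db) for every bin exceeding the threshold line."""
    return [(start_khz + i * bin_width_khz, round(level - thr, 1))
            for i, (level, thr) in enumerate(zip(panorama, threshold))
            if level > thr]

def noise_floor_rise(reference, panorama, window, min_rise_db=3.0):
    """Windows whose median level (the floor, insensitive to a few carriers)
    rose versus the reference: (first_bin, rise_db)."""
    rises = []
    for start in range(0, len(panorama), window):
        ref = median(reference[start:start + window])
        cur = median(panorama[start:start + window])
        if cur - ref >= min_rise_db:
            rises.append((start, round(cur - ref, 1)))
    return rises

def inspect(reference, panorama, start_khz=400000, bin_width_khz=25):
    """Run both checks and return the findings an operator would review."""
    thr = adaptive_threshold(reference)
    return {
        "new_signals": signals_above_threshold(panorama, thr, bin_width_khz, start_khz),
        "floor_rises": noise_floor_rise(reference, panorama, window=20),
    }
```

Note that the raised floor does not appear in the narrow-band list because it stays under the margin; it is caught only by the median comparison, which is why both checks are needed.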
The recently much-advertised method of analyzing signals using a vector diagram in the current version of its implementation in radio monitoring systems seems to the author to be very uninformative, and therefore it was not included in the above list.
The functionality and ergonomic characteristics of the software are the most relevant today, since the search for modern radio bugs is, of course, an intellectual contest between the developer of such devices and the operator who searches for them. Software is the searcher's tool, and how functional and convenient it is largely determines the result of the work.
Turning to real radio bug search systems, it seems appropriate to introduce a wide audience to the latest representative of the new wave of radio monitoring technology — the «Cassandra M» system. Its developers were guided, first of all, by the reasoning above about threat models and requirements for promising radio monitoring systems.
Below are some technical and functional characteristics of the system:
| Parameter | Value |
| --- | --- |
| Frequency range | 5 kHz to 3 GHz, expandable to 6/12/18/20 GHz |
| Sensitivity | -158 dBm (1 Hz) |
| Dynamic range without attenuators | not less than 85 dB |
| Dynamic range with attenuators | not less than 125 dB |
| Scan speed | up to 1400 MHz/s at a bandwidth of 40 kHz |
| Bandwidths | from 8 Hz to 40 kHz |
| Number of antenna inputs | 4 in the range from 25 MHz and higher, for connecting antennas; 1 in the range from 5 kHz to 30 MHz, for connecting antennas or probes/slip testers for line testing without a converter |
| Tuner local oscillator phase noise at 10 kHz offset | 95 dBc/Hz |
| Intrinsic spurious signals, with a passband of 1 kHz and higher | none |
| Intrinsic spurious signals, with a bandwidth of 500 Hz | no more than 4 dB above the noise level |
| Power | 220 V mains; autonomous power supply for at least 2 hours |
| Overall dimensions | 270×240×55 mm |
The complex is supplied with the most advanced software from the «RadioInspectorSoft™» package, which allows:
- perform round-the-clock radio monitoring with saving all results of signal panorama and spectrum measurements in the database;
- use an additional scanning receiver for audio control of signals without interrupting the scanning process;
- control equipment over the network, including an additional scanning receiver and transmission of a demodulated audio signal over the network, which allows the radio monitoring complex to be brought as close as possible to the monitoring object and not to use main antenna paths, and the operator to be at a remote workstation;
- perform an analysis of the amplitude-frequency-time characteristics of individual signals, a group of signals or the entire radio frequency spectrum in delayed mode (for the entire monitoring period) and in real time;
- present measurement results for analysis in the form of panoramas, signal spectra, spectrograms («waterfall») in 2D and 3D modes;
- perform a study of the spectra and time parameters of individual signals and a group of signals with a resolution of up to 8 Hz;
- use methods of comparison with a reference panorama, methods of difference of panoramas received from different antennas, use a threshold line (including an adaptive threshold line enveloping the spectra of legal signals), generate lists of signals that have exceeded the threshold and collect statistical data for signals that have exceeded the threshold;
- perform monitoring of several frequency ranges or lists of fixed frequencies, generate tasks for performing monitoring, save and load tasks, continue recording in a previously created database of panoramas for the same monitored room;
- automatically and manually record a demodulated audio signal and analyze phonogram files;
- perform automatic testing of emissions to determine whether they belong to the class of analog television signals, including those with signal encoding;
- perform other standard functions for studying frequency ranges and measuring signal parameters, documenting work results: graphs of minimums, maximums and average values, marker and cursor measurements, scaling along the time and frequency axes, adapting the user interface to the operator, documenting graphic and symbolic information in text and graphic files, Microsoft Word® and Microsoft Excel®, generating various protocols.
Separately, it is necessary to dwell on the ability to continue recording in the old panorama database. This ability provides the operator with a tool that allows him to “see” changes in the radio frequency spectrum since the last inspection of the premises or inspection of technical equipment.
The operation of the Cassandra M radio monitoring complex can involve four programs from the RadioInspectorSoft™ software suite:
- RInspectorRT — performing radio monitoring, measurements and engineering analysis of emissions in real time;
- RInspectorRP — deferred expert analysis of the results of measurements of saved panoramas and signal spectra;
- RInspectorWiFiBt — analysis of WiFi and Bluetooth networks;
- IMasterDevice — conducting radio monitoring in remote access mode.
This set of programs allows for expert analysis of control results by a highly qualified expert without visiting the control object, storing objective radio monitoring data, using reports as an appendix to the conclusion, and using data during the next inspection of the object.
As for the advantages of the Cassandra M complex, not noted above, the most significant are the mass and size characteristics of the complex. As follows from the technical characteristics and as can be seen from the figure, the entire complex, including the computer, antennas and antenna cables fits into a laptop bag.
In this form, one of the most important conditions for the practical use of such complexes is fulfilled — the fact that a sweep is being carried out is not revealed.
Another important consequence of the small weight and size characteristics is the simplification of the procedure for localizing the radiation source on the controlled object. Without using long feeder lines, which are inconvenient when moving the antenna and introduce additional attenuation of the signal, it is possible to search for signs of the near signal zone by moving the autonomously operating complex.
The serially produced model of the complex was presented at the exhibition «Security Technologies 2010» and aroused keen interest among specialists.
Conclusion:
The radio monitoring complex «Cassandra M» continues the line of the most advanced and technologically mature solutions in the field of radio monitoring. The complex provides wide possibilities for detecting and identifying signal sources; working with it significantly improves the quality of tasks performed in detecting illegally operating transmitters, controlling the radio frequency spectrum and performing other work related to the study of radio signals.
Group of companies
«IKMC-1»
ZAO «Zashchity Group-UTTA»
Tel./fax: (495) 647-21-13; 788-77-32
107589, Moscow, Krasnoyarskaya st., 1, bldg. 1
http://detektor.ru
e-mail: stt@detektor.ru