Improving the efficiency of detecting dangerous signals using the OSCOR device based on the mapping method and peak spectrum analysis.

Aleksey Konstantinovich Lobashev,
Candidate of Technical Sciences, Associate Professor
Information Security Training Center «Maskom», Moscow,

E-mail: lak@mascom.ru

The article is devoted to the capabilities of software and increasing the efficiency of using the OSCOR device in combating unauthorized interception devices introduced into protected facilities. An algorithm for implementing the peak signal measurement method in combination with the mapping method is considered. The article shows the possibilities of analyzing external radio signals based on the methods under consideration and determining their location.

The development of the new OPC OSCOR 5000E 5.0 software (hereinafter referred to as the software) has significantly «enriched» the capabilities of the device, primarily for detecting eavesdropping devices with complex spectral characteristics, including pulsed devices. At the same time, as accumulated domestic and foreign experience shows, rational and productive use of the device calls for the mapping method, which we consider very useful, together with the peak spectrum analysis function available in the OSCOR device (10). The method detects a dangerous signal by identifying, analyzing and comparing peak spectrum data at different points in the studied space. Recall that the peak spectrum function records the maximum level of the studied signal and is considered one of the most widely used in the theory of spectral analysis.

For scientific substantiation and confirmation of the correctness of the above-considered method of receiving peak signals, from our point of view, the general form of the equation that describes the decrease in the HF signal received by the receiver may be of interest. This dependence can be represented as follows:

Where:
Ptx — Transmit Power
Pr — Power at Receiver
R — Range (distance)
l — Wavelength of Transmission
La — Atmospheric Loss (Propagation Medium)

This mathematical model describes how the received power of a radio signal from a radiating source, spread over the surface area of a sphere, changes with the radius of the sphere, the absorption factors and the wavelength. It assumes a single source located in an ideal sphere. The equation shows that as the distance from the transmitter (R) increases, the power Pr (and, accordingly, the magnitude of the signal received by the receiver) decreases with the square of the distance. For example, if the distance from the transmitter doubles, the power (and, accordingly, the level of the received signal) decreases fourfold. Conversely, if the distance to the transmitter is halved, the level of the received signal quadruples. In an ideal open space this model «works» without distortion. However, in real surveys with the device (i.e., in an office environment), the dependence is «distorted» by complications, which include the following:

1. RF signal propagation through building structures causes energy loss. Metal will dramatically reduce (or completely block) the propagation of RF signal energy in a building. Concrete and brick also attenuate the RF signal, but the amount depends on the thickness of the material, the reinforcement and the base of the structure. Wood also provides some attenuation, but not as much as brick or concrete. Glass provides very little attenuation.

2. Metal structures such as reinforcement, door materials, furniture and other objects cause diffraction and scattering, which also leads to a «distortion» of the above formula. Therefore, when studying signals in a room, the OSCOR device should be placed in the center of the room and away from metal structures and metal objects that are part of the interior.

When using the peak function, the «method» of storing the recorded peak signal data is important. In OSCOR, the peak signal value is entered into the device's memory buffer and «tied» to the analyzed spectrum. As long as the frequency range of the spectrum being studied is not changed, the peak signal is «accumulated» and entered into the device's memory each time the analyzed frequency is passed. In other words, the peak value in OSCOR accumulates continuously until the memory buffer is cleared (manually erased), for example when moving to a new monitoring location.

In further analysis procedures, the maximum values of peak signals can be stored in the device data file and subsequently studied by the operator in «reference» to a specific frequency range and a specific location of the survey.

These new functional capabilities of the device in the field of peak spectrum analysis and, accordingly, analysis of dangerous signals are a significant step forward in conducting a survey and raise many different questions among users of the device regarding application tactics.

Let's consider the proposed method of using the OSCOR device on a specific example. The first thing to do when surveying an object is to measure and compare the values of the peak and friendly spectra. This procedure includes two steps:

Step one. Record the friendly spectrum (FS) at a distance of at least 800 m from the surveyed area (Fig. 1). Note that for reliable recording and to eliminate random radio interference, the friendly spectrum data must be recorded for at least 5 minutes.

Step two. Record the peak spectrum (PS) in the location under study (Fig. 2). These data should be recorded for at least 5 minutes. Recording the peak spectrum for a longer period increases the reliability of the recording for unstable signals (for example, in the case of cellular communications).

Then the PS and FS data values are compared and studied. The figures below show examples of FS and PS records (Fig. 3).

The friendly spectrum is shown in black (blue on the device screen), and the peak spectrum is shown in blue (red on the device screen). The spectra were recorded over a frequency range from 50 MHz to 1500 MHz.

The data presented in Fig. 3 show that, in general, the characteristics of the friendly and peak spectra are very close, and the differences are very weak. To identify the differences between the FS and PS, the operator must change the image scale. Fig. 4 shows a changed image scale, in which the frequency range under study is from 441 MHz to 568 MHz. Comparing the data in this figure, we can conclude that the recorded FS signals (recall that these are shown in black) are larger in magnitude than the PS signals (blue). This shows that no dangerous signals were noted in this frequency range.

Fig. 5 shows the results of recording the FS and PS signals in the frequency range of 680 MHz to 1030 MHz. In this range there are several signals where the value of the peak signals is greater than the friendly signals. In Fig. 5 these signals are identified and marked. The excess of peak signals was noted at frequencies of 771 MHz, 827 MHz, 914 MHz and 1013 MHz.

To study the sources of the registered signals further, let us consider the tactics of using the device with the proposed mapping method. Recall that the essence of this method is to take peak spectrum data at various points (within and outside the study area) and compare the obtained data. To implement this method, it is necessary to have a fairly detailed «map» of the study area (Fig. 6) indicating the north-south-east-west directions, on which the values of the peak signal are recorded at various points (in this example, at 4 points of the study area). In this case, the device was moved to each study point, and before each measurement of peak values the memory was cleared of previously recorded values. Let us consider an example of such an analysis for each of the four previously identified signals.

Let's consider the measured values of the peak signals (Fig. 7) at a frequency of 771 MHz at 4 different points (rooms). By changing the image scale, we can compare the levels of this signal in different rooms and see that room 1 has the highest signal level at the frequency under study (compared to rooms 2, 3 and 4). Therefore, referring to Fig. 6, we can assume that the source of the signal at a frequency of 771 MHz is located in room 1 or is emitted from a source located to the east of room 1. In this case, the signal may actually be emitted from the meeting room.
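The comparison and mapping steps described above can be sketched in code. This is an added example, not part of the original article or of the OSCOR software: the levels are constructed sample values in dBm, and the function names and the 3 dB margin are assumptions chosen for illustration.

```python
# Added example: constructed levels (dBm) at frequencies (MHz); not OSCOR output.
FRIENDLY = {500: -62.0, 734: -55.0, 771: -95.0, 1013: -94.0}
ROOM_SWEEPS = {  # several sweeps per room; the buffer starts empty for each room
    "room1": [{500: -66.0, 734: -57.0, 771: -52.0, 1013: -71.0},
              {500: -65.0, 734: -56.5, 771: -50.0, 1013: -69.0}],
    "room2": [{500: -64.0, 734: -56.0, 771: -70.0, 1013: -49.0},
              {500: -66.0, 734: -55.5, 771: -68.0, 1013: -47.0}],
    "room3": [{500: -65.0, 734: -57.0, 771: -78.0, 1013: -80.0},
              {500: -64.5, 734: -56.0, 771: -76.0, 1013: -78.0}],
    "room4": [{500: -66.0, 734: -57.5, 771: -82.0, 1013: -84.0},
              {500: -65.5, 734: -57.0, 771: -80.0, 1013: -83.0}],
}

def peak_hold(sweeps):
    """Keep the maximum level seen at each frequency across all sweeps."""
    peak = {}
    for sweep in sweeps:
        for freq, level in sweep.items():
            peak[freq] = max(level, peak.get(freq, float("-inf")))
    return peak

def flag_excess(friendly, peak, margin_db=3.0):
    """Frequencies whose peak exceeds the friendly level by more than margin_db.
    A frequency missing from the friendly record is always flagged.
    margin_db is an assumed noise allowance, not a value from the article."""
    return sorted(f for f, lvl in peak.items()
                  if f not in friendly or lvl - friendly[f] > margin_db)

def map_survey(friendly, room_sweeps, margin_db=3.0):
    """For every flagged frequency, rank rooms by peak level, strongest first."""
    room_peaks = {room: peak_hold(s) for room, s in room_sweeps.items()}
    flagged = set()
    for peak in room_peaks.values():
        flagged.update(flag_excess(friendly, peak, margin_db))
    return {f: sorted(((r, p[f]) for r, p in room_peaks.items() if f in p),
                      key=lambda rp: rp[1], reverse=True)
            for f in sorted(flagged)}

if __name__ == "__main__":
    for freq, ranking in map_survey(FRIENDLY, ROOM_SWEEPS).items():
        print(freq, "MHz:", ranking)
```

The strongest room is only a candidate location: in the article's 771 MHz case the probe locator found the source in the meeting room east of room 1, not in room 1 itself.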


Fig. 1. Placement of the device when recording a friendly spectrum


Fig. 2. Device placement when recording the peak spectrum


Fig. 3. Data of the friendly (black; blue on the device screen) and peak (light blue; red on the device screen) spectra, recorded as a result of the inspection of the object using the device

Fig. 4. Data of the signals of the friendly (black; blue on the device screen) and peak (blue; red on the device screen) spectra, recorded in the frequency range of 441 MHz to 568 MHz

Fig. 5. Data of detected signals in the frequency range of 680 MHz to 1030 MHz when studying the peak and friendly spectrum

Fig. 6. Research map and data of detected signals in four different rooms using the peak spectrum

Fig. 7. Data of detected signals at a frequency of 771 MHz in different rooms

Fig. 8. Data of detected signals at a frequency of 771 MHz in different rooms (including the meeting room)


Fig. 9. Data of detected signals at a frequency of 827 MHz in different rooms

To localize the transmitter, a survey with the OSCOR (using a probe locator, or OTL) was required. Since the source was not found in room 1 during localization, additional spectrum data (Fig. 8) were taken just east of room 1, in the meeting room. The probe locator survey located the source of the 771 MHz signal in the meeting room.

Let's consider the characteristics of the detected signal at a frequency of 827 MHz (Fig. 9). This signal lies in the frequency band of cell phones (800-900 MHz). The signals are random in frequency, time and location because cell phones operate, and therefore radiate, at random.

The detected signal at 914 MHz (Fig. 10) is a video signal with audio modulation. This can be identified by the characteristic shape of the signal, which has a wide «central frequency band» and lobes of the signal with audio modulation, located on different sides of the central frequency. As follows from Fig. 10, the magnitude of the signal received by the device can change when moving from room to room. At the same time, it follows from the figure that this signal is most significant in the 4th room and weakest in the 1st room. The conducted studies using the probe-locator determined the location of the source of the signal at 914 MHz in the 1st room.

Let us consider the characteristics of the signal at a frequency of 1013 MHz (Fig. 11). Judging by its shape (a wide central frequency band and diverging lobes of the audio spectrum), this signal is also a video signal. The highest level of this signal recorded by the device shows that the transmitter is located in the 2nd room. This was confirmed using a probe-locator.

From the point of view of the mapping methodology, it is of interest to analyze the signals received at 1013 MHz in the other rooms. The second-highest signal level was recorded in the 1st room. In the 3rd room, the received signal is less significant than in the 1st room. Since the 1st and 3rd rooms are equally distant from the 2nd room, a natural question arises as to why the signals recorded in the 1st and 3rd rooms differ. As the analysis shows, the main reason is the location of the doors of the 1st and 2nd rooms, which are in close proximity and were open during the survey, which led to an insignificant decrease in the signal. At the same time, the signal recorded in the 3rd room was attenuated fairly strongly by the wall between the 2nd and 3rd rooms. Thus, in the course of the above analysis, signals representing potential threats were studied.

Note that within this band (from 700 MHz to 1100 MHz), signals associated with television at a video signal frequency of 734 MHz (Fig. 12) and 795 MHz (Fig. 13) were recorded. During the survey, such signals may also be of interest from the point of view of studying the parameters of external radio signals using the mapping technique.

Let's look at the details of the TV signals detected by the device. Note that each signal consists of 3 parts: video, audio (the standard NTSC television format has an audio signal 4.5 MHz higher than the video signal) and a distinctive mark of the color video signal. This characteristic form of the TV signal can be easily identified by the operator. Based on the analysis of the recorded signals, we can make the following conclusions, useful for the operator, from our point of view.

1. Considering that the relative signal values for each room are approximately the same, it is most likely that the signals are emitted from one television tower.

2. Careful examination of the signal levels received from different rooms (the most significant signal was noted in the 2nd room) shows that the television tower is most likely located to the northwest of the survey site.



Fig. 11. Data of detected signals at a frequency of 1013 MHz in different rooms


Fig. 12. Data on detected television signals in different rooms at a frequency of 734 MHz


Fig. 13. Data of detected television signals in different rooms at a frequency of 795 MHz

Thus, consideration of this material allows us to re-evaluate the capabilities of the software and increase the efficiency of using the OSCOR device. This material provides a specific practical algorithm for implementing the method of measuring peak signals in combination with mapping. Identification of dangerous signals and the presented methodology for their study allows us to study their structure and determine their location. The article shows the possibilities of analyzing external radio signals based on the considered methodology, including the probable determination of their location. Finally, mathematical models of the received power of a radio signal are considered, taking into account the distance from the radiation source and the absorbing factors of the environment. We hope that this material will allow users of the OSCOR device to use it more effectively to solve complex search problems related to information security.

Literature
  1. CBI «MASKOM». Catalog 2009.
  2. Lobashev A.K., Losev L.S. Current status and tactical possibilities of using electromagnetic radiation indicators. // Special equipment. 2004. No. 6.
  3. Buzov G.A., Lobashev A.K., Shcherbakov D.A. Features of detection and identification of bugs using «OSCOR-5000». // Special equipment. 2005. No. 4.
  4. Buzov G.A., Lobashev A.K., Shcherbakov D.A. Application of «OSCOR-5000»: problems and solutions. // Information protection. Inside. 2005. No. 4.
  5. Buzov G.A., Lobashev A.K. Practice of application of universal technical means for prevention of acoustic information leakage from premises. // Special equipment. 2005. No. 5.
  6. Lobashev A.K. Modern software (OPC-5000 version 5.0) of OSCOR 5.0 device and its real capabilities. // Special equipment. 2008. No. 3-4. P. 34-42.
  7. Lobashev A.K. Differentiation of Search Approaches to Detection of Bug Devices by Security Services. // Information Security. Inside. 2006. No. 5.
  8. Lobashev A.K. Features of the OSCOR Device in Automatic Mode (Exchange of Experience). // Information Security. Inside. 2008. No. 1.
  9. Lobashev A.K. Information Protection from Leaks via Technical Channels MTspec. 2008. No. 4.
  10. Thomas H. Jones. RF Trace Analysis Primer. // REI General Manager. 2005. 21 June.
