302 lines
18 KiB
Plaintext
302 lines
18 KiB
Plaintext
--------------------------------------------------------------------------
|
||
|
||
How to Monitor Microwave Telecommunication Links
|
||
(Telephone Channels) With an Ordinary TVRO
|
||
|
||
Transcribed to the electronic media for you by Thallion of WUFO MCMXCIV.
|
||
|
||
--------------------------------------------------------------------------
|
||
|
||
Now that Congress has decided to patch a massive hole in the
|
||
security of U.S. Communications, with a law that neither requires nor
|
||
encourages carriers to increase security, I thought I would re-post an
|
||
article I wrote a year ago about a major aspect of the problem. By doing so
|
||
I hope to remind everyone that, even with draconian laws in place, it is
|
||
still very easy to intercept many regular telephone calls and circuits:
|
||
Nothing in the Electronic Communications Privacy Act of 1986 requires or
|
||
even particularly encourages carriers to increase the security of radio or
|
||
satellite links. In short, listeners who get caught can be punished, but
|
||
nothing anti-Constitutional has been done to make listening any harder.
|
||
|
||
The kinds of interception I describe here are illegal under the new
|
||
law, but the equipment required is very widely available and has legitimate
|
||
use which make a ban on sale or possession very unlikely. The act of
|
||
interception could be carried out in total secrecy and would be nearly
|
||
impossible to detect from a distance. Plus, the Justice Department has
|
||
stated that it does not intend to vigorously enforce the radio portions of
|
||
the Law, most of which are generally regarded as unenforceable (even by the
|
||
Bill's sponsors). So the Law, while fairly severe, really won't have much
|
||
of a deterrent effect on even the most casual eavesdroppers. And casual
|
||
listeners are not the real problem, anyway.
|
||
|
||
Yes it is possible and not very difficult: Some years ago it was
|
||
pointed out that 68% of all long distance trunks were carried by
|
||
ground-based microwave. And while long distance carriers have been working
|
||
(under some pressure from the NSA and the White House) to convert these
|
||
circuits to optical fibers, or at least coaxial cable, there are still many
|
||
routes that use microwave or satellite "hops." I don't know an exact
|
||
figure, but I think it would be reasonable to guess that at least 40% - 50%
|
||
of all long distance trunks include a micro wave or satellite hop.
|
||
|
||
Approximately 75% of all long haul microwave relays use the 3.7 -
|
||
4.2 GHz band, which is readily receivable by a TVRO.
|
||
|
||
Most long haul microwave systems use FM modulation and frequency
|
||
division multiplexing (FDM) of single sideband suppressed carrier voice
|
||
channels. Some satellite systems also use this modulation. Unfortunately,
|
||
FM/FDM/SSB is quite easy to receive with simple and widely available
|
||
equipment. Recovering the activity of a specific channel is very easy,
|
||
which opens up the possibility of monitoring random phone calls to a
|
||
specific group of destinations, or monitoring specific private line data or
|
||
voice circuits (which are assigned to a multiplex slot for long periods of
|
||
time).
|
||
|
||
The question of whether a TVRO could be used to monitor phone
|
||
conversations has been raised: The answer is, with the addition of a
|
||
stable, general coverage, single sideband receiver (such as an ICOM R71, or
|
||
a KENWOOD R2000, or the receiver section of a modem transceiver) connected
|
||
to unfiltered and unclamped video outputs (provided for connecting stereo
|
||
adapters and descramblers), a TVRO can be used to listen to FM-FDM
|
||
multiplexed telephone signals from both celestial and ground-based sources.
|
||
|
||
Further, with a stable down-block converter that converts to the
|
||
UHF-TV band and one of the scanner type receivers designed to cover this
|
||
band, one may also receive some of the Single Channel Per Carrier (SCPC)
|
||
signals that carry telephone circuits to more remote places, along with
|
||
network radio feds, Muzak and various broadcast data services, such as the
|
||
AP and UPI news services. (Some signals are dithered and require some form
|
||
of closed loop AFC to receive them.) This vulnerability has been known to
|
||
telecommunications security specialists for many years. But as the number
|
||
of TVRO systems has increased to well over two million, the problem assumes
|
||
a somewhat different perspective: In 1976, Mitre (the Mitre Corporation)
|
||
estimated that it would cost $50,000.00+ to intercept microwave telephone
|
||
calls, and would require a 10' dish.
|
||
|
||
In that era, a 10' dish would attract much attention. Today,
|
||
however, anyone can buy a TVRO system with a 75k LNA and an 8' - 12' dish
|
||
for S1,000 - $1,500. And almost nobody would give the system a second
|
||
glance, because TVROs have become quite commonplace. A 751 LNA beats the 10
|
||
- 12 db receiver noise figure that the Mitre Corporation based its
|
||
calculation on by a substantial margin. And the current generation of
|
||
computer controllable, general coverage SSB receivers are much more cost
|
||
effective de-multiplexing devices than are the synthesizer and selective
|
||
voltmeter which seemed necessary back in 1976.
|
||
|
||
The existence of these millions of receivers, which can pick up
|
||
both celestial and ground-based telephone signals, means one should not
|
||
ever presume that a long distance telephone call is private. More
|
||
important, because they are much easier to find in FDM complexes, one
|
||
should not assume that a private leased line is secure unless the long
|
||
distance carrier has specially routed it via lightwave (much more secure)
|
||
or coaxial cable (only somewhat more secure) for its entire path.
|
||
|
||
(Obviously, conventional wiretaps must also be considered if there
|
||
is reason to believe that some individual or organization has sufficient
|
||
interest in your communications to risk imposing a physical tap on a
|
||
telephone line.)
|
||
|
||
MULTI-CHANNEL SYSTEMS
|
||
|
||
1: FDMA/PSK/DMA/PCM: Used on a number of transponders on 4 and 12 GHz
|
||
satellites. Heavily used by private business for tie lines and other
|
||
leased line services. Sometimes mixed with data. Quite secure if
|
||
encrypted. Not easily intercepted by private individuals.
|
||
|
||
2: TDMA/PSK/TDM/PCM: Used on SBS (12 GHz) satellites as the principal
|
||
accessing technique. Therefore, SBS Skyline services and some MCI
|
||
services (both are now owned by IBM) are protected with this technique.
|
||
Also used on some 4 GHz transponders. Very difficult for private
|
||
individuals to intercept, even if un-encrypted. Some circuits are
|
||
encrypted, some are not. TDMA is believed to be the heavy-use satellite
|
||
access technique of the future, as it offers very efficient use of
|
||
transponder power and dynamic allocation of system capacity to those
|
||
links which are currently active. When combined with encryption, it is
|
||
quite secure.
|
||
|
||
3: FDMA/FM/FDM/SSB: Standard modulation used on almost all terrestrial
|
||
long-haul telephone microwave circuits. Used on several 4 GHz DOMSAT
|
||
transponders and most older multi-channel INTELSAT links. Wideband
|
||
FM/FDM signals may be readily received by standard TVRO receivers, and
|
||
an individual channel may easily be picked out of the multiplex signal
|
||
with a garden variety, general coverage SSB communications receiver.
|
||
Very easy for private individuals to intercept.
|
||
|
||
SINGLE CHANNEL SYSTEMS
|
||
|
||
5: FDMA/FM: (Also known as SCPC/FM) Single Channel Per Carrier is used to
|
||
transmit one single FM telephone channel between two points. A
|
||
transponder carries many such FM carriers at one time. Frequencies used
|
||
are often coordinated by a central station when the call is set up, and
|
||
may be used only for the duration of the call. This technique is used
|
||
for communications with remote places that rarely need more than a few
|
||
circuits at once. May be intercepted by a wide band scanner connected to
|
||
a very stable block down-converter. Easy for private individuals to
|
||
intercept.
|
||
|
||
6: FDMA/PCM: (Also known as SCPC/PCM, or SPADE) This technique is the
|
||
international standard INTELSAT method of establishing telephone
|
||
connections between places which do not have sufficient traffic to
|
||
warrant permanently assigned FDM trunks. Each direction of each
|
||
telephone call is assigned a channel by the central control station.
|
||
These stations transmit a PSK keyed carrier on that channel for the
|
||
duration of the call. Each carrier contains one 9 KHz sampled PCM
|
||
bitstream, along with some error correction and synchronizing bits. As
|
||
far as I know, encryption is not used. The signal may be intercepted by
|
||
a sophisticated individual. But intercepting it requires a rather large
|
||
dish, because the effective radiated power per carrier is very much less
|
||
than DOMSAT carriers use. A few domestic SATCOM SCPC users use PCM,
|
||
probably with some form of encryption. Hard for a private individual to
|
||
intercept.
|
||
|
||
7: FM/FDM-FM: (Subcarriers on video feeds) As most TVRO owners discover,
|
||
many video feeds contain additional subcarriers which many unrelated or
|
||
tangentially related material. Included among these are cue and
|
||
coordination channels which may occasionally carry telephone-like
|
||
conversations. There are no regular telephone circuits in video
|
||
subcarriers, however. These subcarriers are extremely easy to intercept,
|
||
as most TVROs have tunable audio demodulation.
|
||
|
||
ON FM/FDM/SSB
|
||
|
||
All it takes to recover FM/FDM/SSB signals is a suitable wideband
|
||
FM receiver connected to a stable, general coverage SSB receiver which
|
||
tunes the frequency range used for the baseband. TVRO receivers have the
|
||
correct bandwidth for many such signals. They often incorporate provisions
|
||
for IF filters, which may be used to better adapt receivers to the narrow
|
||
band signals found on some transponders. Modem general coverage SSB
|
||
receivers, transceiver sections with synthesized tuning, digital frequency
|
||
display and narrow IF filters are well suited to recovering the audio on a
|
||
particular channel.
|
||
|
||
Listening to FM/FDM/SSB signals may be accomplished by tuning the
|
||
TVRO receiver to either a satellite transponder that carries an FM/FDM/SSB
|
||
signal (which may involve restricting the IF bandwidth with a filter,
|
||
because some transponders carry more than one FDM/FM signal, or by pointing
|
||
the antenna at a nearby terrestrial microwave transmitter and tuning the
|
||
receiver for maximum signal.
|
||
|
||
Once the FDM/FM signal has been tuned in, the SSB receiver may be
|
||
used to search the baseband (typically .3 MHz to 6 or 8 MHz) for telephone
|
||
conversations, data transmissions and other private line circuits.
|
||
Individual channels will appear as USB or LSB signals at precise 4 KHz
|
||
intervals. In fact, the whole baseband is organize,d into 12 channel
|
||
groups, 60 channel subgroups and 600 channel master-groups, according to a
|
||
standard frequency plan. (The AT&T) plan, as usual, is different from the
|
||
CCITT plan used internationally.)
|
||
|
||
Most channels have completely suppressed carriers, but certain
|
||
channels will appear to have a (slightly off frequency) carrier in them,
|
||
which is called a pilot tone. This tone is used to monitor circuit
|
||
continuity and control overall gain. Depending on how archaic the equipment
|
||
is on a particular telephone trunk, there may be a 2600 Hz SF signaling
|
||
tone in the channel when it is idle. But the tone is dropped when the
|
||
channel is occupied with a call. Trunks that use SF signaling often use
|
||
MFKP (Multi-Frequency Key Pulsing - the famous blue box version of tone
|
||
dialing) to pass telephone numbers on to the destination switch.
|
||
|
||
Most modem trunks use CCIS (Common Control Inter-office Signaling),
|
||
which is a packet network replacement for the earlier and less secure
|
||
in-band method that uses separate signaling channels to carry all of the
|
||
signals for all of the trunks in a route.
|
||
|
||
A single signal usually carries only half a telephone conversation,
|
||
so it is necessary to use two receivers and two TVROs to clearly pick up
|
||
both sides of a call. Receiving both sides of a terrestrial circuit
|
||
requires a suitable location where both directions of transmission may be
|
||
picked up. This usually means a site in line with the microwave path.
|
||
Sometimes both directions of transmission from a single repeater site may
|
||
be monitored by a very nearby (less than a couple of miles) receiver.
|
||
|
||
Many telephone trunks have sufficiently low echo return loss so
|
||
that both parties may be heard even when monitoring only one direction of
|
||
transmission. So it is quite possible to listen to both sides of some
|
||
conversations with only one receiver. Both sides of a satellite FDM circuit
|
||
will sometimes be found on the same satellite, and sometimes not.
|
||
|
||
In general, particularly on terrestrial signals, all of the
|
||
channels in a 12 channel group originate and terminate at the same p1ace.
|
||
The groups and super groups that make up a master group, however, often
|
||
originate from several different places. Demodulation to baseband audio is
|
||
generally done as few times as possible on a trunk or a private line
|
||
circuit which connects two places. The 12 channels of its group are shifted
|
||
to various frequencies within the baseband of the different satellite,
|
||
microwave or coaxial cable FDM signals which carry it to its destination.
|
||
|
||
Channels within a group are assigned various functions. Some may
|
||
carry telephone trunks, some may carry private line data, some may carry
|
||
private trunks which belong to large companies, and a certain percentage
|
||
are received for use as spares. It has long been telephone company practice
|
||
to route the telephone trunks between two switching centers over several
|
||
different paths to supply redundancy in the event that one path fails. (And
|
||
also to make it harder to intercept a particular call between the two
|
||
switches.) This means any given FDM group may contain trunks from several
|
||
different trunk groups rather than all of the trunks from, for example,
|
||
Chicago to West Bend.
|
||
|
||
ON PSK/TDM
|
||
|
||
Some of these channels (often 24) are combined into a high speed
|
||
serial bit stream (often 1.554 Mb) by sending one sample from each channel
|
||
in serial form as a string of 8 bits, followed by a sample from the next
|
||
channel, and so forth. Sometimes this composite bit stream, or the bit
|
||
stream from individual channels, is encrypted with a DES chip. Error
|
||
correction and framing bits, and sometimes special control channel bits,
|
||
are added. This digital bit stream is then scrambled (so it has more
|
||
predictable transition statistics and little or no DC component) by a
|
||
linear feedback shift register sequence. The resultant bit stream is used
|
||
to PSK modulate a carrier, which is uplinked to the satellite.
|
||
|
||
Receiving these FDMA/PSK/TDM/PCM digital transmissions requires a
|
||
complex RF modem, a large enough dish to derive an acceptable SNR (and BER)
|
||
and, often, knowledge of DES encryption keys used (unless one is a
|
||
cryptographer who can break DES). While certain transmissions which are not
|
||
encrypted could be intercepted by a sophisticated individual, particularly
|
||
one who has access to the RF modem and multiplexing hard-ware used by the
|
||
actual subscribers, the required expertise is of an order of magnitude
|
||
greater than that required to intercept FM/FMD/SSB signals. Also, the
|
||
equipment required is highly specialized and not widely available.
|
||
(Decoders for TDM-PCM bit streams could be built by a skilled person from
|
||
available chips with relative ease. But the PSK high-speed RF modem
|
||
technology used would not be easy for even a skilled person with
|
||
substantial resources to duplicate.)
|
||
|
||
Presumably few (if any) casual listeners intercept TDM/PCM radio
|
||
circuits. The only listeners to such transmissions are intelligence
|
||
agencies and, perhaps, industrial spies who can afford the necessary
|
||
hardware to monitor their objective's private circuits. And more and more
|
||
users of such links are encrypting them with DES, which is relatively easy
|
||
as the information is already in a digital format.
|
||
|
||
TDMA/PSK/TDM/PCM signals are much more complex than most
|
||
FDMA/PSK/TDM/PCM signals. This is natural, since all traffic is sent by
|
||
having each station on the network transmit a burst of very high speed
|
||
(tens of Mb) data, in an assigned time slot, and in sequential fashion.
|
||
Included in The burst formats are complex and contain error correction,
|
||
status and control channels, call set-up channels and so forth. And the
|
||
bursts are scrambled just as in the continuous carrier TDM case.
|
||
Intercepting and demodulating such a signal would be a major task. It
|
||
probably is something which has been done (by intelligence agencies) by
|
||
using perverted versions of the ground station hardware and firmware used
|
||
in the system. In addition to the complexity of the task of sorting out the
|
||
digital information, and determining the right time slot from the right
|
||
burst to retrieve the channel of interest, the very high speed, fast
|
||
lock-on RF modems used to demodulate the bursts are, themselves,
|
||
non-trivial devices.
|
||
|
||
I suspect that perverting the firmware in a legitimate ground
|
||
terminal is complex enough so that no private individual could accomplish
|
||
it without access to a lot of detailed, unpublished information, such as
|
||
the source of the firmware and precise details of the protocol and burst
|
||
formats.
|
||
|
||
-------------------------------------------------------------------------
|
||
|
||
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
|
||
<20> [WHERE_INFORMATION_IS_FREE] <20>
|
||
<20> <20><><EFBFBD> <20> <20> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20> <20> <20><><EFBFBD> <20> <20> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> |
|
||
| <20> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20> <20> <20> <20> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> :
|
||
: <20><><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20> <20> <20> <20><><EFBFBD><EFBFBD> <20> <20> <20> <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> .
|
||
. +46-(o)16-3589o2 - 2:206/408@FidoNet - 14400 Bps, Open 24h <20>
|
||
<20> Textfiles - PC-Files - Modules - Cyber-related - P/H/A/V/C Areas
|
||
<20> Official HSi/iHA Distsite! I.N.I HQ! C.L.F SHQ!
|