phasenoise (phasenoise) wrote,

Play along with NSA: The RAFTER unintentional radio emissions how-to.

Revelations of the secret techniques and procedures of the intelligence services are not new. Long before Snowden, the written accounts of former spies brought the most secret surveillance means to light. These include Philip Agee (CIA) and Peter Wright (MI5). The latter is the more similar to Snowden, since before his counterintelligence work he built his career as an MI5 scientific officer attached to the Marconi Company.

Peter Wright is noted for writing the controversial book Spycatcher: The Candid Autobiography of a Senior Intelligence Officer. Spycatcher was part memoir, part exposé of what Wright claimed were serious institutional failings in MI5, and of his subsequent investigations into them.

According to Wright, he was then either responsible within MI5/GCHQ for, or intimately involved in, the development of several advanced signals intelligence techniques, which were then shared with their counterparts at the NSA. For example:

  • SATYR (MI5/CIA): forensic examination of The Thing, also known as the Great Seal bug, one of the first covert listening devices (or "bugs") to use passive retroreflector techniques to transmit an audio signal. It was concealed inside a gift given by the Soviets to the US Ambassador in Moscow. Wright's reverse engineering led to the development of a similar British system, codenamed SATYR, used throughout by the British, Americans, Canadians and Australians.

  • SPECIAL FACILITY (MI5): an electronic device deployed by MI5, installed in a telephone to make it transmit the sounds in the room while on-hook.

  • ENGULF (MI5): acoustic "TEMPEST" cryptanalysis. Recording the sound made as the settings of Egyptian Hagelin cipher machines were entered allowed later decryption.

  • STOCKADE (MI5/GCHQ): analysis of compromising emanations from French cipher machine cables in 1960. Using broadband radio detection on the cables, they were able to read the original plain text alongside the low-grade cipher sequence. Surprisingly, murmurs of high-grade ciphers could sometimes be read from the same cable, which, after comparison with the signal fed into the cable, gave a path to that cipher's plain text leakage as well. From 1960 to 1963 MI5 and GCHQ could read cipher traffic to and from the French Embassy in London.

  • RAFTER (MI5): remote detection of passive radio receivers. First used to prove beyond any doubt that the Russians were listening to the radio frequencies of the MI5 Watchers (the officers of MI5's A Branch charged with visual surveillance and identification of persons presenting a security risk).

Using RAFTER, Wright could also detect which broadcasts from Moscow to illegal agents in the field were being monitored. The programme eventually expanded into airborne operations, in which receivers were detected from planes above London, giving the general area where mobile ground detection could begin. This was done by flooding the vicinity with vans that, at best, could pinpoint a building or a block.

Replicating the RAFTER technique today is practically child's play, as recently published on a blog. Léo Poughon, a high-school student, and his friend Thomas Daniel tried, with the help of an amateur radio operator near Toulouse (F6GUS), to do the same thing RAFTER did: listening to the unintentional electromagnetic emissions coming from a widely used consumer superhet receiver.

Unintentional radio emissions were also the subject of security researcher Melissa Elliott's talk "Noise Floor: Exploring the world of unintentional radio emissions" at the DEF CON security conference.

Any superheterodyne receiver (almost all consumer radios are of superhet design, e.g. for listening to FM broadcast) radiates some unintentional emissions from its local oscillator and mixer. Anybody with a suitable receiver (for example any RTL-SDR based dongle) can receive these emissions. By design, in most FM radios the local oscillator (which is what the user actually tunes) runs at the wanted frequency plus 10.7 MHz. So if somebody in the close neighbourhood is listening to a broadcast at 100 MHz, you will be able to "receive" their local oscillator at 110.7 MHz.

Léo also found that the LO frequency isn't stable: most of the time the frequency of the local oscillator "follows" what the superhet receiver demodulates. Then, listening to the radio receiver's local oscillator with GQRX and a $15 RTL-SDR dongle, demodulating it with "narrow FM" demodulation and suitable parameters, he could hear on the PC (obviously with poorer quality) what the radio receiver was listening to.
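The two mechanisms above (the LO sitting at station + 10.7 MHz, and the LO frequency wobbling with the demodulated audio so that a narrow-FM discriminator recovers it) can be simulated end to end. The following is an added example written for this post; it is not code from the original post or from Léo Poughon's project. It assumes a 10.7 MHz IF with high-side injection, as the post states, uses the 87.5 to 108 MHz FM broadcast band as a plausibility filter, and constructs its own test tone, sample rate and frequency deviation.

```python
import cmath
import math

# Added example, not code from the post or from the project it describes.
# Assumptions: 10.7 MHz IF with high-side injection (as the post states) and the
# 87.5-108 MHz broadcast band as a plausibility filter for detected peaks.
IF_MHZ = 10.7
FM_BAND_MHZ = (87.5, 108.0)


def lo_from_station(f_station_mhz, high_side=True):
    """LO frequency a superhet runs at while tuned to f_station (post: station + 10.7)."""
    f_lo = f_station_mhz + IF_MHZ if high_side else f_station_mhz - IF_MHZ
    return round(f_lo, 2)


def station_from_lo(f_lo_mhz):
    """Map a detected LO emission back to candidate stations.

    Both injection sides are tried because a receiver's design is not known in
    advance; only candidates inside the broadcast band are kept. An empty list
    means the peak is not a plausible FM-broadcast LO.
    """
    return [round(f, 2) for f in (f_lo_mhz - IF_MHZ, f_lo_mhz + IF_MHZ)
            if FM_BAND_MHZ[0] <= f <= FM_BAND_MHZ[1]]


def synth_leaky_lo(audio, fs, deviation_hz):
    """Complex baseband of an LO whose instantaneous frequency follows the audio
    (the instability the post describes), as an SDR centred on the LO would see it.
    audio is a list of samples in [-1, 1]; fs is the SDR sample rate in Hz."""
    phase = 0.0
    iq = []
    for a in audio:
        phase += 2.0 * math.pi * deviation_hz * a / fs   # integrate frequency to phase
        iq.append(cmath.exp(1j * phase))
    return iq


def nfm_discriminator(iq, fs):
    """Narrow-FM demodulation: instantaneous frequency in Hz from the phase step
    between successive samples. Valid while each step stays below pi radians,
    i.e. while deviation is small compared with the sample rate."""
    freq = [0.0]
    for prev, cur in zip(iq, iq[1:]):
        dphi = cmath.phase(cur * prev.conjugate())
        freq.append(dphi * fs / (2.0 * math.pi))
    return freq


def recover_audio(iq, fs, deviation_hz):
    """Scale discriminator output back to audio amplitude."""
    return [f / deviation_hz for f in nfm_discriminator(iq, fs)]


def demo():
    """Round trip: constructed 1 kHz tone -> wobbling LO -> NFM discriminator.
    Returns the largest absolute error between recovered and original audio."""
    fs = 48000             # constructed SDR sample rate after decimation
    tone_hz = 1000.0       # constructed test tone standing in for programme audio
    deviation_hz = 2500.0  # constructed peak LO wobble in Hz
    n = 4800
    audio = [math.sin(2.0 * math.pi * tone_hz * i / fs) for i in range(n)]
    iq = synth_leaky_lo(audio, fs, deviation_hz)
    recovered = recover_audio(iq, fs, deviation_hz)
    # sample 0 has no predecessor, so compare from sample 1 onward
    return max(abs(r - a) for r, a in zip(recovered[1:], audio[1:]))


if __name__ == "__main__":
    print("LO for 100.0 MHz:", lo_from_station(100.0), "MHz")
    print("Peak at 110.7 MHz maps to:", station_from_lo(110.7))
    print("Max recovery error:", demo())
```

The frequency mapping alone is a weak indicator: any peak between about 98.2 and 118.7 MHz maps to some in-band station, and many other devices emit in that range. What makes a peak attributable to a superhet LO is the second part, the audio recovered by the discriminator tracking a real broadcast, which is exactly the confirmation Léo relied on. For anyone assessing their own equipment's leakage, that is the check worth running rather than a bare spectrum scan.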

In theory this technique can also be used against the radio transceivers used by police, EMS, taxis, etc., as the receiver side of these also often has an IF of 10.7 MHz, but better design and electronic shielding can make their unintentional emissions more difficult to detect.

With the RTL-SDR stock antenna, Léo Poughon could hear a cheap radio a dozen metres away, but with a homemade, very low quality discone antenna he could receive it from another building, 60 metres away from his antenna. So, using this technique, you could (more or less, depending on the parameters cited above) learn what a radio receiver in the neighbourhood was listening to with a cheap RTL-SDR receiver.

Tags: hacking, hamradio, sdr
