Author: Ata Yurt
Project Contributors: Berk Cem Göksel & Erdoğan Yağız Şahin

What is SIGINT and what are its applications?

SIGINT is the abbreviation of Signals Intelligence and is actively used by governments, military establishments, intelligence agencies and many other organizations.

One can process signals in various media and gather information, or in this case, intelligence; hence the name Signals Intelligence. Within SIGINT, there are many exploitation methods.

For example, the uses of SIGINT are listed by the CIA in the publicly available document “Signals Intelligence Activities” and include, but are not limited to:

• Threats to the United States and its interests from terrorism;
• Cybersecurity threats;
• Transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes identified in the section on “Use of SIGINT Collection in Bulk.”

SIGINT with Mechanical Waves

When SIGINT is mentioned, the first thing that usually comes to mind is electromagnetic waves. However, mechanical waves are also used for intelligence gathering. Mechanical waves are not limited to sound waves; any wave pattern that can travel through a medium such as the atmosphere or a solid object is a mechanical wave.

• Stealing keyboard inputs using a phone with an accelerometer,

*The vibrations made by typing, registered by the phone / dl.packetstormsecurity.net/papers/general/traynor-ccs11.pdf*

• Using a high framerate camera to look at aluminum foil, a bag of chips, etc. to reconstruct sound in an isolated environment,
• Eavesdropping on a room with an IR laser that is pointed at a window and reflected onto a photoresistor (LDR),
• Stealing keypad inputs with a commercially available IR heat sensor,

*The finger leaves a heat signature on the keypad / Youtube – Mark Rober*

are just a few uses of mechanical waves for the purpose of SIGINT.

Electronic Warfare

Planes and jets that mask their radar signature by absorbing radar waves, new jam-resistant GPS protocols, frequency hopping and encrypted communication systems are a product of Electronic Warfare.

The RQ-170 Sentinel drone that Iran captured using GPS spoofing back in 2011 is a perfect example of why SIGINT plays an extremely important part in the field of Electronic Warfare.

With commercially available Software Defined Radios (SDR), the need for classic, band-specific receivers (RX) has died. The hardware inside a radio, which consists of a detector, an audio frequency amplifier and a recorder, is completely replaced by software that you can tune and manipulate for all your RF needs. Besides the SDR and the software, you can use external hardware to improve your SDR’s RX capabilities for specific bands.

*RTL-SDR v3 by rtl-sdr.com*

*Airspy R2 by Airspy SDRs*

The most common SDRs available to non-military customers are HackRF, RTL-SDR, AirSpy and USRP. The use of RTL-SDR and AirSpy is not illegal since they are only RX capable. Even though they are not able to transmit (TX) any signals, the legality of owning radio hardware depends on your country’s laws and guidelines. For TX capable radios, you may be legally obligated to get an amateur radio license and a callsign. That being said, the global consensus on listening to different bands is that the RF spectrum does not belong to anyone or any organization, and it is recognized as public intellectual property. Always check your country’s laws before buying one of these. For example, in Germany and the UK it might be illegal to listen to transmissions “that are not intended for you,” which is a silly and flexible law.

Some of the other hardware extensions you can use are upconverters, LNAs and of course antennas. Upconverter devices like the Ham-It-Up convert the LF, Short Wave and HF bands (3 kHz – 30 MHz) to higher frequencies so that your SDR can process the signals better.

*Ham-It-Up v1.3 by Nooelec*

Low Noise Amplifiers like the LNA4ALL by 9A4QV are attached between the receiver and the antenna. These devices improve signal gain without changing the frequency. LNAs are useful for weak signals received from long distances, depending on the frequency.

*LNA4ALL by 9A4QV*

As you might have already guessed, antennas are the most important part of any radio hardware. If you’re using an antenna suitable for your specific bands (HF, VHF, L Band, S Band etc.) or purposes (directional/omni-directional), you might not even need an upconverter or an LNA. The most common directional antennas you will see in daily life are the Biquad, V-Dipole and Yagi-Uda. As for omni-directional antennas, Cloverleaf and rubber duck aerial antennas are the go-to industry standards.

*5.8GHz Cloverleaf antennas made by myself for amateur drones*

Coverage of HF Bands

Once a signal’s frequency is above the FM band (~100 MHz), the distance it can travel is pretty much limited to ground-wave or line-of-sight propagation. This is because the distance a signal can travel decreases roughly in inverse proportion to its frequency. You might be able to hear an HF radio station transmitting on the other side of the world if the atmospheric conditions are right, with the help of atmospheric propagation. The atmosphere is heavily ionized by sunlight between sunrise and dusk. HF waves can travel much further between dusk and dawn, since the atmosphere loses most of the ionized particles in it.

*Difference in HF Reception visible on a 24-hour waterfall RF spectrum / Waterfall Image taken from http://websdr.ewi.utwente.nl:8901*

RF Bands

*Band Plan released by US Department of Commerce / https://www.ntia.doc.gov/files/ntia/publications/2003-allochrt.pdf*

Frequency allocation charts published by government organizations like the US Department of Commerce (DoC) and the Information and Communication Technologies Authority (ICTA) in Turkey are a good guideline to identify which devices work on what bands, or vice versa. You can also look up a specific band on fccid.io and see which devices have been approved for different purposes, and even access their RF safety tests.

Exploitation Methods and Various Protocols

OOK or On-Off Keying is often used as a means of sending data in both analog and digital protocols. Garage keys, remote car keys and even keyless entry systems use OOK and are all exploitable 🙂 If the signal is digital (made of 0s and 1s) you can even analyze the data packets in a signal processing application like Audacity. Car keys use a method called rolling code and are relatively harder to reverse engineer than garage keys. Still very much doable, don’t leave your car keys around! Morse code can be considered OOK too, but we’ll come back to that later.

*Binary code is hardware-coded into the key*

*Packets transmitted are visible on SDR#*

*A visual analysis of our garage key signal. Once you zoom into the individual packets of the data sent, binary code is visible.*
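To show why a fixed-code garage key is weaker than a rolling-code car key, here is an added toy model of both receiver types (constructed for this article, not a real garage or car key protocol): the fixed-code receiver accepts a recorded packet again, the rolling-code receiver rejects it because the counter has already been used.

```python
import hashlib
import hmac

# Toy receiver models, constructed for illustration; the secret and packet layout
# are made up and are not those of any real garage or car key product.


class FixedCodeReceiver:
    """Fixed code: the key always sends the same hardware-coded bits, so any
    recording of one press is accepted again later."""

    def __init__(self, code: str):
        self.code = code

    def receive(self, packet: str) -> bool:
        return packet == self.code


class RollingCodeReceiver:
    """Rolling code: every press carries an incrementing counter authenticated
    with a secret shared by key and receiver. Only counters inside a small
    window ahead of the last accepted one are valid, so a replay fails."""

    WINDOW = 16  # tolerate this many presses made out of the receiver's range

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = 0

    def receive(self, packet: bytes) -> bool:
        ctr, tag = packet[:4], packet[4:]
        expected = hmac.new(self.secret, ctr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted packet
        counter = int.from_bytes(ctr, "big")
        if not self.last_counter < counter <= self.last_counter + self.WINDOW:
            return False  # replayed, or too far ahead of the receiver
        self.last_counter = counter
        return True


def rolling_packet(secret: bytes, counter: int) -> bytes:
    """What the key transmits for a given press counter: counter || truncated HMAC."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(secret, ctr, hashlib.sha256).digest()[:8]


def replay_demo():
    """Deliver the same captured packet twice to each receiver type."""
    fixed = FixedCodeReceiver("101100111010")  # constructed bits read off a waterfall
    fixed_hits = (fixed.receive("101100111010"), fixed.receive("101100111010"))
    secret = b"constructed-shared-secret"
    rolling = RollingCodeReceiver(secret)
    pkt = rolling_packet(secret, 1)
    rolling_hits = (rolling.receive(pkt), rolling.receive(pkt))
    return fixed_hits, rolling_hits  # ((True, True), (True, False))
```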

Data packets sent by Wi-Fi routers and access points, which usually work at 2.4 GHz and 5.8 GHz, are observable with SDR devices that have a wide bandwidth, like the HackRF.

The TEMPEST attack is one of the crazier exploits. The monitors and projectors we use radiate spurious emissions during the conversion of the video signal from the analog/digital (VGA/HDMI) protocols to scan lines on the display. If the resolution and the refresh rate are known (or searched for), we can capture these emissions and reconstruct the image completely remotely, albeit at low quality. Higher quality can be achieved with a better antenna and more specialized hardware.

*What’s on the display is visible on Tempest*

Commercial and non-reconnaissance military planes are obligated to use ADS-B, which carries information like position, altitude, airspeed and callsign. The Flightradar24 service works based on ADS-B information, although some military flights are filtered and not published on Flightradar24 for security reasons. You might be able to view these flights with an SDR, specifically using the RTL-1090 software.

*A comparison of the output from RTL-1090 to flightradar24*

Low/High Resolution Picture Transmission (LRPT/HRPT) signals are transmitted in real time by various weather and atmosphere analysis satellites. The American NOAA 15, 18, 19 and 20 satellites, the GOES program and the Russian Meteor-M N2 satellites are in orbit for this purpose. Even though the signals are relatively weak, you can capture the satellite imagery along with telemetry data if a band-specific directional antenna is used. The signals are processed with software called WXtoIMG.

*WXtoIMG, Thermal Projection. NOAA18*

Analog TV signals work just like LRPT and are easily captured by SDRs. Amateur drones, RC planes and even local TV stations work using analog TV technology. Even though protocols like PAL and NTSC are dated, some so-called CCTV security cameras and baby monitors use this technology with an audio channel (usually NFM) next to the video signal. This obviously creates a huge security vulnerability.

*A TV signal captured during one of our workshops :)*

Common Protocols Used In HF Bands

If you see a signal and have no idea what it might be, you can take a look at sigidwiki.com and try to identify it based on what it sounds like, its waterfall image or its frequency.

STANAG 4285: NATO has STANdardization AGreements that outline sets of standards for things such as ammunition, defense systems or communication protocols. STANAG 4285 is used for digital text transmission; these signals might be encrypted and look like garbage in hobby-level decoding software. STANAG 4285 is used by amateur radio enthusiasts (HAMs), maritime and military organizations and Short Wave radio stations.

CW/Morse Code: Continuous Wave or Morse Code is known for its simple design and is very easy to decode using software or nothing but the operator’s skills. It’s used worldwide for maritime, military and amateur radio purposes. Even though CW is an example of OOK, people usually think it’s binary because there is one short signal (dot) and one long signal (dash). However, the gaps between these signals also carry meaning (3 or 5 dot/dash lengths separating letters and sentences), so we can’t call it binary.

RTTY: Radio Teletype is one of the oldest RF protocols still in use. It was invented in 1874 and improved until World War 2. An interesting thing about RTTY is that when it was first invented it was fully processed by analog and mechanical devices. Surprisingly, it’s still used by HAMs, military organizations and supposedly intelligence agencies due to its simple design. Over time its baud rate increased with the invention of computers and it became a very efficient protocol.

SSB – Single Side Band: Used for voice communication for a ton of different purposes. SSB is basically an AM voice signal transmitted in a single sideband instead of both. It is mostly used by amateur radio stations and for aircraft communication, including AWOS or Automated Weather Observing Systems. Very easy to capture with an SDR.

SSB cannot be encrypted by design, but there are ways around this. For example, Skyking or Emergency Action Messages from USAF bases and/or US military/intelligence agencies are transmitted using SSB, but the message itself, read out in the NATO phonetic alphabet, is encrypted and followed by a 2-letter authentication code at the end.

Jammers and Radars: With a somewhat trained ear you’ll be able to hear radar signals all over the RF spectrum. Radars transmit signals that “scan” a specific bandwidth and observe the reflected waves to identify aircraft. Radar signals might also have the capability of jamming other signals, since they are very strong transmissions. This same property also makes it easy to locate ground radar elements, which is what Anti-Radiation Missiles rely on.

On lower frequencies like HF, you can hear radars from all around the globe. These OTH (Over The Horizon) radars work using atmospheric propagation and can spot aircraft thousands of kilometers away.

Disclaimer: All of the information included in this article is publicly available. ALWAYS check your country’s laws and guidelines for the legality of RF activities. What is being said in this article may not be legal in different countries. All exploitation methods listed in this article were conducted on personal devices/vehicles under our security research group at Bilkent University.

Asymmetric Cryptography

What is cryptography?

Cryptography is the set of mathematical methods that work to ensure authentication, confidentiality and integrity of data.

What is encryption?

Encryption is an important concept in cryptography. Encryption is the method that provides end-to-end protection of data transmitted between networks and converts a readable message into an unreadable form where only the person with the required key can make the message meaningful again.

Encryption algorithms are divided into two categories: symmetric and asymmetric.

Symmetric Encryption

In symmetric encryption, both parties exchanging messages use the same secret key. The sender encrypts the message with this key and the receiving party decrypts it using the same key.

AES, RC4, DES, RC5 and RC6 are examples of symmetric encryption.

The key distribution problem in symmetric encryption gave rise to asymmetric encryption. In this article I will talk about asymmetric encryption.

Asymmetric Encryption

Whitfield Diffie and Martin Hellman, researchers at Stanford University, first proposed asymmetric encryption to solve the key distribution problem in their 1977 article.

Asymmetric encryption, also known as public key encryption, has two keys: the public key and the private key. The public key is used for encryption and authentication (verifying signatures) and is openly accessible. The private key is personal and is used for decryption and digital signing.

A message encrypted with X’s public key can only be decrypted with X’s private key.

Public keys are placed in digital certificates with the use of a Public Key Infrastructure (PKI). The certificate is sent to the party to be contacted, and public key distribution is thereby achieved.

Asymmetric encryption makes protocols such as SSL/TLS, SMTP, NTP, FTP etc. secure.

Diffie–Hellman key exchange method

Based on the difficulty of the discrete logarithm problem, the Diffie–Hellman key exchange method allows two parties that don’t have any prior knowledge of each other to create a common secret key over an insecure channel. With this key, the traffic between the two parties is encrypted.

How does the Diffie–Hellman key exchange method work? Let’s explain with an example.

Alice and Bob initially agree on a large prime number $p$ and a nonzero integer $g$. The $p$ and $g$ values determined by Alice and Bob are public information.

Then Alice and Bob each choose a secret integer for themselves ($x$ and $y$) and perform the following calculation:

$\text{Alice}: g^x \bmod p$
$\text{Bob}: g^y \bmod p$

They send these values to each other and make another calculation:

$\text{Alice}: k = (g^y)^x = g^{xy} \bmod p$
$\text{Bob}: k = (g^x)^y = g^{xy} \bmod p$

The identical value they both obtain is the shared secret. They use this key to encrypt the traffic between them.
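The exchange above carried out in code, as an added example that is not part of the original article: both sides compute their public value, only those cross the channel, and both arrive at the same $g^{xy} \bmod p$. The parameters $p = 23$, $g = 5$ are toy values chosen so the discrete logarithm can be brute-forced on purpose, which is exactly why real deployments use primes of 2048 bits or more.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Toy group, constructed for illustration only. Real deployments use a safe
# prime of at least 2048 bits (e.g. the RFC 3526 groups), never p = 23.
P = 23
G = 5


class Party:
    """One side of the exchange: keeps the secret exponent, publishes g^x mod p."""

    def __init__(self, p: int, g: int, secret: Optional[int] = None):
        self.p, self.g = p, g
        # secret exponent x (or y), random in [2, p-2] unless fixed for a demo
        self.secret = secret if secret is not None else 2 + secrets.randbelow(p - 3)
        self.public = pow(g, self.secret, p)  # g^x mod p, the only value sent

    def shared_key(self, other_public: int) -> int:
        return pow(other_public, self.secret, self.p)  # (g^y)^x = g^{xy} mod p


def exchange(p: int = P, g: int = G, x: Optional[int] = None,
             y: Optional[int] = None) -> Tuple[int, int, int, bytes]:
    alice, bob = Party(p, g, x), Party(p, g, y)
    # Only alice.public and bob.public travel over the insecure channel.
    k_alice = alice.shared_key(bob.public)
    k_bob = bob.shared_key(alice.public)
    assert k_alice == k_bob, "both sides must derive the same g^{xy} mod p"
    # Common practice (not from the article): run the shared integer through a
    # KDF, here plain SHA-256, rather than using it directly as the traffic key.
    size = (p.bit_length() + 7) // 8
    key = hashlib.sha256(k_alice.to_bytes(size, "big")).digest()
    return alice.public, bob.public, k_alice, key


def brute_force_dlog(p: int, g: int, h: int) -> Optional[int]:
    """The eavesdropper's view of the DL problem: find x with g^x mod p == h.
    Only feasible here because p is tiny; with a 2048-bit p this loop never ends."""
    for x in range(p):
        if pow(g, x, p) == h:
            return x
    return None
```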

The Diffie–Hellman Problem (DHP) is the problem of calculating the value $g^{ab} \bmod p$ from the known values $g^a \bmod p$ and $g^b \bmod p$. The security of Alice and Bob’s shared key depends on the difficulty of the following related problems:

• Discrete logarithm (DL) problem: it’s hard to find $a$ given $g^a \bmod p$.
• Computational Diffie–Hellman (CDH) problem: given $g^a$ and $g^b$, it’s hard to compute $g^{ab} \bmod p$ unless $a$ or $b$ is known.
• Decisional Diffie–Hellman (DDH) problem: given $g^a$ and $g^b$, it’s hard to tell the difference between $g^{ab} \bmod p$ and $g^r \bmod p$ ($r$ a random number).

It should be noted that Diffie–Hellman key exchange does not provide authentication by itself.

RSA Encryption Algorithm

The RSA algorithm, which is based on Euler’s totient function, is used for asymmetric encryption.

First we need to know Euler’s totient function, $\phi(n)$:

• For $n \geq 1$, $\phi(n)$ is the number of integers in the range $[1, n]$ that are relatively prime to $n$.

For example, let $n = 24$. In the range $[1, 24]$, the integers that are relatively prime to 24 are $\{1, 5, 7, 11, 13, 17, 19, 23\}$. So $\phi(24) = 8$.

Key generation with RSA:

• Two prime numbers $p$ and $q$ of 1024 or 2048 bits are generated
• $n = pq$ and $\phi(n) = (p-1)(q-1)$ are computed
• A small number $e$ is selected that is relatively prime to $\phi(n)$
• A unique $d$ is computed such that $ed \equiv 1 \pmod{\phi(n)}$
• That is, $d$ is the modular inverse $d \equiv e^{-1} \pmod{\phi(n)}$
• Public key $= (e, n)$; private key $= (d, n)$
• Encrypting message $m$: $c = m^e \bmod n$
• Decrypting ciphertext $c$: $c^d \bmod n = (m^e)^d \bmod n = m$
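The totient and the key generation steps above, carried through in code as an added example (not part of the original article). The primes $p = 61$, $q = 53$ are textbook toy values so the numbers stay readable; real keys use primes of the sizes given above, and real use wraps the plain $m^e \bmod n$ in a padding scheme such as OAEP or PSS.

```python
import math
from typing import Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def phi(n: int) -> int:
    """Euler's totient straight from the definition: count k in [1, n] coprime to n."""
    return sum(1 for k in range(1, n + 1) if math.gcd(k, n) == 1)


def generate_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """RSA key generation from two distinct primes; returns (public, private)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi_n = (p - 1) * (q - 1)  # phi(pq) for distinct primes p, q
    if math.gcd(e, phi_n) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi_n)  # modular inverse: e*d ≡ 1 (mod phi(n)), Python 3.8+
    return (e, n), (d, n)


def encrypt(m: int, public: Key) -> int:
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)  # c = m^e mod n


def decrypt(c: int, private: Key) -> int:
    d, n = private
    return pow(c, d, n)  # c^d mod n = (m^e)^d mod n = m


def sign(m: int, private: Key) -> int:
    """Textbook signature: the private exponent applied to m (a hash in practice)."""
    d, n = private
    return pow(m, d, n)


def verify(m: int, signature: int, public: Key) -> bool:
    e, n = public
    return pow(signature, e, n) == m


def roundtrip(p: int, q: int, e: int, m: int) -> Tuple[Key, Key, int, int, bool]:
    public, private = generate_keypair(p, q, e)
    c = encrypt(m, public)
    return public, private, c, decrypt(c, private), verify(m, sign(m, private), public)
```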

Author: Mahiye Büşra Gökce