COTS EW Threat

Following the conclusion of the Cold War (1945 – 1990), militaries such as the UK Army have not faced a formal Electronic Warfare threat to tactical systems. This, coupled with the rise of integrated computing systems that have gateway access to the Internet, has refocused threat assessments and risk mitigations toward Cyber vulnerabilities, including Malware and Advanced Persistent Threats (APT), rather than the hostile act of locating, demodulating and intercepting the communications on a wireless connection. This, however, will change with the advent and commercialisation of advanced Software Defined Radios (SDRs).

Software Defined Radio (SDR) has its origins in work conducted by the US Department of Defense in the 1970s, with the term Software Radio established in 1984 by a team of engineers working for a division of E-Systems. This original concept gained traction with various US governmental agencies, from which modern SDR programmes have developed.

The United States Department of Defense has had several programmes to develop SDR technology towards practical use from these early days. Specifically, the SPEAKeasy programme was developed to demonstrate the practical use of SDR for the air force, with a radio that could tune across a range from 2 MHz to 2 GHz, allowing the integration of Ground, Air, Naval and Satellite radios. Since their inception, these new types of radio have begun to be widely adopted for military and civilian use.

SDRs implement elements of the analogue radio receiver in software, allowing the designer to create flexible radio designs. Prior to the establishment of SDR platforms, a radio (once designed) was generally fixed in function until a circuit modification was conducted to re-purpose the receiver for either a different frequency band or a different modulation scheme.

Relatively recent System on Chip solutions from companies such as Lime Microsystems and Analog Devices offer direct Radio Frequency to digital interfaces. These chipsets provide a very wide RF front end (typically kHz to GHz) with RF bandwidths of between 50 and 150 MHz. These products, when integrated with a powerful Field Programmable Gate Array (FPGA) and Digital Signal Processing (DSP), produce a powerful SDR platform.

Companies such as Nuand and Ettus Research have developed commercially available implementations that can be integrated with open source software platforms such as GNU Radio and GQRX in order to provide a functioning SDR solution.

These provide a low-cost, wide-bandwidth capability that can be used to survey a very large portion of the electromagnetic spectrum instantaneously. The pricing of these devices ranges from as little as £19 up to £6000. This removes the cost barrier to high-performance radio receivers that previously kept this capability out of the reach of the hobbyist or hacker.

In a presentation at Defcon 21, Balint Seeber gave a comprehensive overview of the possibilities of using GNU Radio along with an Ettus Research USRP SDR platform for intercepting and decoding a wide variety of radio protocols. Using GNU Radio as a signals intelligence toolkit, Balint was able to intercept Mode S IFF transponders, 2G GSM, 802.11a/g/p, Automatic Identification System (AIS) and Aircraft Communications Addressing and Reporting System (ACARS), along with the automatic toll payment system FasTrak.

The presentation of this research to a wide community of security researchers and self-proclaimed Hackers sparked increased interest in what an SDR can be used for and what systems could be compromised via the use of traditional EW and SIGINT techniques. The presentation of these techniques and the wide availability of source information via the Internet could be seen as a lowering of the technical barrier for these attacks. Since the Defcon 21 presentation, intercept software for AIS and ADS-B, as shown in Figure 4 and Figure 5, has become widely available and easy to install for an inexperienced enthusiast, allowing them to track all commercial shipping traffic within the local area and to use the Internet to identify individual vessels along with information surrounding their route and cargo.

 
Figure 4: ACARS intercept as presented by Balint Seeber.


Figure 5: Raw ACARS messages decoded by open source software and an RTL-SDR dongle.


 

As can be seen, modern SDR platforms are highly capable and, with software such as GNU Radio available, present a very capable threat source to all wireless networks. This threat can be characterised in two distinct ways:

  • Intercept – the capture and decode (by a third party) of messages transmitted between two other parties.
  • Jamming – the prevention of wireless transfers, either through the use of in-band RF noise that swamps the Signal to Noise Ratio of the Receiver, or through an attack at the protocol level that inhibits the data transfer.

Most radio systems are deployed without physically testing the vulnerability of the link layer; it is probable that many wireless systems have been deployed with an inherent vulnerability due to misconfiguration. This is relevant outside of the Military domain, as systems such as Vehicle to Vehicle, Vehicle to Infrastructure, Industrial Control, Security & CCTV and Critical National Infrastructure will have common vulnerabilities and attack vectors due to the use of wireless and openly published protocols.

SDRs are a threat to the RF transport layer, which was previously thought to be vulnerable only to either a very well trained third party equipped with a large Electronic Warfare capability or a stolen radio receiver from the intended target. SDR products such as the Ettus Research E310, along with GNU Radio, now allow people with little Radio Frequency (RF) engineering experience (described as ‘script kiddies’ within the hacking community) to undertake interception of complex radio platforms such as TETRA or ACARS via a download of plugins for the GNU Radio platform. Largely, these intercepts are achieved through the reverse engineering of known protocols and the use of the SDR to provide a wide bandwidth and high speed receiver. This highlights the vulnerability to third-party intercept of systems that provide a portion of the UK’s Critical National Infrastructure (CNI). Internet sources highlight that this has been achieved in the UK against live TETRA systems, but it is unclear which TETRA users have been targeted or how much information was retrieved from the system.

As military communication adopts a more commercially based architecture, the security of these waveforms and modulation techniques requires deeper analysis. In contrast, the commercial use of these waveforms and protocols needs protection from Intercept, as the EW threat that used to be confined to nation state actors, such as Intelligence or Military units, is now available to hobbyists and hackers alike, increasing the likelihood of the threat.




Insights | Luke Davies