SPECTRAL SECURITY: Waiting to Be Bugged

Cloud on the Horizon

There is a little cloud on the horizon though. All 2G cellular
technologies have concentrated their signals in narrow windows
in the RF spectrum. All of them use very low-powered
transmitters, and therefore, very sensitive receivers. All of
them use omni-directional antennas, and openly announce their
operating parameters. This combination makes them extremely
fragile and very susceptible to malicious interference. As with
any other system using radio frequencies, cellular systems will
work only if they are the sole users of the band allotted to
them. And any other user of the same band will cause
interference. How susceptible is wireless telephony to malicious
interference?

Smelling big bucks,
companies have blindly invested millions in wireless media,
without a thought to the security of the media itself. Consider,
for example, a pair of copper wires passing through thick
jungle. Any prankster may cut them, tap them or feed his
information into them, because they are unguarded. And just how
secure is Ether? Unlike directed media, where information
follows specified and often secured/guarded paths, information
on Ether always passes through thick jungle, so to speak. Though
it cannot be “cut”, it can be tapped and false
information can be fed into it. Ether is unguided and unguarded,
especially in the case of cellular communications. Information
is floating around in space, waiting to be either plucked or
implanted.

What Is the Technology Catch?

All 2G cellular systems convert voice into bit streams, and use
digital passband modulation techniques to translate these bit
streams to the allocated frequency bands. The receiver
intercepts these frequencies, extracts the bit streams, and
reconstructs the voice signals. At some stage of this process,
some bits are either corrupted by the channel or misinterpreted
by the receiver, thus distorting the voice signal. This
distortion is not usually catastrophic if the number of misread
bits is small. Voice quality is at an acceptable level if, on
average, no more than one in a thousand bits has been corrupted.
This means that a Bit Error Rate (BER) of 10^-3 or less is
acceptable. If, on average, a malicious transmitter manages
to corrupt two out of every thousand bits, he would have
degraded voice quality to unacceptable levels.

How Easy Is It?

The next step is to determine how easy it is for the malicious
transmitter to do so.

Let us take the case of a
GSM base station receiver waiting for mobile handsets to
transmit. Let us presume that a malicious transmitter is a
simple white noise generator, bandpass filtered such that noise
exists only in the GSM uplink band. If power levels are
sufficiently high, the base station receiver will be saturated,
effectively shutting down communications in that cell, and
perhaps in the adjacent cells as well. The higher the
sensitivity of the receiver, the easier it is to saturate the
receiver.

Mobile receivers are
sensitive enough to receive signal powers as low as -90 dBm, and
still yield a BER below 10^-3. Standard calculations show that
once the average noise power comes within 13 dB of the signal
power, more than one in a thousand bits are corrupted, thus
disrupting voice communication.

Considering that the signal power at the base station receiver
is of the order of microwatts, any communications engineer can
tell you that impinging noise only 13 dB below this power is
child's play, especially if directional antennae are used. The
implications are clear: a simple low-powered, band-limited white
noise generator with an antenna on any rooftop or window can
wrest control of the cellular spectrum.

The malicious transmitter
described above is of the "brute force" variety, and
rather crude. In the world of malicious transmissions there
also exist some truly nasty ones, of the more sophisticated
type. Cellular communications are synchronous, and therefore
predictable. The standards and protocols are easily available
and well understood, and therefore lend themselves to selective
disruption. Hardware and electronics are available off the
shelf, and very inexpensive. Any communications professional
can, with very little effort, work backwards and deduce all the
information required to design a truly malicious transmitter.

What About Packet Data?

So far we have been dealing with digitized voice. The case of
packet data is worse. Most packet switching systems use Layer 4
to impose reliability and the corruption of even a single bit
will be instantly detected by Layer 4 software. Layer 4 would
then request retransmission, and a lot of bits will fly before
malice is detected. A malicious transmitter which has
synchronized itself to the GSM frames will only need to transmit
a single short pulse periodically–just enough to corrupt one
bit per IP packet. TCP/IP reliability will do the rest.
Detecting, locating and neutralizing this kind of transmitter
will tax the ingenuity of mankind.

Before long, some whiz
with criminal leanings is going to figure out that big companies
have big bucks riding on the narrow cellular spectrum, and may
be willing to shell out money to retain control over this
spectrum. Companies need to take a hard look at spectral
security before pumping more money into wireless data. Though
spectral allocation is well regulated, both by international
bodies and local governments, spectral security is a
governmental responsibility. Some legislation prohibiting
unauthorized use of the RF spectrum does exist, but the
enforcement mechanism is hazy.

What Should Be Done?

What the companies need to do is to design and deploy equipment
and techniques to help the authorities nail the culprit. First,
the operator will not know that one of his cells has been
compromised until he gets complaints from his clients, by which
time the miscreant would have moved into another cell. What is
needed is equipment that continuously monitors the spectrum and
instantaneously detects suspicious activity in a non-intrusive
manner. Second, the operator needs to pinpoint the source of
mischief, an extremely difficult proposition in a dense urban
environment. Third, they need to do this within a time-frame
small enough to nail the culprit in the act. Fourth, this may
not always succeed, since most malicious transmitters will
probably be designed for remote operation. Detection and
location equipment will always have to be one generation ahead
of the malicious transmitters, and will be extremely
sophisticated and expensive.
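As an added illustration of the monitoring need just described and of the 13 dB margin quoted earlier (example code written for this page, not from the article): a small Python uplink-band monitor that takes per-channel noise-floor readings, checks each served carrier's carrier-to-interference ratio against the 13 dB limit at which BER exceeds 10^-3, and distinguishes a band-wide noise rise (the filtered white-noise case) from a single swamped channel. The rise and share thresholds, the channel names and the sample readings are constructed assumptions.

```python
import math
from statistics import median

# Figures quoted in the article.
C_I_LIMIT_DB = 13.0       # noise within 13 dB of the signal pushes BER above 10^-3
SENSITIVITY_DBM = -90.0   # weakest signal still decoded at BER <= 10^-3
# Assumed monitoring thresholds (constructed for this example, not from the article).
RISE_DB = 6.0             # per-channel noise-floor rise over baseline counted as "elevated"
BROADBAND_SHARE = 0.8     # share of channels elevated at once => band-wide noise

def dbm_to_mw(p): return 10 ** (p / 10)
def mw_to_dbm(m): return 10 * math.log10(m)

def c_over_i_db(signal_dbm, interferer_dbms):
    """C/I in dB; interferer powers are summed in linear units (mW) first."""
    return signal_dbm - mw_to_dbm(sum(dbm_to_mw(p) for p in interferer_dbms))

def voice_degraded(signal_dbm, noise_dbm):
    """True once the uplink can no longer hold a BER of 10^-3."""
    return signal_dbm < SENSITIVITY_DBM or c_over_i_db(signal_dbm, [noise_dbm]) < C_I_LIMIT_DB

def baseline_floor(quiet_windows):
    """Per-channel median noise floor over windows known to be quiet."""
    return {ch: median(w[ch] for w in quiet_windows) for ch in quiet_windows[0]}

def classify_window(window, baseline, served):
    """window: {ch: noise floor dBm}; served: {ch: wanted signal dBm}. Returns
    'broadband' (whole band lifted: the filtered-white-noise case), 'narrowband'
    (selected channels lost their 13 dB margin) or 'clear'."""
    elevated = [ch for ch, n in window.items() if n - baseline[ch] >= RISE_DB]
    degraded = [ch for ch, n in window.items() if ch in served and voice_degraded(served[ch], n)]
    if len(elevated) >= BROADBAND_SHARE * len(window):
        return "broadband"
    return "narrowband" if degraded else "clear"

# Constructed sample data: four uplink channels, noise floor in dBm per monitoring window.
QUIET_WINDOWS = [
    {"ch1": -110.0, "ch2": -111.0, "ch3": -110.5, "ch4": -109.5},
    {"ch1": -109.5, "ch2": -110.5, "ch3": -111.0, "ch4": -110.0},
]
SERVED_DBM = {"ch1": -85.0, "ch2": -80.0, "ch3": -88.0, "ch4": -82.0}
OBSERVED = [
    {"ch1": -110.0, "ch2": -110.5, "ch3": -110.0, "ch4": -109.5},  # quiet
    {"ch1": -86.0, "ch2": -85.5, "ch3": -86.0, "ch4": -85.0},      # band-wide noise rise
    {"ch1": -110.0, "ch2": -110.5, "ch3": -80.0, "ch4": -109.5},   # one channel swamped
]

def run_demo():
    """Classify each observed window against the quiet baseline."""
    return [classify_window(w, baseline_floor(QUIET_WINDOWS), SERVED_DBM) for w in OBSERVED]
```

In a live deployment the windows would come from a monitoring receiver sweeping the uplink band, and the quiet baseline would be refreshed only from windows already classified as clear.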

Finally, cellular
techniques may have to be designed with spectral security in
mind. At present, only CDMA offers built-in resistance to
malicious transmissions. Remember that Spread Spectrum
Modulation was designed by the US military to operate in a
hostile spectral environment, and any system based on this
technique will inherit good LPI/LPJ (Low Probability of
Interception/Low Probability of Jamming) qualities.

IS-95 CDMA uses Direct
Spreading, which is slightly inferior to Frequency Hopping in
LPI/LPJ qualities. Though CDMA was designed for efficient
bandwidth utilization, we may yet see it redesigned with
spectral security in mind.

On 14 January 2000, the
CBI arrested a group of individuals who had set up their own
satellite telephone system and local switching centre and were
trunking international calls at a fraction of VSNL rates.
Harbingers of the spectral mafia?
