SPECTRAL SECURITY: Waiting to be Bugged

Voice&Data Bureau

Packet transmission over cellular media is about to usher in an explosion in the use of wireless data. Of the 400 million mobile subscribers world-wide, about 12 million (3 percent) already use data services over wireless media.


According to one estimate, growth in the number of mobile subscribers, and in the share of them using wireless data services, will make this a business worth $69.1 billion by 2002. With that kind of lucre providing momentum, it seems as though nothing can stop voice and data over wireless from forging ahead. Brave words, spoken too early.

Cloud on the Horizon


There is a little cloud on the horizon though. All 2G cellular
technologies have concentrated their signals in narrow windows
in the RF spectrum. All of them use very low-powered
transmitters, and therefore, very sensitive receivers. All of
them use omni-directional antennas, and openly announce their
operating parameters. This combination makes them extremely
fragile and very susceptible to malicious interference. Though
cellular companies have addressed the issue of information
security by providing encryption, they have been strangely
silent on the issue of spectral security. As with any other
system using radio frequencies, cellular systems will work only
if they are the sole users of the band allotted to them. And any
other user of the same band will cause interference. How
susceptible is wireless telephony to malicious interference?

Smelling big bucks, companies have blindly invested millions in wireless media, without a thought to the security of the media itself. Consider, for example, a pair of copper wires passing through thick jungle. Any prankster or criminal may cut them, tap them or feed his own information into them, because they are unguarded. And just how secure is the ether? Unlike guided media, where information follows specified and often secured or guarded paths, information on the ether always passes through thick jungle, so to speak. Though it cannot be "cut", it can be tapped, and false information can be fed into it. The ether is unguided and unguarded, especially in the case of cellular communications. Information is floating around in space, waiting to be either plucked or implanted. The succeeding paragraphs will show how fragile the whole system is.


What Is the Technology Catch?


All 2G cellular systems convert voice into bit streams, and use digital passband modulation techniques to translate these bit streams to the allocated frequency bands. The receiver intercepts these frequencies, extracts the bit streams, and reconstructs the voice signals. At some stage of this process, some bits are either corrupted by the channel or misinterpreted by the receiver, thus distorting the voice signal. This distortion is not usually catastrophic if the number of misread bits is small. Voice quality is at an acceptable level if, on average, no more than one in a thousand bits has been corrupted. This means that a Bit Error Rate (BER) of 10^-3 or less is acceptable. If, on average, a malicious transmitter manages to corrupt two out of every thousand bits, he will have degraded voice quality to unacceptable levels.

How Easy Is It?


The next step is to determine how easy it is for the malicious
transmitter to do so.

Let us take the case of a
GSM base station receiver waiting for mobile handsets to
transmit. Let us presume that a malicious transmitter is a
simple white noise generator, bandpass filtered such that noise
exists only in the GSM uplink band. If power levels are
sufficiently high, the base station receiver will be saturated,
effectively shutting down communications in that cell, and
perhaps in the adjacent cells as well. The higher the
sensitivity of the receiver, the easier it is to saturate the
receiver.

Mobile receivers are sensitive enough to receive signal powers as low as -90 dBm and still yield a BER below 10^-3. Standard calculations show that once the average noise power comes within 13 dB of the signal power, more than one in a thousand bits are corrupted, disrupting voice communications. In plain language, any transmitter whose energy arriving at the receiver is at least one-twentieth of the handset's signal power there can cause prohibitive interference.


Considering that the signal power at the base station receiver is of the order of microwatts, any communications engineer can tell you that delivering noise only 13 dB below this level is child's play, especially if directional antennas are used. The implications are clear: a simple low-powered, band-limited white noise generator with an antenna on any rooftop or window can wrest control of the cellular spectrum.
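The two paragraphs above can be turned into a link budget. The following Python is an added example, not part of the original article: it takes the article's figures (a receiver good to -90 dBm, and a 13 dB carrier-to-noise threshold below which BER exceeds 10^-3) and asks what a jammer must radiate for its noise to cross that threshold at a base station some distance away. The 900 MHz carrier, the 1 km and 5 km distances, the 8 dBi jammer antenna and the free-space path-loss model are assumptions chosen for illustration, not figures from the article.

```python
import math

# Figures taken from the article: a receiver that still delivers BER < 1e-3 at
# -90 dBm, and a carrier-to-noise ratio of 13 dB below which that BER is crossed.
RECEIVER_SENSITIVITY_DBM = -90.0
REQUIRED_CN_DB = 13.0

# Assumed scenario parameters (not from the article): a GSM 900 uplink carrier
# and the speed of light for the Friis free-space formula.
GSM900_UPLINK_HZ = 900e6
SPEED_OF_LIGHT = 299_792_458.0


def db_to_ratio(db):
    """Decibels to a linear power ratio: the article's 13 dB is about 20x."""
    return 10 ** (db / 10)


def dbm_to_mw(dbm):
    """dBm to milliwatts."""
    return 10 ** (dbm / 10)


def disruptive_noise_at_receiver_dbm(signal_dbm=RECEIVER_SENSITIVITY_DBM,
                                     cn_db=REQUIRED_CN_DB):
    """Noise power at the receiver input that pushes the channel past
    BER 1e-3: anything stronger than (signal - 13 dB). -103 dBm here."""
    return signal_dbm - cn_db


def free_space_path_loss_db(distance_m, freq_hz):
    """Friis free-space loss between isotropic antennas. Real urban paths
    lose tens of dB more, which works against the jammer; see the margin."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / SPEED_OF_LIGHT)


def jammer_tx_power_dbm(distance_m, freq_hz=GSM900_UPLINK_HZ,
                        jammer_gain_dbi=0.0, bts_gain_dbi=0.0,
                        signal_dbm=RECEIVER_SENSITIVITY_DBM,
                        cn_db=REQUIRED_CN_DB):
    """Transmitter output power at which the noise arriving at the base
    station sits cn_db below a handset signal received at signal_dbm.
    Antenna gain at either end lowers the requirement dB for dB."""
    return (disruptive_noise_at_receiver_dbm(signal_dbm, cn_db)
            + free_space_path_loss_db(distance_m, freq_hz)
            - jammer_gain_dbi - bts_gain_dbi)


def jammer_link_budget(distance_m, jammer_gain_dbi=0.0):
    """Summarise the budget for one jammer distance and antenna."""
    p_dbm = jammer_tx_power_dbm(distance_m, jammer_gain_dbi=jammer_gain_dbi)
    return {
        "path_loss_db": round(free_space_path_loss_db(distance_m, GSM900_UPLINK_HZ), 1),
        "noise_needed_at_bts_dbm": disruptive_noise_at_receiver_dbm(),
        "jammer_tx_dbm": round(p_dbm, 1),
        "jammer_tx_mw": dbm_to_mw(p_dbm),
    }


if __name__ == "__main__":
    # Assumed scenario: jammer 1 km and 5 km out, with an 8 dBi directional antenna.
    for d in (1_000, 5_000):
        print(d, "m:", jammer_link_budget(d, jammer_gain_dbi=8.0))
```

With free-space loss, the requirement at 1 km works out to a few tens of microwatts even with no antenna gain; that is the most optimistic propagation model, and an urban model adds tens of dB at 5 km, but 40 dB of extra loss still leaves the jammer under one watt. The GSM 05.05 reference sensitivity for a base station receiver is -104 dBm, lower than the article's -90 dBm, so the noise needed to cross the threshold is lower still; change RECEIVER_SENSITIVITY_DBM to see the effect.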



The malicious transmitter described above is of the 'brute force' variety, and rather crude. In the world of malicious transmissions there exist some truly nasty ones, so sophisticated that one may not even realize that one's information is being corrupted. The cellular world is particularly vulnerable to this kind of 'smart' disruption. Cellular communications are synchronous, and therefore predictable. The standards and protocols are easily available and well understood, and therefore lend themselves to selective disruption. The hardware and electronics are available off the shelf, and are very inexpensive. Any communications professional can, with very little effort, work backwards and deduce all the information required to design a truly malicious transmitter, one that is very difficult to detect and extremely efficient at disrupting communications. This point is illustrated with the following example.

Everybody knows that GSM uses Gaussian Minimum Shift Keying (GMSK) modulation at the passband. Any communication expert can tell you that MSK can also be viewed as a specific case of Continuous Phase FSK (CPFSK). CPFSK uses two frequencies, one for transmitting a binary zero (say f0) and the other for transmitting a binary one (say f1). Any standard book on GSM can tell you that the first uplink carrier of GSM 900 (ARFCN 1) sits at 890.2 MHz in a 200 kHz channel running from 890.1 to 890.3 MHz (its downlink pair lies 45 MHz higher, at 935.2 MHz), and therefore f0 and f1 must lie within this range. From the fact that MSK uses the minimum tone spacing that keeps the two tones orthogonal over one bit period, namely half the bit rate, the exact values of f0 and f1 can easily be ascertained. Now if a transmitter continuously radiates frequency f1 towards the base station receiver (with sufficient power), the base station will always receive a binary one in the time slot allotted to the user of this channel, no matter what the user actually transmits. Though there is more to it than this (the Gaussian pre-filter and the base station's equaliser complicate the picture), suffice it to say that the transmitter can impose its own bit pattern on the base station, thus laying the groundwork for a very dangerous information implant.

What about Packet Data?


So far we have been dealing with digitized voice. The case of packet data is worse. Most packet-switched systems rely on Layer 4 for reliability, and the corruption of even a single bit is instantly detected by the Layer 4 software, which discards the packet and requests a retransmission; a great many bits will fly before anyone suspects malice. A malicious transmitter that has synchronized itself to the GSM frames need only transmit a single short pulse periodically, just enough to corrupt one bit per IP packet. TCP/IP reliability will do the rest. Detecting, locating and neutralizing this kind of transmitter will tax the ingenuity of mankind.
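The "work backwards from the standard" claim of the previous two sections can be carried out in a few lines. The Python below is an added example, not from the article: the GSM 900 frequency plan gives the carrier for ARFCN 1 and, with MSK read as CPFSK, the tones f0 and f1 of the GMSK example in the previous section; the air-interface bit rate gives how little airtime a frame-synchronised one-pulse-per-packet jammer of this section needs compared with a continuous one; and an RFC 1071 checksum over a constructed HTTP segment shows why a single flipped bit is always caught at Layer 4 and so always costs a retransmission. The 1500-byte packet size and the sample segment are constructed for illustration.

```python
import math
import struct

# GSM 900 frequency plan and air-interface rate, from the GSM specifications.
GSM900_UPLINK_BASE_MHZ = 890.0       # ARFCN n uplink carrier = 890 + 0.2 n MHz
CHANNEL_SPACING_MHZ = 0.2
DUPLEX_SPACING_MHZ = 45.0            # downlink carrier = uplink + 45 MHz
GSM_BIT_RATE = 1_625_000 / 6         # 270.833 kbit/s
GSM_BIT_PERIOD_S = 1 / GSM_BIT_RATE  # about 3.69 microseconds


def arfcn_to_carriers_mhz(arfcn):
    """Uplink and downlink carrier (MHz) for a primary GSM 900 channel number."""
    if not 1 <= arfcn <= 124:
        raise ValueError("primary GSM 900 ARFCN must be 1..124")
    up = GSM900_UPLINK_BASE_MHZ + CHANNEL_SPACING_MHZ * arfcn
    return up, up + DUPLEX_SPACING_MHZ


def msk_tones_hz(carrier_hz, bit_rate=GSM_BIT_RATE):
    """MSK viewed as CPFSK: the two tones are orthogonal over one bit period
    at the minimum possible spacing, f1 - f0 = bit_rate / 2, and sit
    symmetrically about the carrier. GSM's Gaussian pre-filter (GMSK) smooths
    the transitions between them; the pure tones are the long-run limit."""
    deviation = bit_rate / 4
    return carrier_hz - deviation, carrier_hz + deviation


def tones_inside_channel(carrier_hz, tones_hz, spacing_hz=CHANNEL_SPACING_MHZ * 1e6):
    """Check that both tones fall inside the 200 kHz channel around the carrier."""
    lo, hi = carrier_hz - spacing_hz / 2, carrier_hz + spacing_hz / 2
    return all(lo <= f <= hi for f in tones_hz)


def pulse_jammer_duty_cycle(packet_bytes, pulse_bits=1):
    """Fraction of airtime a frame-synchronised jammer is on if it fires one
    pulse of pulse_bits bit periods per packet of packet_bytes. Ignores the
    channel-coding overhead of the data channel, which only lengthens the
    packet on air and so lowers the duty cycle further."""
    return pulse_bits / (packet_bytes * 8)


def average_power_saving_db(duty_cycle):
    """How far the pulsed jammer's average power sits below that of a
    continuous jammer with the same peak power."""
    return -10 * math.log10(duty_cycle)


def internet_checksum(data):
    """RFC 1071 ones'-complement checksum, as used by TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def every_single_flip_detected(segment):
    """True if flipping any one bit of the segment changes its checksum, so
    the receiver discards it and the sender's timer forces a retransmission."""
    good = internet_checksum(segment)
    for i in range(len(segment) * 8):
        hit = bytearray(segment)
        hit[i // 8] ^= 0x80 >> (i % 8)
        if internet_checksum(bytes(hit)) == good:
            return False
    return True


# Constructed sample segment for illustration (not a real capture).
SAMPLE_SEGMENT = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    up, down = arfcn_to_carriers_mhz(1)
    f0, f1 = msk_tones_hz(up * 1e6)
    print(f"ARFCN 1: uplink {up:.1f} MHz, downlink {down:.1f} MHz")
    print(f"MSK tones: f0 = {f0 / 1e6:.4f} MHz, f1 = {f1 / 1e6:.4f} MHz, "
          f"inside channel: {tones_inside_channel(up * 1e6, (f0, f1))}")
    duty = pulse_jammer_duty_cycle(1500)  # assumed 1500-byte IP packet
    print(f"one-bit pulse per 1500-byte packet: duty cycle {duty:.2e}, "
          f"{average_power_saving_db(duty):.0f} dB below a continuous jammer")
    print("single flip always detected:", every_single_flip_detected(SAMPLE_SEGMENT))
```

One pulse of one bit period per 1500-byte packet is a duty cycle of about 8e-5, some 40 dB below a continuous jammer of the same peak power, which is what makes such a transmitter hard to notice on a spectrum monitor. Caveat: GSM data channels add convolutional coding and interleaving that correct isolated air-interface errors, so in practice the pulse must be long enough to defeat the code for that burst; the duty-cycle arithmetic scales the same way.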

Before long, some whiz with criminal leanings is going to figure out that big companies have big bucks riding on the narrow cellular spectrum, and may be willing to shell out money to retain control over it. Spectral extortion sounds fancy, but I think companies need to take a hard look at spectral security before pumping more money into wireless data. Though spectral allocation is well regulated, both by international bodies and by local governments, spectral security is a governmental responsibility. Some legislation prohibiting unauthorized use of the RF spectrum does exist, but the enforcement mechanism is hazy.


The entire cellular system
is so vulnerable to interference that it may well prove
impossible to prevent interference unless the companies
themselves take an active part in spectral policing, and
petition the government into tougher legislation. Cyber
terrorism needs a TADA.

What Should be Done?


What the companies need to do is design and deploy equipment and techniques that help the authorities nail the culprit. The challenges are many. Firstly, the operator will not come to know that one of his cells has been compromised until he gets complaints from his clients, by which time the miscreant will have packed up and gone home, or moved into another cell. What we need is equipment that continuously monitors the spectrum and instantaneously detects suspicious activity in a non-intrusive manner.

Secondly, even if the operator does manage to detect that mischief is afoot, he needs to pinpoint its source, an extremely difficult proposition in a dense urban environment. Thirdly, he needs to do this within a time-frame small enough to nail the culprit in the act. Fourthly, this may not always succeed, since most malicious transmitters will probably be designed for remote operation. Malicious transmissions may well be to the cellular world what viruses are to the software world: on a much larger scale, much more difficult to deal with, and with much higher stakes.


Fifthly, it should be noted that the
criminal enjoys the twin advantages of envelopment and surprise–he
can attack any time from any direction. Detection and location
equipment will always have to be one generation ahead of the
malicious transmitters, and will be extremely sophisticated and
expensive.

Finally, cellular techniques may have to be designed with spectral security in mind. At present, only CDMA offers built-in resistance to malicious transmissions (GSM's optional slow frequency hopping averages interference across carriers, but it was designed against fading, not against a deliberate jammer). Remember that spread spectrum modulation was designed by the US military to operate in a hostile spectral environment, and any system based on this technique inherits good LPI/LPJ (Low Probability of Interception/Low Probability of Jamming) qualities. IS-95 CDMA uses direct-sequence spreading, which is slightly inferior to frequency hopping in LPI/LPJ qualities. Though CDMA was designed for efficient bandwidth utilization, we may yet see it redesigned with spectral security in mind. If malicious transmissions become widespread, then robust techniques, good burst error correction codes, high transmitter powers, sophisticated detection and location equipment, tough legislation and public awareness may be the only answer.

On 14 Jan 2000, the CBI
arrested a group of individuals who had set up their own
satellite telephone system and local switching centre and were
trunking international calls at a fraction of VSNL rates.
Harbingers of the spectral Mafia?
