My Journey of Signal Intelligence
Disclaimer: Transmission of radio signals is prohibited in India. Please go through the following link before performing any activity with radio signals. https://dot.gov.in/sites/default/files/NFAP%202018.pdf?download=1
This blog covers my journey of research on Signal Intelligence.
But before diving into it, it’s important to share why I started my research in Signal Intelligence (SIGINT).
Chapter 1: The Beginning
As a Cybersecurity Researcher, I was always fascinated by Wireless technologies such as RF (Radio Frequency), Wi-Fi (802.11), etc. The concept of data being transmitted over the air without any use of wires was nothing less than magic to me.
With this fascination for wireless technologies and the mindset of a Security Researcher, I bought an “Alfa AWUS036ACH” and started learning about IEEE 802.11 (Wi-Fi) and its related attacks.
But Wi-Fi is just a small part of the wireless spectrum and there’s more to explore.
Chapter 2: Hacker in my mind
I decided to explore SDRs (Software Defined Radios). So, I looked up RTL-SDR on the internet. All resources related to setting up RTL-SDR can be found here: https://www.rtl-sdr.com/rtl-sdr-quick-start-guide/
For quick setup, you can also follow this blog: Listening to FM using RTL-SDR and GQRX | Payatu
With this device, and with no prior knowledge of using SDRs, listening to FM stations became a pastime for me. PS: I also learned about replay attacks in RF at 433Hz.
Chapter 3: Realisation
One day, while doing some reconnaissance, it hit me that I had an RTL-SDR, which made me wonder whether I could perform wireless reconnaissance.
Again, with our good old friend (google.com), I searched the internet and came across the term “Signal Intelligence”, used mainly by a state’s armed forces and its intelligence agencies. So, I started my research.
Not because I wanted to be him:
I wanted to be this guy:
Research and Learnings of Signal Intelligence
Signal Intelligence for Dummies
As per the National Security Agency/Central Security Service, SIGINT is intelligence derived from electronic signals and systems used by foreign targets, such as communication systems, radars, and weapon systems, that provide a vital window for our nation into foreign adversaries’ capabilities, actions, and intentions.
At the NSA, the SIGINT mission is limited explicitly to gathering information on international terrorists and foreign powers, organizations, or persons. The NSA produces intelligence in response to formal requirements levied by those with an official need for intelligence, including all departments of the executive branch of the United States Government.
On the other hand, while I had no intention of getting into espionage, I got stuck here!!!
It was through Wikipedia that I started learning more about SIGINT. I learned that SIGINT is nothing but intelligence gathered by intercepting signals, whether communications between people (communications intelligence, abbreviated to COMINT) or electronic signals not directly used in communication (electronic intelligence, abbreviated to ELINT).
Some historical references about SIGINT can be found here: https://en.wikipedia.org/wiki/Signals_intelligence
For the time being, I kept Electronic Intelligence out of scope for my research and started working on Communications Intelligence.
I started digging deeper into RF bands.
Different types of Signal Modulations:
Frequency Bands and their Usages:
Problems and their Solutions
Even with this newly acquired knowledge, I had no idea where to start capturing RF signals or which frequencies to use. With multiple rules and regulations regarding radio communications in India (they can be found here: https://mib.gov.in/sites/default/files/Guidelines%202006.pdf ), it was difficult to find a foothold.
Although transmission of RF signals is a criminal offence, capturing signals in some frequency bands is not.
These bands were:
These giant jet-powered machines travel at 700kmph over 28000 feet above our heads daily. Multiple technologies are implemented on them, one of which is ADS-B.
Automatic Dependent Surveillance–Broadcast (ADS-B) is a surveillance technology and a form of electronic communication in which an aircraft determines its position via satellite navigation or other sensors and periodically broadcasts it, enabling it to be tracked. The information can be received by air traffic control ground stations as a replacement for secondary surveillance radar, as no interrogation signal is needed from the ground. It can also be transmitted and received point-to-point by other aircraft to provide situational awareness and allow self-separation. ADS-B is “automatic” in that it requires no pilot or external input. It is “dependent” as it depends on data from the aircraft’s navigation system.
Q. Can we track aeroplanes from our home?
With some reference from the following blog:
I was able to set up my own Airplane Tracking System.
Figure 1: Fixing the antenna from the window to get better signals.
Figure 2: My Beloved RTL-SDR.
Figure 3: Capturing ADS-B Signals on 1090MHz.
Figure 4: RAW data captured from an aeroplane in the air sending ADS-B signals.
Figure 5: Visualising the aircraft on the map using Virtual Radar.
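The raw data in Figure 4 is a stream of 112-bit Mode S extended squitters (DF17) on 1090MHz. As an added example, not code from the original post, here is a minimal parser that validates a frame's CRC-24 before trusting it, then extracts the ICAO address, type code and, for identification messages, the callsign. The sample frame is a published test frame from public ADS-B decoding documentation (pyModeS), not a capture from this post.

```python
# Minimal ADS-B (Mode S DF17) frame parser: CRC check, ICAO address, type code,
# and callsign decoding for aircraft identification messages (type codes 1-4).
# Added example; the sample frame is a published pyModeS test frame.

CRC_POLY = 0x1FFF409  # Mode S CRC-24 generator polynomial, x^24 + ... + 1
# 6-bit callsign character set: '#' marks unused code points, '_' is a space.
CALLSIGN_CHARS = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"

SAMPLE_FRAME = "8D406B902015A678D4D220AA4BDA"  # DF17 identification frame


def crc24(msg_hex: str) -> int:
    """Bit-serial CRC-24 remainder over the whole frame.

    For DF17 the 24-bit parity field is the CRC itself (no interrogator ID
    is XORed in), so the remainder over all 112 bits of a clean frame is 0.
    """
    bits = int(msg_hex, 16)
    for i in range(len(msg_hex) * 4 - 1, 23, -1):
        if bits >> i & 1:
            bits ^= CRC_POLY << (i - 24)  # align the generator with bit i
    return bits & 0xFFFFFF


def decode_df17(msg_hex: str) -> dict:
    """Validate and decode one extended squitter; raise on anything untrusted."""
    if len(msg_hex) != 28:
        raise ValueError("expected a 112-bit (28 hex digit) extended squitter")
    df = int(msg_hex[:2], 16) >> 3          # downlink format: first 5 bits
    if df != 17:
        raise ValueError(f"not an ADS-B extended squitter (DF={df})")
    if crc24(msg_hex) != 0:
        raise ValueError("CRC mismatch: corrupted frame, do not trust its fields")
    me = msg_hex[8:22]                       # 56-bit message field
    tc = int(me[:2], 16) >> 3                # type code: first 5 bits of ME
    out = {"df": df, "icao": msg_hex[2:8].upper(), "tc": tc}
    if 1 <= tc <= 4:                         # aircraft identification
        data = int(me[2:], 16)               # 48 bits = eight 6-bit characters
        out["callsign"] = "".join(
            CALLSIGN_CHARS[(data >> (42 - 6 * k)) & 0x3F] for k in range(8)
        )
    return out


if __name__ == "__main__":
    print(decode_df17(SAMPLE_FRAME))  # {'df': 17, 'icao': '406B90', 'tc': 4, 'callsign': 'EZY85MH_'}
```

The CRC only catches transmission errors; ADS-B carries no authentication, so a frame with a valid checksum still says nothing about who transmitted it.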
The Extra Mile
Communication Intelligence is incomplete without listening to voices. So why not listen to the ATC?
ATC (Air Traffic Control) has two main frequencies, i.e., Tower and Approach. (Being an Ethical Hacker I will not share how to find these frequencies)
NOTE: Some parts of the screenshot shared below are masked for security reasons.
Figure 6: Yes, we can hear them!!!!