Drexel 2012 signal analysis using low cost tools - masint v3
Agenda
The Challenge
Current Threat Landscape
Emerging Threats
What is MASINT/(TSCM)
Low Cost MASINT
Practical Applications
What’s next
Q&A
Manager Security Operations - Philadelphia Federal Reserve
Board Member & Officer for Philadelphia InfraGard Chapter
SANS Institute Instructor / Advisory Board / Content provider
2010 Gold Medal Recipient – Excellence in Government Service
Author / Writer / Presenter
Consultant – FBI, DCIS, DHS, USSS, MITRE
Numerous Certs - CISSP, GCIA, GCIH, GCFA, OSCP
I can sum things up for you in a word…..
Who am I
The Challenge
Diagram of assets at risk: Business Plans, Corporate Strategy, Physical Security (Personnel), Wireless Networks, Financial Assets, Mobile Devices, Financial Data, Trade Secrets, Employee Information, Customer Information, Reputation & Credibility, Networks, Workstations
The Current Threat Landscape
The Information Security industry is in the late stages of a complete paradigm shift.
Motives are shifting – Site defacements are a thing of the past
Compromises are more frequently driven by financial and/or political agenda
Hackers for hire are becoming more prevalent
0-day exploits and “Targeted” exploits earn real money
Current Threat Landscape
Exploit developers are selling to the highest bidder
Purchasers can combine exploits from various developers to build unique and difficult-to-detect attacks
Exploits against varying types of technology and hardware
Nation states are becoming more brazen in their attacks
Corporate and Industrial espionage increasing rapidly
Scope and vector of attacks is shifting to more blended attack methodologies (hardware & software). Real-world examples and frameworks are being built:
Teensy, FunCube, KillerBee, Bus Pirate, GoodFET, etc.
Attackers are more frequently using a blend of physical, embedded electronics and systems attacks to compromise their targets. Stuxnet is a perfect example.
We continue to see a proliferation of wireless technologies: ZigBee (802.15.4), Bluetooth (802.15.1), RF link devices, etc.
Medical, industrial, corporate, etc.
Current Threat Landscape
Traditional wireless attacks – Decreasing
Other types of wireless attacks – Increasing (FAST)
Embedded devices – Everything has a computer in it!
Embedded devices control the physical world
Unique wireless solutions are becoming more common
Emerging Threats Cont…..
What is MASINT ?
Measurement & Signature Intelligence
Collection of unintended emissions or byproducts of devices
All devices generate unique unintended transmission artifacts
Discrete intelligence gathering process
DoD – Officially adopted as an intelligence discipline in the 1980s
Often aggregated with other intelligence sources
(ELINT, SIGINT, HUMINT, ETC.)
MASINT – (Tactical and Strategic Sensors)
Electro / Electronic
Nuclear / Explosives
Geospatial / Materials
Radio Frequency / Electromagnetic fields*
MASINT - Primer
The cost and complexity of utilizing MASINT capabilities in the corporate environment are diminishing
Could be used by competitors for reverse engineering of products in certain industries
Could be used for corporate espionage and intelligence gathering by competing companies
There is a general lack of understanding of the risks associated with MASINT capabilities
Information Security Professionals are typically not trained or skilled in this area of Information Security
Other considerations:
MASINT is being used today to support Law Enforcement
Legalities of the use of MASINT capabilities haven’t been challenged
MASINT – What’s the concern
Traditional communications are frequently encrypted
Can’t easily be decrypted in real time
MASINT focuses on the information about a signal, not its contents
Derive data from metadata & characteristics
Gather Actionable Intelligence
How does it work
Lots of passive Intelligence to be had!
Frequency, Origin and strength – (SOI)
Unique hardware / radio frequency signature
Characteristics of the signal
Track movements and habits via RDF
Other useful intelligence
Hardware capabilities / Transmission range / Frequencies
Identify patterns & Weakness
Naturally occurring / Very difficult to spoof*
RF MASINT – What does it do? Cont…
Detection mechanism against emerging wireless (RF) attacks
Identify spurious transmissions
Identify and isolate jamming activity
Add MASINT components to pen testing capabilities
Uniquely identify equipment by its RF signature
Tracking of RF emitting devices
Develop Technical Surveillance & Counter Measures Capabilities
Testing of reverse engineering counter measures
Perform reverse engineering of parts
MASINT – Practical Applications
Pipeline: Spectrum Analyzer (SDR) Search Receiver & Antenna System → Signal Collection, Analysis & Signature Generation → Signature Analysis, Tracking, Intel
RF MASINT – Lets Build It!
Spectrum Analyzers – Lots of Choices but….. Generally very expensive! ($10K-$60K)
Typically not designed to provide MASINT or TSCM functionality
Limited frequency range
Difficult to get data out of in raw form
Restrictive antenna capabilities
Some “friendly” models exist (SpecTran, Anritsu, TekTronix, etc.)
Device of choice – Signal Hound (USB-SA44B) Software defined / USB connected / easily interfaced
Decoding Capabilities (FM,WFM, NFM, CW, SSB, Video, FSK, ASK, etc.)
API available / scripting friendly
Low cost $300 - $400 used
1Hz to 4.4GHz / fast sweep times*
Good Sensitivity / built-in Preamp / Attenuators*
Calibration capabilities
Let’s build it!!! – Equipment
Signature structure: Signature taken at a set frequency (446MHz, 220MHz, 146MHz, 900MHz)
RF Signature recorded over (3) secs with a span of 10 kHz
Unique Signature created using Amplitude (Max & Min) per frequency bin
Approx. distance 10 ft – no Faraday enclosure used
Let’s build it!!! – Spectral collection
Frequency (MHz)   Amplitude Min (mW)   Amplitude Max (mW)
445.994986        1.51E-09             1.51E-09
445.995015        1.53E-09             1.53E-09
445.995045        1.17E-09             1.17E-09
445.995075        7.27E-10             7.27E-10
445.995104        4.87E-10             4.87E-10
445.995134        1.91E-10             1.91E-10
445.995164        1.66E-10             1.66E-10
445.995193        2.63E-10             2.63E-10
445.995223        4.61E-10             4.61E-10
445.995253        5.80E-10             5.80E-10
445.995282        3.29E-10             3.29E-10
445.995312        1.12E-10             1.12E-10
445.995342        6.12E-10             6.12E-10
Device under test: Motorola XTS3000 model 3 (excerpt of the 340 bins; bin spacing ≈ 29.4 Hz, i.e. 10 kHz span / 340 points)
Finding unique RF characteristics: All electronic devices will generate unique “Artifacts” in the near field
Filtering ambient noise with 10 dB attenuation
Measuring mW at the SDR antenna
Collecting Amplitude Max/Mins
RF span 10 kHz
3+ sec measurement
340 Points of Interest
Sensitivity down to ~1E-14 mW
.CSV file output
User defined Max Amplitude
Let’s build it!!! – SOI Signature Collection
Signal of Interest (SOI)
Ambient Noise Floor (ANF)
Attenuation to reduce ANF
Unique Artifacts / (POIs)
Signature Creation Scripts – Python & .NET
Signature Generator & Signature Compare
Let’s build it!!! – SOI Signature Creation
Signature Comparison: No two signatures will come back 100% the same
Script provides a configurable tolerance
Tolerance does not sway results significantly because of the ranges
Negative hits increase as you move away from center
Let’s build it!!! – SOI Signature Compare
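The collection and compare steps above (fixed center frequency, 10 kHz span, amplitude min/max per bin, .CSV output, configurable tolerance) as a worked Python example. This is added code written for this transcript, not the presenter's Python/.NET Signature Generator and Signature Compare scripts. The CSV column names follow the slide table; the function names, the 2 dB tolerance, the conversion to dBm and the peak-relative normalisation are assumptions. The sample rows are the 13 bins from the Motorola XTS3000 table, and the two "recaptures" (same device on a new antenna, a different emitter) are constructed.

```python
"""Added example: build and compare RF signatures of the kind the slides
describe (amplitude min/max per frequency bin over a 10 kHz span).
Illustrative code for this transcript, not the presenter's scripts."""
import csv
import io
import math
import random

# Constructed sample input: the 13 bins shown on the slide for the
# Motorola XTS3000 at 446 MHz. A real capture has ~340 bins.
SIGNATURE_CSV = """\
Frequency (MHz),Amplitude Min(mW),Amplitude Max(mW)
445.994986,1.51E-09,1.51E-09
445.995015,1.53E-09,1.53E-09
445.995045,1.17E-09,1.17E-09
445.995075,7.27E-10,7.27E-10
445.995104,4.87E-10,4.87E-10
445.995134,1.91E-10,1.91E-10
445.995164,1.66E-10,1.66E-10
445.995193,2.63E-10,2.63E-10
445.995223,4.61E-10,4.61E-10
445.995253,5.80E-10,5.80E-10
445.995282,3.29E-10,3.29E-10
445.995312,1.12E-10,1.12E-10
445.995342,6.12E-10,6.12E-10
"""


def mw_to_dbm(mw: float) -> float:
    """Power in mW -> dBm. In dB a gain change becomes a constant offset."""
    return 10.0 * math.log10(mw)


def parse_signature(csv_text: str) -> list[tuple[float, float, float]]:
    """Parse the collector's CSV into (freq_hz, min_dbm, max_dbm) per bin."""
    bins = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        freq_hz = float(row["Frequency (MHz)"]) * 1e6
        lo = mw_to_dbm(float(row["Amplitude Min(mW)"]))
        hi = mw_to_dbm(float(row["Amplitude Max(mW)"]))
        bins.append((freq_hz, lo, hi))
    return bins


def normalize(sig):
    """Express every bin relative to the strongest max bin, so a uniform
    gain change (different antenna, distance or attenuator setting)
    cancels out and only the shape of the emission is compared."""
    peak = max(hi for _, _, hi in sig)
    return [(f, lo - peak, hi - peak) for f, lo, hi in sig]


def compare(ref, probe, tol_db=2.0, freq_tol_hz=15.0, relative=True):
    """Return (hit_fraction, per_bin_hits).
    A bin is a hit when its frequency lines up with the reference bin
    (bins are ~29 Hz apart here) and the probe's [min, max] envelope lies
    within tol_db of the reference envelope. tol_db is the assumed
    'configurable tolerance' of the slides."""
    if len(ref) != len(probe):
        raise ValueError("signatures must use the same span and bin count")
    if relative:
        ref, probe = normalize(ref), normalize(probe)
    hits = []
    for (f1, lo1, hi1), (f2, lo2, hi2) in zip(ref, probe):
        aligned = abs(f1 - f2) <= freq_tol_hz
        in_envelope = lo2 >= lo1 - tol_db and hi2 <= hi1 + tol_db
        hits.append(aligned and in_envelope)
    return sum(hits) / len(hits), hits


def recapture(sig, gain_db, jitter_db, seed=1):
    """Constructed stand-in for re-collecting the same device with a
    different antenna: a uniform gain offset plus small per-bin noise."""
    rng = random.Random(seed)
    out = []
    for f, lo, hi in sig:
        j = rng.uniform(-jitter_db, jitter_db)
        out.append((f, lo + gain_db + j, hi + gain_db + j))
    return out


def other_device(sig):
    """Constructed stand-in for a different emitter on the same channel:
    same frequencies, amplitude profile reversed across the span."""
    amps = [(lo, hi) for _, lo, hi in sig][::-1]
    return [(f, lo, hi) for (f, _, _), (lo, hi) in zip(sig, amps)]


if __name__ == "__main__":
    ref = parse_signature(SIGNATURE_CSV)
    new_antenna = recapture(ref, gain_db=6.0, jitter_db=0.5)
    print("same device, absolute compare:", compare(ref, new_antenna, relative=False)[0])
    print("same device, relative compare: ", compare(ref, new_antenna)[0])
    print("other device, relative compare:", compare(ref, other_device(ref))[0])
```

The absolute comparison of the same radio through a 6 dB "better" antenna scores zero hits, while the peak-relative comparison scores 100%; the reversed-profile emitter scores about 54% at a 2 dB tolerance. That is the antenna caveat of the next slide in numbers: compare shape in dB, not raw mW, and keep the raw values separately if absolute power is needed for range estimation.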
Let’s build it!!! – Signature Compare Contin…
Lots of things can throw off your Signals of Interest (SOI): changing antennas, RF noise, physical structures, atmospherics, etc.
Spread spectrum signals can be missed in a simple full spectrum sweep
Lower output devices require a closer (near field) range. Some devices have too low an output in standby mode to detect cleanly
Antennas are extremely important. RDF requires both attenuators and directional antennas (Yagi)
96” Discone and a collection of whip antennas worked well (YMMV)
Sweep speeds become really important when looking at TSCM. 20 secs is very fast for low cost units; OSCAR devices are probably better
Caveats…..
Lots more work to be done….
Develop database of manufacturer signatures
Develop traditional TSCM capabilities: Automatic Discrete Signal Searching
Threat Detection Algorithm ( TDA)
VLF – digital recorders / other recording devices
Spread Spectrum and infrared detection
Infrared (between 850nm & 1070nm) Optical
MASINT / TSCM portal Antenna Array
Triangulation / Ranging capabilities
Programmatic Attenuation
Multiple Device Configuration / Triangulation
What’s Next?
Information security is going through a paradigm shift
Blended hardware and software attacks are an emerging threat
Risks associated with Insider threats and espionage are driving the adoption of MASINT and TSCM capabilities
RF MASINT / TSCM capabilities can be developed using relatively low cost SDR equipment and code
Both offensive and defensive capabilities exist
Traditional Information Security and TSCM industries are overlapping and merging
Broader training is required for Information Security management and staff to mitigate emerging threats
To Summarize…..
Contact information : Brad Bowers [email protected]
THANK YOU!!!