--------------------------------------------------------------------------

              How to Monitor Microwave Telecommunication Links
                 (Telephone Channels) With an Ordinary TVRO

  Transcribed to the electronic media for you by Thallion of WUFO MCMXCIV.

--------------------------------------------------------------------------

        Now that Congress has decided to patch a massive hole in the
security of U.S. Communications, with a law that neither requires nor
encourages carriers to increase security, I thought I would re-post an
article I wrote a year ago about a major aspect of the problem. By doing so
I hope to remind everyone that, even with draconian laws in place, it is
still very easy to intercept many regular telephone calls and circuits:
Nothing in the Electronic Communications Privacy Act of 1986 requires or
even particularly encourages carriers to increase the security of radio or
satellite links. In short, listeners who get caught can be punished, but
nothing anti-Constitutional has been done to make listening any harder.

        The kinds of interception I describe here are illegal under the new
law, but the equipment required is very widely available and has legitimate
uses, which make a ban on sale or possession very unlikely. The act of
interception could be carried out in total secrecy and would be nearly
impossible to detect from a distance. Plus, the Justice Department has
stated that it does not intend to vigorously enforce the radio portions of
the Law, most of which are generally regarded as unenforceable (even by the
Bill's sponsors). So the Law, while fairly severe, really won't have much
of a deterrent effect on even the most casual eavesdroppers. And casual
listeners are not the real problem, anyway.

        Yes, it is possible and not very difficult: Some years ago it was
pointed out that 68% of all long distance trunks were carried by
ground-based microwave. And while long distance carriers have been working
(under some pressure from the NSA and the White House) to convert these
circuits to optical fibers, or at least coaxial cable, there are still many
routes that use microwave or satellite "hops." I don't know an exact
figure, but I think it would be reasonable to guess that at least 40% - 50%
of all long distance trunks include a microwave or satellite hop.

        Approximately 75% of all long haul microwave relays use the 3.7 -
4.2 GHz band, which is readily receivable by a TVRO.

        Most long haul microwave systems use FM modulation and frequency
division multiplexing (FDM) of single sideband suppressed carrier voice
channels. Some satellite systems also use this modulation. Unfortunately,
FM/FDM/SSB is quite easy to receive with simple and widely available
equipment. Recovering the activity of a specific channel is very easy,
which opens up the possibility of monitoring random phone calls to a
specific group of destinations, or monitoring specific private line data or
voice circuits (which are assigned to a multiplex slot for long periods of
time).

        The question of whether a TVRO could be used to monitor phone
conversations has been raised: The answer is, with the addition of a
stable, general coverage, single sideband receiver (such as an ICOM R71, or
a KENWOOD R2000, or the receiver section of a modern transceiver) connected
to unfiltered and unclamped video outputs (provided for connecting stereo
adapters and descramblers), a TVRO can be used to listen to FM-FDM
multiplexed telephone signals from both celestial and ground-based sources.

        Further, with a stable block down-converter that converts to the
UHF-TV band and one of the scanner type receivers designed to cover this
band, one may also receive some of the Single Channel Per Carrier (SCPC)
signals that carry telephone circuits to more remote places, along with
network radio feeds, Muzak and various broadcast data services, such as the
AP and UPI news services. (Some signals are dithered and require some form
of closed loop AFC to receive them.) This vulnerability has been known to
telecommunications security specialists for many years. But as the number
of TVRO systems has increased to well over two million, the problem assumes
a somewhat different perspective: In 1976, Mitre (the Mitre Corporation)
estimated that it would cost $50,000.00+ to intercept microwave telephone
calls, and would require a 10' dish.

        In that era, a 10' dish would attract much attention. Today,
however, anyone can buy a TVRO system with a 75K LNA and an 8' - 12' dish
for $1,000 - $1,500. And almost nobody would give the system a second
glance, because TVROs have become quite commonplace. A 75K LNA beats the 10
- 12 dB receiver noise figure that the Mitre Corporation based its
calculation on by a substantial margin. And the current generation of
computer controllable, general coverage SSB receivers are much more cost
effective de-multiplexing devices than are the synthesizer and selective
voltmeter which seemed necessary back in 1976.

        The existence of these millions of receivers, which can pick up
both celestial and ground-based telephone signals, means one should not
ever presume that a long distance telephone call is private. More
important, because they are much easier to find in FDM complexes, one
should not assume that a private leased line is secure unless the long
distance carrier has specially routed it via lightwave (much more secure)
or coaxial cable (only somewhat more secure) for its entire path.
               
        (Obviously, conventional wiretaps must also be considered if there
is reason to believe that some individual or organization has sufficient
interest in your communications to risk imposing a physical tap on a
telephone line.)

                           MULTI-CHANNEL SYSTEMS

1: FDMA/PSK/TDM/PCM: Used on a number of transponders on 4 and 12 GHz
   satellites. Heavily used by private business for tie lines and other
   leased line services. Sometimes mixed with data. Quite secure if
   encrypted. Not easily intercepted by private individuals.

2: TDMA/PSK/TDM/PCM: Used on SBS (12 GHz) satellites as the principal
   accessing technique. Therefore, SBS Skyline services and some MCI
   services (both are now owned by IBM) are protected with this technique.
   Also used on some 4 GHz transponders. Very difficult for private
   individuals to intercept, even if un-encrypted. Some circuits are
   encrypted, some are not. TDMA is believed to be the heavy-use satellite
   access technique of the future, as it offers very efficient use of
   transponder power and dynamic allocation of system capacity to those
   links which are currently active. When combined with encryption, it is
   quite secure.

3: FDMA/FM/FDM/SSB: Standard modulation used on almost all terrestrial
   long-haul telephone microwave circuits. Used on several 4 GHz DOMSAT
   transponders and most older multi-channel INTELSAT links. Wideband
   FM/FDM signals may be readily received by standard TVRO receivers, and
   an individual channel may easily be picked out of the multiplex signal
   with a garden variety, general coverage SSB communications receiver.
   Very easy for private individuals to intercept.

                           SINGLE CHANNEL SYSTEMS

5: FDMA/FM: (Also known as SCPC/FM) Single Channel Per Carrier is used to
   transmit one single FM telephone channel between two points. A
   transponder carries many such FM carriers at one time. Frequencies used
   are often coordinated by a central station when the call is set up, and
   may be used only for the duration of the call. This technique is used
   for communications with remote places that rarely need more than a few
   circuits at once. May be intercepted by a wide band scanner connected to
   a very stable block down-converter. Easy for private individuals to
   intercept.

6: FDMA/PCM: (Also known as SCPC/PCM, or SPADE) This technique is the
   international standard INTELSAT method of establishing telephone
   connections between places which do not have sufficient traffic to
   warrant permanently assigned FDM trunks. Each direction of each
   telephone call is assigned a channel by the central control station.
   These stations transmit a PSK keyed carrier on that channel for the
   duration of the call. Each carrier contains one 9 KHz sampled PCM
   bitstream, along with some error correction and synchronizing bits. As
   far as I know, encryption is not used. The signal may be intercepted by
   a sophisticated individual. But intercepting it requires a rather large
   dish, because the effective radiated power per carrier is very much less
   than DOMSAT carriers use. A few domestic SATCOM SCPC users use PCM,
   probably with some form of encryption. Hard for a private individual to
   intercept.

7: FM/FDM-FM: (Subcarriers on video feeds) As most TVRO owners discover,
   many video feeds contain additional subcarriers which carry unrelated or
   tangentially related material. Included among these are cue and
   coordination channels which may occasionally carry telephone-like
   conversations. There are no regular telephone circuits in video
   subcarriers, however. These subcarriers are extremely easy to intercept,
   as most TVROs have tunable audio demodulation.

                               ON FM/FDM/SSB

        All it takes to recover FM/FDM/SSB signals is a suitable wideband
FM receiver connected to a stable, general coverage SSB receiver which
tunes the frequency range used for the baseband. TVRO receivers have the
correct bandwidth for many such signals. They often incorporate provisions
for IF filters, which may be used to better adapt receivers to the narrow
band signals found on some transponders. Modern general coverage SSB
receivers and transceiver receiver sections with synthesized tuning,
digital frequency display and narrow IF filters are well suited to
recovering the audio on a particular channel.

        Listening to FM/FDM/SSB signals may be accomplished by tuning the
TVRO receiver either to a satellite transponder that carries an FM/FDM/SSB
signal (which may involve restricting the IF bandwidth with a filter,
because some transponders carry more than one FDM/FM signal), or by pointing
the antenna at a nearby terrestrial microwave transmitter and tuning the
receiver for maximum signal.

        Once the FDM/FM signal has been tuned in, the SSB receiver may be
used to search the baseband (typically 0.3 MHz to 6 or 8 MHz) for telephone
conversations, data transmissions and other private line circuits.
Individual channels will appear as USB or LSB signals at precise 4 KHz
intervals. In fact, the whole baseband is organized into 12 channel
groups, 60 channel supergroups and 600 channel master-groups, according to a
standard frequency plan. (The AT&T plan, as usual, is different from the
CCITT plan used internationally.)

        Most channels have completely suppressed carriers, but certain
channels will appear to have a (slightly off frequency) carrier in them,
which is called a pilot tone. This tone is used to monitor circuit
continuity and control overall gain. Depending on how archaic the equipment
is on a particular telephone trunk, there may be a 2600 Hz SF signaling
tone in the channel when it is idle. But the tone is dropped when the
channel is occupied with a call. Trunks that use SF signaling often use
MFKP (Multi-Frequency Key Pulsing - the famous blue box version of tone
dialing) to pass telephone numbers on to the destination switch.

        Most modern trunks use CCIS (Common Control Inter-office Signaling),
a packet network replacement for the earlier and less secure in-band
method; it uses separate signaling channels to carry all of the signals
for all of the trunks in a route.

        A single signal usually carries only half a telephone conversation,
so it is necessary to use two receivers and two TVROs to clearly pick up
both sides of a call. Receiving both sides of a terrestrial circuit
requires a suitable location where both directions of transmission may be
picked up. This usually means a site in line with the microwave path.
Sometimes both directions of transmission from a single repeater site may
be monitored by a very nearby (less than a couple of miles) receiver.

        Many telephone trunks have sufficiently low echo return loss so
that both parties may be heard even when monitoring only one direction of
transmission. So it is quite possible to listen to both sides of some
conversations with only one receiver. Both sides of a satellite FDM circuit
will sometimes be found on the same satellite, and sometimes not.

        In general, particularly on terrestrial signals, all of the
channels in a 12 channel group originate and terminate at the same place.
The groups and super groups that make up a master group, however, often
originate from several different places. Demodulation to baseband audio is
generally done as few times as possible on a trunk or a private line
circuit which connects two places. The 12 channels of its group are shifted
to various frequencies within the baseband of the different satellite,
microwave or coaxial cable FDM signals which carry it to its destination.

        Channels within a group are assigned various functions. Some may
carry telephone trunks, some may carry private line data, some may carry
private trunks which belong to large companies, and a certain percentage
are reserved for use as spares. It has long been telephone company practice
to route the telephone trunks between two switching centers over several
different paths to supply redundancy in the event that one path fails. (And
also to make it harder to intercept a particular call between the two
switches.) This means any given FDM group may contain trunks from several
different trunk groups rather than all of the trunks from, for example,
Chicago to West Bend.

                                 ON PSK/TDM

        Some of these channels (often 24) are combined into a high speed
serial bit stream (often 1.554 Mb) by sending one sample from each channel
in serial form as a string of 8 bits, followed by a sample from the next
channel, and so forth. Sometimes this composite bit stream, or the bit
stream from individual channels, is encrypted with a DES chip. Error
correction and framing bits, and sometimes special control channel bits,
are added. This digital bit stream is then scrambled (so it has more
predictable transition statistics and little or no DC component) by a
linear feedback shift register sequence. The resultant bit stream is used
to PSK modulate a carrier, which is uplinked to the satellite.
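The frame-and-scrambler structure just described, as an added Python model that is not part of the original article: the 24-channel interleaving and a 7-stage LFSR scrambler with hypothetical taps and seed, showing that an additive scrambler is undone by anyone holding the published polynomial, which is why the links are only secure once the DES step is present.

```python
# Toy model of the continuous-carrier PSK/TDM stream described above:
# 24 channels, one 8-bit PCM sample per channel per frame, then an
# additive LFSR scrambler. Constructed example; framing, FEC and the
# DES step are left out so the scrambler's role stands alone.

CHANNELS = 24
BITS_PER_SAMPLE = 8
FRAME_BITS = CHANNELS * BITS_PER_SAMPLE  # 192 payload bits per frame


def interleave(samples):
    """One TDM frame: 8 bits of channel 0, then channel 1, ..., MSB first."""
    if len(samples) != CHANNELS:
        raise ValueError("one sample per channel expected")
    bits = []
    for s in samples:
        bits.extend((s >> (BITS_PER_SAMPLE - 1 - i)) & 1
                    for i in range(BITS_PER_SAMPLE))
    return bits


def deinterleave(bits):
    """Inverse of interleave(): slice the frame back into 24 samples."""
    if len(bits) != FRAME_BITS:
        raise ValueError("one full frame expected")
    step = BITS_PER_SAMPLE
    return [int("".join(map(str, bits[c * step:(c + 1) * step])), 2)
            for c in range(CHANNELS)]


def lfsr_stream(n, seed=0x7F):
    """7-stage Fibonacci LFSR, taps at stages 7 and 6 (recurrence
    a[n] = a[n-6] ^ a[n-7], polynomial x^7 + x + 1, period 127).
    Hypothetical parameters; a deployed scrambler publishes its own."""
    state = seed & 0x7F
    out = []
    for _ in range(n):
        out.append(state & 1)
        feedback = ((state >> 6) ^ (state >> 5)) & 1
        state = ((state << 1) | feedback) & 0x7F
    return out


def scramble(bits):
    """Additive scrambler: XOR the payload with the LFSR sequence. The
    sequence depends only on the public polynomial and seed, so calling
    scramble() again descrambles: DC balance, not confidentiality."""
    return [b ^ k for b, k in zip(bits, lfsr_stream(len(bits)))]


def ones_fraction(bits):
    """Share of one-bits; 0.5 means a DC-balanced stream."""
    return sum(bits) / len(bits)


if __name__ == "__main__":
    idle = interleave([0] * CHANNELS)  # 24 silent channels: no transitions
    print(ones_fraction(idle), ones_fraction(scramble(idle)))
```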

        Receiving these FDMA/PSK/TDM/PCM digital transmissions requires a
complex RF modem, a large enough dish to derive an acceptable SNR (and BER)
and, often, knowledge of DES encryption keys used (unless one is a
cryptographer who can break DES). While certain transmissions which are not
encrypted could be intercepted by a sophisticated individual, particularly
one who has access to the RF modem and multiplexing hardware used by the
actual subscribers, the required expertise is of an order of magnitude
greater than that required to intercept FM/FDM/SSB signals. Also, the
equipment required is highly specialized and not widely available.
(Decoders for TDM-PCM bit streams could be built by a skilled person from
available chips with relative ease. But the PSK high-speed RF modem
technology used would not be easy for even a skilled person with
substantial resources to duplicate.)

        Presumably few (if any) casual listeners intercept TDM/PCM radio
circuits. The only listeners to such transmissions are intelligence
agencies and, perhaps, industrial spies who can afford the necessary
hardware to monitor their objective's private circuits. And more and more
users of such links are encrypting them with DES, which is relatively easy
as the information is already in a digital format.

        TDMA/PSK/TDM/PCM signals are much more complex than most
FDMA/PSK/TDM/PCM signals. This is natural, since all traffic is sent by
having each station on the network transmit a burst of very high speed
(tens of Mb) data, in an assigned time slot, and in sequential fashion.
The burst formats are complex and contain error correction,
status and control channels, call set-up channels and so forth. And the
bursts are scrambled just as in the continuous carrier TDM case.
Intercepting and demodulating such a signal would be a major task. It
probably is something which has been done (by intelligence agencies) by
using perverted versions of the ground station hardware and firmware used
in the system. In addition to the complexity of the task of sorting out the
digital information, and determining the right time slot from the right
burst to retrieve the channel of interest, the very high speed, fast
lock-on RF modems used to demodulate the bursts are, themselves,
non-trivial devices.

        I suspect that perverting the firmware in a legitimate ground
terminal is complex enough so that no private individual could accomplish
it without access to a lot of detailed, unpublished information, such as
the source of the firmware and precise details of the protocol and burst
formats.

-------------------------------------------------------------------------