The real danger of these off-the-shelf, low-cost/no-cost SIGINT collection tools is that they create an environment in which anyone with access to government or civilian communications lines, or to facilities that are supposed to be secure, can cause damage ranging from WikiLeaks-style cable scandals to the simple hijacking of someone’s secured Wi-Fi using a Wi-Fi sniffer and password cracker such as Cain & Abel. These scenarios lead to the question: “How does the evolution and capability of low-cost/no-cost open-source civilian collection and monitoring programs and equipment threaten United States national security?”
The sheer fact that signals-gathering equipment is available on the open market is cause enough for alarm at the government level. The United States is still not completely prepared to defend itself against the exploitation of signals traffic within its own borders, where a very large private signals infrastructure coexists with countless lines over which government signals traffic passes every second of the day.
In the development of SIGINT technologies, many of America’s technology corporations lead the charge in producing effective, high-quality, commercially available systems that can be deployed alongside the other systems in the U.S. government’s signals collection arsenal. Countermeasures do exist for the companies that produce such devices, such as the TEMPEST (Telecommunications Electronics Material Protected from Emanating Spurious Transmissions) standard, which classifies devices and ensures that they will not interfere with the communications of other devices, and which also classifies which devices may be made available for public consumption. TEMPEST-approved devices are graded on a scale of 1 to 3:
“TEMPEST Approval - Type 1: A classified or controlled cryptographic equipment, assembly, component, or item endorsed by the National Security Agency (NSA) for securing telecommunications and automated information systems for the protection of classified or sensitive U.S. Government information exempted by the Warner Amendment for use by the U.S. Government and its contractors, and subject to restrictions in accordance with the International Traffic in Arms Regulation.
TEMPEST Approval - Type 2: An unclassified cryptographic equipment, assembly, component, or item endorsed by the National Security Agency for use in telecommunications and automated information systems for the protection of unclassified but sensitive information. Type 2 equipment is exempted by the Warner Amendment. Type 2 is available to U.S. Government departments, agencies, sponsored elements of state and local government, sponsored U.S. Government contractors, and sponsored private sector entities. It is subject to restrictions in accordance with the International Traffic in Arms Regulation.
TEMPEST Approval - Type 3: An unclassified cryptographic equipment, assembly, component, or item that implements an unclassified algorithm registered with the National Institute of Standards and Technology (NIST) as a FIPS for use in protecting unclassified sensitive, or commercial, information. This definition does not include Warner-Amendment-exempt equipment.”
The information above is pertinent to this study because it outlines the restrictions on devices, but it does not address the software programs that run on the publicly available TEMPEST Type 3 devices. While regulations for devices are in place, that does not mean the market offers no other avenues for obtaining SIGINT collection equipment, devices and software that can potentially harm U.S. national security and infrastructure.
Some of the key areas that can be affected by the availability of software programs that let hackers access private as well as public communications lines are those that allow access to SCADA (Supervisory Control and Data Acquisition) systems. The vulnerability of these systems is quite evident, as highlighted in Justin Heinz’s “Water Utilities’ SCADA Systems Proven Vulnerable to Cyber Attack”, which describes a recent breach of a SCADA-controlled water utility in South Houston in which a hacker known as “Pr0f” got into the SCADA system and then posted screenshots of the internals of the network. Interestingly, Pr0f did not claim to have carried out the attack for malicious reasons but rather to point out how easy it was. Regarding the decision to connect a critical system to the internet, Pr0f wrote in a post on Pastebin revealing the hack: “I don’t really like mindless vandalism. It’s stupid and silly. On the other hand, so is connecting interfaces to your SCADA machinery to the Internet. I wouldn’t even call this a hack, either… This required almost no skill and could be reproduced by a two-year-old with a basic knowledge of Simatic.”
While the above illustrates that SCADA systems are indeed hackable and that hackers do pose a threat to the security of the United States’ fresh water supply, it is not the only area that is vulnerable. Although the SCADA hacks do not involve SIGINT hardware available on the open market, they do illustrate how U.S. national security can be threatened by a person using open-source hacking software to get into SCADA systems and take control.
Another vulnerability that comes to mind is the threat to the aerial assets of U.S. federal and local governments that operate drone aircraft. The ability to take control of an unmanned aircraft mid-flight, known as “drone hacking”, is horrifying to the Federal Aviation Administration and a gigantic national security risk. A recent example took place in the United States when a team of doctoral candidates from the University of Texas at Austin spent 1,000 dollars on a system built from open-source parts and materials that allowed them to mount a spoofing attack on a drone, using the civilian GPS band to control the aircraft while in flight. The attack is carried out through an electronic attack called “spoofing”, in which the drone’s guidance system is bombarded with thousands of command signals until the right signal is registered, at which point control of the aircraft becomes available. While tougher safeguards will more than likely be put in place in the future for the security of drone flight controls, the fact that a civilian drone can currently be hacked with 1,000 dollars of equipment should be more than an alarm when it comes to hazards to national security.
While the ability to take over a drone in flight is available with rather inexpensive equipment, the software side of drone hacking presents another issue: the security of the images and information broadcast back to drone control centers. An article published on 29 October 2012 in Wired Magazine, entitled “Most U.S. Drones Openly Broadcast Secret Video Feeds”, provided alarming information: drones participating in combat missions were first known to have been hacked in 2008, when the U.S. military discovered drone footage from combat missions on the captured laptops of Shia militants in Iraq. The report by U.S. military officials stated that the drone was hacked with a 26-dollar piece of software known as “Sky-Grabber” loaded onto the laptop, which allowed it to intercept the unencrypted video feed from the drone.
The communications intercepted on the ground in Iraq were the live feeds used by commanders in tactical operations centers and by soldiers on the ground. This form of transmission is called CDL, or Common Data Link, and it is what sends these signals to the receivers on the ground. The main reason the CDL was, and on some drones not yet upgraded to the fully encrypted version still is, hackable by those determined enough is that the original specifications for the CDL did not include encryption devices on the aircraft, as they were considered too heavy a payload.
The U.S. military is currently retrofitting the aircraft cockpits with encryption devices for the communication feeds; however, at this point in time it will take until 2014 to retrofit the current fleet. This means that until the current fleet is fully overhauled for security, commanders will have to prioritize which drone fleet to use and when, and be cognizant of the fact that the opposing force may be able to hack into the live feed as it unfolds on the battlefield, allowing them to take greater evasive maneuvers. The danger is real and it is here: the availability of software for sale on the open market like “Sky-Grabber”, for under thirty USD, provides the enemies of the U.S. with a very handy tool kit at low cost.
On the opposite end of the spectrum from surveillance and tactical communications are the civilian communications that citizens of the U.S. and the world take for granted every day: GSM communications. GSM stands for Global System for Mobile Communications; it is the international network that supports mobile communications and one of the most vulnerable communications networks, as it is easily hacked using a variety of software and hardware tools. In a January 2012 interview, Peter Cox, the CEO of UM Labs in the United Kingdom, stated that all smart phones use GSM to communicate and that for 1,500 GBP one can obtain a GSM base station, which is essentially a software program and a radio that goes with it, and listen in on GSM calls. This type of kit is readily available on the internet and can listen to GSM phone calls within a three-mile radius. A recent white paper from UM Labs stated that the system was “based on an open-source software project, which has built a low-cost GSM base station using a commercially available software-controlled radio system.
The radio connects to a laptop via a USB cable and the complete system is small enough to be packaged into a briefcase. To monitor a GSM call, the system is configured to operate as a base station on the appropriate network, and any nearby phones will join the base station if that station broadcasts the strongest available signal.”
Again, the relatively low cost and mobility of the system presents a severe issue for U.S. national security. If the ability to monitor GSM calls within a three-mile radius is that cheap, one could be led to believe that cash-flush drug cartels operating along U.S. borders could be monitoring cell phone calls for references to their operations as discussed by counter-narcotics agents and police in the border areas. The implications of this ease of access to commercial communications are almost endless, as wireless providers are not quite ready to tackle the severe security issues involved in making their networks more secure. The fact of the matter is that all networks still have to support decaying infrastructure in order to keep pace with their expanding operations.
There are few alternatives for securing one’s private communications. One remedy is to use voice over internet protocol (VoIP) in order to maintain a higher level of encryption and security during the call. However, this too is vulnerable, as VoIP calls are conducted over internet connections and are thus open to hacking as well. One example with implications for the national security of the U.S. and of other nations is the February 2012 account of how the hacker group “Anonymous” was able to hack into and listen to a VoIP call between Scotland Yard in the UK and the Federal Bureau of Investigation in the U.S. as they were actively trading leads on how they were going to catch “Anonymous”. The call was over a non-secure line, so the first mistake was a clear OpSec failure on the part of the FBI and Scotland Yard. Now that the damage is done, however, the two agencies face the greater problem of securing their lines of communication.
There are a few different types of GSM/VoIP hacking software and hardware; most are available on the internet and are open source. Here are a few examples that are readily available and in use on the market:
1) Gnu Radio: “GSM data can be recorded off the air using, for example, a programmable radio such as the USRP. Gnu Radio provides the tools to record channels while Air probe’s gsm-receiver decodes the control traffic and—in scenarios where no encryption is used or where the encryption key is known—also decodes voice traffic.”
2) Kraken: “This software uses new, very efficient, encryption cracking tables that allow it to break A5/1 encryption much faster than before. The software is a key step toward eavesdropping on mobile phone conversations over GSM (Global System for Mobile Communications) networks. Since GSM networks are the backbone of 3G, they also provide attackers with an avenue into the new generation of handsets.”
3) Cain & Abel: “is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.”
All of the programs mentioned are available at no cost and therefore pose a very significant threat to countries’ GSM networks, especially during a time of crisis. Anyone with general knowledge of how to download and operate one of these programs on a PC, and the determination to collect the information, is the real threat to personal and national security, as such a person effectively makes anyone using GSM communications a target.
GSM/VoIP communications are not the only forms of communications at risk from software and hardware available on the open market. The United States is crisscrossed by millions of miles of fiber, copper and wireless communications lines and stations that essentially make the heart of America run. Fiber communications were once thought to be the most secure form of information transfer in the U.S.; however, even fiber lines have now been shown to be hacked effectively using commercial tools. While hacking into fiber is expensive and often a very delicate procedure, the availability on the market of lower-cost tools and software is placing that ability in the hands of many subversive organizations and private entities.
A fiber optic cable can be tapped without actually piercing the fiber or disrupting the flow of the data. “Fiber can be bent or clamped in a precise way that will form micro-bends. When micro-bends or ripples are introduced, photons of light will leak out and there is a possibility that the intruder’s receiver can capture enough of these escaped photons of light to have viable data. This method appears to be more successful at lower speeds and not effective on higher data rates.”
The above method, while not entirely efficient, does allow an intruder to capture SIGINT without physically breaking the line and alerting a network operations team, who would inevitably get the signal to come and check the line. In regards to safeguarding U.S. infrastructure, it should be noted that a lot of this equipment is readily available for open purchase on the civilian market. One of the main issues in tapping a fiber line is light interruption: if there is a break in the line, the light (the communications) will be interrupted and thus signal the NetOps (FiberOps) team monitoring the network. The following excerpt from the aforementioned SANS document describes a non-intrusive optical tap that would allow the intruder to act undetected.
“There are available methods that can be used to tap fiber cable without actually physically touching the cable. These non-touching active taps inject additional light into the fiber plant and analyze the underlying optical signal by gauging certain interactions between the two. Without the right kind of physical-layer optical signal protection, an end-user may never notice that their data is being intercepted. It also indicates that another vulnerable concern is when an intruder gains access to the cable before the first switching center. Detection can go unnoticed and optical tapping requires less complex and expensive equipment in the local and access loops.”
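As an added example that is not part of the original paper, the following monitoring logic shows the detection gap the excerpts above describe from the defender's side: a cut fiber trips the usual loss-of-signal alarm, but a micro-bend tap bleeds off only a small fraction of the light, so the network operations team needs a second alarm on small, sustained attenuation measured against a learned baseline. All thresholds and readings are constructed assumptions, not values from any real network.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed thresholds (assumptions, not values from any real network).
LOSS_OF_SIGNAL_DBM = -30.0   # at or below this the link is dark: a cut, not a tap
TAP_ALERT_DB = 0.5           # sustained extra loss, in dB, worth a physical site check
TAP_WINDOW = 3               # consecutive low readings required before alerting


@dataclass
class Reading:
    t: int              # seconds since monitoring started
    power_dbm: float    # optical power measured at the receiving end


def learn_baseline(known_good: List[Reading]) -> float:
    """Average received power over a window known to be tap-free."""
    return sum(r.power_dbm for r in known_good) / len(known_good)


def classify(readings: List[Reading], baseline: float) -> List[Tuple[int, str]]:
    """Return (time, event) pairs.

    "LOS" is the classic loss-of-signal alarm a cut fiber already triggers.
    "ATTENUATION" is the extra alarm for a micro-bend style tap: the light
    never disappears, but a small fraction of it is being bled off, so the
    received power sits slightly below the learned baseline for several
    readings in a row.
    """
    events: List[Tuple[int, str]] = []
    low_streak = 0
    for r in readings:
        if r.power_dbm <= LOSS_OF_SIGNAL_DBM:
            events.append((r.t, "LOS"))
            low_streak = 0
            continue
        extra_loss_db = baseline - r.power_dbm
        if extra_loss_db >= TAP_ALERT_DB:
            low_streak += 1
            if low_streak == TAP_WINDOW:      # alert once per sustained episode
                events.append((r.t, "ATTENUATION"))
        else:
            low_streak = 0
    return events


# Constructed sample data: three known-good readings, then a run in which a
# tap is applied around t=30, the link is cut at t=70 and restored at t=80.
KNOWN_GOOD = [Reading(0, -7.0), Reading(1, -7.1), Reading(2, -6.9)]
MONITORED = [
    Reading(10, -7.00), Reading(20, -7.05),                      # normal jitter
    Reading(30, -7.80), Reading(40, -7.90), Reading(50, -7.85),  # ~0.85 dB bled off
    Reading(60, -7.90),
    Reading(70, -45.0),                                          # cut: dark fiber
    Reading(80, -7.00),                                          # restored
]


def run_demo() -> List[Tuple[int, str]]:
    baseline = learn_baseline(KNOWN_GOOD)
    return classify(MONITORED, baseline)


if __name__ == "__main__":
    for t, event in run_demo():
        print(f"t={t:>3}s  {event}")
```

The attenuation alarm fires at the third consecutive low reading (t=50) rather than on the first dip, so ordinary jitter does not page the team, while the cut at t=70 is reported immediately.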
Since fiber forms the backbone of American communications networks, it too is vulnerable to the threat of hacking that its copper predecessors faced and still face. In 2003, “Security forces in the United States discovered an illegally installed fiber eavesdropping device in Verizon's optical network. According to the white paper Wolf Report, "Das Schweigekartell I & II," March 2003, the device was placed at a mutual fund company shortly before the release of their quarterly numbers.” The threat to commerce from fiber hacking is extremely detrimental to the economic security of the United States, as any manipulation of financial data can negatively affect the security of the country.
Much like the hacking of fiber, the hacking of satellite communications could pose far more danger to troops in the field, as well as to government agencies that rely on satellite communications to communicate with each other around the globe. An excerpt from coverage of a Black Hat conference in Arlington, Virginia in 2010 shows the vulnerability of satellite signals.
“In a presentation at the Black Hat security conference in Arlington, Va., Tuesday, Spanish cyber security researcher Leonardo Nve presented a variety of tricks for gaining access to and exploiting satellite Internet connections. Using less than $75 in tools, Nve, a researcher with security firm S21Sec, says that he can intercept Digital Video Broadcast (DVB) signals to get free high-speed Internet. And while that's not a particularly new trick--hackers have long been able to intercept satellite TV or other sky-borne signals--Nve also went a step further, describing how he was able to use satellite signals to anonymize his Internet connection, gain access to private networks and even intercept satellite Internet users' requests for Web pages and replace them with spoofed sites.”
As the research progresses it becomes more and more clear that threats such as hacking satellite communications can be mounted for less than 80 USD. Mr. Nve tested his programs on geosynchronous satellites operating over Europe; it can be assumed that the software would also work within the continental United States, further harming national security by placing cheap off-the-shelf technology in the hands of malicious hackers who intend to do harm. As with the drone hacking, the main reason Mr. Nve was able to hack satellite communications so easily is that most transmissions are unencrypted.
Research has shown that there is in fact a threat from open-source, low-cost/no-cost devices openly available for consumption by all parties: in-flight drones, GSM signals, fiber optic lines, satellite communications, VoIP communications and the SCADA systems that provide command and control of vital infrastructure can all be hacked. All of the hacks mentioned can be set up and carried out for as little as 26 dollars and at most 2,000 dollars.
The low cost of the programs and hardware alone constitutes a threat to the current state of national security in the United States of America. The ability of a civilian entity to take over a drone, of increasingly sophisticated organized crime entities to monitor live police video footage, and of other subversive elements to do likewise produces an environment in which communications are no longer considered private and trust in the integrity of the systems in place will further degrade.
The ability to hack a drone for around 1,000 USD is more than a concern for U.S. national security, especially with the future of drones wide open for many civilian applications such as fire spotting, environmental surveys, border patrol and less intensive geo-surveying for property lines. The ability to take control of an aircraft in flight by electronic means is clearly a cause for alarm and a call to arms for future information security professionals. While the U.S. 8570.1 program is attempting to train and certify as many information security professionals as possible, the U.S. is still behind in the development of a proper cyber offensive capability.
In conclusion, the research has shown that the low price point of hacking software and hardware does indeed pose a threat and will remain a threat for the foreseeable future unless there are stricter regulations on its sale and availability on the web. We know that for every action there is a reaction, and for every attack there is a counter-attack. The same reasoning and logic applies to hackers. The issue now is how the national security establishment will contain hackers and their ability to take on private communications. With full-scale cyber warfare on the horizon, how will the United States defend itself against a large coordinated cyber-attack from a large power such as China, Russia, India, or even Brazil? As of yet there does not seem to have been an all-out state-sponsored cyber-attack on the U.S.; however, there are examples of state-sponsored attacks on other nations such as Iran. It would be foolish to say that state-sponsored hackers have not taken advantage of low-cost/no-cost programs in order to exploit economic, academic and defense intelligence using the very networks that private communications and infrastructure systems use every day.
Benjamin Battin