A security expert thinks radio-frequency signal analysis could be used to detect cyber attacks on critical infrastructure with complex systems.
Just recently, the New York Police Department announced it was working with the U.S. Department of Defense to develop gun-scan technology capable of detecting concealed firearms. The scanner would work in a similar fashion to an infrared detector, but with a slight twist – it would read the energy people emit and identify where that energy is being blocked by an object, such as a gun.
The technology falls under the umbrella of what is called Measurement and Signature Intelligence, or MASINT, commonly used by the military for activities like tracking warships using their radio frequency (RF) signatures. But what if cyber-attackers could be tracked in a similar way?
This question is being asked and answered by Brad Bowers, a security operations manager for a large financial institution (whose name is being withheld by SecurityWeek) with more than 10 years of experience in security engineering, system forensics and incident response. In a presentation this week at the upcoming ShmooCon conference in Washington, DC, Bowers will discuss how low spectrum analysis equipment and homemade radio frequency antennas can be used to take a MASINT approach to cyber-crime.
There are several types of MASINT technology, including acoustic, nuclear, radio frequency, and so on, he explained.
“I focused on Radio Frequency (RF) MASINT for my research, and while I don’t see it being used in the traditional sense for tracking down hackers defacing Websites, it can still be a very valuable tool for tracking down attackers,” he said.
MASINT, he said, is a better fit for critical infrastructure companies with complex computer systems controlling various types of sensors, valves and temperature gauges.
“Many of these organizations are starting to implement wireless versions of these sensor devices into their environments because running a physical wire is significantly more costly,” he said. “These wireless devices can use an array of different types of wireless technologies including Zigbee (802.15.4), RF Link 802.11, etc. An RF MASINT set of tools could be very helpful in identifying abnormal activity that sits in the RF spectrum that the other wireless equipment resides in. MASINT technology would also help in identifying and tracking down devices that are attempting to interrupt, attack or otherwise intercept information from the legitimate sensors.”
Another use for RF MASINT technology can be found by looking at the defense industry, he said.
“Let’s say that we are aware of a malicious group of people using radios to communicate between each other,” he explained. “The radios that they use are encrypted and frequently jump channels, so intercepting the actual conversation is not an option or would take significantly longer to accomplish. Even though we can’t intercept the conversation we can use RF MASINT to learn a tremendous amount of intelligence about the bad actors. With a MASINT setup we could identify the frequencies being used, the output power – which provides us a rough range of how far the party being communicated with is from the transmitter – we can use simple signal direction finding (SDR) to help us track down the bad actors (and) we can “fingerprint” the unique characteristics of the bad actor’s equipment so we can uniquely identify how many parties are involved and those that are the most frequently used.”
According to Bowers, a spectrum analyzer can range from $2,000 to more than $60,000, with the higher end versions capable of providing very accurate measurements and analysis of RF activity in a very small spectral range.
“What I focused on was very low cost software defined radios (SDR) which offer most of the same levels of sensitivity and functionality of their big brothers but at a much lower cost,” he said. “SDR spectrum analyzers are also much easier to get raw data from and some even come with API interfaces that make it easier for a hobbyist like myself to experiment with and make it do things that it was never really intended to do. The SDR Signal receiver I’m using is called a Signal Hound, and can be obtained off eBay for around $300-$400 used. The Signal Hound device was a nice fit since it was physically small, has a very large spectrum, 1 Hz to 4.4 GHz, and (is) very easy to programmatically interface with.”
“I created a couple of very simple Python scripts that manipulate data taken from the spectrum analyzer and create unique signatures from a Signal of Interest (SOI),” he continued. “These signatures allow me to be able to uniquely identify an electronic device based off the characteristics and unintended artifacts it generates. This process is very similar to what Technical Surveillance and Counter Measures (TSCM) professionals use to identify and locate eavesdropping devices (bugs) placed inside corporate offices.”
The project is still in its toddler stage, he said, and there is more work to be done.
“I’m hoping to link up with some developers at the upcoming ShmooCon conference that have a better understanding of integrating C++ with hardware than I do to continue the project and build out a couple of areas,” he said. “I’d like to develop a more robust antenna system that supports frequencies from 1 Hz up through the 100 GHz range. I’d like to develop a detection algorithm that would automatically detect signals of interest or signals that exceed a certain defined norm – think intrusion detection for wireless signals.”
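Bowers describes his signature scripts and the "intrusion detection for wireless signals" he wants to build only in outline. The Python below is an added illustration of both ideas, not his code and not the Signal Hound API: it learns a per-bin power baseline from known-good analyzer sweeps, flags bins that exceed the defined norm, and fingerprints the flagged signal so repeat sightings of the same emitter can be matched. Bin width, band and every sweep are constructed assumptions.

```python
"""Toy "intrusion detection for wireless signals" over spectrum-analyzer
sweeps. Added example, not Bowers' scripts. A sweep is assumed to be a list
of power readings in dBm, one per frequency bin, as an analyzer such as the
Signal Hound can export; every sweep below is constructed, not captured."""
import statistics

BIN_MHZ = 0.5                                        # assumed bin width
FREQS_MHZ = [2400 + BIN_MHZ * i for i in range(40)]  # 2400.0-2419.5 MHz

def build_baseline(sweeps):
    """Per-bin mean and population std dev learned from known-good sweeps."""
    return [(statistics.mean(b), statistics.pstdev(b)) for b in zip(*sweeps)]

def detect_anomalies(sweep, baseline, k=4.0, floor_db=3.0):
    """Bins exceeding the learned norm: mean + max(k*std, floor_db).
    The floor matters because a bin whose training values never varied has
    std 0, and k*0 would flag any fluctuation at all as an intrusion."""
    return [i for i, (p, (m, s)) in enumerate(zip(sweep, baseline))
            if p > m + max(k * s, floor_db)]

def signature(sweep, idxs):
    """Fingerprint a signal of interest from its anomalous bins: peak
    frequency/power, -3 dB occupied bandwidth and power-weighted centroid."""
    if not idxs:
        return None
    peak_i = max(idxs, key=lambda i: sweep[i])
    peak = sweep[peak_i]
    occupied = [i for i in idxs if sweep[i] >= peak - 3.0]
    lin = [10 ** (sweep[i] / 10) for i in idxs]          # dBm -> mW
    centroid = sum(FREQS_MHZ[i] * w for i, w in zip(idxs, lin)) / sum(lin)
    return {"peak_mhz": FREQS_MHZ[peak_i], "peak_dbm": peak,
            "bw_mhz": (max(occupied) - min(occupied) + 1) * BIN_MHZ,
            "centroid_mhz": round(centroid, 2)}

def same_emitter(sig_a, sig_b, freq_tol_mhz=0.25, bw_tol_mhz=0.5):
    """Crude match of two signatures: same centre frequency and bandwidth."""
    return (abs(sig_a["centroid_mhz"] - sig_b["centroid_mhz"]) <= freq_tol_mhz
            and abs(sig_a["bw_mhz"] - sig_b["bw_mhz"]) <= bw_tol_mhz)

# Constructed training data: a quiet band near -95 dBm with small jitter.
TRAINING = [[-95 + ((i * j) % 3) * 0.5 for i in range(40)] for j in range(1, 6)]
BASELINE = build_baseline(TRAINING)

# Constructed rogue sweep: a ~1 MHz wide transmitter appears around 2411 MHz.
ROGUE = list(TRAINING[0])
ROGUE[20:24] = [-60.0, -52.0, -50.0, -58.0]

if __name__ == "__main__":
    hits = detect_anomalies(ROGUE, BASELINE)
    print("anomalous bins:", hits)
    print("signature:", signature(ROGUE, hits))
```

In a real deployment the band swept would be the one the plant's wireless sensors actually occupy (for example the 2.4 GHz range used by Zigbee/802.15.4), and the baseline would be relearned whenever legitimate equipment changes.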
MASINT is still in its infancy from the perspective of commercial, non-military uses, he added. Still, one can already see some of the ways its capabilities can be adapted, he said.
“Since all things from digital recorders to people put off an RF signature it’s only a matter of being able to collect it to generate intelligence from it,” said Bowers. “I suspect that we will see MASINT technologies grow significantly as companies start to understand the information it can provide them and the information it can provide about their competitors.”