

Finding and Measuring Hidden Wireless Networks

Hidden wireless networks are all around us. In urban warfare and on the battlefield, finding and listening to hidden cellular networks speaks volumes about the enemy.



In modern warfare, the ability to win battles often comes down to taking out an opponent’s command and control ability. The theory is simple: if the head cannot control the body, then the head is defenseless. In today’s world of wireless telecommunications, many countries are turning to cellular communications networks to augment or replace traditional military communications systems. In this ever-changing battlefield, it is increasingly important for intelligence operations to have the capability to identify and gather control information about these wireless networks in countries of interest.

At first glance, this task would appear to be relatively easy because most deployed wireless communications networks are based on published wireless protocol standards. In fact, there are even commercially available tools for gathering network data that appear to satisfy this requirement. However, there are ways to “bend” commercially deployed wireless networks to create hidden networks within commercial networks that are both easy to build and difficult to detect.

Is There Anyone Out There?

Intelligence and military organizations often use commercial test equipment to interrogate commercial wireless networks. The commercial tools used to collect data from wireless networks are typically called "drive-test" tools. They are used to "survey" a network to identify its protocol, capacity, coverage and other key parameters. Most tools that measure mobile communication activity use a standard wireless phone as the measurement device: a handset connected to application software that interprets the signals coming from the network. A GPS receiver is usually included as well, so that the information collected from the handset can be plotted, together with its location, on a map.

These phone-based systems have two immediate shortcomings for intelligence use. The first is that when a mobile phone is switched on in an area, it sends a request to register itself with the network, so that the network knows how to reach the phone when a call is made or received. Registration is the first step a phone takes to gain access to the network, and therefore the first step of any phone-based data collection. Because survey missions are often covert, it is extremely counterproductive for troops to use a tool that emits a signal that can be located with either mobile direction-finding (DF) equipment or network-based location finding. Furthermore, these registrations leave records in the target network's databases (its home and visitor location registers) that, depending on the target's counter-intelligence capabilities, can be queried to determine when a suspect device was in the area collecting information.

The second shortcoming of a phone-based system is that it surveys the network of interest using information provided by the network itself. A phone-based device measures a list of channels that the network (the switch) sends to the phone via the base station. This list is called the "neighbor list." It contains every channel the phone should consider using in a given area, and each cell site broadcasts its own neighbor list. The phone measures each of these channels as dictated by the network and reports their respective signal strengths and other pertinent parameters.

However, if signals are present on channels that are not in the neighbor list, the phone-based system will never measure them and thus can never report them. These channels could have been left out intentionally or unintentionally. It is possible to run a "secret" wireless network inside a commercial carrier's network by programming the network to leave selected channels out of the neighbor list and then allocating those non-neighbor-list channels to special phones. Civilians would use the commercial network normally, while a hidden network accessible only to specially programmed phones would remain invisible to phone-based drive-test tools.

If these channels were left out intentionally, several questions follow. Are communications, perhaps voice conversations, taking place on them, and by whom? A hidden network of this kind is a serious threat to the ability of intelligence operatives to (1) gather critical intelligence from communications intercepts or (2) shut down enemy communications.

Nuts and Bolts of Hidden Wireless Networks

The primary way that multiple users are given access to a cellular network is Frequency Division Multiple Access (FDMA). This technique simply provides multiple agreed-upon frequencies within the allocated spectrum for use by the equipment. Broadcast radio stations are allocated by frequency division in the same way, with each station given a channel bandwidth of 10 kHz (AM) or 200 kHz (FM). Nearly every cellular protocol uses FDMA as one form of multiple access.

In addition to FDMA, some cellular protocols use Time Division Multiple Access (TDMA) to divide the available bandwidth further among users. TDMA is time-slicing of a channel so that each user is given a portion of the total available time. For example, assume that three users share the same frequency channel. Each user is given one-third of the time, during which it can send whatever data it wishes; during the other two-thirds the other two users get the channel. By making the time between turns short enough, a seamless voice conversation (from the perspective of a human user) is possible.

Figure 1 demonstrates the issue for cellular protocols that use multiple RF channels to communicate. In this example the neighbor list (the list of other channels in use by the system) reported by the network to the phone-based test device is shown in Figure 1. It does not contain channel 50, yet channel 50 is just as strong as the other channels in the area (Figure 2). A specially programmed phone could use channel 50. For a surveying tool to see this channel, it needs a measurement instrument that is not directed or controlled by the network the way a phone is, such as a demodulating scanning receiver.
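The neighbor-list blind spot above can be made concrete with a small audit routine. This is an added example, not code from the original article or from Dynamic Telecommunications; the sweep data, the serving cell, the neighbor (BA) list and the BSIC strings are all constructed for illustration, and the GSM framing (ARFCN channel numbers, the BA list broadcast on the serving cell's BCCH, the BSIC as proof that a real base station is on a channel) is an assumption chosen to match the protocol discussed in the text. It contrasts what a phone-based tool can report with what a full-band sweep reveals, including the "channel 50" case.

```python
"""Added example: which channels a phone-based survey can never report.

A phone measures only the neighbor list (in GSM, the BA list broadcast on
the serving cell's BCCH); a demodulating scanner sweeps every channel in the
band and decodes the base station identity (BSIC) on each one it finds.
All measurements below are constructed for illustration, not real captures.
"""

# Constructed scanner sweep: ARFCN -> (RSSI in dBm, decoded BSIC or None).
# A decoded BSIC means a real GSM base station is on that channel; None
# means energy was seen but no GSM synchronisation burst could be decoded.
SCAN = {
    10: (-62, "2-5"),
    23: (-70, "3-1"),
    31: (-88, "7-4"),
    50: (-63, "2-6"),   # as strong as the serving cell, not in the BA list
    77: (-95, None),    # unlisted energy, not GSM
    90: (-101, "0-0"),  # unlisted but far too weak to matter here
}
SERVING_ARFCN = 10
# Constructed neighbor (BA) list decoded from the serving cell's BCCH.
# ARFCN 44 is advertised but nothing was heard there.
BA_LIST = [23, 31, 44]


def phone_survey(scan, serving, ba_list):
    """What a phone-based drive-test tool reports: the serving cell plus the
    channels the network told it to measure, and nothing else."""
    wanted = [serving] + list(ba_list)
    return {arfcn: scan[arfcn] for arfcn in wanted if arfcn in scan}


def scanner_audit(scan, serving, ba_list, margin_db=10):
    """Compare a full-band sweep against the broadcast neighbor list.

    Returns three lists of ARFCNs:
      hidden  - decodable base stations the network omits from the neighbor
                list yet are within margin_db of the serving cell
                (the 'channel 50' case)
      energy  - unlisted channels with RF energy but no decodable BSIC
      missing - channels the network advertises that are not on air
    """
    serving_rssi = scan[serving][0]
    listed = set(ba_list) | {serving}
    hidden, energy = [], []
    for arfcn, (rssi, bsic) in sorted(scan.items()):
        if arfcn in listed:
            continue
        if bsic is None:
            energy.append(arfcn)
        elif rssi >= serving_rssi - margin_db:
            hidden.append(arfcn)
    missing = sorted(a for a in ba_list if a not in scan)
    return hidden, energy, missing


if __name__ == "__main__":
    print("phone sees:", sorted(phone_survey(SCAN, SERVING_ARFCN, BA_LIST)))
    h, e, m = scanner_audit(SCAN, SERVING_ARFCN, BA_LIST)
    print("hidden:", h, "unlisted energy:", e, "advertised but silent:", m)
```

The phone-side function never even looks at channel 50 because nothing in the network told it to; the scanner-side audit finds it by decoding a base station identity on a channel the serving cell never advertised. The `missing` list catches the reverse mistake, a neighbor list that advertises a channel nobody is using, which is the "unintentional" omission the text mentions.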

The third main form of multiple access in cellular systems is Code Division Multiple Access (CDMA). It is the hardest to understand, and numerous references are available on the topic. The easiest way to visualize it is a room full of people, say at a party, all holding simultaneous conversations. Each person can hear the one they are talking with because their brain pulls that voice out of the background; to someone standing on the outskirts of the group, however, it is a merger of many indistinct voices. CDMA systems use the mathematical technique of correlation with pseudo-random noise (PN) sequences to accomplish the same effect. The PN sequence (or PN offset) is distinct for each unit communicating with the base station, and in the party example it plays the role of the voice that makes it possible to distinguish one conversation from another.

A similar problem exists in CDMA networks. A covert operator can establish an entire hidden network simply by adding a second CDMA carrier on a different frequency (essentially the FDMA technique described above). Certain mobile phones can be programmed to use the second carrier, and a commercial phone-based measurement system, which is never told about it, will not even attempt to measure that second network. Figure 3 illustrates how a second CDMA carrier can be present; it carries the traffic of the mobiles programmed to use it.

A still more difficult CDMA network to identify would consist of two commercial carrier "pedestals" (the flat-topped spectral shape of a CDMA carrier) set shoulder-to-shoulder, with a third covert carrier "buried" below the transmission level of the two commercial ones by overlapping it at a frequency offset from the commercial channels. Such a network is "invisible" from an RF-power perspective unless the surveyor actually uses correlation techniques to identify the hidden PNs. Figure 4 visualizes this deployment: the energy from the red station is completely obscured by the power of the commercial network's primary and secondary carriers.

Cellular Sleuth and Stealth

The solution to these shortcomings is a system that does not transmit (and is therefore non-intrusive) and does not need to receive its instructions over the air from the network under observation. A demodulating scanner-based system meets both requirements: by changing the measurement device from a wireless phone to a demodulating scanning receiver, both problems are solved. A demodulating scanning receiver rapidly scans every channel available in the network, demodulates protocol content such as the base station identification (BSIC in GSM, DVCC in IS-136 and PN offsets in CDMA), and reports back whatever information it finds. If signals are present that were left out of the neighbor list, intentionally or unintentionally, the scanner will still measure and report them.

In the case of Figure 4, even a spectrum analyzer cannot differentiate the three signals without some form of correlation. Figure 5 shows what the situation in Figure 4 looks like on a spectrum analyzer: it is nearly impossible to determine whether two or three signals are present at this location. The inability of other tools to detect such scenarios further necessitates a demodulating scanning receiver that can correlate the targeted signals out of the interference of adjoining signals. With it, the operator can identify both of the scenarios discussed above.
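The "buried pilot" of Figure 4 and the power-only view of Figure 5 can both be reproduced in a few lines of simulation. This is an added example, not code from the original article or from Dynamic Telecommunications, and it simplifies the scenario in ways that are assumptions of the example rather than claims of the text: the three pilots share one RF channel (the frequency offset of the buried carrier is ignored), the PN sequence is a 511-chip maximal-length sequence rather than the much longer short code real CDMA systems use, PN offsets are given in chips, and the covert pilot is placed 20 dB below the two commercial ones. The signal and noise are constructed with a fixed seed. What it shows is exactly the point of the passages above: a total-power measurement is blind to the third transmitter, while correlating against every PN offset (the pilot search any CDMA receiver performs) pulls it out cleanly.

```python
"""Added example: pulling a buried CDMA pilot out with PN correlation.

Models the Figure 4/5 situation in simplified form: three pilots share one
RF channel (the frequency offset of the buried carrier is ignored), each is
the same maximal-length PN sequence at a different PN offset, and the covert
pilot is 20 dB weaker than the two commercial ones.  A power measurement
cannot tell whether the third pilot exists; correlating against every PN
offset finds it.  Signal and noise are constructed, not captured.
"""
import math
import random

PN_LEN = 511  # 2**9 - 1 chips; feedback polynomial x^9 + x^4 + 1 (primitive)


def pn_sequence(length=PN_LEN):
    """Maximal-length sequence as +1/-1 chips from a 9-bit Fibonacci LFSR."""
    state = [1] * 9          # any non-zero seed gives the full 511-chip period
    chips = []
    for _ in range(length):
        chips.append(1 - 2 * state[0])             # bit 0 -> +1, bit 1 -> -1
        new = state[0] ^ state[4]                  # a[n+9] = a[n] + a[n+4]
        state = state[1:] + [new]
    return chips


PN = pn_sequence()


def received(pilots, noise_sigma, seed=1):
    """Sum of pilots given as (amplitude, pn_offset) plus Gaussian noise,
    one PN period long."""
    rng = random.Random(seed)
    out = []
    for n in range(PN_LEN):
        sample = sum(a * PN[(n + off) % PN_LEN] for a, off in pilots)
        out.append(sample + rng.gauss(0.0, noise_sigma))
    return out


def mean_power_db(signal):
    """What a spectrum analyzer or power meter sees: total energy, no identity."""
    return 10 * math.log10(sum(x * x for x in signal) / len(signal))


def pilot_search(signal, threshold):
    """Correlate against every PN offset and return the offsets whose peak
    exceeds threshold (in chips of coherent gain).  An m-sequence correlates
    to -1 at every wrong offset, so each pilot appears as a clean peak."""
    found = []
    for off in range(PN_LEN):
        corr = sum(signal[n] * PN[(n + off) % PN_LEN] for n in range(PN_LEN))
        if corr > threshold:
            found.append(off)
    return found


COMMERCIAL = [(1.0, 0), (1.0, 64)]   # two strong pilots at PN offsets 0 and 64
COVERT = [(0.1, 200)]                # -20 dB pilot hidden at PN offset 200
NOISE = 0.2                          # per-chip noise, itself above the covert pilot


def demo():
    """Return (power difference in dB, offsets found without the covert pilot,
    offsets found with it)."""
    clean = received(COMMERCIAL, NOISE)
    dirty = received(COMMERCIAL + COVERT, NOISE)
    power_gap_db = mean_power_db(dirty) - mean_power_db(clean)
    # Threshold sits well above the correlation noise (std ~ 0.2*sqrt(511),
    # about 4.5) and well below the covert pilot's coherent gain (0.1*511 ~ 51).
    return power_gap_db, pilot_search(clean, 30), pilot_search(dirty, 30)


if __name__ == "__main__":
    gap, before, after = demo()
    print(f"power difference with covert pilot present: {gap:.3f} dB")
    print("offsets found without covert pilot:", before)
    print("offsets found with covert pilot:   ", after)
```

The power difference the covert pilot makes is a few hundredths of a dB, far inside the reading error of any analyzer, which is the Figure 5 situation. The correlation search, by contrast, gains a factor of 511 (about 27 dB) on the wanted sequence while the two strong pilots and the noise average out, so the third offset stands out by a wide margin. A real scanner does the same search over the standard's 64-chip offset grid on each carrier and at candidate frequency offsets.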

Finally, a demodulating scanning receiver does not transmit over the air so it is “invisible” to other tools monitoring the RF spectrum. Thus, the demodulating scanning receiver sees the entire network and is not itself locatable. It doesn’t leave data file entries in base station logs that could later be used to determine when observation was occurring and by whom.

The scanner's ability to overcome these shortcomings of phone-based solutions is critical to the mission because it allows the intelligence operator to (1) find these hidden networks and (2) avoid compromising the mission through interaction with the commercial network. A scanner is therefore the better choice in these mission-critical scenarios, and it offers a number of additional benefits for characterizing a network's performance.

Scanner Benefits

The first auxiliary benefit of a scanner is that it is precision test equipment (Figure 6). Unlike phones that are mass-produced and optimized for voice and data communications, a scanner is designed with RF surveying as the primary goal, and is therefore optimized for this purpose. This results in equipment that has detailed RF specifications geared for test and measurement, as opposed to performance parameters primarily of interest to commercial users of the product.

Sidebar: Cellular Protocols

Cellular Networks all use a portion of RF spectrum to allow users to transmit and receive wireless data and voice. In the interest of most effectively using the available bandwidths, and providing systems that can be inexpensively used in multiple locations with equipment provided by multiple vendors, various cellular protocols have been devised to define the way in which two devices are to interact (Figure A).

The Advanced Mobile Phone Service (AMPS), developed by Bell Labs in the 1970s and commercially launched in the United States in 1983, is the first-generation "analog" format that most phones in the United States fall back to. It uses FDMA to allow multiple people to use the system concurrently and operates in the 800 MHz region in the United States. Many other countries deployed their own first-generation analog protocols that differ mainly in channel bandwidth and frequency range; examples are TACS/ETACS (derived from AMPS) and NMT.

As cellular systems grew popular and the number of users escalated, it became clear that a digital communication system was needed to make better use of the available spectrum and of the newer spectrum becoming available for cellular use worldwide. The first North American second-generation (2G) protocol was IS-54, which divided a single 30 kHz AMPS channel into three full-rate (or six half-rate) "timeslots" using TDMA, on which multiple users could communicate concurrently. Later the control channel, which carries network information and establishes calls, was also digitized, and the resulting system was re-titled IS-136. It is often referred to in the industry simply as "TDMA." IS-136 was used primarily in North and South America by carriers such as AT&T Wireless and Cingular. While this protocol is still in use, most adopters are transitioning to GSM.

GSM, or the Global System for Mobile Communications, is very similar to IS-136 in that it uses TDMA and FDMA as the basis of dividing the bandwidth. It has a wider bandwidth than IS-136, and more timeslots. This standard has been largely adopted in Europe, and many of the IS-136 users are transitioning their networks to GSM to allow for world-wide roaming and to take advantage of future upgrade paths to third-generation technologies. GSM providers in the United States include T-Mobile and Pacific Bell.

As the industry developed and technology advanced, CDMA systems started gaining popularity. Qualcomm drove adoption of the system known as IS-95 or cdmaOne, the American CDMA system used by Verizon and Sprint. IS-95A is a 2G technology and its IS-95B data enhancement is often called 2.5G; both let multiple users share the same bandwidth continuously and simultaneously. CDMA is also more robust to interference and noise, because its wide spread bandwidth gives the receiver processing gain when it de-spreads the wanted signal.

Currently, many vendors are pushing toward third-generation (3G) protocols that give users faster data rates for wireless modems and data applications. Two of these protocols are vying for dominance: WCDMA and CDMA2000. WCDMA is the 3G evolution of GSM networks (a new CDMA air interface on the GSM core network); it is being trial-deployed in Europe and has full installations in Asia by carriers such as NTT DoCoMo. CDMA2000 is based on IS-95 and is being deployed in the United States by some of the cdmaOne carriers. It is not clear which of the two will prevail, and, as with GSM and IS-136, it is likely that both will find their place in the overall market.

In addition, whereas a phone is optimized to find and hold the best server (the strongest usable cell) at a given location, a scanner is optimized to report every server it can detect at that location. This distinction is a great benefit to the intelligence community, since it is normally very important to know which other signals could become primary servers if the network is altered or reconfigured for any reason, to discover hidden signals as discussed above, and to estimate total network capacity.

The second benefit of a scanner is that it is designed to tune between frequency channels as fast as possible and to gather its data with the shortest possible dwell times. A phone is designed to stay on a single channel (or hopping pattern) as its primary function; measuring multiple channels is only an auxiliary function. Speed is an extremely important benefit when the mission requires that multiple carriers or networks be monitored simultaneously. Monitoring multiple frequency-based (FDMA) systems, gathering data on CDMA systems operating on two or more RF channels at once, and maintaining high data-acquisition rates across the entire band are all critical to success.

Many technologies are transmitted over the air. CDMA, GSM, TDMA (IS-136), AMPS and iDEN are the primary commercial protocols in use today (see sidebar: Cellular Protocols), with many others used in certain locations and for certain purposes. All of these signals can be measured with a scanner. The key functionality of the scanner is its ability to rapidly measure and decode the signals transmitted over the air. A demodulating scanner can see the signals and apply algorithms that decode them, even on secondary or tertiary servers and with non-standard channelization.

Demodulating scanner systems can provide system information and output voice traffic as dictated by the mission parameters. For example, an operative utilizing only a scanning receiver system could scan the RF spectrum for available channels, monitor the detected channels looking for targeted communications, and then eavesdrop on the communication once it is detected. All of this can be done transparently to the network being interrogated.

The end result is this: a scanner can take measurements without letting the opposition know that the scanner or its operators are there. For the user, this translates into the security of knowing that all of the signals are being measured, as opposed to the signals that the phone is instructed to measure based on the neighbor list or other network parameters. In addition to addressing the primary shortcomings of a phone to the intelligence community, there are many other benefits a scanner provides including multiple frequency coverage, precision of measurement data and support for multiple protocols. The ability to fully utilize the nuances of wireless scanning technology is critical in business, as well as in modern warfare.

Dynamic Telecommunications
A PCTEL company
Germantown, MD.
(301) 515-0036.