DWH Surveillance Solutions
REVERSE ENGINEERING WIRELESS NETWORKS


Daniel Harris MSc.

April 09, 1997

The concept of data security is often mentioned, usually in terms of the internet or some other computer network. However, most people do not take security seriously; the public perception seems to be that only large corporations, politicians and the government need worry about their communications being not only intercepted but also tampered with. Wireless networks are used by people from all walks of life. It is the goal of this paper to demonstrate not only the insecurity of wireless networks but also the vulnerability of these systems to tampering.

In this essay I will attempt to show the frailty of a wireless network system by examining the logistics of the network, and then explain how it is possible both to intercept traffic on the network and to interact with that network even if unauthorized. It is assumed that anyone who attempts to repeat this exercise is technically competent to perform electrical modifications to radio equipment when provided with instructions from the web. Furthermore, because website addresses change quite rapidly, addresses are cited in the bibliography rather than in the body of the text.

Wireless networks are all around us; people like the convenience and mobility they provide. We are surrounded by a vast assortment of cellular telephones, wireless keyboards, wireless computer networks, cordless telephones, and pagers. These are just a few examples of communications devices that do not require a physical connection to a main station. All of these devices generate signals that can be intercepted and deciphered using common test equipment that is readily available to the general public.

Perhaps the largest network in use is the radio paging system. Pagers are used for a vast number of applications. Nearly everyone has a pager, and a wide variety of different types of data are sent over the system. Corporations, doctors, and government all make use of pagers. Additionally, pager signals are used to remotely control industrial processes and electrical substations. The common misconception is that information sent over a paging network is safe; however, as shall be demonstrated, this data is not only easily read but also easily interfered with. To begin, let's take a look at how paging works.

THE PAGING SYSTEM

Before attempting to decode the paging system it is important to first have a basic understanding of how the system works. For clarity, let's use a B.C. Tel Mobility pager as an example and examine what happens when a page call is sent out. Initially the caller dials the individual phone number of the pager concerned. When the system answers the call, a message is heard: "You have reached a B.C. Tel Mobility pager, please leave your message from a touch tone phone". The caller types in his phone number and hangs up. From here on the process is automatic: the data is placed on a queue and in its turn is broadcast by radio signal. When the destination pager hears a message frame with its own serial number (capcode) attached, it saves the data frame; frames containing the capcodes of other pagers are ignored. When a message is received by a pager it is saved in memory until the user erases it. This is an example of the basic paging cycle; there are also more advanced paging scenarios, but they are beyond the scope of this essay.

POCSAG

There are several different protocols currently used by pager companies to send messages: FLEX, GOLAY, and POCSAG. By far the most commonly used of these is POCSAG, an acronym for Post Office Standardization Advisory Group. This standard was set by the British Post Office and has been adopted world-wide for paging.

Three transmission rates are used for POCSAG, namely 512, 1200 and 2400 bps. Most commercial paging uses at least 1200 bps, although many companies that own their own paging terminals for in-house use transmit at 512 bps. The majority of telephone company (telco) pagers use 2400 bps so as to get the most out of their bandwidth. Messages are broadcast in batches, each of which is made up of 8 frames; each frame consists of two codewords, separated by a synchronization codeword. A message can stretch over several batches and contain as many codewords as needed. The end of a complete message is indicated by a next-address codeword. POCSAG has been used by amateur radio operators for many years.
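As an added example (not part of the original essay, and not POC32's code), the following Python shows the codeword-level structure a monitoring receiver sees inside one batch: the SYNC word, the frames, and address, message and idle codewords, together with the BCH(31,21) plus parity check that is the only integrity check POCSAG carries. The generator polynomial and the SYNC and IDLE constants are from the public standard; the sample batch and the message codeword in it are constructed.

```python
# Added example, not from the original essay or POC32. A POCSAG codeword holds
# 21 data bits, 10 BCH(31,21) check bits and 1 even-parity bit. BCH_POLY, SYNC
# and IDLE are from the public standard; the sample batch below is constructed.
BCH_POLY = 0x769       # x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1
SYNC = 0x7CD215D8      # precedes each batch of 8 frames x 2 codewords
IDLE = 0x7A89C197      # idle / "next address" filler codeword

def bch_ok(cw: int) -> bool:
    """Upper 31 bits divided by BCH_POLY over GF(2) must leave remainder 0."""
    v = (cw >> 1) & 0x7FFFFFFF
    for bit in range(30, 9, -1):
        if (v >> bit) & 1:
            v ^= BCH_POLY << (bit - 10)
    return v == 0

def parity_ok(cw: int) -> bool:
    """Bit 0 makes the whole 32-bit word even parity."""
    return bin(cw & 0xFFFFFFFF).count("1") % 2 == 0

def classify(cw: int, frame: int) -> dict:
    """Describe one codeword; frame is its 0-7 position within the batch."""
    if not (bch_ok(cw) and parity_ok(cw)):
        return {"kind": "corrupt"}         # catches bit errors, not forgery
    if cw == IDLE:
        return {"kind": "idle"}
    if cw >> 31 == 0:                      # flag bit 0: address codeword
        capcode = (((cw >> 13) & 0x3FFFF) << 3) | frame
        return {"kind": "address", "capcode": capcode, "function": (cw >> 11) & 3}
    return {"kind": "message", "data": (cw >> 11) & 0x1FFFFF}

def parse_batch(words: list) -> list:
    """SYNC + 16 codewords -> one classification each. Note what is absent: no
    key, MAC or signature exists, so anything passing BCH+parity is accepted."""
    if len(words) != 17 or words[0] != SYNC:
        raise ValueError("batch must be SYNC followed by 16 codewords")
    return [classify(cw, i // 2) for i, cw in enumerate(words[1:])]

# Constructed sample batch: idle filler, one valid message codeword (IDLE's
# 31-bit part cyclically shifted, parity recomputed; the BCH code is cyclic),
# one word with two flipped bits and one with a single flipped bit.
MSG_CW = 0xF513832D
SAMPLE_BATCH = [SYNC] + [IDLE] * 16
SAMPLE_BATCH[3] = MSG_CW
SAMPLE_BATCH[6] = IDLE ^ 0x3             # two bit errors: parity still even
SAMPLE_BATCH[12] = IDLE ^ (1 << 5)       # one bit error: parity catches it

if __name__ == "__main__":
    for i, r in enumerate(parse_batch(SAMPLE_BATCH)):
        print(f"frame {i // 2} word {i % 2}: {r}")
```

Running it prints sixteen classifications; the two corrupted words are rejected only because their bit errors break the error-correcting code, which is the whole of what a receiver can verify.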

RADIO DATA TRANSMISSION

Pager data is transmitted via radio frequency signals in binary form. This is accomplished through tone encoding, a simple technique whereby a binary zero is assigned, say, a 1200 Hertz tone while a binary one is assigned a 2400 Hertz tone. When a message is transmitted it is sent as a series of tones that switch from one to the other 512, 1200, or 2400 times per second. Both 1200 Hz and 2400 Hz are audio frequencies. This is similar to the technique used by the tape players that stored data on old computer systems, and it works well for the wireless transmission of binary data.

All radio frequency allocations are controlled by the federal government; as a result, the information pertaining to the user and use of any frequency in the radio spectrum is public and is published in books available at any Radio Shack store. These listings are generally cross-referenced by frequency, by area, and by use. The frequencies used for paging are given in the following table.

PAGER FREQUENCIES

Frequencies transmitting pager information are extremely easy to identify while scanning. They identify each batch transmission with a two-tone signal, followed by bursts of data. People with scanners may tune into some of the following frequencies to familiarize themselves with this distinct audio.

Voice Pager Ranges (MHz):

  • 152.01 - 152.21
  • 453.025 - 453.125
  • 454.025 - 454.65
  • 462.75 - 462.925

Other Paging Ranges (MHz):

  • 35.02 - 35.68
  • 43.20 - 43.68
  • 152.51 - 152.84
  • 157.77 - 158.07
  • 158.49 - 158.64
  • 459.025 - 459.625
  • 929.0125 - 931.9875

INTERCEPTING AND DECODING POCSAG

Now that we have a basic understanding of paging and the technology involved, let's take a look at intercepting the radio signals carrying the POCSAG code and converting that code into human-readable form. Since we are dealing with digital data sent over a radio frequency, all we need to do is receive the signal with a radio scanner and convert the audio into digital data using a computer. The resulting pager data can then be displayed on the CRT.

THE RADIO RECEIVER

The frequencies used for paging are all easily programmable on a radio scanner. The best type of scanner to use is a direct-entry programmable one, which allows any frequency to be input from the keypad and monitored. The frequency range of the scanner is very important; most top-end scanners sold today receive from 30 MHz or lower up to 1 GHz or higher. Often the range of frequencies used for cellular telephone traffic is blocked at the factory. In Canada all frequencies are public property and therefore legal to monitor. Cellular phone frequency modification information for a large number of different types of scanners is available on the internet, enabling anyone with even limited electrical skills to restore the cellular phone frequencies on most types of scanner. Older scanners are easier to work on than the newer ones.

The audio amplifier circuits of all scanners modify the sound output so as to place emphasis on speech and make it more understandable. The amplifier also eliminates any sub-audible tones that may be present in the signal. This is not a desirable condition: it is very important that the audio signal from the scanner be as close as possible to the original broadcast signal. Some scanners provide a clean audio signal via a line-out jack. If this signal is not provided by the scanner, it is necessary to modify the scanner so that it will provide it.

If the circuit board of the scanner is tapped before the discriminator circuit it is possible to get an unbutchered signal to work with. The modification procedure varies depending on the type of scanner under consideration. It is a good idea to check the newsgroup rec.radio.shortwave to make sure that a scanner is modifiable before buying it. When performing the scanner modification it is always a nice touch to install a new audio jack on the back of the scanner so that a patch cord can be plugged in and the line signal easily accessed. In addition, remember that any modification will immediately void the warranty of the scanner.

THE COMPUTER AND SOFTWARE

The hardware requirements of the computing device used are primarily dictated by the software that will decode the audio signal from the scanner. The program used is called POC32; it requires that the system be running either MS Windows 95 or Windows NT. The audio signal can be input to the computer through either an audio card or a special serial adaptor. The construction of a serial port adaptor is beyond the scope of this article (see the bibliography).

Let's take a look at the software. POC32 is a shareware program intended for amateur radio use. It is able to decode the time and date stamp, capcode number, message type, baud rate, and message sent. POC32 is also able to drive the audio input of a transmitter, enabling POCSAG signals to be sent over the airwaves by the user. Additionally, POC32 allows specific capcodes to be flagged so that the data displayed is limited to pages sent to preset pager numbers. The program was written by Deti Fliegl in Visual C++ and is downloadable from the world wide web as a self-extracting zip file (see the bibliography).

The most important aspect of the computer used for decoding the signal is its speed: if a slower CPU is used, too much processor time will be eaten up reading the audio data and the system will become quite sluggish. This becomes especially important when you consider that POC32 runs under Windows 95. At least a 100 MHz Pentium is recommended, although slower systems will work, and the more RAM the better. The system must contain a sound card that is Sound Blaster compatible.

PUTTING IT TOGETHER

At this point all that is left to do is connect the equipment and start reading pager calls. The interface between the computer and scanner is straightforward: simply plug a patch cord with the appropriate connectors between the clean audio output jack of the scanner and the line-in jack of the audio card in the computer.

The scanner can now be turned on, and the computer and software started. The scanner should be programmed with a fairly active local paging frequency (in Abbotsford, 141.36 MHz). The pager messages should now be scrolling down the screen. If a transmitter is also connected to the computer, POCSAG signals can also be broadcast (it is illegal to transmit radio signals without an amateur radio license).

CONCLUSIONS

As can be seen from the procedure discussed in this paper, it is possible for any person in possession of a moderate amount of technical knowledge to not only decode but also encode and send POCSAG pager signals. POCSAG signals are used not only for paging, but also for controlling such things as hydroelectric substations, railway switches, road information signs, and industrial operations. This is a serious threat to public security and safety. Although data encryption is in use in some of the newer systems, it is still not widespread. It is only the advent of the internet that makes the ability to tamper with these systems available to the general public. The vulnerability of systems utilizing wireless technology to hacking or sabotage by various political, industrial, and private entities can no longer be ignored.

BIBLIOGRAPHY

BOOKS

Kiss Ma Bell Goodbye: How to Install Your Own Telephone, Extensions & Accessories.
Crown Publishers Inc., New York, New York.

Electronics Now (monthly).
Gernsback Publications, 500 Bi-County Boulevard, Farmingdale, NY.
POCSAG Decoder, pages 50-52 and page 60.

SOFTWARE & TECHNICAL

Download site for POC32 and schematics for serial port interface circuits.

SCANNER MODIFICATIONS

A reliable source of scanner modification data.