2009-12-31

One more way to detect bugs

The intelligence community is cool stuff. Since I could never be a G-man, I tend to be interested in the SIGINT side of things instead. At least I can relate to what those folks are doing, and the technology side is rather deep as well.

Having now ventured onto one of the better known technical surveillance counter-measures (TSCM, "bug sweeping") sites and started reading through the material, one simple but potentially quite powerful idea came to me. In fact, it's so embarrassingly simple that I can't really understand why I'm not able to find any online references to existing implementations already.

The basic premise of bugs is to capture and retransmit data, most commonly audio or video, where remote surveillance does not suffice. Essentially they are about capturing, amplifying and retransmitting data that is otherwise too weak to be detected at a distance. The processing also has to be done in a manner surreptitious enough not to be noticed. The problem of the bug sweeper is to detect whether that sort of thing is going on, which then boils down to a) identifying and enumerating the possible covert channels which could be used to retransmit the information, and b) systematically, physically going through the weak spots to verify the presence or absence of machinery ("bugs") that could be doing the job. The problem is that there are incredible numbers of such channels, so that even checking for the presence of unwanted radio transmissions is very laborious, especially when the adversary is actively trying to hide his presence.

Still, there are two distinct advantages on the side of the bug hunter. The first is that he's almost by definition closer to the transmitting device than the adversary, since range extension is what bugs are installed for in the first place. That means that any signals they send out are going to be stronger at the source, and thus in theory easier to detect. This advantage is commonly used in the TSCM community, in the form of frequency scanners and the like. The adversary then tries to hide his presence in the complexity of the problem, and to spread out, encrypt and randomize the outward information flow. Cutting through such counter-counter-measures becomes the well-known arms race.

Then there is the second advantage, which is that by definition, bugs are about retransmitting a signal produced by the party that is bugged. This means that the signal is under the control of the target, and so potentially under the control of the TSCM expert as well. At some level, this idea has been exploited as well -- the typical warning sign that bugging is going on is when outsiders seem to know stuff that they shouldn't, and of course no spy novel is ever complete without at least some amount of deliberately planted misinformation.

However, at the purely technical level, I've never seen this idea utilized to its fullest. My point is that at one level or another, the functioning and often even the transmissions of a bug of any kind must show some kind of correlation to the message being retransmitted. Since you can control the message, sorting out whether a particular information channel is retransmitting becomes tantamount to measuring some form of cross-correlation or cross-information measure. And at least as far as cross-correlation goes, there are highly efficient means of computing it, especially with input sequences such as maximum length sequences. So why not start by (ideally) convolving/correlating the entire useful radio spectrum against a low-level noise signal of that kind which you yourself inserted? Quite a number of continuous retransmission schemes could be uncovered in that way, once the matched filter presented by your sequences has brought out dependent structure from the RF chaos.

The beauty of this kind of thinking is that it is bug-agnostic and employs your natural advantage to its fullest. As a systems level concept it is equally applicable to video -- just perturb the lighting conditions instead, and then proceed the same way. It is well-suited for continuous monitoring, because spread spectrum probes can be quiet/dim enough not to be disturbing (or even noticeable) to anybody in the space. Algorithms and hardware to accomplish the feat are generally available, and can easily stretch to hundreds of millions of samples per second, which covers quite a bandwidth already. Narrowband scanning techniques are equally adaptable to this kind of treatment as wider band ones are. High speed entropy estimation algorithms are available which can help sort out whether there is something anomalous ("I hear structure") in the filter output. Sure, store-and-burst type bugs would not be easily detected this way -- but then, even they have to record continuously, which means that their input stage will probably be noisy in the RF range in a way that is correlated to the acoustics, so that local detection is possible. (In the longer term, their aggregate RF output will also have to be correlated over time with the envelope of the bits actually captured and retransmitted.) And perhaps most beautifully, when you're only trying to detect the presence of anomalous transmissions and not trying to decode them in any particular way, correlations show even in heavily aliased signals, which means that the complexity of the correlator stage can theoretically be dropped to a much lower intermediate sampling frequency; all that is really needed is a wideband sample-and-hold circuit without antialiasing of any kind, and a long enough correlation length.
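To make the correlator idea of the two preceding paragraphs concrete, here is an added example that is not part of the original post: a maximum length sequence is generated with a Fibonacci LFSR (the feedback polynomial x^10 + x^3 + 1 is my choice; any primitive polynomial works) and circularly cross-correlated against two constructed noise records, one of which carries a delayed copy of the probe about 12 dB below the noise floor, as a retransmitting bug would produce. The peak-to-background ratio of the matched-filter output is a crude stand-in for the "I hear structure" statistic the post mentions; the threshold, delay and gain values are assumptions for the simulation.

```python
import random

# Added example, not from the post: an MLS probe is cross-correlated against a
# quiet channel and a channel that retransmits the probe, delayed and attenuated.

def mls(degree=10, taps=(3,), seed=1):
    """MLS as +1/-1 values from a Fibonacci LFSR. The default feedback
    polynomial x^10 + x^3 + 1 is primitive, so the period is 2**10 - 1 = 1023."""
    reg, out = seed, []
    for _ in range(2 ** degree - 1):
        out.append(1 if reg & 1 else -1)
        fb = reg
        for t in taps:
            fb ^= reg >> t
        reg = (reg >> 1) | ((fb & 1) << (degree - 1))
    return out

def xcorr(probe, rx):
    """Circular cross-correlation: lag k is sum_i probe[i] * rx[(i + k) mod n]."""
    n = len(probe)
    rx2 = rx + rx  # doubled so every cyclic shift is a plain slice
    return [sum(p * r for p, r in zip(probe, rx2[k:k + n])) for k in range(n)]

def simulate_channel(probe, gain, delay, noise_sigma, rng):
    """Constructed RF record: Gaussian noise plus gain * probe delayed by
    `delay` samples (gain 0 gives a quiet channel)."""
    n = len(probe)
    return [gain * probe[(i - delay) % n] + rng.gauss(0.0, noise_sigma)
            for i in range(n)]

def detect(probe, rx, threshold=5.0):
    """(detected, lag, ratio): largest |correlation| over the RMS of the other
    lags. Noise alone gives a ratio near 3 for 1023 lags; a retransmitted
    probe stands out as one lag far above that background."""
    c = xcorr(probe, rx)
    lag = max(range(len(c)), key=lambda k: abs(c[k]))
    rest = [v for k, v in enumerate(c) if k != lag]
    rms = (sum(v * v for v in rest) / len(rest)) ** 0.5
    ratio = abs(c[lag]) / rms
    return ratio > threshold, lag, ratio

def demo(seed=2009, gain=0.25, delay=37):
    """Run the detector on a quiet and a bugged channel with a fixed seed.
    Gain 0.25 against unit-sigma noise puts the probe about 12 dB below it."""
    rng = random.Random(seed)
    probe = mls()
    quiet = simulate_channel(probe, 0.0, 0, 1.0, rng)
    bugged = simulate_channel(probe, gain, delay, 1.0, rng)
    return detect(probe, quiet), detect(probe, bugged)
```

Calling demo() returns the detector result for each channel; the bugged one reports the retransmission delay as the peak lag, which is the matched-filter effect the post relies on.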

This sort of thing is not fool-proof; nothing ever is. But I have a hunch that it could catch a relatively high proportion of low to middle tier intercept devices in a completely automated way. And because of the systems level approach, it would also catch many spurious and passive covert channels.