Tony Ingesson & Magnus Andersson
Both intelligence operatives and criminals have a constant need to communicate clandestinely, circumventing surveillance efforts carried out by highly capable adversaries. The recent highly publicized breaches of internet-based clandestine communications technology and targeted malware attacks, in combination with increasingly sophisticated methods for surveillance of internet traffic, have arguably resulted in a cyber-denied environment. This paper employs a red-teaming approach to explore how clandestine communications can be structured using platforms that are physically separated from the internet and thus not vulnerable to internet-based surveillance or attacks. Recent developments in computer-based radio software can be combined with legacy radio technology to provide robust solutions for clandestine communications in a cyber-denied environment. Drawing on case studies from the Cold War, contemporary observations of clandestine radio networks in use today, and technical tests carried out by the authors, this paper stresses the importance for counterintelligence and law enforcement to be prepared for a potential shift in how clandestine communications are implemented by both hostile intelligence services and organized crime. Finally, the paper addresses the issue of proactively countering these techniques by presenting concrete methods for use by counterintelligence and law enforcement to detect radio-based clandestine communications and secure evidence.
In 2020, the supposedly secure Encrochat network was found to have been penetrated by law enforcement (Symonds, 2021). The year after, Sky ECC was compromised by European law enforcement, and ANOM was revealed to be an FBI plot (Osborne, 2021; Westcott, 2021). In a similar development, practitioners of human intelligence (HUMINT) were supposedly struggling in the battle against new surveillance technology (Lucas, 2019). This includes the myriad new ways of tracking internet-connected phones as well as methods for intercepting, analysing and eavesdropping on computer network traffic.
Law enforcement (LE) and counterintelligence (CI) organizations have also had the ability to infect targets with surveillance software for more than a decade (Cluley, 2011). This kind of software will compromise communications regardless of the platform used, by logging keystrokes, capturing the contents of the user’s screen, downloading updates and communicating with a remote website.
What these examples all have in common is that they show that the existing commonly employed internet-based methods for clandestine communications are facing a serious challenge. While internet-based communications will most likely remain a common solution even for clandestine users, the sheer volume of surveillance efforts targeting internet infrastructure as well as end-user hardware (such as phones and computers) means that there are many possible attack vectors for LE/CI. This includes targeting web-based chat services and messaging platforms, instant messaging services, detection of concealed steganography, traffic analysis, spyware, etc. In addition to the previously mentioned vulnerabilities, additional methods of attack can be assumed to be under development. Thus, the safest course of action for a security-optimizing user of clandestine communications is to now assume that every internet-connected device is compromised. This assumption of a cyber-denied environment is based on the same logic as the concept of air gapping, which is used to secure computer systems by isolating them from all possible venues of attack by maintaining a physical distance (see for example Sarkar, Chakraborty, Saha, Bannerjee, & Bose, 2020). This logic assumes that since we cannot be expected to identify all possible threats, a more comprehensive solution (i.e. severing all attack vectors), which can counteract hypothetical as well as identified threats, is required.
This begs the question: which options are available for those who are looking to communicate covertly, without using internet-connected devices? In order to answer this question, a red team analysis-inspired approach has been employed. As defined in the 2009 Tradecraft Primer, red team analysis is conducted by having analysts assume the role of an adversary, attempting to identify solutions said adversary might come up with (US Government - CIA, 2009, p. 31). Consequently, the authors have developed methods for clandestine communication, by attempting to identify the needs and available solutions using only commercially available low-cost technology. The logic guiding this approach is that if the authors are able to develop such methods, others will also be able to do the same. Thus, this may serve as a proactive measure to identify possible strategies available to an adversary.
Previous research
Kyle S. Cunliffe (2021) has argued that the proliferation of biometrics scanners and CCTV technology paired with facial recognition poses a significant challenge to human intelligence operations today. He argues that it has become more difficult than ever to maintain a credible cover and to find opportunities for clandestine physical meetings.
Edward Lucas (2019) presents a perspective similar to Cunliffe’s, also pointing to developments in surveillance technology that favour counterintelligence. Like Cunliffe, Lucas also points to CCTV cameras and the difficulty of upholding a cover identity. In addition, Lucas brings up the possibility that counterintelligence officers may use phone tracking to correlate the movements of suspected intelligence officers and their sources to reveal the locations of dead drops.
While there are specific countermeasures being developed against biometric surveillance technology (see for example Noone, 2022), Cunliffe and Lucas both point to cyberspace as a more general solution. However, as stated in the introduction, all internet-connected platforms are inherently vulnerable. There are of course differences in how vulnerable specific platforms or modes are, where clear-text chats are relatively trivial to target, whereas end-to-end encrypted services are a different matter. Nevertheless, as the examples mentioned in the introduction clarify, even services designed to be secure can become vulnerable if central nodes are compromised by law enforcement. In addition, it doesn’t matter what kind of encryption or platform is used if one of the users has had their hardware compromised by malware that logs every keystroke and covertly takes screenshots. Law enforcement or others seeking to intercept clandestine communications thus have multiple possible attack vectors, which can be, and have been, exploited. The intensity of the current ongoing battle between new technical solutions for protecting communications on the one hand, and the efforts by state actors to intercept these on the other, means that trusting internet-based communication channels with clandestine information is becoming increasingly difficult.
This article proposes that another approach is possible, and offers evidence that at least parts of it are already in use. Radio, once a prime target for surveillance, now seems to be mostly forgotten as a means of communication by the general public. Thus, vigilance can be expected to be at an all-time low. While specialised signals intelligence organisations no doubt continue to monitor radio transmissions, detecting local low-power transmissions requires trained personnel and specialised equipment at the local level, where such assets are increasingly unlikely to be found.
At the same time, enthusiasts and niche tech companies have developed new hardware and software that can be combined with legacy technology to provide completely new and sophisticated radio-based communication methods. Thus, this article contributes to the scarce research on clandestine uses of radio, where for example James David (2003) has described the use of Soviet clandestine radio in the United States during WWII, and Jan Bury (2007, 2012a, 2012b) has provided important background on its use during the Cold War. Carl Anthony Wege has in a similar manner described the highly complex communications infrastructure used by Hezbollah, including fibre-optic and cellular networks, together with a wide range of security measures (Wege, 2014). This article goes one step further by discussing hypothetical developments. The ambition is that this can help academics studying HUMINT by providing additional information on the opportunities presented by current radio-based technology, and draw attention to other means of communication outside of the cyber sphere.
Finally, since sophisticated communications technology is now available as commercial products and no longer restricted to state actors, this article also seeks to highlight implications for criminal intelligence practitioners in case non-state actors start to adopt similar procedures.
Red team analysis: assumptions
The first assumption is that all internet-connected devices must be assumed to be compromised. They can be targeted through software on the device itself, or by analysing the traffic that passes through internet infrastructure. In addition, internet-connected devices enable real-time position tracking and eavesdropping by accessing the microphones most phones and computers are equipped with. Thus, the clandestine communications solution must be completely independent of internet infrastructure. The hardware used must be able to function even with all internet connectivity permanently disabled (note that the necessary software can either be installed before these steps are taken, or by using physical storage media such as USB sticks). Radio-based communications will in most cases have significantly more limited bandwidth than internet-based solutions, but this can to some extent be compensated for by making maximum use of each word/phrase, including code words/phrases and other types of pre-arranged signals.
The second assumption is that the communications solution should ideally be possible to operate even if one or both parties using it are under surveillance. It should thus avoid frequencies that can be expected to be monitored, such as mobile data traffic and Wi-Fi connections. In addition, the two parties should be able to maintain a physical distance, to prevent identification of the second party if one is under surveillance. For the purposes of this article, different physical distances are discussed, ranging from hundreds of meters to hundreds of kilometres. Shorter ranges can be used for communication using predetermined rendezvous points whereas longer ranges enable communications from more permanent locations.
The third assumption is that the communications solution should be encrypted in the most secure way that is practically feasible, to ensure that transmissions do not reveal the contents of what is being communicated even if they are intercepted. In addition, the clear text should never be present on a device capable of storing it, where it could be retrieved using forensic methods.
The fourth assumption is that the hardware and software used should be commercially available to ensure that possession would not in and of itself automatically compromise the user.
Radio: the old-school approach
Back in the days before the internet, the main method for wireless clandestine communication was radio. During World War II, resistance organizations operating in German-occupied countries used equipment like the Whaddon Mark VII, a.k.a. the Paraset/Paracette, a miniaturised radio transceiver used to receive and transmit messages using Morse code (Paraset, 2021). During the Cold War, these devices became increasingly capable and sophisticated, culminating in designs such as the British Mk. 328 or the Soviet Strizh (Mk. 328 Receiver, 2020; Strizh, 2020). The late Cold War spy radio sets featured advanced capabilities such as automatic encryption and burst transmission, which allows a pre-recorded message to be transmitted in a short amount of time, to reduce the risk of detection.
The first drawback of using a spy radio was the same in the late Cold War as it had been during World War II: active transmissions can be detected and pinpointed using radio direction finding (RDF) equipment. Hence the need for burst transmission. Even so, in 1982–1983 the KGB was able to detect burst transmissions and approximately pinpoint the source. Using these methods combined with more traditional surveillance, the KGB was able to catch US diplomat Richard Osborne in the act in Moscow in 1983, seizing the sophisticated RS-804 satellite agent radio he was using (Bury, 2012b, p. 120).
This leads to the second drawback of using a spy radio, which is also timeless: there is no legitimate reason for an ordinary person to possess such a highly specialised piece of equipment. If a specialised radio specifically designed for clandestine or military use is found in a person’s home, vehicle or backpack, it will be very difficult to explain why. For this reason, spies sometimes refused to use such equipment, preferring to get rid of it instead (Bury, 2012a, p. 731).
One solution to these problems was the use of numbers stations, i.e. high-powered transmitters controlled by nation-states, which would send out scheduled coded messages. These transmissions could be picked up with an ordinary portable short-wave radio receiver (which in itself was a relatively common type of consumer electronics, and remains available today). Numbers stations are still operational today, which will be explored in more detail below.
Communication scenarios
Clandestine communications are of interest to sophisticated organised crime groups, terrorist groups, and state actors engaged in espionage. While these three categories represent a very diverse range of actors with different motives, capabilities, and procedures, this article argues that their clandestine communication needs can be summarised as follows: one-way transmissions (no confirmation/reply), one-way transmissions (simple non-transmission confirmation/reply) and two-way transmissions. These are ordered starting with the most secure option, ending with the least secure.
One-Way Transmissions (no confirmation/reply)
This is a useful strategy when one party needs to send a message to another, but does not need a reply, nor confirmation that the message has been received. This can be used either with high-powered equipment normally only available to state actors (allowing extremely long ranges from no more than a handful of transmitter sites) or, hypothetically, through the use of low-cost commercially available equipment (at the expense of range).
The traditional solution: numbers stations
For state actors, a convenient solution has been the use of numbers stations, i.e. radio transmitters on the sending nation’s soil which are broadcasting encoded messages on commercial frequencies where they can be picked up by short-wave radio receivers (often marketed as ‘world radios' for people who wish to receive overseas broadcasts such as news and music). Adolf Tolkachev, for example, was issued a commercially available short-wave radio as part of a one-way communications link with his CIA handlers (Wippl, 2010, p. 641). The messages are typically in the form of series of numbers read by a pre-recorded voice, occasionally with the use of melodies to indicate the start of a transmission. Contemporary numbers stations may also use digital transmission modes such as MFSK, FSK and PSK (Numbers Stations, 2019).
The main advantage to this method is that possession of an ordinary commercially available radio capable of picking up such broadcasts would not necessarily draw suspicion even under an oppressive regime (Bury, 2007, p. 343). Modern radios with the capability to be used for such purposes include a number of different models manufactured by for example Tecsun, which can be bought from ordinary vendors such as Amazon.
The authors have tested a Tecsun PL-600 and successfully received long-range transmissions from numbers stations, originating in Russia and Poland. For receiving digital transmissions, the Tecsun PL-600 can be connected to an ordinary computer using an audio cable (with standard 3.5 mm audio connectors) and if necessary an external USB sound card. In combination with free software such as Fldigi, this enables digital processing of the intercepted signals without specialised equipment. This resembles the functionality of the device used by the CIA in its communication with Adolf Tolkachev, who was issued a demodulator for use with his previously mentioned radio receiver (Wippl, 2010, p. 641).
Miniature radio receivers designed for use with computers, so-called Software-Defined Radio (SDR) hardware, can also be used. A typical example is the popular RTL-SDR dongle, which plugs into the USB port of a computer. The dongle requires the use of an external antenna, but this antenna can be concealed in a backpack or vehicle. This removes the need for audio cables and a sound card.
Numbers stations tend to use amplitude-modulated (AM) transmissions on the short-wave (a.k.a. High Frequency, HF) bands, i.e. 3 MHz to 30 MHz. For example, the Frankfurt am Main station operating during the Cold War used frequencies between 3.370 MHz and 4.010 MHz while the ‘Lincolnshire Poacher’ station could be found between 6.485 MHz and 16.084 MHz (Bury, 2007; Jansson, 2021). Today, several numbers stations remain operational and transmit regularly, also using the HF bands. These include the traditional voice transmissions, Morse code and digital traffic. An up-to-date transmission schedule can be found on a website run by an international group of radio enthusiasts who track and document these stations (Priyom.Org, 2022). The authors have verified several of these station schedules by tuning in and receiving their transmissions (among others, these include the stations designated S11a, M01, P03 and XPB on the priyom.org website).
This approach brings several benefits compared to the common commercial frequency-modulated (FM) transmissions broadcast on the very-high frequency (VHF) bands (30 MHz to 300 MHz), i.e. the kind of radio people can listen to in their cars or by using the most common types of receivers.
First, the short-wave bands are less crowded than the VHF bands, where FM radio stations tend to fill up the full range of frequencies supported by regular commercial receivers. Using HF bands makes it easier to find a frequency where broadcasts can be made with minimum risk of interference.
Second, the short-wave bands have significantly better signal propagation, in particular at night. This means that they can cover significant distances, easily travelling hundreds or even thousands of kilometres. Where VHF band transmissions are mostly restricted to line-of-sight and ground-bounce paths, which limits their range, short-wave transmissions can be reflected by the ionosphere. The ionosphere comprises several layers of ionized plasma trapped in the Earth’s magnetic field, extending from 50 km to 2000 km above the Earth’s surface (Seybold, 2005, pp. 7–8). During the night, the characteristics of the ionosphere change, making it more likely that signals will bounce off the ionosphere, which can add significant range to these transmissions. Powerful transmitters can easily achieve cross-continental ranges under favourable ionospheric conditions.
As long as the messages are securely encoded using for example one-time pads (OTPs), this is a convenient and safe method for one-way communications.
The low-cost alternative: commercial transceivers
For non-state actors, operating high-powered radio transmitters is less viable as a strategy, since the risk of detection is very high. Once detected, it is easy to pinpoint the source of the transmission and locate the transmitter.
However, the one-way transmission strategy can also be used with less expensive and less conspicuous hardware. Common amateur radio transceivers can broadcast on the HF bands, and be picked up using inexpensive short-wave receivers such as the Tecsun PL-600 mentioned above (this has also been tested by the authors). This allows for the same range of transmission modes as the numbers stations (voice, Morse, digital), albeit with more limited range. (Figures 1 and 2)
The procedure for a digital one-way transmission, as outlined in figure 3, would thus be: the clear text message is encrypted by the sender on paper using a one-time pad (OTP), which is destroyed immediately after use. The encrypted text is typed into the transmission window of the software used on the computer. The software converts the text into audio signals (encoding) and passes the audio on to the radio, which transmits it. The recipient’s radio receives the encoded audio and passes it on to the recipient’s computer running the same software as the sender. The software decodes the audio, converting it into the encrypted text. The recipient then notes down the encrypted text on paper and manually decrypts it using a copy of the OTP, destroying it after use. The end result is the clear text message on paper, with no digital traces of the unencrypted text.
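The paper-and-pencil one-time pad step in the procedure above, as an added worked example in Python (not the authors' tooling): the two-digit letter table, the 5-digit grouping and the single-use pad pages are constructed here, and the code shows why the pad page must be at least as long as the message and is destroyed after one use.

```python
"""Digit-group one-time pad (OTP) for the paper step above.  Added example,
not the authors' tooling.  Text maps to two-digit codes (a constructed
table), pad digits come from the OS CSPRNG, each pad page is destroyed
after one use, and ciphertext is written in 5-digit groups like a numbers
station message.  Encryption subtracts the key digit-wise modulo 10 with
no borrow; decryption adds it back."""
import secrets

# Constructed codebook: space = 00, A..Z = 01..26; other characters are dropped.
ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ENCODE = {ch: f"{i:02d}" for i, ch in enumerate(ALPHABET)}
DECODE = {code: ch for ch, code in ENCODE.items()}


def text_to_digits(text):
    """Encode text as digit pairs, padded with 00 (space) to whole 5-digit groups."""
    digits = "".join(ENCODE[c] for c in text.upper() if c in ENCODE)
    while len(digits) % 10:      # pairs plus groups of five: multiple of ten
        digits += "00"
    return digits


def digits_to_text(digits):
    """Inverse of text_to_digits; a pair outside the table means a wrong key."""
    pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    if any(p not in DECODE for p in pairs):
        raise ValueError("digits outside the codebook: wrong pad page or garbled groups")
    return "".join(DECODE[p] for p in pairs).rstrip()


def _combine(digits, key, sign):
    """Digit-wise (d + sign*k) mod 10; refuses a key shorter than the message."""
    if len(key) < len(digits):
        raise ValueError("pad page shorter than message: never stretch or reuse a pad")
    return "".join(str((int(d) + sign * int(k)) % 10) for d, k in zip(digits, key))


def encrypt_message(text, key):
    """Return ciphertext as space-separated 5-digit groups."""
    cipher = _combine(text_to_digits(text), key, -1)
    return " ".join(cipher[i:i + 5] for i in range(0, len(cipher), 5))


def decrypt_message(groups, key):
    """Recover plaintext from 5-digit groups using the same pad page."""
    return digits_to_text(_combine(groups.replace(" ", ""), key, +1))


class OneTimePad:
    """Pages of random digits; a page is handed out once and then destroyed."""

    def __init__(self, pages, page_len=50):
        self._pages = ["".join(str(secrets.randbelow(10)) for _ in range(page_len))
                       for _ in range(pages)]

    def take_page(self, index):
        key = self._pages[index]
        if key is None:
            raise ValueError(f"page {index} already used and destroyed")
        self._pages[index] = None    # the paper equivalent is burning the page
        return key
```

With the fixed demonstration key 1234567890, encrypt_message("HELLO", ...) yields the groups 96716 64425, and decrypt_message with the same key returns HELLO; a second take_page on the same index raises.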
Even though an amateur radio transceiver is significantly less powerful than a fully equipped state-run numbers station, ranges can easily extend to hundreds of kilometres under favourable conditions. During tests, the authors have been able to intercept voice transmissions from amateur transceivers at distances exceeding 1,000 km.
The downside to using amateur radio equipment for clandestine communications is that licensed amateur radio operators have the responsibility to ‘police' the use of amateur radio equipment and amateur radio frequencies. For example, the American National Association for Amateur Radio (also known by its older acronym ARRL) has a formal agreement with the Federal Communications Commission (FCC) to monitor the airwaves and collect evidence that can be used for enforcement (Volunteer Monitoring Program, n.d.). Using amateur radio bands for clandestine communications thus carries a significant risk of exposure since the communications procedures are highly regulated and standardised, including requirements to identify the sender. Encrypted transmissions are also expressly prohibited on the amateur bands in some nations, such as the United States.
One possible solution, identified as part of the red-team approach, is to use the less regulated international citizens band frequencies (typically around 27 MHz, and thus also within the HF bands). In many countries, use of the citizens band does not require an amateur radio license (Citizens Band Radio Service, 2017). Because of this, amateur radio operators have less of an incentive to report transgressions. For a long time, there has also been a tendency among amateur radio operators to look down upon the ‘chaotic’ and less regulated citizens band compared to their own exclusive frequencies (Can Amateur Radio Talk to CB?, 2022). This presents an opportunity to use citizens band (CB) radios or modified amateur radio equipment for short, sporadic clandestine transmissions on the citizens band frequencies. The receiver will still only need a short-wave receiver of the type listed previously, but the risk of detection and reporting should logically be lower. Since some enthusiasts already use the citizens band for digital mode traffic, it would not be a unique phenomenon (2DR112 Pennsylvania Digital Modes 27mhz CB Radio, 2016). By moving slightly away from the frequency already used for digital transmissions by enthusiasts, it may be interpreted as an unlicensed user mistakenly transmitting on the wrong frequency and thus not draw attention, while avoiding interception by the few enthusiasts who are equipped to receive and decode digital traffic on the CB band.
For maximum ease of use, a CB transceiver can also be used to transmit voice messages to a short-wave receiver tuned to the CB bands. Predetermined code words could be used, or possibly by playing a part of a song according to a code scheme. By playing part of a song, the transmission would sound like a truck driver accidentally touching the transmit button while listening to radio on the road. One song could for example be used to represent a specific delivery location for a clandestine package or a narcotics shipment. This would also mean that even if the message was intercepted and recorded, it would be difficult to prove the identity of the transmitting party.
For short-range communications (hundreds of meters up to a few kilometres) handheld low-cost VHF radios such as the Baofeng UV-5R or UV-82 can be used (see figure 4). These radios can be connected to computers to transmit digital traffic in real time (an external USB sound card, small enough to fit in the palm of a hand, can be used in case the computer does not have a dedicated 3.5 mm microphone port), or digital traffic can be transferred to a recording/playback device such as a small voice recorder of the type used to record voice memos on the go. This can then be connected to the radio and activated when the radio is transmitting. Similarly, a voice recorder can be used to record incoming transmissions for later decoding. The only requirement is that the voice recorder has a speaker port and a microphone port that can be connected to the radio. The Olympus VN-541 voice recorder, for example, can be connected to a Baofeng UV-5R radio using two different ordinary audio cables (one 3.5 mm-3.5 mm and one 2.5 mm-3.5 mm). Tests carried out by the authors have demonstrated that both recording and playback using portable voice recorders can be used together with digitally coded compressed messages to achieve a solution that resembles a limited form of burst transmission. (Figures 5 and 6)
For one-way communications, it’s not necessary for both the sender and recipient to have radios. The recipient can also use an RTL-SDR dongle without transmission capability to receive messages from a VHF radio. Another related solution is to embed the encoded audio used for the transmission in an mp3 file with music and then put it on a portable music player. While these are mostly considered obsolete today, they are still available for purchase. In this manner, a music player can also be used as a dead drop for messages (finding the message would require running the potentially thousands of mp3 files on the player through audio processing software to look for anomalies in an oscillogram).
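A triage scan of the kind the last sentence describes, as an added example in Python (not the authors' tooling, and not a tool the paper evaluates): both the stand-in "music" and the embedded two-tone burst are constructed synthetically at an assumed 8 kHz sample rate, and the detector flags frames in which two narrow spectral regions hold most of the in-band energy, which polyphonic music does not do. It generalizes the oscillogram idea to a spectral test, so it also catches bursts that do not stand out in amplitude.

```python
"""Triage scan for a narrowband digital-mode burst (here two-tone FSK)
spliced into otherwise musical audio.  Added example, not the authors'
tooling: the 'music' and the burst are both constructed synthetically.
Per 64 ms frame the detector measures how much in-band energy sits in the
two strongest narrow spectral regions; polyphonic music spreads energy
over many harmonics, a two-tone signal does not.  A long single note is
flagged too, so the output is a candidate list for an analyst."""
import cmath
import math
import random

FS = 8000          # sample rate (Hz) of the constructed audio
N = 512            # FFT frame length, 64 ms at 8 kHz
BAND = (20, 192)   # FFT bins covering roughly 300-3000 Hz
HALF_WIDTH = 4     # bins either side of a peak treated as one tone (+-62 Hz)
THRESHOLD = 0.8    # fraction of band energy the two strongest tones must hold
MIN_RUN = 3        # consecutive flagged frames needed to report a burst


def make_music(seconds):
    """Constructed stand-in for music: four-note chords changing every 250 ms."""
    roots = [330.0, 392.0, 440.0, 494.0]
    out = []
    for n in range(int(seconds * FS)):
        root = roots[(n // (FS // 4)) % len(roots)]
        t = n / FS
        out.append(sum(0.25 * math.sin(2 * math.pi * root * r * t)
                       for r in (1.0, 1.25, 1.5, 2.0)))
    return out


def make_fsk_burst(bits, samples_per_bit=256, f0=1200.0, f1=2200.0):
    """Continuous-phase two-tone FSK at 31.25 baud (constructed test input)."""
    out, phase = [], 0.0
    for b in bits:
        step = 2 * math.pi * (f1 if b else f0) / FS
        for _ in range(samples_per_bit):
            out.append(0.5 * math.sin(phase))
            phase += step
    return out


def make_sample_audio(seed=7):
    """About 1 s music, 1 s FSK burst, 1 s music, plus low-level noise."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(FS // 256)]      # 31 bits, ~0.99 s
    clean = make_music(1.0) + make_fsk_burst(bits) + make_music(1.0)
    return [s + rng.uniform(-0.02, 0.02) for s in clean]


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + tw, even[k] - tw
    return out


def frame_concentration(frame):
    """Fraction of in-band energy held by the two strongest narrow regions."""
    window = [0.5 - 0.5 * math.cos(2 * math.pi * i / N) for i in range(N)]
    power = [abs(c) ** 2 for c in fft([s * w for s, w in zip(frame, window)])]
    band = power[BAND[0]:BAND[1]]
    total = sum(band)
    if total <= 0.0:
        return 0.0
    captured = 0.0
    for _ in range(2):                    # greedily take the two strongest regions
        peak = max(range(len(band)), key=band.__getitem__)
        lo, hi = max(0, peak - HALF_WIDTH), min(len(band), peak + HALF_WIDTH + 1)
        captured += sum(band[lo:hi])
        band[lo:hi] = [0.0] * (hi - lo)   # do not count the same bins twice
    return captured / total


def detect_bursts(samples):
    """Return (start_s, end_s) for runs of >= MIN_RUN consecutive flagged frames."""
    flags = [frame_concentration(samples[i:i + N]) >= THRESHOLD
             for i in range(0, len(samples) - N + 1, N)]
    runs, start = [], None
    for i, flagged in enumerate(flags + [False]):   # sentinel closes a final run
        if flagged and start is None:
            start = i
        elif not flagged and start is not None:
            if i - start >= MIN_RUN:
                runs.append((start * N / FS, i * N / FS))
            start = None
    return runs
```

detect_bursts(make_sample_audio()) reports a single span of roughly 1.0 to 2.0 s, the location of the spliced burst, while the chord-only signal from make_music() produces no span.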
One-Way Transmissions (simple non-verbal confirmation/reply)
A slightly more sophisticated variation of the one-way transmission method is to include a non-verbal reply/confirmation option. This makes use of classic signalling methods employed in for example espionage tradecraft. In its most simple form, the answer is binary (confirmed/not confirmed, yes/no, etc.). This reply can be signalled through the use of a predetermined indicator at a specific location. For example, a pencil mark may be drawn on a signpost, a piece of adhesive tape stuck to a fuse box in a public location, or a light that is switched on in a window at a specific time of day. The sender will look for the signal, and if it is present, it serves as one of the binary reply options (confirmed/yes/etc.). If the signal is missing, that represents the other reply option (not confirmed/no/etc.). More advanced variations are possible, such as adding more reply options through the use of variations of the signal. This could be by drawing a different type of mark, using a different colour, lighting a different lamp or at a different time, etc.
Two-Way transmissions
This method allows for more complex interactions, and the exchange of information from both sides. The most obvious solution is for both parties to be equipped with similar transceivers. For short-range communications, handheld VHF radios such as the Baofeng UV-5R or UV-82 mentioned above, can be used for real-time two-way communications. The simplest implementation method is to use voice communications in combination with an agreed set of code words. While this kind of code would be relatively trivial to break, it could be used for tactical communications (i.e. where the information is only valid and useful for a short time). The more specialised Motorola DTR-2430 and DTR-2450 license-free handheld radios have significantly shorter range, but on the other hand offer frequency-hopping spread spectrum (FHSS) functionality. This means that they can rapidly and automatically switch frequencies while transmitting, making it more difficult to detect them using standard scanning equipment (see for example Lei, Yang, & Zheng, 2018).
A more sophisticated and secure solution would be to connect laptops to the radios and type in messages, which are then transmitted as bursts. This allows for a back and forth of short bursts. This resembles the functionality provided by specialised Short-Range Agent Communication (SRAC) devices used during the Cold War (Wippl, Citation2010, p. 640). The lack of automatic encryption does however mean that information has to be encrypted/decrypted by hand, which takes time and will slow down the process significantly. In addition, it would imply carrying the OTP keys which could result in difficulties in disposing of the key and decrypted messages if law enforcement/counterintelligence (LE/CI) personnel detect the transmissions and apprehend the user along with the OTP key before it can be destroyed. An automatic encryption solution would be perfectly feasible, but would also mean that the clear-text message could be stored on the computer and thus compromised. In any case, since the user will have to have the laptop open, it becomes more difficult to conceal what is going on.
A third solution that allows for significantly greater range is to use either amateur radios or CB radios. These could, as stated above, use the CB band to reduce the risk of detection by third parties (such as radio amateurs). Using amateur radios in combination with digital burst transmissions is relatively easy from a user perspective, although it is illegal in some countries to use amateur radio equipment on the CB band. While the legality of the matter per se cannot be expected to be an obstacle to most users of clandestine communications, amateur radios are also much more expensive than most CB radios.
Modifying CB radios for this purpose is significantly more demanding from a technical perspective, but a person with some experience of working with electronics should be perfectly capable of making the necessary modifications. Note that the two higher tiers of amateur radio licenses, the General and Amateur Extra class licenses, in the United States require fairly detailed skills in working with electronics (this is part of the tests users have to pass in order to obtain these licenses). Many other countries have similar requirements for their higher certificate levels, which is covered by for example the Harmonised Amateur Radio Examination Certificate (HAREC) standard used by many European countries (Recommendation T/R 61-02, 2018). For a state actor, persons with the necessary skills would be trivial to find. For an organized crime or terrorist outfit, it would be enough to recruit a single competent amateur radio enthusiast.
The increased range should make it more difficult to pinpoint the source of the transmissions since they can cover much greater geographical areas. Recent models of CB radios have single-sideband (SSB) capability, which means that they use less bandwidth and are legally allowed to transmit with more power (up to 12 watts) than the older versions (which are typically limited to 4 watts using AM). Amateur radios can hypothetically transmit with much more power, up to the rating the station is built for (standard amateur radio stations can often transmit at 100 watts, but this can easily be boosted to 1000 watts or more by adding an amplifier). However, this could hypothetically attract attention and facilitate detection (the more power used, the easier the transmission is to detect).
By using the CB band, ionospheric reflection is also possible as a means to drastically increase range. Even at lower power settings, this could allow for cross-continental ranges, although the exact range is far less predictable (skip propagation at 27 MHz depends strongly on the time of day and on the solar cycle, so such links cannot be scheduled with the same reliability as short-range ones).
Equipment acquisition
For those seeking to establish clandestine communication protocols without the risk of exposure brought by internet-based platforms, recent developments in radio technology provide a range of opportunities. The methods presented in this article are based on combining commercially available radio receivers or transceivers, with or without non-networked computers. The radios and accessories (audio cables, external USB sound cards) can be purchased online, in stores, or bought used. Computers can be obtained in the same way. For increased security, the Wi-Fi and Bluetooth chips in the computers can be disabled physically, either by removing them or by destroying them (for example using a soldering iron). This means that even if the computers are compromised, they will not be able to transmit revealing information. The removal should be verified from the operating system afterwards (no wireless interface should remain listed) rather than assumed, and the computers must never be connected to a wired network either, since any network connection reintroduces the exposure the physical separation is meant to remove.
The tests
The tests carried out by the authors have made use of the equipment listed in Table 1.
Table 1. Equipment used (* = bought used).
Test: receiving numbers stations
Equipment used: Kenwood R-1000 + 42 m Windom antenna; Tecsun PL-600 (built-in antenna)
Procedure: the Tecsun PL-600 was used both with the built-in telescopic antenna and the wire antenna accessory that comes bundled with the radio. The authors also used a 1980s vintage desktop Kenwood R-1000 receiver paired with a 42 m Windom antenna for reception during nights and poor weather conditions, mostly to facilitate checks of the transmission schedules listed on the Priyom.org website (since the Tecsun should be used outdoors for best performance, which is somewhat more difficult during winter weather conditions).
Results: while the Kenwood desktop receiver and long Windom wire antenna provided significantly better reception, the Tecsun was also able to successfully receive numbers stations transmissions (albeit with more interference).
Test: receiving amateur radio transmissions
Equipment used: Kenwood R-1000 + 42 m Windom antenna; Tecsun PL-600 (built-in antenna)
Procedure: The Tecsun and the Kenwood radios with their respective antennas were both used to tune amateur radio transmissions on the 80 m amateur radio band.
Results: The Tecsun was able to pick up transmissions originating from Bulgaria while being operated in southern Sweden. The Kenwood has been able to receive amateur radio voice transmissions from most of continental Europe and Russia as well as digital transmissions from all over the globe (including Indonesia and New Zealand).
Test: short-range transmissions
Equipment used: Baofeng UV-5R+ and UV-82, external USB sound card, audio cables (2.5 mm to 3.5 mm and 3.5 mm to 3.5 mm), voice memo recorder, portable mp3 player (iPod 4th Generation)
Procedure: three different methods were tested. First, a Baofeng radio was connected to a laptop via the external sound card and used to transmit a digital message using different types of encoding in Fldigi (PSK-31, BPSK-250, MFSK-128, Olivia 8-2000) to another computer running Fldigi via an RTL-SDR dongle using the compact telescopic RTL-SDR antenna. Second, an mp3 player with a stored digital encoded message was connected to the Baofeng radio instead of the laptop. Third, a voice memo recorder was connected to a receiving Baofeng radio (using audio cables) to record transmissions instead of having the computer receive in real time. The recorded audio from the voice recorder was later transferred to a computer for decoding. The message used was 280 characters/45 words long.
Two different scenarios were tested: transmitting from inside a parked car to a nearby building (circa 50 meters line-of-sight distance, the transmitter, receiver and antennas were positioned out of sight from windows), and transmitting from the third floor to the first floor of an office building.
Results: All of the above listed transmission/receiving methods were successful. More than 90% of the message contents could be successfully decoded. The only information losses were at the start of the message, since the receiving decoder needs a short lead-in to lock onto the signal after the transmitter keys up; this was solved by adding some additional padding (circa 5 characters) at the start of the message.
The tests showed that the most efficient encoding (i.e. the most efficient combination of high speed and low/non-existent information loss) was BPSK-250. The transmission time for the 280 character/45 word message using BPSK-250 was 13 seconds.
Test: medium-range transmissions
Equipment used: Albrecht 5890EU CB radio + 42 m Windom antenna & magnetic-mount Maas vehicle antenna, Tecsun PL-600.
Procedure: the Albrecht CB radio was used as transmitter for one-way voice communications, both with the Maas vehicle antenna and the stationary 42 m Windom antenna. The receiver used was the Tecsun PL-600. Both the bundled wire antenna that came with the Tecsun and its built-in telescopic antenna were tested. The receiver was moved to various different locations at ranges between 1 km and just over 10 km.
Results: using the Maas vehicle antenna in a vertical position with the Albrecht CB radio, transmissions using upper side band (USB) were perfectly readable at up to 3 km (no direct line of sight) at low power (3 watts) using the built-in telescopic antenna on the Tecsun. With the horizontally-mounted 42 m Windom antenna, transmissions at 12 watts USB were perfectly readable at distances just over 10 km on the Tecsun, both using the bundled wire antenna and the built-in telescopic antenna.
Layers of security
The approach in this article relies on multiple ‘layers' of security to cope with different scenarios, where each additional layer is intended to counteract an escalation on behalf of those conducting surveillance.
Layer 1: detection of transmission
The first order of business is to make it as difficult as possible to detect the exchange of information using technical means. In the past, this has been the starting point of several investigations which have ultimately revealed the sources (see for example Bury, Citation2012b, p. 120). Using low-power transmitters (circa 1–5 watts) reduces the electromagnetic footprint of the signal, which means that detection equipment needs to be closer and more sensitive than if more power had been used to output the signal. In addition, transmissions should be as short in duration as possible (burst transmission), to further reduce the risk of technical detection. As the KGB interception of burst transmissions mentioned above shows, they are not a foolproof solution for avoiding detection and localisation. This is particularly relevant in so-called ‘denied areas’, where a significant security presence can be expected (for Western intelligence operatives, Moscow is a classic example of a ‘denied area’, see for example Fischer, Citation2011, p. 275). Nevertheless, burst transmission in general reduces the detection window and thus the risk. For users of clandestine communications who have not yet attracted the attention of LE/CI, burst transmission can help them stay below the detection threshold.
As a compromise to increase range and reduce complexity, up to 12 watts (using single-sideband modulation) can be used on the CB band for voice communications, transmitting either code words or parts of specific songs (as explained above). This enables ranges of around 10 km, relying on the relative obscurity of the CB band and the more ‘chaotic' nature of that band for concealment.
Layer 2: hiding in plain sight
The second layer of security is intended in case the first is defeated. Thus, if the transmissions are detected and surveillance initiated to find the source, the user should be able to hide in plain sight. What this means is that the user should be able to operate the equipment in a way that is not obvious to someone conducting visual observation or audio monitoring either using a directional microphone or by hacking the user’s phone to record sounds. This is achieved by concealing the communications equipment in backpacks or vehicles, operating the equipment without taking it out of the backpack, and not using voice communications. Another possibility is for both users to simultaneously be in separate bathrooms in a crowded public place, such as a mall. If the bathrooms are single-space with a full-sized door (as opposed to stalls), the users could communicate verbally without being heard or seen. If the bathrooms are in separate parts of a large building, it would be difficult to notice. This can also be combined with frequency-hopping by using for example the previously mentioned Motorola DTR-2430 or DTR-2450 transceivers, to prevent detection by non-specialised scanning equipment.
Stationary equipment such as wire antennas can also be hidden in plain sight by for example making a horizontal wire antenna look like an electric fence wire.
Layer 3: ease of disposal
In case the users are at risk of imminent arrest, the equipment should be as easy as possible to dispose of in a way that makes tracing it to the user as difficult as possible. Whereas a traditional spy radio may be small enough to be dropped in a trash can, there is a considerable risk that such an unusual device may attract attention. If it is found by, or handed over to, counterintelligence or law enforcement personnel, its purpose will be immediately obvious and thus trigger an investigation. By using commercial off-the-shelf radio equipment, it will not be immediately obvious to a casual observer that it was used for clandestine purposes. Thus, if spotted by a civilian, the radio may either be processed along with ordinary waste without drawing particular attention, or it may be picked up by someone who may consider it a lucky find.
Layer 4: plausible deniability
In case a user is arrested, and the communications equipment found on his/her person or in his/her residence/vehicle, there is at least some chance of achieving plausible deniability. This is obviously impossible if a traditional spy radio is found. However, a commercial handheld transceiver can be used for several regular civilian purposes, including hunting, hiking in areas with poor mobile coverage, or for agricultural or construction work. Similarly, a CB radio is still found among truck drivers, and a ‘world-radio' receiver can look like a common FM radio receiver to the untrained eye (especially if it is tuned to an ordinary FM radio station after use). If the user has prepared a cover story that is compatible with these areas of use, counterintelligence or law enforcement personnel could possibly be fooled at least temporarily, enabling the user to dispose of the equipment.
Layer 5: information security
If the user is arrested, the equipment confiscated and the cover story considered implausible, the next step is damage reduction. This means that counterintelligence or law enforcement personnel should not be able to obtain any messages that have been exchanged, which could be used as evidence against the user. There are several possible outcomes for this scenario. If the user is apprehended while using the equipment, the user should not be carrying the encryption key on his/her person. This means that LE/CI personnel will have no means to break the encryption of the messages even if they have been intercepted. The equipment used never processes the plaintext of any message and stores at most the ciphertext (for example the encoded audio on a voice recorder), so forensic analysis reveals nothing beyond what an intercept would. This presupposes that decryption is done by hand and that the used key material is destroyed immediately afterwards, as in the examples below.
Hypothetical examples
The following section will present two scenarios in more detail, outlining how the technical solutions discussed above could be used by different types of actors.
Example 1: the case officer and the source
The Case Officer enjoys diplomatic cover and is based at an embassy. However, the Case Officer is also subject to routine surveillance by local counterintelligence officers. The Case Officer has already recruited a Source and now needs to maintain communication with the Source without compromising the source or the material being delivered.
Equipment
The Case Officer has access to a car with diplomatic license plates. This car has been equipped with a modified amateur radio transceiver (for example a Russian-made Lab599 Discovery TX-500 or a Chinese Xiegu G90) and an antenna, both of which are concealed. The Source has been issued a short-wave receiver, a commonly available portable battery-operated ‘world radio' (such as the Tecsun PL-600 mentioned above), and decodes the digital transmissions on a non-networked computer of the kind described above. While a ‘world radio' may not fool an experienced counterintelligence officer, it nevertheless stands a good chance of going unnoticed by less specialised security personnel.
Procedure
The Case Officer frequently drives around and likes to park at scenic spots to take in the view at the end of the day. During a few (but only a few) of these stops, the Case Officer operates a small panel concealed in the car, switching the radio on, and then presses the play button on the voice recorder on which the message is stored. The audio keys the radio, which transmits the message to the Source. The transmission is digital, encrypted and lasts only approximately 10–20 seconds. Casual listeners on the CB band notice a brief noise, but it is gone quickly and is neither frequent nor long enough to trigger any response from listeners. The lucky few who manage to record and decode the transmission find themselves looking at an encrypted message that cannot be broken without the key. The Case Officer is at this point several kilometres from the Source. Meanwhile, counterintelligence officers have noticed the Case Officer’s movement pattern and suspect that some sort of communications solution is being used, but they are unable to intercept anything of interest from the Case Officer’s phone or computer. The Source receives the transmitted message at home using the short-wave radio. The message contains the location and instructions for the next dead drop. The Source moves a flower pot from one side of the window to the other to signal that the message has been received and understood. One of the junior intelligence officers at the embassy passes by on the street below the Source’s apartment as part of a lengthy walk that same evening, observes the signal, and reports to the Case Officer the following day. By frequently switching dead drop sites, and adding new ones, the Case Officer ensures that the counterintelligence officers are unable to locate the sites.
Layers of security
Detecting the transmission requires a radio scanner covering the frequencies used. To pinpoint the source, radio direction finding equipment is also required. Even if LE/CI can determine that the Case Officer is indeed transmitting, it will be difficult to identify the recipient since the transmission is omnidirectional and covers a relatively large geographic area (a radius of several kilometres).
If the Source is identified and her residence searched, there is no evidence that the radio receiver has been used for clandestine purposes (since it stores no data). Similarly, no files have been saved on the computer. Even if forensic examination of the hard drive recovers remnants of the received message, it is OTP ciphertext whose key has already been destroyed, and thus it cannot be broken. The fact that the computer has had its networking capabilities permanently disabled is not sufficient evidence to implicate the Source either. This holds only as long as no unused pad material is found during the search: the pad, not the radio, is the incriminating item.
Example 2: the courier and the customer
In this scenario, a Courier working for an international crime syndicate needs to communicate a time and place for delivery of a large shipment of drugs to the Customer. Either the Courier or the Customer (or both) can be expected to be under surveillance.
Equipment
The Courier and Customer each have a Baofeng UV-5R portable radio, a small voice recorder, and a set of 3.5 and 2.5 mm audio cables to connect the recorder to the radio. Both are carrying small backpacks or tote bags.
Procedure
The Courier takes up position in a cafe at a mall at a specific predetermined time and date. The Customer is at the same time sitting at a restaurant at the same mall, but out of sight from the Courier. At the arranged time minus two minutes, the Customer reaches into his bag, pretending to look for something. While doing so, he presses the Record button on his voice recorder and turns the knob on the radio to switch it on. Then he sits back and enjoys his food. Meanwhile, at the arranged time, the Courier reaches into her backpack to switch on her radio and then presses Play on her voice recorder. The voice recorder starts to play back the pre-recorded message in audio form. The radio picks up the signal from the voice recorder coming through the audio cable and starts to transmit (the radio’s voice-operated switch, VOX, keys the transmitter for as long as audio is present). When the audio stops, the radio automatically ends the transmission.
The Customer’s radio picks it up and, through an audio cable, the message is recorded on the voice recorder. After less than 20 seconds, the entire message has been received and stored. When the Customer is back home, he connects the voice recorder to a laptop that has had its networking capabilities permanently disabled and decodes the tones to letters (the ciphertext) using software such as Fldigi. The Customer writes down the letters on paper and decrypts the message using a one-time pad (OTP). Having read the time and date for delivery, the Customer burns the OTP and the paper, scattering the ashes.
Layers of security
The two users are in relatively close physical proximity, but there is no overt sign of direct communication, and the number of other people in the area provides a degree of cover. If only one of the users is under surveillance, it will be difficult to identify the other. In order to detect the transmission, radio receiving equipment scanning the VHF and UHF ranges covered by such handhelds is required. The short duration of the transmission will make it difficult to locate the source. If the transmission is intercepted and recorded, the one-time pad ciphertext cannot be broken without the pad. If the users are apprehended, the transmission stored on their voice recorders is likewise only ciphertext.
If the users are apprehended after the Customer has decrypted the message and destroyed the pad and the worksheet, there will be no evidence of the contents of the clear text message. The only window of opportunity to obtain the clear text is to arrest the Customer after the message has been received but before the pad and the written-out text have been destroyed, and even then this will only yield results if the OTP key can be secured before it is destroyed.
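The one-time pad step described under Layer 5 and in both examples (decoding tones to letters on the non-networked laptop, decrypting by hand, burning the pad) can be made concrete. The following is an added example written for this page, not the authors' code: a letters-only one-time pad with the two properties the scenarios rely on, namely that any same-length plaintext is consistent with an intercepted ciphertext (so the ciphertext alone supports no inference and plausible deniability survives), and the caveat that a pad used twice collapses to a simple difference of plaintexts. The messages and the demonstration pad are constructed; the function names are this example's own.

```python
"""
One-time pad on the 26-letter alphabet, as worked by hand in the examples.
Added example for this page, not the authors' code. Messages and the demo pad
are constructed; a real pad comes from a true random source.
"""
import secrets
import string

ALPHABET = string.ascii_uppercase


def normalise(text):
    """Letters only, upper case. Digits and punctuation are spelled out on a pad."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def make_pad(length):
    """Fresh key material: truly random, at least message length, used once."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _combine(text, pad, sign):
    """Letter-wise (text + sign*pad) mod 26; refuses a pad shorter than the text."""
    if len(pad) < len(text):
        raise ValueError("pad shorter than message: never cycle or reuse a pad")
    return "".join(
        ALPHABET[(ALPHABET.index(t) + sign * ALPHABET.index(k)) % 26]
        for t, k in zip(text, pad)
    )


def encrypt(plaintext, pad):
    return _combine(normalise(plaintext), pad, +1)


def decrypt(ciphertext, pad):
    return _combine(ciphertext, pad, -1)


def pad_for(ciphertext, alternative):
    """The pad under which ciphertext decrypts to any chosen same-length text.
    One always exists, so an intercepted ciphertext (or a seized recording of
    it) supports no inference about the message, and any cover story of equal
    length is arithmetically consistent with it."""
    alt = normalise(alternative)
    if len(alt) != len(ciphertext):
        raise ValueError("alternative must match the ciphertext length")
    return _combine(ciphertext, alt, -1)


def reuse_leak(ct1, ct2):
    """The caveat: two ciphertexts made with the same pad. Subtracting them
    cancels the pad and leaves plaintext1 - plaintext2."""
    return _combine(ct1, ct2, -1)


def crib_other(diff, crib):
    """Given diff = p1 - p2 and a known or guessed fragment of p1 (a crib),
    recover the same positions of p2 = p1 - diff."""
    return _combine(normalise(crib), diff, -1)


if __name__ == "__main__":
    msg = "Dead drop at north bench Sunday nineteen hundred"     # constructed
    pad = make_pad(60)
    ct = encrypt(msg, pad)
    print("ciphertext:", ct)
    print("recovered :", decrypt(ct, pad))
    cover = "Meet at the old harbour Monday seventeen hundred"  # constructed
    print("cover pad decrypts to:", decrypt(ct, pad_for(ct, cover)))
    # what goes wrong if the same pad is used for a second message
    leak = reuse_leak(ct, encrypt(cover, pad))
    print("from crib 'DEADDROP':", crib_other(leak, "DEADDROP"))
```

A real pad must come from a true random source, be at least as long as the message, be used exactly once and be destroyed after use; the ‘unbreakable' claim in the scenarios holds only under those conditions, and unused pad sheets found in a search are the one item that undoes Layers 4 and 5.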
Counter strategies
In order to cope with the potential use of the method described above, or variations based on similar technologies, law enforcement too can use commercially available low-cost options and free software. The previously mentioned RTL-SDR dongle combined with a small telescopic antenna is one viable option. Despite being affordable and compact, this kind of equipment supports relatively advanced scanning and recording capabilities by using appropriate software.
Law enforcement will need to accomplish two goals: first, to detect radio transmissions (and the frequency used); second, to record radio transmissions for later analysis. An RTL-SDR dongle can be used for both of these purposes, if combined with the appropriate software. For detection, a free spectrum analyser program such as Spektrum can be used (Šorejš, Citation2015). If the users of clandestine communications are expected to use handheld radios similar to the Baofeng UV-5R, the scan can be limited to the frequencies supported by that hardware (roughly 136–174 MHz and 400–520 MHz for the UV-5R), which cuts down on the time required to sweep the frequency range. Once a transmission has been detected through scanning and the frequency determined, a free program such as Gqrx or CubicSDR can be used to record the transmission for later analysis in, for example, Fldigi (Csete, Citation2021; CubicSDR, Citation2018).
The same procedure can be used to monitor CB bands. If combined with one or more directional antennas, LE/CI can also attempt to pinpoint the source of transmissions (although this requires either lengthy or recurring transmissions to track down the exact location). However, all of these solutions require equipment and trained personnel to be available at the local level, and that they are activated and prepared at the time of transmission. Unlike internet communications, radio transmissions leave very few residual traces that can be detected after the fact (the only exceptions being if someone else intercepted the transmission by coincidence, or if LE/CI can find recorded traces on the user’s hardware, such as saved audio or text). This presents a significant challenge for LE/CI from a resource perspective.
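To make the scan step concrete, below is an added example (written for this page, not part of the paper or of any of the tools named) that runs a simple burst detector over a power-versus-frequency log. The line format follows the CSV written by rtl_power from the rtl-sdr tools (date, time, start and stop frequency, bin width, sample count, then one dB value per bin), but the sweeps themselves are constructed, including a three-second burst in one bin and a single-sweep noise spike in another. Each sweep's noise floor is taken as the median of its bins, bins more than a chosen margin above the floor count as active, and a burst is reported once the same bin stays active across a minimum number of consecutive sweeps.

```python
"""
Burst detection over rtl_power-style sweep logs.

Added example, not code from the paper: it shows the scan step of the counter
strategy (flag a short transmission and the frequency used) on a constructed
log. The line format follows the CSV that rtl_power (rtl-sdr tools) writes:
date, time, Hz low, Hz high, Hz step, samples, then one dB value per bin.
"""
from datetime import datetime
from statistics import median

# Constructed sample (not a real capture): eight one-second sweeps of
# 145.000-145.100 MHz in 12.5 kHz bins. The sweeps at 12:00:03-12:00:05 carry
# a simulated 3 s burst in the 145.0375-145.050 MHz bin; the sweep at 12:00:06
# has a one-off spike in another bin that should not be reported as a burst.
SAMPLE_SWEEPS = """\
2023-01-15, 12:00:00, 145000000, 145100000, 12500, 64, -58.1, -57.6, -58.3, -57.9, -58.0, -57.7, -58.4, -57.8
2023-01-15, 12:00:01, 145000000, 145100000, 12500, 64, -57.9, -58.2, -57.7, -58.1, -57.6, -58.0, -57.8, -58.3
2023-01-15, 12:00:02, 145000000, 145100000, 12500, 64, -58.0, -57.8, -58.1, -57.5, -58.2, -57.9, -57.7, -58.0
2023-01-15, 12:00:03, 145000000, 145100000, 12500, 64, -57.8, -58.0, -57.9, -21.4, -58.1, -57.6, -58.2, -57.9
2023-01-15, 12:00:04, 145000000, 145100000, 12500, 64, -58.2, -57.7, -58.0, -20.9, -57.8, -58.1, -57.5, -58.0
2023-01-15, 12:00:05, 145000000, 145100000, 12500, 64, -57.7, -58.1, -57.8, -21.7, -58.0, -57.9, -58.3, -57.6
2023-01-15, 12:00:06, 145000000, 145100000, 12500, 64, -58.0, -57.9, -58.2, -57.8, -57.6, -58.0, -35.0, -58.1
2023-01-15, 12:00:07, 145000000, 145100000, 12500, 64, -57.9, -58.0, -57.7, -58.1, -58.0, -57.8, -58.2, -57.9
"""


def parse_sweeps(text):
    """Return a list of (timestamp, low_hz, step_hz, [dB per bin]) tuples."""
    sweeps = []
    for line in text.strip().splitlines():
        f = [x.strip() for x in line.split(",")]
        when = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        low, step = int(f[2]), int(f[4])
        sweeps.append((when, low, step, [float(v) for v in f[6:]]))
    return sweeps


def active_bins(levels, margin_db):
    """Bins whose level exceeds the sweep's own noise floor (its median) by margin_db."""
    floor = median(levels)
    return {i for i, v in enumerate(levels) if v - floor >= margin_db}


def detect_bursts(sweeps, margin_db=15.0, min_sweeps=2):
    """Track active bins across consecutive sweeps and report each burst with
    its centre frequency, start time, number of sweeps, duration and peak level.
    Bursts seen in fewer than min_sweeps consecutive sweeps are dropped as
    noise spikes; lower min_sweeps to 1 when hunting very short transmissions."""
    sweep_s = 1.0                       # sweep interval, estimated from the log
    if len(sweeps) > 1:
        sweep_s = (sweeps[1][0] - sweeps[0][0]).total_seconds() or 1.0
    open_bursts = {}                    # bin index -> burst record in progress
    bursts = []

    def finish(rec):
        if rec["sweeps"] >= min_sweeps:
            rec["duration_s"] = (rec["last"] - rec["start"]).total_seconds() + sweep_s
            bursts.append(rec)

    for when, low, step, levels in sweeps:
        active = active_bins(levels, margin_db)
        for i in active:
            rec = open_bursts.get(i)
            if rec is None:
                open_bursts[i] = {
                    "freq_hz": low + i * step + step // 2,   # bin centre
                    "start": when, "last": when, "sweeps": 1, "peak_db": levels[i],
                }
            else:
                rec["last"] = when
                rec["sweeps"] += 1
                rec["peak_db"] = max(rec["peak_db"], levels[i])
        # a bin that went quiet closes its burst
        for i in [i for i in open_bursts if i not in active]:
            finish(open_bursts.pop(i))
    for rec in open_bursts.values():
        finish(rec)
    return sorted(bursts, key=lambda r: r["start"])


if __name__ == "__main__":
    for b in detect_bursts(parse_sweeps(SAMPLE_SWEEPS)):
        print(f"{b['freq_hz'] / 1e6:.5f} MHz  {b['start']:%H:%M:%S}  "
              f"{b['duration_s']:.0f} s  peak {b['peak_db']:.1f} dB")
```

The min_sweeps filter is the trade-off described above: raising it suppresses noise spikes, but a burst shorter than min_sweeps sweep intervals is then missed, so the sweep rate must be faster than the bursts being hunted (the 13-second BPSK-250 burst measured in the tests would be caught comfortably at one sweep per second; a sub-second burst would not).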
Another possible solution for LE/CI is to enlist the help of amateur radio operators. Such approaches have been used before, notably in the UK where the Radio Security Service (RSS) was used during WWII and the Government Communications Voluntary Radio Service (GCVRS) during the early Cold War (Christensen, Citation2021). These were staffed by amateur radio enthusiasts who used their own equipment to provide expanded coverage to detect illicit transmissions. However, such a solution would require the creation of an entire structure and system for managing this kind of decentralised surveillance effort.
Conclusions
This paper covers three aspects of clandestine communications:
observations
logical assumptions based on observations
hypothetical developments based on available technology.
1. Observations
As stated above, state actors are currently using numbers stations operating in three different modes (voice, Morse and digital). This activity is carried out on a daily basis (a total of a hundred such transmissions per day from a number of different stations is not uncommon). This implies that one-way communications using radio is still a viable solution for avoiding internet-based surveillance measures. Voice and Morse transmissions can be received and decrypted without any use of a computer (although the latter does require some training on behalf of the user). Digital modes require a computer to decode before they can be decrypted. Unlike during the Cold War, specialised equipment is no longer necessary to decode digital transmissions. A commercial USB dongle and antenna in combination with software on a regular computer is sufficient.
2. Logical assumptions based on observations
Radio transmissions are used for clandestine communications to this day, as evidenced by the activity of numbers stations. The users may or may not be using specialized equipment to receive and decode these transmissions. The main difference compared to traditional numbers stations is that these transmissions are now also frequently using digital modes. The observations made by the authors only prove the existence of one-way transmissions, which may or may not be combined with other means of communication (such as visual or physical confirmation signals, as outlined above). The sheer volume of these transmissions (i.e. the number of currently active stations and the regularity of their activity) indicates that they are being actively used.
Since the technical knowledge required to develop and implement such procedures is fairly widespread, all it would take is for a qualified criminal organisation with enough resources to buy this kind of technical support from a licensed radio amateur or someone else with similar skills.
3. Hypothetical developments
As demonstrated in this article by the tests carried out by the authors, commercially available radio equipment can be used together with regular (non-networked) computers to achieve capabilities previously reserved for specialised clandestine communications equipment. This includes digital encoding and burst transmission capabilities to make detection and localisation more difficult. The small size of contemporary radio transceivers makes it relatively easy to use them even while they are concealed. Using somewhat larger and more powerful transceivers would also allow users to communicate over significant ranges. Less advanced users can still use CB transceivers and ‘world-radio' receivers for medium-range communications around 10 km, in combination with code words or by playing songs according to a code scheme to convey information.
The above outlined options for counter-signals intelligence (C-SIGINT) all include trade-offs between security and convenience. The more complicated the solution, the more time-consuming the training of the users will be. On the other hand, C-SIGINT can be tailored in relation to the capabilities of the adversary. For organised crime trying to evade local law enforcement, it will likely be significantly easier to avoid detection than for sources trying to evade counterintelligence officers in a denied area.
Implications for research and training in intelligence analysis
Researchers in intelligence analysis rarely have a technical background and thus are less aware of how clandestine communications actually work, and what kind of opportunities exist today as a result of technological developments. Thus, there is a risk that researchers become too focused on internet-based communication and surveillance, which may result in them drawing conclusions that fail to take other modes of communication into account. In particular, the difficulties associated with contemporary human intelligence (HUMINT) may be overstated.
For those involved in training intelligence analysts, it remains important to encourage thinking ‘outside of the box’, and an open mind to new developments (in particular new developments that combine legacy solutions with contemporary technology may be difficult to identify). This article aims to provide trainers with a set of indicators to be on the lookout for, which may be conveyed to relevant practitioners during training. These include short-wave radio receivers, amateur radio transceivers, CB transceivers, portable VHF radios, USB sound cards, 3.5 and 2.5 mm audio cables and amateur radio software (Fldigi or similar encoding/decoding software used for digital traffic).