From the October 2019 issue of Silicon Chip.
A BRIEF HISTORY OF CYBER ESPIONAGE AND CYBER WEAPONS
Part 2 – electronic devices for spying and surveillance
by Dr David Maddison
Last month, we described many ‘side-channel attacks’
which can take advantage of the vulnerabilities in
electronic devices (eg, unwanted electromagnetic,
visible or acoustic emissions). These can be used by third
parties to extract information that they are not supposed
to have access to.
We also had a section describing scenarios (real or theoretical) where hardware can or has been modified to make
it easier to ‘hack’ and extract secret information.
This month, we’ll cover the remaining electronic espionage techniques, primarily methods for eavesdropping,
secretly recording video or extracting information from secure systems. Again, we will start with the earliest known
techniques, although many of those described below are
general techniques with their use spanning many decades.
ELECTRONIC BUGGING AND
SPYING TECHNIQUES
Interception of telegraph communications
Possibly the earliest use of military eavesdropping is from 1862. During the US Civil War, President Abraham Lincoln agreed to a request from his Secretary of War, Edwin M. Stanton, to allow rerouting of telegraph lines through his office.
This let him intercept vast amounts of personal, journalistic and government information. The telegraph system back then was a bit like the internet today.
Fig.20: Léon Theremin (1896-1993) at work on one of his electronic devices. See SILICON CHIP, January 2018 (siliconchip.com.au/Article/10931) for details on the musical instrument he invented, also using radio principles.
Léon Theremin’s infrared microphone
Russian Lev Termen (or Léon Theremin, as he was known
in the west) invented the precursor to the laser microphone
some time between 1938 and 1947 (see Fig.20).
His device used an infrared beam and was called the
Buran. It was capable of listening to conversations at a
much greater distance than usual.
He invented it for the NKVD (KGB) after being removed
from a labour camp for counter-revolutionaries and was
forced to work for them in a secret laboratory. He also invented “The Thing”, a microwave microphone which was
first used in 1945.
Theremin’s “The Thing” (US Embassy, Moscow)
“The Thing” was an ingenious invention by Léon Theremin; a bugging device found in the US Embassy in Moscow. It was a gift from the Soviets to the USA in the form of a carved timber Great Seal of the United States.
Such was the genius of Theremin, it was in operation from 1945 until it was accidentally discovered in 1952. A passive device, it required no power to operate (see Figs.21-23).
It was a passive cavity resonator that obtained its power from outside via illumination with microwaves at 330MHz. There were no electronic components. The working parts comprised a resonating metal membrane, a mushroom-shaped disc against which the resonating membrane was capacitively coupled, a silver-plated high-Q (high gain) cavity, a tuning device, and an antenna.
In essence, audio caused the membrane to move as in a standard microphone, and this modulated the radio waves that were illuminating the device. Specific details as to how the device worked can be found at: siliconchip.com.au/link/aass
Fig.21: an exploded diagram showing how the bug in “The Thing” worked. It was hidden inside the Great Seal.
Fig.22: a cross-section of “The Thing” from the book “CIA Special Weapons & Equipment: Spy Devices of the Cold War”.
Fig.23: one of the most famous (infamous?) bugs ever made: Léon Theremin’s “The Thing”, a gift from the Soviet Union to the United States for their embassy in Moscow. The intricate US Great Seal actually concealed a listening device and was in use from 1945 until its discovery in 1952. This museum replica version can be opened to reveal the bug inside.
In 1951, a British radio operator monitoring the Soviet
Air Force from the British Embassy in Moscow heard the
voice of the British Air Attaché, but could not find the bug.
In 1952, a US radio operator picked up a conversation that
appeared to come from the US Embassy and then the bug
was discovered.
The CIA and FBI initially had no idea how the bug worked and it took British Marconi employee Peter Wright to figure it out. He spent many hours of his own time to work it out, as recounted in the book “Spycatcher”. See the video titled “UN Spy Debate, Reds ‘Bugged’ American Embassy 1960/5/27” at: siliconchip.com.au/link/aast
Animals with electronic bugs
In the early 1960s, the US CIA spent an estimated US$10-$20 million on the “Acoustic Kitty”. This was a cat that had been surgically implanted with a transmitting device. The idea was for the cat to go close to its desired target (Soviets) and transmit their conversations (Fig.24).
The program was not a success, as the cat would not behave as required, especially when hungry. The cat in question had the equipment removed and went on to live a long and happy life. The program was cancelled in 1967 and disclosed in 2001.
Fig.24: the CIA’s “Acoustic Kitty”, showing the location of the implanted electronics. The program was not a success.
Covert connection to undersea cables
In a famous incident in the 1970s, the USA tapped into a Soviet military undersea cable. The nuclear-powered listening device used was non-invasive and employed inductive coupling to read the information travelling through the cable. It would not have been found, except for a US traitor who sold the information to the Soviets.
You can read more about “Operation Ivy Bells” in the article on Nuclear Submarines in SILICON CHIP, December 2016 at: siliconchip.com.au/Article/10459
Underwater covert intercepts can be most easily made on undersea cables at regeneration points, ie, locations that contain amplifiers and signal conditioning equipment in which the optical fibres are unbundled. However, logistically, it is still extremely difficult.
It has now been disclosed that most intercepts occur at the land termination stations of cables, with the cooperation of various governments or companies using non-invasive probes on the cable. See the section below on optical fibre tapping.
According to Amnesty International, the UK intelligence agency GCHQ (Government Communications Headquarters) has 40,000 search terms and the US NSA (National Security Agency) has 31,000 terms of interest that they look for when routinely scanning communications over cables or elsewhere.
Micro- and nano-sized aircraft
The CIA developed a remarkable device in 1970, called the Insectothopter. It was a bug (literally) that could fly to its destination, whereupon it was meant to sit and listen (see Figs.25 & 26). It used a hydrogen peroxide motor based on a fluidic oscillator (see the article on Fluidics in the August 2019 issue for more details).
Fig.25: the CIA Insectothopter from the 1970s, as displayed in the CIA museum. It was never put into service but was a remarkable achievement.
Fig.26: the carrying case and instructions for the CIA Insectothopter.
The device was the size of a dragonfly (6cm long, with a
wingspan of 9cm) and had a flight time of 60 seconds and
a range of 200m. The launch weight was one gram and the
device was made by a watchmaker.
But it was found to be unable to withstand even the most
minor crosswind, so the project was abandoned.
The audio data it would have collected was transmitted
via a laser beam. The same laser beam that was used for
audio transmission was also directed at a bimetallic strip
in the tail for guidance. While there is little information
on the source of this laser, one assumes that it was external to the device and that audio was returned via the laser
bouncing off the device, modulating the beam with audio
(like a laser microphone).
For more information, see the videos titled “Official CIA video ‘Insectothopter: The Bug-Carrying Bug’” at: siliconchip.com.au/link/aasu and “The Insectothopter: The CIA’s dragonfly spy drone from the 1970s” at: siliconchip.com.au/link/aasv
A more modern take on this idea is the Black Hornet
Nano (Fig.27), developed by Prox Dynamics of Norway
(now owned by USA company FLIR Systems), a nano-UAS
(unmanned aerial system) reconnaissance drone in use by
the armed forces and counter-terrorist organisations of the
United States, France, the United Kingdom, Germany, Australia, Norway, the Netherlands and India.
This UAS weighs 18g, can fly at a speed up to 18km/h up to
1500m from the controller and can fly for 20-25 minutes and
transmit live video, or still images, including night vision.
There is a later version of the device in use by the USA, the Black Hornet III, with more advanced video and other capabilities which weighs 32g, with a range of 2000m and a speed of 20-25km/h.
The Nano is extremely expensive, at US$190,000 per kit! For more details, see the video titled “Introducing the FLIR Black Hornet 3” at: siliconchip.com.au/link/aasw
Fig.27: an Australian Army soldier with a PD-100 Black Hornet Nano.
Fig.28: this widely-circulated picture is said to be of a “mosquito drone” that can take a DNA sample from a person or leave an RFID device on their skin. While similar devices will almost certainly be available one day, this photo was a conceptual mock-up only, not a real device.
Buildings bugged during construction
When a new US Embassy was to be built in Moscow, starting in 1979, American negotiators made the colossal mistake of allowing the Soviets to design and build it.
Despite early warnings by US experts about possible or likely bugging, work continued even though the construction work being done was of low quality and plagued with problems.
Starting in 1982, the building was inspected using X-ray and other techniques, and it was found to be riddled with eavesdropping devices and cables built into the structure, including resonating devices that could work indefinitely for years without their own power (as used in “The Thing”, described earlier).
There were also many decoy devices.
By 1985, it was becoming apparent that the listening devices couldn’t be easily removed and in 1987, it was decided to demolish most of the new building.
It wasn’t until 2000 that the matter was fully resolved and a new section of the building designed for classified work was completed. See the video titled “27th October 1988: Ronald Reagan halts construction of the Moscow embassy” at: siliconchip.com.au/link/aasx
In 1995, the ABC and the Sydney Morning Herald revealed that in a joint Australian/US operation, optic fibre bugging devices of an unspecified nature had been installed during the construction of the Chinese Embassy in Canberra in the 1980s. It seems the Chinese returned the favour when they allegedly stole the plans for the new ASIO headquarters.
Theft of building plans
In May 2013, it was claimed on ABC’s Four Corners program that ASIO’s new headquarters in Canberra, under construction at the time, was compromised due to computer hackers of Chinese origin stealing plans for the building. This included details of communications cabling, server locations, floor plans and security systems.
These claims were denied by Government spokesmen at the time, but the opening of the building was delayed nevertheless, and Four Corners stuck to its story and the credibility of its source. The original ABC Four Corners program, “Hacked!”, can be seen here: siliconchip.com.au/link/aasy
Theft of intellectual property and military information
Of course, there are numerous examples of the theft of intellectual property and military information. Here is one example: Adelaide company Codan (https://codan.com.au/) make metal detectors and a wide variety of other high-quality equipment including secure radios for the Australian military and our allies.
They had their computers hacked and their intellectual property stolen. The attack apparently involved Chinese hackers who gained access to an executive’s laptop after he logged into a hotel WiFi system in China.
They inserted malware specifically designed to target the company’s files when the executive returned to Australia. The hackers used the stolen files to make cheap counterfeit copies of their metal detectors, which were sold in Africa.
Further information on this hack is available in the same Four Corners video linked above.
Stuxnet
Stuxnet was a malicious computer worm and cyberweapon that was responsible for the partial destruction of Iran’s nuclear weapons program in 2010. It was installed on the target computer systems by breaching the “air gap” of the non-network connected systems via an infected USB memory device. The worm worked as follows:
It installed itself in the Windows operating system as a ‘rootkit’. This is a malicious program that gets unauthorised access to parts of the operating system that are not usually allowed by normal programs.
This would typically be detected and prohibited, but it installed itself undetected using the stolen private security keys from two highly-trusted companies that write software for Windows. Thus, there were no alarms.
Fig.29: a sample of the Stuxnet code.
Fig.31: the industry-standard
Sennheiser MKH 416-P48U3, an example
of a shotgun microphone for directional audio
pickup (although not explicitly intended for espionage).
Note the phase-interference slots along the sides.
Fig.30: a Google Earth image of the bin Laden compound. It
attracted attention because of its absence of communications
devices or connections, compared to its neighbours.
Once Stuxnet was installed, it gained access to the PLCs
or programmable logic controllers which were connected
to the computer and used to control the uranium centrifuges for making weapons-grade uranium.
It then changed the program libraries in the PLCs in a
way that if the legitimate operator attempted to change any
routine, they would think they had done so, but Stuxnet
would continue to operate in the way intended.
This meant that no one could tell that anything was
wrong. The new program libraries also prohibited any attempt to read or delete the Stuxnet code, even if it was
detected.
Stuxnet sat silently on infected systems for about 30 days,
gathering information and preparing for the final attack. It
allowed the regular code to run on the PLCs most of the
time, but occasionally changed the code. This slow, subtle operation meant that as far as the user was concerned,
the system was operating more or less normally, but with
a higher number of breakdowns than usual.
Stuxnet destroyed machinery by altering both the speed
and pressure of over 5000 uranium centrifuges. Centrifuges
which typically operated at constant speed were made to
alternately run very fast and then very slow, which interfered with the uranium separation process and also caused
long-term damage to the machines.
Stuxnet also caused some pressure relief valves of the
centrifuges to remain closed when they should have been
open, causing dangerous and destructive over-pressures.
The Iranians suspected nothing until a large number of
machines (about 1000) had been destroyed.
For those interested, the Stuxnet code can be viewed at:
siliconchip.com.au/link/aasz (a snippet is shown in Fig.29).
An analysis of how the worm works is at: siliconchip.com.au/link/aasz
Catching Osama bin Laden
The ex-terrorist Osama bin Laden was extremely paranoid about being bugged or tracked by electronic devices
and therefore he did not even wear an electronic watch or
use a mobile or satellite phone.
Apart from reports from people “in the field”, one of
the things that eventually gave away his location was his
“presence by absence”. In an area of mansions and wealthy
homes, his compound was notable for its lack of telephone
and internet service (see Fig.30).
Bin Laden is even known to have been concerned that
one of his wives might have had a bug implanted in her
tooth after a visit to the dentist. But ironically, in the end
it wasn’t a bug that led to his downfall, it was his extreme
paranoia about . . . bugs!
Acoustic microphones
Conversations can be recorded at a distance with an appropriate microphone. Apart from common uses such as
recording bird calls, a parabolic dish microphone can be
used to record conversations from afar.
But they have poor low-frequency response due to their relatively small size compared with the wavelengths of typical speech. Acoustic array, shotgun (Fig.31) or phased array (Fig.32) microphones are alternatives.
Shotgun microphones consist of a long tube where sounds from the intended target arrive directly at the microphone element and unwanted, off-axis sounds are absorbed in the sides of the tube by phase-interference slots. See the educational video on using a shotgun microphone titled “How To Record Audio - Shotgun Microphone” at: siliconchip.com.au/link/aat0
Microscopic microphones, like the one shown in Fig.33, can be easily hidden. See the section on Bugs below for more details on hidden microphones.
Fig.32: the AMPFLAB (http://ampflab.com/) X64ACS phased-array microphone comprising 64 separate microphones. It is 38cm x 26cm and is claimed to receive human speech at ranges of up to 150m (or greater) without background noise. It has a noiseless acoustic gain of 26dB at 1kHz.
Fig.33: this 2015 photo is from a company that specialises in ‘tear-downs’ of commercial devices for industrial competitors. It shows the Cirrus Logic WM1706 MEMS (micro-electromechanical system) microphone and associated circuitry for use in portable devices such as phones. It would be suitable for espionage devices due to its small size.
Laser microphones
A laser microphone or laser-based listening system is an audio eavesdropping device that uses a laser beam which is directed onto a rigid vibrating object, such as a window pane, at the target location. The audio modulates the reflected beam, which is picked up and converted back to sound at the remote site (see Figs.34 & 35).
Fig.34: the commercially-available EMAX-3100 remote laser audio monitoring system showing the laser, receiver and computer.
Fig.35: a typical usage scenario for a laser microphone.
The concept was developed by Léon Theremin who
used an infrared beam (as mentioned above), before lasers
were invented. The system can be defeated by attaching a
transducer to a window pane to play music or other noise,
masking the conversation, or by playing noise or music in
the room to be protected.
The system can be ineffective with rain and snow, and
the beam from the laser is detectable. These systems were
very popular in the 1980s and 1990s, but less so now with
the multitude of other espionage options available.
Bugs
The bugs available, both commercial and
home-built, are too numerous to list, but here are a few
common examples. Of course, we don’t know much about
the bugs used by government intelligence agencies, but
they would be at least as capable as these, probably much
more so.
Many bugs now also have a SIM card to connect to the mobile phone network, so it is not necessary to receive any direct radio transmission from the device. It is only necessary to dial into the device from anywhere to hear what’s going on, subject to enough battery power or a permanent power connection.
Fig.36: this is claimed to be the world’s smallest UHF FM bug, which transmits at 420MHz with a claimed range of 250-300m. It is 15mm in diameter and 5mm thick, including its CR1220 battery, and has a working time of 5-10 hours. The antenna is 10cm long, and it is available on eBay for about $75.
Fig.37: the EDIC Mini Tiny+ A77 is a voice recording device that can record continuously for 55 hours and can be activated by a switch, voice activation or by a programmed schedule. It is of Russian origin. One online seller lists it for US$339.
Fig.38: an example of a “Mini GPS Tracker” widely available on eBay, intended to track children and pets. But it could be used to track anything or anyone of interest. A SIM card is put in the device and audio near the device can be heard remotely, plus its location tracked. It can be remotely operated by another phone and is claimed to have a standby time of 12 days and a working time of 4-6 days. This particular example was on eBay for UK£14.99.
Fig.39: a bug with its own SIM card, to connect to a mobile phone network, hidden in a plugpack.
Figs.36-40 show five very capable and readily available
bugs. Some of them are quite cheap, while others are definitely not (but are very capable).
Bugging the personal possessions of a target is a common espionage method, and bugs have been installed in
just about anything you can imagine, including shoes. In
1995, two crooked NSW police officers were famously caught
pocketing bribes on a camera hidden in their car dashboard.
See: siliconchip.com.au/link/aat1
In a more recent case, last year, a drug dealer was arrested after a hidden camera in his apartment proved that
he was selling cocaine. See: siliconchip.com.au/link/aat2
To prove that this sort of bugging is nothing new, here’s an
article from the March 1964 issue of Time magazine about
bugging, including video and audio feeds: siliconchip.com.au/link/aat3
Bug detectors
There are very many bug detectors on the market, from
very cheap to very expensive (see Fig.41 for one readily
available example).
Apart from visual inspections, bugs are typically found
by detecting RF emissions (if the bug transmits) or by detecting reflections from camera lenses.
The problem with RF emissions is that the RF spectrum is very busy these days, and it is not always easy to
determine whether detected transmissions are legitimate
or not. Also, such devices will not detect recording bugs.
Non-linear junction detectors (described last month) can
detect the presence of electronic devices, but these can be
easily defeated, as is done in professional bugs.
Fig.40: an 800-line
colour CCTV camera
with audio, disguised as a screw,
found on eBay for under AU$20 delivered.
Fig.41: a consumer-grade RF and
video camera bug detector, this
one available from Jaycar. Most
simply detect RF emissions given
off by bugs; the problem is that
more “professional” bugs do not!
We expect that professional bugs would also incorporate
measures against the latest detection technologies.
Key loggers (hardware)
Besides malware (ie, surreptitiously installed software
with bad intentions), there are numerous hardware USB
key logging devices available. These plug into a computer’s
USB port, internal or external. An external device may not
be noticed if it is at the back of a desktop machine.
These devices log the user’s keystrokes (with time stamp if desired), and the data can be retrieved by physically removing the device. Some devices can be accessed via WiFi; some are stealth devices disguised as regular cables, Ethernet connectors, keyboard connectors or RS-232 devices.
Some can even emulate the slight movement of a mouse
to prevent the computer from going to sleep, presumably
to keep the computer susceptible to other forms of attack.
Optical fibre tapping
Fibre tapping or interception of optical fibre communications is another category of cable interception. Contrary
to popular belief, if a fibre optic cable is physically accessible, it is relatively easy to intercept communications carried within it if they are unencrypted (or encrypted and the
interested party has the tools to decrypt them).
This type of interception will probably never be detected unless someone is specifically looking for some small
amount of signal attenuation on the fibre.
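The attenuation check mentioned above, sketched as an added example that is not part of the original article: a bend tap leaking about 1% of the light (the figure given in the Fig.42 caption) adds only about 0.04dB of loss, so an ordinary link alarm never fires, while a cumulative-sum test on logged receive power does. The power levels, jitter, thresholds and function names are constructed assumptions for illustration.

```python
import math
import random


def tap_loss_db(fraction_leaked):
    """Extra loss (dB) at the receiver when a fraction of the light is diverted."""
    return -10.0 * math.log10(1.0 - fraction_leaked)


def make_readings(n, tap_at=None, nominal_dbm=-7.20, noise_db=0.03,
                  leak=0.01, seed=2019):
    """Constructed receive-power samples in dBm (not real measurements).

    Each sample is the nominal level plus uniform jitter of +/- noise_db.
    From index tap_at onward, the loss of a tap leaking `leak` is subtracted.
    """
    rng = random.Random(seed)
    step = tap_loss_db(leak)
    readings = []
    for i in range(n):
        power = nominal_dbm + rng.uniform(-noise_db, noise_db)
        if tap_at is not None and i >= tap_at:
            power -= step
        readings.append(power)
    return readings


def _baseline(readings_dbm, baseline_n):
    """Mean of the first baseline_n samples, taken as the known-good level."""
    if len(readings_dbm) <= baseline_n:
        raise ValueError("need more samples than the baseline window")
    return sum(readings_dbm[:baseline_n]) / baseline_n


def fixed_threshold_alarm(readings_dbm, baseline_n=100, limit_db=0.5):
    """Conventional link alarm: fire when one sample drops limit_db below baseline.

    Returns the index of the first alarm, or None.
    """
    base = _baseline(readings_dbm, baseline_n)
    for i in range(baseline_n, len(readings_dbm)):
        if base - readings_dbm[i] > limit_db:
            return i
    return None


def cusum_loss_alarm(readings_dbm, baseline_n=100, slack_db=0.02, alarm_db=0.15):
    """One-sided CUSUM looking for a small but persistent drop in power.

    slack_db is about half the step we want to catch: ordinary jitter is
    pulled back towards zero, while a lasting loss accumulates sample after
    sample until it crosses alarm_db. Returns the first alarm index or None.
    """
    base = _baseline(readings_dbm, baseline_n)
    cusum = 0.0
    for i in range(baseline_n, len(readings_dbm)):
        drop = base - readings_dbm[i]          # positive when power is lower
        cusum = max(0.0, cusum + drop - slack_db)
        if cusum > alarm_db:
            return i
    return None


if __name__ == "__main__":
    clean = make_readings(600)
    tapped = make_readings(600, tap_at=400)    # constructed: tap fitted at sample 400
    print("loss from a 1%% leak: %.4f dB" % tap_loss_db(0.01))
    print("fixed 0.5 dB alarm on tapped link:", fixed_threshold_alarm(tapped))
    print("CUSUM alarm on clean link:", cusum_loss_alarm(clean))
    print("CUSUM alarm on tapped link:", cusum_loss_alarm(tapped))
```

In practice the baseline has to be re-learned after legitimate maintenance, and slow temperature drift needs its own compensation before a step this small stands out.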
Note that one would need a sufficient amount of cable slack and be able to open the cable jacket without damaging any of the fibres contained therein. This requires a bit of skill and good luck.
The intercepted data can then be examined with a network traffic analyser like Wireshark (www.wireshark.org).
See Figs.42&43 and the video titled “How to Hack an Optical Fiber.wmv” at: siliconchip.com.au/link/aat4
One example of a significant optical fibre tapping facility is room 641A at the SBC Communications building at 611 Folsom Street, San Francisco.
This room is fed by fibre-optic lines connected via beamsplitters to major Internet backbone networks and therefore has “the capability to enable surveillance and analysis of Internet content on a massive scale, including both overseas and purely domestic traffic” (see Fig.45).
As of 2006, it was believed to contain a NarusInsight supercomputer which can analyse internet data streams and track individual users to determine what they are doing, including checking the content of emails and messages. It can also make associations between users who visit certain websites and/or use certain words or phrases in their emails or messages.
It can monitor the combined traffic of several million broadband users and the software can store their internet activity for later analysis. Note, that was in 2006 and revealed only due to an Electronic Frontier Foundation lawsuit. One wonders what the capability is today!
Fig.42: a means by which optical fibres are non-invasively tapped. The cladding is exposed, a partial loop is created and a small amount of light leaks from the loop (1%), which is then read by a photo-detector and appropriate software.
Fig.43: the commercially-available FOD 5503 non-invasive clip-on coupler for bi-directional coupling into 25-micron coated single-mode fibres. It has legitimate purposes for testing, cable identification and linking into cables where no termination is available but could also be used for espionage.
Spy Museums
The International Spy Museum in Washington, DC, is well worth a visit (www.spymuseum.org).
The CIA has its own museum, although it is not open to the public. It can, however, be experienced online at: siliconchip.com.au/link/aat9
The US NSA also has a National Cryptologic Museum located in Maryland. See: siliconchip.com.au/link/aata
Spyscape is a private museum in New York City (https://spyscape.com/).
Other spy museums are listed at: siliconchip.com.au/link/aatb
Sadly, Australia appears to have no espionage-related museums.
DIY Spy
Here are some DIY ideas to demonstrate some general espionage techniques.
Note that ‘spying’ on someone without their permission is almost certainly illegal in all cases, so only test these ideas with the full permission, knowledge and cooperation of the subject(s).
As for the use of any type of transmitter without the appropriate license, you would have to establish the legality for yourself, although compliant low-power FM transmitters for in-car or in-house use and the like are readily available from major Australian retailers.
• Build the “Sooper Snooper” parabolic dish microphone, described in SILICON CHIP, September 2001 (siliconchip.com.au/Article/4152).
• See the distribution of WiFi points in an area and map them, as explained in the video titled “Building a Camera That Can See Wifi | Part 3 SUCCESS!” at: siliconchip.com.au/link/aatc
• “See” through walls with a commercially available device, and also detect motion on the other side of the wall. See the video titled “How To Use Your Smartphone to See Through Walls! Superman’s X-ray Vision Challenge” at: siliconchip.com.au/link/aatd
• Build a bug using the instructions in the video titled “Let’s build the world’s smallest Surveillance Spy Bug.” at: siliconchip.com.au/link/aate
• You can buy the world’s smallest consumer FPV (first person view) live streaming HD drone, the VIDIUS by Aerix. It can surveil an area of interest, with video transmitted back to the user. It is 4.3 x 4.3 x 2.5cm in size with a battery life of around five minutes. See the video titled “Smallest FPV drone VIDIUS - World’s Smallest FPV Drone by Aerix Drones” at: siliconchip.com.au/link/aatf
• Build a device which claims to detect if the microphone in your smartphone has been activated by an unauthorised party. See the video titled “Make your own smartphone spy detector for less than 10$ !!” at: siliconchip.com.au/link/aatg
• Use your computer monitor and a radio to play music, demonstrating how hardware can be used for purposes that it was never designed for, to breach an “air gap”. See: siliconchip.com.au/link/aath and the video at: siliconchip.com.au/link/aati
• Build your own laser microphone, using the instructions at siliconchip.com.au/link/aatj or siliconchip.com.au/link/aatk
• Also see the videos titled “Fast Hacks #6 - Laser Spy Microphone” at: siliconchip.com.au/link/aatl and “Laser Spy PhotoResistor test” at: siliconchip.com.au/link/aatm
• Browse the large archive of material on passive resonant cavity devices at the following link, including quotes from “Spycatcher”: siliconchip.com.au/link/aatn
Range-R through-wall radar
The Range-R from L3 Technologies (Fig.46) is a through-wall radar for police and military use that can detect the range and number of people behind a solid non-metallic wall. It does not show images of people, but is akin to an advanced wall-stud finder that indicates the number of people and their range, and even their rate of breathing, from behind a brick or concrete wall.
It uses the Doppler effect to sense motion, stepped-frequency continuous-wave radar technology and proprietary target detection algorithms. It is said to be in use by 50 US police departments and has raised legal controversy about its warrantless use. See the video titled “Police surveillance: Privacy invading Range-R radar gives cops ability to ‘see’ through walls” at: siliconchip.com.au/link/aat5
Using WiFi signals for through-wall imaging
Researchers at the Computer Science and Artificial Intelligence Laboratory (CSAIL) at the Massachusetts Institute of Technology (MIT) have been able to use WiFi-like
signals to observe people through plasterboard (‘Gyprock’)
walls, although the imagery is very blob-like – see Fig.44.
They have used artificial intelligence to turn the resulting blobs into stick figures resembling a person. See the video titled “AI Senses People Through Walls” at: siliconchip.com.au/link/aat6 and “Seeing through walls - MIT’s Lincoln Laboratory” at: siliconchip.com.au/link/aat7
Researchers at CSAIL have also produced human-like imagery through walls. They used a system with 13 transmitting antennas and eight receiving antennas operating in the S-band (2-4GHz) to image people on the other side of solid concrete walls at 10.4 frames per second.
The system is described as an ultra-wideband multiple-input multiple-output (MIMO) phased array radar. The RF received from the target is only 0.0025% of the transmitted signal, and the range of the system is about 20m from the wall. An application of this is for military or intelligence use to see the number and location of individuals in a building.
See Fig.47 and the video titled “Capturing a Human Figure Through a Wall using RF Signals” at: siliconchip.com.au/link/aat8
Fig.44: the results of through-wall imaging in the S-band by the MIT Lincoln Lab system. Even though the images don’t resemble actual people, they can be used to determine the number and location of those present.
Fig.45: Room 641A at the SBC Communications building at 611 Folsom Street, San Francisco. It is a 7.3m x 14.6m facility run by the US National Security Agency and is fed by fibre-optic lines connected via beam-splitters to major Internet backbone networks. Image credit: Mark Klein, Creative Commons Attribution-Share Alike 3.0 Unported License.
Fig.46: the Range-R through-wall hand-held radar unit
Fig.47: here, CSAIL researchers are demonstrating detecting the location and movement of people through plaster walls using 2.4GHz radar.
Jack Hack in a Box: Warshipping, where the packaging IS the spy!
As we went to press, a report appeared on the Ars
Technica website (www.arstechnica.com) about a new
development in industrial espionage: “warshipping”.
You’d probably be aware of the term “WarDriving”
where people drive around searching for vulnerable
WiFi networks they can tap into.
Warshipping is different: it involves hiding the search
device inside packaging that is legitimately being delivered to a target.
Not just in the box, it’s actually built inside the cardboard walls of the package. Hidden circuitry (much of it
off-the-shelf) is secreted which will find vulnerabilities
in the target’s wireless network, hack into them then
start transmitting secrets using, for example, a built-in
cellular phone modem.
Many organisations have very strict rules about
bringing mobile phones onto their premises in order
to maintain tight security. But those same companies
wouldn’t think twice about a courier turning up with
a delivery for Mr ….......
It goes to show just how much trouble people will
go to when they believe the information they seek is
worth the effort!
Using less than $100 worth of gear—including a
Raspberry Pi Zero W, a small battery, and a cellular modem—IBM’s X-Force Red team assembled a mobile attack platform that fit neatly within a cardboard spacer
they dropped into a shipping box. It could also be embedded in objects such as a stuffed animal or a plaque.
X-Force head Charles Henderson noted: “The thing
that’s cool about this is, this is the wall of the box. It
can be easily built into the cardboard. If you get a phone
shipped to you, you’re suspicious of it.”
But no-one would (at least until now!) be suspicious
of the box that phone came in. Or in a myriad of other
devices – even things like WiFi routers or wall-mounted power supplies with “hidden extras.”
Even companies who routinely open and inspect deliveries can be (and have been) tricked into accepting a
warshipping package. Even if they thoroughly examine
the contents, they don’t suspect the box itself!
There’s a lot more information in the Ars Technica
story – it’s well worth a read.
You can get to it via siliconchip.com.au/link/aauz
Actual warshipping components
secreted inside a cardboard shipping container. Add
the solar panel at right and the system will keep on
sending information as long as it’s not discovered.