Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site hydra.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!cybvax0!frog!hydra!die
From: d...@hydra.UUCP (Dave Emery)
Newsgroups: net.ham-radio,net.dcom,net.video
Subject: Listen to phone calls on your tvro
Message-ID: <125@hydra.UUCP>
Date: Tue, 3-Sep-85 00:05:37 EDT
Article-I.D.: hydra.125
Posted: Tue Sep 3 00:05:37 1985
Date-Received: Wed, 4-Sep-85 06:50:06 EDT
Distribution: net
Organization: Charles River Data Systems, Framingham MA
Lines: 328

Yes it is possible, and not even very difficult. Some years ago it was pointed out that 68 percent of long distance telephone trunks went by ground based microwave. And while the long distance carriers have been working (under some pressure from the NSA and White House) to convert these circuits to optical fibers or at least coaxial cable, there are still many routes that use microwave or satellite hops. I don't know an exact figure but I think it would be reasonable to guess that at least 40-50 percent of long distance trunks include a microwave or satellite hop. And some 75% (approx) of long haul microwave relays use the 3.7-4.2 GHz band, which is readily receivable by a TVRO.

Most long haul microwave systems use FM modulation and frequency division multiplexing (FDM) of single sideband suppressed carrier voice channels. Some satellite systems also use this modulation. Unfortunately FM-FDM-SSB modulation is quite easy to receive with simple and widely available equipment. Recovering the contents of a specific channel is very easy, which opens up the possibility of monitoring random phone calls to a specific group of destinations or monitoring specific private line data or voice circuits (which are assigned to a multiplex slot for long periods of time).

The question of whether a TVRO could be used to monitor phone conversations has been raised on the net.
The answer is that with the addition of a stable general coverage single sideband receiver (such as an ICOM R-71 or a Kenwood R-2000 or the receiver section of a modern transceiver) connected to the unfiltered and unclamped video output (provided for connecting stereo adapters and descramblers), a TVRO can be used to listen to FM-FDM multiplexed telephone signals from both celestial and ground based sources. Further, with a stable block down converter that converts to the UHF TV band and one of the scanner type receivers designed to cover this band, one can also receive some of the single channel per carrier (SCPC) signals that carry telephone circuits to more remote places (along with network radio feeds, Muzak, and various broadcast data services such as the AP and UPI news services). (Some signals are dithered and require some form of closed loop AFC to receive them.)

This vulnerability has been well known in security circles for many years, but as the number of TVRO systems has increased to over a million, the problem assumes a somewhat different perspective. In 1976 Mitre estimated that it would cost $50,000+ to intercept microwave telephone calls, and would require a 10 foot dish. In that era a 10 foot dish would attract much attention. Today one can buy a TVRO system with a 75 K noise temperature LNA and an 8-12 foot dish for $1000-1500, and almost nobody will give the system a second glance as TVROs are commonplace. A 75 K LNA beats the 10-12 dB noise figure receiver that Mitre based its calculations on by a very substantial amount. And the current generation of computer controllable general coverage SSB receivers is a much cheaper demultiplexing device than the synthesizer and selective voltmeter that seemed necessary in 1976.

The existence of all these millions of receivers that can pick up both celestial and ground based telephone circuits means that one should not presume that a long distance telephone call is private.
And more important (because they are much easier to find in FDM complexes), nobody should assume that a private leased line is secure unless the long distance carrier has specially routed it via lightwave (much more secure) or coaxial cable (somewhat more secure) for its entire path. (Obviously conventional (and highly illegal) wiretaps also have to be considered if there is some reason to believe that some individual or organization has a strong enough reason to be interested in your communications.)

Background

Communications satellites carry telephone traffic in several formats. The principal formats are:

Multi channel systems

1. FDMA - PSK - TDM - PCM. Used on a number of transponders on 4 and 12 GHz satellites. Heavily used by private business for tie lines and other leased line services, sometimes mixed with data. Quite secure if encrypted. Not easily intercepted by private individuals.

2. TDMA - PSK - TDM - PCM. Used on SBS (12 GHz) satellites as the principal access technique. Therefore SBS Skyline service and some MCI service (they are now both owned by IBM) is protected this way. Used also on some 4 GHz transponders. Very difficult for private individuals to intercept even if not encrypted. Some circuits encrypted, some not. TDMA is felt to be the heavy use satellite access technique of the future as it offers very efficient use of transponder power and dynamic allocation of system capacity to those links which are currently active. When combined with encryption it is quite secure.

3. FDMA - FM - FDM - SSB. Standard modulation used on almost all terrestrial long haul telephone microwave circuits. Used on several 4 GHz domsat transponders and most multi channel Intelsat links. Wideband FM-FDM signals can be readily received by standard TVRO receivers, and an individual channel can be easily picked out of the multiplex signal with a garden variety general coverage SSB communications receiver. Very easy for private individuals to intercept.

4. CDMA - TDM - PCM, otherwise known as spread spectrum. CDMA or spread spectrum techniques are widely used on military satcom links because of their security and resistance to jamming. As far as I know the only commercial satcom use of such techniques is by Equatorial Communications to broadcast data streams to small (2-3 foot) dishes. Intercepting and decoding military spread spectrum signals is presumably nearly impossible even for large well equipped intelligence agencies. Intercepting Equatorial signals is quite possible, though it is reported that they will soon encrypt all the data they transmit.

Single channel systems

5. FDMA - FM, otherwise known as SCPC - FM. Single Channel Per Carrier is used to transmit one single nbFM telephone channel between two points. A transponder carries many such FM carriers at one time. Frequencies used are often coordinated by a central station when the call is set up, and may only be used for the duration of the call. This technique is used for communications with remote places that rarely need more than a very few circuits at once. Can be relatively easily intercepted by a wide band scanner connected to a very stable block downconverter. Easy for private individuals to intercept.

6. FDMA - PCM, otherwise known as SCPC - PCM or SPADE. This technique is the international standard Intelsat method of establishing telephone connections between places that don't have enough traffic to warrant permanently assigned FDM trunks. Each direction of each telephone call is assigned a channel by the central control station. Stations transmit a PSK keyed carrier on that channel for the duration of the call. Each carrier contains one 8 kHz sampled PCM bitstream along with some error correction and synchronizing bits. As far as I know encryption is not used. The signal can be intercepted by a sophisticated individual, but intercepting it requires a very large dish as the effective radiated power per carrier is very much less than domsat SCPC carriers use.
A few domestic satcom SCPC users use PCM, probably with some form of encryption. Hard for a private individual to intercept.

7. FM - FDM - FM (subcarriers on video feeds). As most TVRO owners discover, many of the video feeds contain additional subcarriers that carry unrelated or tangentially related material. Included among these are cue and coordination channels that may occasionally carry telephone-like conversations. There are no regular telephone circuits on video subcarriers, however.

On FM-FDM-SSB

All it takes to recover FM-FDM signals is a suitable wideband FM receiver connected to a stable general coverage SSB receiver that tunes the frequency range used for the baseband. TVRO receivers have the correct bandwidth for many such signals and often incorporate provisions for IF filters that can be used to better adapt the receiver to the narrow band signals found on some transponders. And modern general coverage receivers and transceiver receiver sections with synthesized tuning, digital frequency display, and narrow IF filters are well suited to recovering the audio on a particular channel.

Listening to FM-FDM-SSB signals can be accomplished by tuning the TVRO receiver to either a satellite transponder carrying an FM-FDM signal (this may involve restricting the IF bandwidth with a filter, as some transponders carry more than one FDM-FM signal), or pointing the antenna at a nearby terrestrial microwave transmitter and tuning the receiver for maximum signal. Once the FDM-FM signal has been tuned in, the single sideband receiver can be used to search the baseband (typically 0.3 MHz to 6 or 8 MHz) for telephone conversations, data transmissions and other private line circuits. Individual channels will appear as USB or LSB signals at precise 4 kHz intervals.
In fact the whole baseband is organized into 12 channel groups, 60 channel supergroups, and 600 channel mastergroups according to a standard frequency plan (the AT&T plan, as usual, is different from the CCITT one used internationally). Most channels have completely suppressed carriers, although certain channels will seem to have a carrier in them (but slightly off frequency), which is something called a pilot tone, used to monitor circuit continuity and control overall gain. Depending on how archaic the telephone trunk equipment is on a particular trunk, it may have a 2600 Hz SF signalling tone in it when it is idle, which is dropped when the channel is in use for a call. Trunks which use SF signalling also often use MFKP (multi-frequency key-pulsing, the famous blue box version of tone dialing) to pass telephone numbers on to the destination switch. More modern trunks use CCIS (common control interoffice signalling), which replaces the earlier and less secure in band signalling with a packet network that carries all the signalling for all the trunks in a trunk route over separate signalling channels.

Obviously, a single signal usually carries only half a telephone conversation, so it is necessary to use two receivers and TVROs to pick up both sides of the call clearly. Receiving both sides of a terrestrial circuit requires a suitable location where both directions of transmission can be picked up, which usually means a site in line with the microwave path. Sometimes both directions of transmission from a repeater site can be monitored by a very nearby (less than a mile) receiver. Many telephone trunks have low enough echo return loss that both parties can be heard even when monitoring only one direction of transmission, however, so it is quite possible to listen to both sides of some conversations with only one receiver.
Both sides of a satellite FDM circuit can usually be found on the same bird, but sometimes are not, and sometimes are not even on FDM satcom at all. In general, particularly on terrestrial signals, all the channels in a 12 channel group originate and terminate at the same place. The groups and supergroups that make up a mastergroup, however, often originate from several different places. Demodulation to baseband audio is generally done as few times as possible. On a trunk or private line circuit that connects two places, the 12 channels of its group are shifted to various frequencies within the baseband of the different satellite, microwave or coaxial cable FDM signals that carry it to its destination, but at least with older multiplexing equipment the granularity of routing resolution is usually a group (occasionally half a group), and all 12 of the channels in a group usually end up demodulated to audio at the same place.

Channels within a group are assigned to various purposes. Some may carry telephone trunks, some may carry private line data, some may carry private trunks that belong to large companies, and a certain percentage are reserved for use as spares. It has long been telephone company practice to route the telephone trunks between two switching centers over several different paths to supply redundancy in the event one path fails (and also to make it harder to intercept a particular call between the two switches). This means that any given FDM group may contain trunks from several different trunk groups rather than containing all the trunks from, say, Chicago to West Bend.
On PSK TDM

The most secure technique in commercial service, and probably the technique that will predominate on satellite links in the future, is TDM-PCM (time division multiplexed pulse code modulation), either phase shift keying (usually QPSK) a continuous carrier on a transponder that may have several such carriers on it (FDMA - frequency division multiple access) or keying a single carrier that occupies the whole transponder in bursts precisely timed so as not to overlap other carriers from the other stations that share the transponder (TDMA - time division multiple access).

Telephone traffic on TDM-PCM links is sampled 8000 times a second and converted into 8 bit binary values (in a sort of floating point format called A-law or u-law companding that greatly expands the dynamic range from softest to loudest that the channel will handle). (There are other digitizing standards used on satellite phone links, but the standard T carrier D channel bank is widely used.) Some number of these channels (often 24) are combined into a high speed serial bit stream (often 1.554 Mb/s) by sending one sample from each channel in serial form as a string of 8 bits, followed by a sample from the next channel, and so forth. Sometimes this composite bit stream, or the bit stream from individual channels, is encrypted with a DES chip. Error correction and framing bits and sometimes special control channel bits are added. This digital bit stream is then scrambled (so it has more predictable transition statistics and little or no DC component) by a linear feedback shift register sequence. The resultant bit stream is used to PSK modulate a carrier which is uplinked to the satellite.

Receiving these FDMA-PSK-TDM-PCM digital transmissions requires complex RF modems, a large enough dish to get an acceptable signal to noise ratio (and BER), and often requires knowledge of the DES encryption keys used (unless you are a major intelligence agency and can break DES).
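As an added example, not from the original post: the companding step and the scrambling step of the TDM-PCM pipeline described above, in Python. The comparison against a plain 8-bit quantizer shows why companding extends the dynamic range, and running the scrambler twice shows that scrambling, unlike the DES step, is not a confidentiality measure. The LFSR polynomial and seed are illustrative assumptions, not values from any particular satellite system.

```python
import math

BIAS = 0x84      # G.711 mu-law bias (132); CLIP is the largest magnitude the code can carry
CLIP = 32635

def ulaw_encode(x: int) -> int:
    """16-bit signed PCM sample -> one mu-law byte (sign, 3-bit exponent, 4-bit mantissa)."""
    sign = 0x80 if x < 0 else 0
    x = min(abs(x), CLIP) + BIAS
    exponent = (x >> 7).bit_length() - 1        # 0..7: which power-of-two segment
    mantissa = (x >> (exponent + 3)) & 0x0F     # 4 bits of position inside that segment
    return ~(sign | (exponent << 4) | mantissa) & 0xFF   # G.711 sends the code inverted

def ulaw_decode(b: int) -> int:
    """Inverse of ulaw_encode; returns the mid-step reconstruction value."""
    b = ~b & 0xFF
    exponent, mantissa = (b >> 4) & 0x07, b & 0x0F
    mag = (((mantissa << 3) + BIAS) << exponent) - BIAS
    return -mag if b & 0x80 else mag

def linear8_roundtrip(x: int) -> int:
    """Uniform 8-bit quantizer (fixed 256-unit steps), for comparison."""
    return max(-32768, min(32767, round(x / 256) * 256))

def snr_db(quantizer, amplitude: int, n: int = 8000) -> float:
    """SNR in dB of a 1 kHz sine of the given amplitude, sampled at 8000 Hz, after quantization."""
    sig = noise = 0.0
    for i in range(n):
        x = round(amplitude * math.sin(2 * math.pi * 1000 * i / 8000))
        e = quantizer(x) - x
        sig, noise = sig + x * x, noise + e * e
    return 10 * math.log10(sig / noise) if noise else math.inf

def lfsr_scramble(data: bytes, seed: int = 0x7F) -> bytes:
    """Additive scrambler: XOR the bit stream with a maximal-length 7-stage LFSR
    (recurrence a[n+7] = a[n+1] ^ a[n], period 127; polynomial and seed are assumptions).
    Applying it twice with the same seed restores the data: it whitens long runs of
    identical bits for the PSK modem but, with a public polynomial and seed, hides nothing."""
    state, out = seed & 0x7F, bytearray()
    for byte in data:
        ks = 0
        for _ in range(8):
            fb = ((state >> 6) ^ (state >> 5)) & 1   # feedback from stages 7 and 6
            ks = (ks << 1) | (state >> 6)            # keystream bit = stage 7 (MSB)
            state = ((state << 1) | fb) & 0x7F
        out.append(byte ^ ks)
    return bytes(out)

def ones(data: bytes) -> int:
    """Population count, to compare run-heavy input with the scrambled stream."""
    return sum(bin(b).count("1") for b in data)
```

At an amplitude of 100 the uniform quantizer collapses to silence (0 dB) while mu-law still delivers about 30 dB; at 20000 both are usable, which is the dynamic range gain the paragraph refers to.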
While some such transmissions that aren't encrypted could in theory be monitored by a very sophisticated individual, particularly one who had access to the RF modem and multiplexing hardware used by the subscribers, the required expertise and technology is great enough that few if any such listeners exist. Presumably the only listeners to such transmissions are the intelligence agencies and perhaps industrial spies who can afford to buy the necessary hardware to listen to their competitors' private circuits. And more and more users of such links are encrypting them with DES.

TDMA-PSK-TDM-PCM signals are much more complex than most FDMA-PSK-TDM-PCM signals. This is natural since all traffic is transmitted by having each station on the network transmit a burst of very high speed (tens of Mb/s) data in an assigned time slot in round robin fashion. Included in the burst is all of the traffic that station has with every other station on the network. Every other station monitors all the bursts from stations it is in communication with and picks out the channels that correspond to its incoming traffic. In many such systems burst lengths and time slots are dynamically assigned by a master ground station computer as calls are set up and terminated. Each station is capable of receiving and decoding the bursts transmitted by every other station it talks to, so if the channels are not encrypted it could monitor much of or all the traffic going through the transponder. In practice, however, the complex firmware and hardware make it difficult to accomplish this. The burst formats are complex and contain error correction, status and control channels, call setup channels and so forth. And the bursts are scrambled just as in the continuous carrier TDM case.
Intercepting and demodulating such a signal would be a major task and is probably something that has only been done (by intelligence agencies) by using perverted versions of the ground station hardware and firmware used by the system. In addition to the complexity of the task of sorting out the digital information and finding the right time slot from the right burst to retrieve the channel of interest, the very high speed fast lock-on RF modems used to demodulate the bursts are themselves non-trivial devices. I suspect that even perverting the firmware in a legitimate ground terminal is complex enough that no private individual or group could easily accomplish it without access to a lot of detailed non-published information (such as source of the firmware and precise details of the protocol and burst formats). It has been said that SBS, which uses such TDMA techniques on its 12 GHz system, regards the signal format as complex enough that encryption is not necessary for at least some of the traffic it transmits. I doubt very much if a private individual has ever successfully monitored telephone traffic through this system (except perhaps by fiddling with a legitimate ground station).