Chapter 7

Basic Overview of Equipment and How it Works

In Chapter 2 the basic concept of a scanner was introduced. To review, a scanner is a radio that stores multiple frequencies in channels, quickly switches between those channels, and stops scanning when it finds a channel that is active. This chapter takes a deeper dive into scanner features and operation, how to select a scanner for radio reconnaissance, and accessories that are helpful when performing radio reconnaissance.

Common Scanner Controls and Features

The best source of information for operating a particular scanner is the owner’s manual. That being said, there are controls and features that are common to most scanners available on the new and used market.

Channels and Banks

Channels store the frequencies the scanner searches when it is scanning for radio traffic. Most scanners organize channels into banks. For example, a 200-channel scanner may have 10 banks of 20 channels each. This can be helpful when you need to group services together. A hobbyist may put police in one bank, fire in a second bank, and air traffic in a third. Alternatively, if you travel, you can put channels in banks organized by city or location. It is usually simple to enable or disable an entire bank, so that instead of locking out 20 channels individually, you can simply disable a bank.

Tip

It can save time and frustration if you program the last few banks with common frequencies. For example, the authors use bank 10 for Family Radio Service Channels, bank 9 for dot frequencies, and so on. Lower banks are then used for specific engagements and targets. This saves the need to reprogram the higher banks.

Tip

Scanner banks can make life much easier during multiple location penetration tests. If you program the frequencies for each location into a separate bank, you can easily move between locations with a minimum of reprogramming. Other banks can be used to store common frequencies.

While older scanners do not allow you to change the size of the banks, many newer scanners allow you to group channels however you wish. For example, bank 1 can be channels 1–3, bank 2 can be channels 4–10, and so on. Uniden (Bearcat) and GRE have competing flexible memory systems, named Dynamic Memory Architecture (DMA) and Object Oriented memory respectively. Both achieve roughly the same goal, and which system is better is a matter of personal preference. If you get a scanner that uses either of these systems, take the time to fully understand how it works so you can make full use of it.

Squelch

Squelch is a control that adjusts the amount of signal needed to stop the scanner or break audio silence so that a user can listen to the transmission. If the squelch is turned all the way down, you will hear static wherever there is no signal. Turning the squelch too high can cause you to miss weak signals that may be useful. The goal is to find a happy medium where you get as little static as possible while still receiving the desired signals. On most scanners, squelch is controlled by a knob. Some newer radios use plus and minus buttons or a rocker. While it is an issue of personal preference, the authors prefer knob control due to the fine adjustment it allows.

Scan Button

Pushing the scan button will cause the scanner to scan its channels for activity. Additionally, the scan button can be used to resume scanning if the channel being listened to is not of interest.

Hold Button

The hold button will stop a scanner from scanning and hold the radio on the current frequency or channel. This is helpful if you want to follow a conversation on a single frequency.

Manual Button

The manual button, also known as the direct button, allows you to directly enter a frequency you wish to listen to. This is often the first step to programming a frequency to a channel. Some scanners combine the Hold and Manual button.

Program

Program can be either a button or process followed to program a frequency to a channel. The control is different for each radio but is often similar between radios by the same manufacturer. The best source of information for instructions on using the programming function is the radio owner’s manual.

Tip

If you work for a team of penetration testers that will be sharing a scanner on or between engagements, you should use a standard channel/bank layout so multiple teammates can easily use the same device. This will save time when you need to set up scanners between engagements and lessen confusion while performing an engagement.

Lockout Button

The lockout button is used to lock out a channel so that it is not scanned. This is especially helpful if a channel has a lot of static for some reason, or if you wish to ignore a certain channel. A common reason for using the lockout during reconnaissance is when there is another user group nearby, such as maintenance, and you are only interested in listening to a different group, such as the security force. Some radios have temporary lockouts which will lock out a channel only until the unit is powered off and on again.

Tip

When preparing to use a scanner on a new engagement always make sure all locked out channels are unlocked. This will ensure that channels locked out during the previous engagement will not be skipped at the new site.

Search

The search feature allows you to program in high and low frequency stops, and the scanner will sweep the defined range and stop on activity. Some units will store frequencies where they find activity into scratch memory, sometimes referred to as “monitor channels.” This feature is valuable for penetration testers, and is very helpful when looking for a signal in a set area. One way to take advantage of it is to set up the scanner overnight or while you are working on other things, and then return to see what the scanner has found. Before doing so, sweep the range once and lock out birdies (spurious signals generated inside the receiver itself) and other signals that are not of interest. This is much easier than pressing the search or scan button each time the scanner locks on a birdie or other undesired signal. Keep in mind that some radios retain the frequencies you locked out across power cycles and searching sessions. Be sure to clear this memory before performing a search in a new location, or you may find that you have locked out the very frequency you are looking for. Some units allow selective deletion, meaning that you can leave some birdies in the lockout list. The authors, however, have found that it is easier to clear the memory and start fresh.

Priority

With the priority feature, you can set a channel or group of channels as a priority. In some implementations, this channel or group of channels will then be checked more often for activity, while in others, the priority channel(s) will be checked even while the scanner is listening to another channel, and the scanner will switch to the priority channel if activity is detected. In some older implementations of the priority feature, the scanner would check the priority channel every second, causing an annoying cutout while listening to other channels. If buying an older scanner, it is a good idea to test this feature before making your purchase to be sure it is implemented in a way you can live with.

Tip

If a target site has a frequency that is used to communicate with the police, it is a good idea to set that as a priority channel. During a penetration test, you want to know as soon as possible if the police have been summoned so you can be prepared to explain yourself.

Selecting a Scanner

The most important piece of equipment for radio reconnaissance is a scanner, and selecting the correct scanner can make things much easier. In fact, selecting the correct scanner can often mean the difference between success and failure. Many folks are tempted to get a top of the line scanner with all the bells and whistles. Although this may be fun, if you only occasionally use your scanner these extra features often add confusion, as you need to relearn all the features each time you use the radio. Remember, the point is to have a tool you can use and gain value from. For most targets you do not need a fancy or expensive scanner to gather valuable information. In addition to the features discussed earlier in this chapter, here are some criteria to keep in mind when selecting a scanner for wireless reconnaissance work.

Form Factor

When selecting a scanner, the first step is to figure out what form factor works best for your needs. Scanners are available in a variety of form factors, including handheld (Figure 7.1), base (Figure 7.2), and mobile scanners. Many mobile scanners can be used as base scanners, or can be mounted in a vehicle, either hardwired or powered by the car’s 12 V power socket/lighter receptacle. Handheld scanners tend to be small and battery powered, and many can use AC adapters to power the unit and charge onboard batteries. Rechargeable batteries can significantly lower operating costs if you use the scanner often. For most wireless reconnaissance work, especially for the first radio, we recommend handheld scanners because they are the most portable and easy to power.

Tip

Always be sure to bring plenty of batteries. Even if you use rechargeable batteries, be certain to have non-rechargeable batteries available in case the rechargeable batteries die. It makes for a bad day to get on site only to discover that you do not have any battery power left. Also, note that some scanners have a switch to change operation between rechargeable and non-rechargeable batteries. Be sure that the switch is set correctly.

image

Figure 7.1 Handheld Scanner, Reprinted with Permission from Meagan Call

image

Figure 7.2 Base Scanner, Reprinted with Permission from Meagan Call

A fourth form factor that is becoming more popular is the scanner that can only be controlled from a computer. These scanners have no controls besides a power switch and occasionally a volume control. They are often just a plain metal box, so they are also referred to as black box radios. Because these radios require a computer to function, they are not a good first radio for radio reconnaissance work. They do often contain specialty features which may be of value to penetration testers, and will be discussed more in Chapter 9, New Technology and the Future of Radios in Penetration Testing.

Programmable Versus Pre-Programmed Scanners

Scanners are available either as pre-programmed units or as programmable units. The pre-programmed units are not particularly useful for the purposes of this book; they are intended for hobbyists as well as automobile racing fans and railroad enthusiasts. A pre-programmed scanner may make sense as a second scanner dedicated to monitoring police traffic in the area, because the radio will not need to be reprogrammed each time you perform an assessment in a new city. To be effective for reconnaissance, choose a programmable scanner which can easily be programmed in the field as new target frequencies are discovered.

Frequency Coverage

Scanners are generally divided into two basic categories as far as frequency coverage is concerned: Full Coverage and Band Coverage.

Full Coverage is generally found on higher-end units, and often includes shortwave coverage. While shortwave coverage is not particularly useful for penetration testers, it can be fun to have if you are interested in becoming a radio hobbyist. Unless you get a special radio, even a Full Coverage radio will still block the old analog cellular telephone frequencies. While this may seem odd given that these analog frequencies are no longer used, it is still illegal in the United States to sell a scanner that can receive them. There are exceptions to this law, and unblocked radios can often be legally obtained if you are willing to cut through a good deal of red tape. Contact a dealer that sells unblocked scanners and they can provide the requirements and the paperwork needed to purchase one.

Band Coverage scanners cannot tune to every frequency, rather they provide access to popular bands or groups of frequencies. These are sufficient for most users, as the frequencies you will want to listen to are generally included in the Band Coverage.

It used to be that there were three basic types of radios: those banded to cover 30 MHz to roughly 500 MHz, those banded to cover 30–900 MHz, and continuous coverage units. These days more or less every scanner sold new covers 900 MHz. Where 900 MHz coverage used to be a differentiator, today the common differentiator is the trunking and digital capabilities of the unit. For radio reconnaissance purposes a scanner will not need to receive signals below 30 MHz. Having a scanner that can receive above 1.8 GHz is usually of limited value as well. If you are performing an assessment that requires receiving traffic above 1.8 GHz, a scanner is probably not the best tool to use, because most traffic in this range is digital. Chapter 11 will discuss specialized tools that are more appropriate to this task.

Tip

If purchasing an older radio, be sure to determine if it has 900 MHz coverage.

Useful Scanner Features

In addition to the criteria provided above, there are a number of other features which will be useful when using a scanner for wireless reconnaissance. These features are explained below so you have an understanding of what they do and what to look for when purchasing a scanner for wireless reconnaissance work.

Number Pad

The number pad (Figure 7.3) is used to enter channel numbers or frequencies. Not all radios have a number pad; those that do not require other methods to enter frequencies. Many smaller radios forgo the number pad in the interest of saving space.

image

Figure 7.3 Scanner Number Pad

The authors prefer scanners with a full keyboard. Of course, units without keyboards are usually very small, often the size of a standard deck of playing cards (Figure 7.4). While this can be great if you need to hide the scanner for covert listening, it can take a great deal of time should you need to enter additional frequencies, unless you are able to use a computer to program it. While these qualities make scanners without keyboards a great option for a secondary scanner, the advantages of a full keyboard scanner outweigh the small size. The full keyboard can make or break an engagement if you forget the software, your computer, or a programming cable and need to reprogram on the fly. Programming cables can be extremely difficult to find when traveling, as they are specialty items not generally carried by mainline retailers.

image

Figure 7.4 Icom R-6 is an Example of a Small Scanner Without a Full Keypad, Reprinted with Permission Icom America Inc. ©2012 Icom America Inc. The Icom Logo is a Registered Trademark of Icom Inc. The Use of Icom Product Images has been Approved for Tutorial Purposes

Lighted Screens and Keyboards

Lighted screens and keyboards are of course helpful in night operations and also in any low light situation you may encounter. Even if you do not plan to perform any night operations, keep in mind that even during the day, penetration testers often find themselves hiding in closets and other dark places. When selecting a scanner, keep in mind that some units have lit screens and not lit keyboards. A unit with a lit screen and keyboard is best.

Channel Spacing/Steps

Step size is the amount the frequency changes with each tuning step. As with modulation, most scanners are designed to automatically select the appropriate step size for the current band. As a general rule, for a scanner to find every signal it must tune in steps no coarser than the channel spacing used by any of the communication systems to be scanned.

It is important to select a step size that matches that of the band so that you don’t miss any desired transmissions. Step size can greatly impact search speed on a particular band. The smaller the step size, the longer the search will take, as the scanner must check more frequencies; conversely, a larger step size reduces search time. Most radios will automatically select the correct step size for the band. Some higher-end radios, however, may not select step sizes automatically, and you will need to memorize them or have a reference available.

When using a search function, selecting the correct step size is critical. If you use too large a step size, you may miss a signal and never even know it was there. If the step size is too small, the scanner may stop on a frequency that is off the center of a signal, giving weak or distorted audio, and small step sizes can dramatically increase search time: selecting a 5 kHz step on a band with 25 kHz channel spacing will make the search take five times as long. If unsure which step size to select, go with the default selected by the scanner.

Tip

In order to allow for more efficient use of the spectrum, channel steps in the US are changing (for example, the narrowbanding of VHF and UHF land mobile channels to 12.5 kHz). It is important to keep this in mind if you are looking at older units, and also important to “future proof” a newer unit. Many newer units support firmware updates that can address these step changes as they occur. This does, of course, assume that the manufacturer will still be supporting the unit and releasing updates years into the future.

Scan Speed

Scanning speed refers to how quickly a unit can switch between channels while scanning. It is generally measured in channels per second, with speeds from about 10 up to 100 channels per second being common. The scanning speed ultimately determines how quickly a unit can scan a band or section of the spectrum; generally the faster the better.
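Putting the Search, Channel Spacing/Steps and Scan Speed points together, the following Python search planner computes what a given step size and scan speed actually cost and which signals they can miss. It is an added example, not code from the book or from any scanner manufacturer: the BAND_PLAN table is a constructed, US-style approximation of the default steps a scanner applies (the 7.5 kHz VHF and 12.5 kHz UHF defaults follow the narrowband channel plans) and the 100 channels per second scan rate is an assumed figure. Check the owner's manual for your unit's real defaults.

```python
"""Search-range planner for a conventional scanner (added example).

BAND_PLAN is a constructed, partial, US-style approximation of the default
step a scanner applies per band. Treat every value as an assumption and
check the owner's manual for your unit.
"""

# (low MHz, high MHz, default step kHz, default mode) -- assumed defaults
BAND_PLAN = [
    (108.0, 137.0, 25.0, "AM"),    # VHF aircraft band
    (137.0, 150.8, 5.0, "FMN"),    # includes the 2 m amateur band
    (150.8, 174.0, 7.5, "FMN"),    # VHF-high land mobile, narrowband plan
    (400.0, 512.0, 12.5, "FMN"),   # UHF land mobile and UHF-T
    (806.0, 869.0, 12.5, "FMN"),   # 800 MHz land mobile
]


def default_step_khz(freq_mhz):
    """Return the assumed default step (kHz) for a frequency, or None if unknown."""
    for low, high, step, _mode in BAND_PLAN:
        if low <= freq_mhz < high:
            return step
    return None


def search_plan(low_mhz, high_mhz, step_khz=None, lockouts_mhz=(), channels_per_s=100):
    """Build the list of frequencies one search pass will visit between two stops.

    step_khz defaults to the band-plan step for the low stop. Frequencies in
    lockouts_mhz (for example birdies found on a previous pass) are skipped.
    All arithmetic is done in integer hertz so float steps cannot drift.
    """
    if step_khz is None:
        step_khz = default_step_khz(low_mhz)
        if step_khz is None:
            raise ValueError("no default step for %.4f MHz; pass step_khz" % low_mhz)
    low_hz, high_hz = round(low_mhz * 1e6), round(high_mhz * 1e6)
    step_hz = round(step_khz * 1e3)
    if step_hz <= 0 or high_hz < low_hz:
        raise ValueError("bad search limits or step")
    locked = {round(f * 1e6) for f in lockouts_mhz}
    channels = [f for f in range(low_hz, high_hz + 1, step_hz) if f not in locked]
    return {
        "step_khz": step_khz,
        "channels_hz": channels,
        "count": len(channels),
        "seconds_per_pass": len(channels) / channels_per_s,  # assumed scan rate
    }


def lands_on(signal_mhz, plan, tolerance_hz=0):
    """True if the search will actually tune to signal_mhz (within tolerance)."""
    target = round(signal_mhz * 1e6)
    return any(abs(f - target) <= tolerance_hz for f in plan["channels_hz"])


if __name__ == "__main__":
    wide = search_plan(154.0, 155.0, step_khz=25.0)   # old 25 kHz grid
    fine = search_plan(154.0, 155.0, step_khz=5.0)    # five times the work
    plan = search_plan(154.0, 155.0)                   # band-plan default, 7.5 kHz
    for name, p in (("25 kHz", wide), ("5 kHz", fine), ("default", plan)):
        print("%-8s %4d channels, %.2f s per pass" % (name, p["count"], p["seconds_per_pass"]))
    narrow = 154.0075  # a narrowband channel sitting 7.5 kHz off the old 25 kHz grid
    print("25 kHz step visits %.4f MHz: %s" % (narrow, lands_on(narrow, wide)))
    print("7.5 kHz step visits %.4f MHz: %s" % (narrow, lands_on(narrow, plan)))
```

The two things worth noticing are that the 5 kHz pass visits five times as many frequencies as the 25 kHz pass over the same 1 MHz range, and that the 25 kHz pass never tunes to a channel sitting 7.5 kHz off the old grid, so a target on such a channel would simply never be heard.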

Modulation

In Chapter 2 we discussed the different ways radio signals can be modulated to carry information. Common analog modulation types supported by scanners are AM, narrow FM (FMN), and wide FM (FMW). Single Side Band (SSB) modulation is not generally of interest to penetration testers, as it is mainly used on shortwave frequencies. It is worth noting, however, that if you get a high-end scanner that goes below 30 MHz, SSB support will allow you to listen to all the activity on shortwave.

Most scanners are designed to know which modulation commonly occurs on which frequency. This means that if you tune to 146.xxx MHz, the unit will automatically switch to FM, and if you tune to 108.xxx MHz in the air band, it will switch to AM. Higher-end scanners will often allow the defaults to be overridden to enable listening in non-standard situations. Being able to override the default modulation type is generally only required if the license class for the band you are trying to monitor has changed, which happens very infrequently, but having this option on a scanner is a good way to future proof it against band plan changes.

APCO P-25 Decoding

APCO P-25 is a common digital form of modulation that is gaining popularity in public sector radio systems. Although P-25 can be used with conventional radio systems, it is mainly deployed on trunked radio systems. Currently P-25 is the only digital format decoded by consumer-grade scanners. At the time this book was published the authors had not seen any business using P-25 on its radio system, but as systems get upgraded, private sector radio systems may adopt this standard. Today this is not a required feature for monitoring most business radio systems, but that will likely change in the future. Additionally, this feature is useful when monitoring some police radio systems. If you can afford it, the authors recommend purchasing a radio that can decode P-25 traffic so it is future proofed as this standard is rolled out in more locations.

Trunk Tracking

The concept of trunking was first introduced in Chapter 2. In general most businesses do not have radio systems complex enough to justify the cost of a trunked radio system. However, it is not unusual for larger businesses to deploy trunked systems, and many cities are upgrading their municipal radio systems to trunked systems. For this reason we highly recommend selecting a scanner that supports trunking.

When choosing a trunk-capable scanner a number of things need to be kept in mind. First, be sure to find one that can trunk in the bands you will need to monitor; not every trunk-capable scanner can trunk in all the frequency bands it can receive. Newer trunked systems are beginning to operate in the 300 MHz and 700 MHz bands, which may not be covered by older radios. New scanners that support trunking generally support it in all the bands the radio can receive.

Second, not all trunked systems are currently supported. It seems like every year scanner manufacturers add support for more trunked systems to their trunking scanners. Because of this, research the trunking systems supported by the scanners on the market and pick one which supports the largest number of trunking systems.

Third, if you purchase a trunking-capable scanner, be sure it is running the latest firmware. Many scanners now allow the end user to upgrade the firmware in the device to add new features or fix bugs. Frequently these bugs are related to how the unit supports trunking or decodes P-25 traffic, if supported. So if you are having trouble monitoring a trunked system with your scanner, verify that you are running the most recent firmware. If you are not, upgrade the firmware to see if that solves the problem.

Tip

Trunked systems often have complicated programming functions. The best references for programming your scanner to work with trunked systems are your scanner owner’s manual and the RadioReference.com wiki.

Rebanding

Rebanding, also known as reconfiguration, refers to changes in the 800 MHz band to allow users on the Nextel Network and users on public safety networks to coexist. If monitoring rebanded trunked systems, you must have a scanner that supports rebanding. If you attempt to monitor rebanded trunked systems without a scanner that supports rebanding, the scanner will go to an incorrect channel and you will not be able to monitor the transmission. While rebanding is not usually a major concern if you are monitoring private trunked systems, it is definitely a concern when monitoring public safety systems in the 800 MHz range.

Continuous Tone-Coded Squelch System (CTCSS)

Continuous Tone-Coded Squelch System (CTCSS), also known as tone squelch or remote squelch control, is designed to allow users on a shared frequency to hear only the users in their own group. Each group transmits a continuous sub-audible tone along with its audio, and CTCSS-equipped receivers generally can operate in either CTCSS mode or normal mode. While in CTCSS mode, the receiver’s audio will only be activated if the transmitted signal carries the same CTCSS tone. Note that CTCSS provides no privacy: a receiver in normal mode, such as a scanner with no tone programmed, hears everyone on the channel. CTCSS is also helpful in noisy RF environments where a scanner could pick up spurious signals that break the squelch. By programming a CTCSS tone for that channel, the scanner will not stop scanning unless a signal is present which also carries the correct CTCSS tone.
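To make the tone-squelch decision concrete, here is a CTCSS detector in Python built on the Goertzel algorithm, which measures the power at one chosen frequency without a full FFT. This is an added example, not code from the book or from any scanner vendor; real firmware runs the same kind of test on the demodulated audio but with its own thresholds. The audio is constructed inline (a 1 kHz tone standing in for voice, an optional sub-audible CTCSS tone at about 15% level, and a little Gaussian noise), and the min_power and min_ratio thresholds are assumptions tuned to that test signal.

```python
"""CTCSS tone-squelch detector using the Goertzel algorithm (added example).

The audio below is constructed for the demo; the detection thresholds are
assumed values, not a vendor's. The 38 tone values are the standard EIA set.
"""
import math
import random

# The 38 standard EIA CTCSS tones in hertz.
CTCSS_TONES = [
    67.0, 71.9, 74.4, 77.0, 79.7, 82.5, 85.4, 88.5, 91.5, 94.8, 97.4, 100.0,
    103.5, 107.2, 110.9, 114.8, 118.8, 123.0, 127.3, 131.8, 136.5, 141.3,
    146.2, 151.4, 156.7, 162.2, 167.9, 173.8, 179.9, 186.2, 192.8, 203.5,
    210.7, 218.1, 225.7, 233.6, 241.8, 250.3,
]

SAMPLE_RATE = 8000  # Hz, typical for demodulated scanner audio


def synth_audio(ctcss_hz=None, seconds=1.0, voice_hz=1000.0, noise=0.05, seed=1):
    """Constructed test audio: a voice-band tone, an optional CTCSS tone, noise."""
    rng = random.Random(seed)
    out = []
    for n in range(int(seconds * SAMPLE_RATE)):
        t = n / SAMPLE_RATE
        x = 0.8 * math.sin(2 * math.pi * voice_hz * t) + rng.gauss(0.0, noise)
        if ctcss_hz is not None:
            x += 0.15 * math.sin(2 * math.pi * ctcss_hz * t)  # sub-audible tone
        out.append(x)
    return out


def goertzel_power(samples, freq_hz, fs=SAMPLE_RATE):
    """Power at one frequency, normalised so a full-scale sine gives about 0.25."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / fs)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    n = len(samples)
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)


def detect_ctcss(samples, min_power=1e-4, min_ratio=8.0):
    """Return the CTCSS tone present in the audio, or None.

    The strongest candidate is accepted only if it sits above an absolute
    floor and is clearly stronger than the runner-up. Without the ratio test,
    leakage from a neighbouring tone or plain noise could open the squelch.
    """
    powers = sorted(((goertzel_power(samples, f), f) for f in CTCSS_TONES), reverse=True)
    (best_p, best_f), (second_p, _) = powers[0], powers[1]
    if best_p < min_power or best_p < min_ratio * second_p:
        return None
    return best_f


def squelch_opens(samples, programmed_tone_hz):
    """Tone-squelch decision: pass audio only if the programmed tone is present."""
    return detect_ctcss(samples) == programmed_tone_hz


if __name__ == "__main__":
    for tone in (100.0, 127.3, None):
        audio = synth_audio(tone)
        print("transmitted %-6s detected %-6s squelch for 100.0 opens: %s"
              % (tone, detect_ctcss(audio), squelch_opens(audio, 100.0)))
```

A one second window gives roughly 1 Hz of frequency resolution, which is what lets the detector separate tones such as 97.4, 100.0 and 103.5 Hz. A scanner decides faster than that in practice, at the cost of a coarser test; shorten the window in synth_audio to see the runner-up ratio shrink.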

Digital Code Squelch (DCS)

Digital Code Squelch (DCS) is a newer digital counterpart to CTCSS that sends a continuous low-speed sub-audible digital code instead of a tone. Some manufacturers refer to DCS as Digital Private Line (DPL). Like CTCSS, it is a selective-calling mechanism, not encryption; a receiver with the code squelch turned off hears the traffic regardless.

Alpha Numeric Memory

The alphanumeric memory feature on a scanner allows the user to name each channel with a text string. In the past all a scanner would show is a channel number and maybe a frequency. On those types of scanners you needed to remember that Channel 1 is the fire main dispatch for Lakewood, Channel 2 is the fire dispatch for Rocky River, and so on. When you program 200 channels into a scanner, it very quickly becomes impossible to remember them all. This feature is very helpful when performing wireless reconnaissance because you may be visiting multiple sites in a week, which makes the task of memorizing channel names even harder.

Computer Programmable

It is wise to spend more money up front and acquire a scanner that can be computer programmed. Being able to program the scanner with your computer will allow you to use your full size keyboard, copy and paste frequencies from manuals and Web sites, and save significant time if you need to enter a large number of frequencies.

Voice Squelch

Voice Squelch is a radio feature where the scanner will only stop when it has identified what seem to be voices. While this can be useful to skip over data traffic that you may encounter during reconnaissance, it will only work as well as the vendor has implemented it. It is wise to assess the scanner’s ability to accurately pick out voice transmissions before using this feature on an engagement. Similarly, some manufacturers have a Data Skip feature that skips over channels that seem to carry data signals. This feature achieves the same result as Voice Squelch.

Attenuator

An attenuator is a filter that decreases the power of signals entering the radio; it sits inline between the antenna and the front end of the receiver. Various scanner models implement attenuation differently: some allow the attenuator to be set on a per-channel basis, while others apply it to all channels or none. Attenuation can be helpful in environments where a strong local signal is overwhelming the other signals. Paging transmitters are notorious for overloading scanner front ends. Attenuation can also be helpful in an RF-rich urban environment when using a sensitive scanner.

Note

Recent model GRE and RadioShack scanners have a reputation of the front end of the radio easily being overloaded in environments with lots of signals, such as metropolitan areas. This results in distorted audio or hearing signals on the incorrect frequency. Enabling the Attenuation feature on the radio will help decrease the strength of these signals and prevent the radio front end from being overloaded.

Near Field Frequency Counting Features

Chapter 6, On Site Radio Profiling, covers using a frequency counter such as the Optoelectronics Scout to find unknown frequencies used by a target radio system. Some scanners have similar near field capabilities built in. Uniden has branded this technology Close Call, while GRE labels it Signal Stalker. Other manufacturers may have similar systems with different names. As a refresher, near field receivers work by finding the strongest transmitter in the area that is high enough above the noise floor for the receiver to detect it. Generally this means these features work best in environments with low RF noise where you are close to the target transmitter. The usability and usefulness of these systems can vary greatly between models, manufacturers, and operating environments. Overall the authors have had mixed results with these built in features and much prefer to use a dedicated device such as the Optoelectronics Scout. However, if your scanner does have these features it is worth learning how to use them and employing them during assessments. There have been rare cases where the near field frequency counter in a scanner detected a signal the Scout could not. The more information you can gather while profiling a target the better.

Discriminator Out

When a scanner receives a signal it goes through a number of filters and processes to clean up the audio before you hear it. When listening to normal voice traffic this is a good thing, so you get clean and clear sound which is easy to understand. However, during this cleanup process information is lost that is needed to decode digital signals. Some high-end scanners have a discriminator out feature that outputs this audio before it has been cleaned up so digital signals can be decoded. Decoding these digital signals is beyond the scope of this book, but this feature may be of interest to individuals who perform wireless reconnaissance if they plan or want to try to intercept and decode digital signals. This is also a feature that can be added to most scanners by the end user. However, this usually involves opening the radio and soldering connectors to the internal circuit boards. Needless to say, this is not for the faint of heart and will void your warranty. If you attempt this the normal warnings apply and the authors of this book will not be held responsible for any damage you do to your radio. Figure 7.5 shows the inside of a radio with a homemade discriminator out added.

image

Figure 7.5 Scanner with a DIY Discriminator Out Added, Reprinted with Permission from Meagan Call

Additional Considerations When Buying Used or Older Model Scanners

There are many arguments to be made for purchasing used or older model equipment, price being chief amongst them. Used units are also great for physical penetration tests; it is preferable to drop a $100 used unit in a stream instead of a brand new $500 unit. There are of course additional considerations when buying used equipment. Used equipment is often buyer beware, and assessing the remaining service life is beyond the scope of this book. Do, however, buy from a reputable seller and learn about the unit so you can judge its merits and condition.

Note

Ham radio stores are usually a great place to purchase used equipment. Often times, they will offer some form of warranty, and if something goes wrong you will be able to contact the person who sold the equipment. Additionally, Hams are passionate about radio, and generous with their knowledge.

Tip

If funds allow, it is best to have two scanners. One can be used to monitor dispatch and the other can be used to scan. On reconnaissance engagements, you will almost always find at least two things you will want to monitor.

Scanners Recommended for Wireless Reconnaissance

Even after laying out the criteria used to select a good scanner for wireless reconnaissance, some individuals may prefer specific recommendations on which radio to buy. This section contains recommendations on currently produced scanners that would work well for radio reconnaissance. Note that new scanners come out yearly, so this list could very quickly be out of date. Also, a radio not being listed in this section does not mean it is a poor fit.

Note

Remember, you don’t always need the latest or most expensive scanner to gather valuable information during a penetration assessment. While there are many great top of the line units available, sometimes a cheap unit will do the job just as well.

Uniden Bearcat BCD-396XT

Currently the top scanner we recommend for wireless reconnaissance is the Uniden Bearcat BCD-396XT (Figure 7.6). This is the scanner most frequently used by the authors and during most of the case studies in this book. It covers the frequency ranges that encompass all the frequencies commonly encountered during wireless reconnaissance. The scanner can follow trunked systems and decode P25 digital audio traffic, so it is as future proof as you can get with current production scanners. The 396XT includes Uniden’s Close Call feature, which can be helpful when trying to identify unknown frequencies. The scanner is also computer programmable and controllable. Currently the BCD-396XT retails for about $450.

image

Figure 7.6 Uniden Bearcat BCD-396XT, Reprinted with Permission from Meagan Call

GRE PSR-310

If you don’t want to decode P25 digital traffic, or if the price of the BCD-396XT is outside your budget, the next model down to look at is the GRE PSR-310 (Figure 7.7). The PSR-310 frequency coverage is almost identical to the BCD-396XT and it will also track analog trunked systems. The PSR-310 includes GRE’s Spectrum Sweeper feature, which can be used to find the frequency of unknown nearby transmitters. The scanner is also computer programmable and controllable. At time of publication the PSR-310 is selling for around $150.

Note

Most RadioShack brand scanners are made by GRE, so there are often what appear to be equivalent models between GRE and RadioShack. RadioShack will often run sales where you can get their scanners at substantial savings. Sometimes the changes between equivalent models are just cosmetic. Other times useful features or accessories are missing from one brand’s version. So be sure to research the differences between a GRE and a RadioShack scanner before you make a purchase.

image

Figure 7.7 GRE PSR-310, Reprinted with Permission from Spencer E Holtaway

AOR 8200MKIII

The AOR 8200 MKIII (Figure 7.8) is a high-end continuous-coverage scanner that has a number of unique features which can be helpful to individuals performing wireless reconnaissance. The big shortcomings of the AOR 8200 MKIII are that it cannot track trunked radio systems and cannot decode P25. Although it cannot decode P25 digital signals, it can demodulate all popular analog signals. A unique accessory for this scanner is the AOR VI8200 Voice Inverter Card, which lets the radio decode single point voice inversion transmissions. The radio is also very easy to control from a computer. AOR has published the full specification of the control protocol, so someone with programming ability can write simple programs to control the scanner. The case study at the end of Chapter X used a computer-controlled AOR 8200 MKIII to take signal strength readings from multiple locations to determine which wireless headsets were inside the target building. The computer control port on this scanner also gives easy access to the radio’s discriminator output, which is helpful if you need to decode or analyze data transmissions on a frequency. The 8200 MKIII can also be paired with an Optoelectronics Scout to perform Reaction Tuning, where the radio automatically tunes to the frequency the Scout detects. This is a valuable feature for quickly determining whether a frequency the Scout discovered belongs to the target organization.

With all these features comes one of the biggest disadvantages of the 8200 MKIII: it is a very complicated radio with a steep learning curve. If you do get one for wireless reconnaissance work, be sure to acquaint yourself with the radio and its features before you take it into the field. Also bring along the owner’s manual in case you need to look something up. At the time of publication the AOR 8200 MKIII sells for around $750.
In general the AOR 8200 MKIII makes a good second or third radio for individuals performing wireless reconnaissance. Another good second or third radio is the Icom IC-R3 which is a handheld scanner that can decode video signals. Although the IC-R3 is no longer produced it can still be found used on eBay and at ham radio stores.

image

Figure 7.8 AOR 8200MKIII, Reprinted with Permission from AOR USA Inc.

Building Your Kit: Helpful Accessories

Before heading out, the authors make sure that they have the right equipment for the job. If you are planning to use radio reconnaissance in a penetration test (and hopefully you are, if you are reading this book), it is helpful to have the following equipment. The first and most important accessory is a quality antenna.

Tip

If we had to choose between a cheap radio and a good antenna or a good radio and cheap antenna, the authors of this book would always choose a good antenna with a cheap radio. A good antenna will pull in signals better so that a cheap radio can hear it. However a cheap antenna will make a good radio deaf.

Antenna Connectors

Most scanners use either BNC or SMA antenna connectors. When selecting an antenna for your scanner, make sure you get one that has the appropriate connector, or get the appropriate adapter. Also do not confuse the SMA connector used on scanners with the reverse-SMA (RP-SMA) connector used on some 802.11 wireless cards. SMA and reverse-SMA connectors are not compatible. Figures 7.9 and 7.10 show what these various connectors look like.

image

Figure 7.9 Male SMA, BNC, and Reverse-SMA Antenna Connectors, Reprinted with Permission from Meagan Call

image

Figure 7.10 Female SMA, BNC, and Reverse-SMA Antenna Connectors, Reprinted with Permission from Meagan Call

Antennas for Handheld Scanners

Every new handheld scanner comes with an antenna. These free antennas usually range from mediocre to poor and should be one of the first upgrades when building a wireless reconnaissance tool kit.

Flexible “Rubber Duck” Antennas

The flexible “rubber duck” antenna (Figure 7.11) offers many benefits; foremost among these benefits is convenience. These antennas are fairly easy to conceal, are rugged, and as you may have guessed, are flexible. Rubber ducks are also fairly inexpensive, making them an ideal choice for environments where your radio equipment will be subject to abuse. It is far better to break a cheap antenna than an expensive one.

image

Figure 7.11 Various Rubber Duck Antennas, Reprinted with Permission from Meagan Call

Rubber duck antennas also have their disadvantages. As a general rule, they have poorer range than other varieties of antennas. Be especially wary of small 1-in. rubber duck antennas. While compact and neat looking, they generally perform very poorly unless used at high frequencies, in the 900 MHz range and above.

Telescoping Whip Antennas

Telescoping whip antennas (Figure 7.12) can be tuned to the desired frequency by shortening or lengthening them. They are generally very good for receiving signals; however, they do have several disadvantages. They are not particularly rugged and are fairly easy to bend or break during use. Their larger size makes them generally more difficult to conceal, which is at cross purposes with our intended use. They are also rigid, making them a poor choice when wearing a radio on your belt. If you are not careful, rigid antennas can also place strain on the radio and cause the internal antenna connector to break away from the circuit board. If you plan to use a telescoping whip with a portable radio, choose one with a joint so that it can be pointed skyward when the radio is lying flat. This is a great help when using the radio at a table, desk, or in your car.

Note

Once bent, a collapsible whip antenna is difficult if not impossible to straighten back into its original shape. For this reason, it is best to buy a new one.

image

Figure 7.12 Telescoping Whip Antenna, Reprinted with Permission from Meagan Call

Recommended Handheld Scanner Antennas

If you can only get one antenna, we recommend a high-quality rubber duck antenna such as the Austin Condor or Diamond RH77CA. Both are good multi-band antennas. Beware of rubber duck antennas that are very short, around an inch in size. Although these small antennas may be easy to conceal, they often have very poor performance and will cause you to miss everything except very strong signals. If you need a small antenna you can easily conceal, try the Diamond RHF10, which is only 2.75 in. high, very flexible, and receives 450 MHz, 800 MHz, and 900 MHz signals surprisingly well for its small size.

If possible we highly recommend getting at least two scanner antennas. The second antenna should be a telescoping whip. The algorithm discussed in the Antenna Theory section of Chapter 2 can be used to figure out how long or short a telescoping whip antenna should be to match the target frequency. If you need to listen to a specific frequency, investing in a frequency-specific antenna may be a good option.

Tip

Antennas are sensitive to all metallic objects in the nearby area, so moving an antenna often has a dramatic effect. This is especially true in metal-heavy cubicle farms, inside office buildings, hotel rooms, and the like. If using radio equipment while in a vehicle, simply moving the car a few inches may be enough to improve the reception. Of course, sometimes you will need to find another location altogether to get a clear signal.

Mobile Antennas

For mobile antennas, the authors generally recommend the magnetic mount type. This allows easy portability, and the antenna can be used on multiple vehicles. If you don’t need to use the antenna on more than one vehicle, a permanent mount antenna is of course also an option. In a pinch, the RadioShack mobile antenna is a good option, and it is usually fairly easy to locate a RadioShack. Better options include the Larson Tri-Band (Figure 7.13) and the Austin Spectra antennas. The Austin Spectra is the taller and more expensive of the two. Both of these antennas are quality units, and both have their hardcore devotees in the radio community. The Larson and the Austin antennas can both be used with an NMO magnetic mount (Figure 7.15). NMO stands for New Motorola and is a type of antenna connector commonly used on mobile antennas. A BNC magnetic mount (Figure 7.14) can be used to mount a portable antenna on the outside of a vehicle; however, this may not be the best option for long-term durability because BNC connectors are not watertight.

image

Figure 7.13 Larson Tri-Band Antenna, Reprinted with Permission from Meagan Call

image

Figure 7.14 Magnetic Antenna Mount for Antennas with a BNC Connector, Reprinted with Permission from Meagan Call

image

Figure 7.15 Magnetic Antenna Mount for Antennas with a NMO Connector, Reprinted with Permission from Meagan Call

Tip

Suction cup window mounts (Figure 7.16) can be a great tool during reconnaissance. They allow you to mount an antenna in a hotel or office window, or inside a car. While people generally don’t notice antennas on vehicles, mounting the antenna inside can be a great option when you do not want extra attention.

image

Figure 7.16 Suction Cup Window Antenna Mount, Reprinted with Permission from Meagan Call

Coax Cable

Coax cables are a special type of cable used to carry RF signals. The quality and type of coax cable used become more important the longer the cable needs to be. For most wireless reconnaissance work long coax cables are not needed. Therefore most of the details around coax cables and selecting a high-quality cable are purposely not included in this book. For the purposes of wireless reconnaissance the most important thing to remember is to match the impedance of the cable with the impedance of the antenna and receiver. Scanners and scanner antennas have an impedance of 50 ohms.

DTMF Decoder

DTMF decoders decode telephone touch tones. If cordless telephones or headsets are used by the target, DTMF decoders can be useful for decoding voicemail passwords keyed in over the air. Some high-end scanners have DTMF decoders built into them. DTMF decoders are also available as an external piece of hardware or as software.
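The software option is small enough to show here. The following is an added example written for this chapter, not code from the book or from any scanner vendor: a DTMF decoder that runs the Goertzel algorithm over audio taken from a scanner’s headphone jack, picks the strongest low-group and high-group tone in each frame, and emits a digit once per key press. The sample rate (8000 Hz), the 205-sample frame length, the minimum tone amplitude, and the dialing audio it decodes are all assumptions constructed for the example; the sequence "1234#" stands in for a voicemail PIN and is generated in the block itself.

```python
import math
import random

# DTMF keypad: the low tone selects the row, the high tone selects the column.
DTMF_LOW_HZ = [697, 770, 852, 941]
DTMF_HIGH_HZ = [1209, 1336, 1477, 1633]
KEYPAD = ["123A", "456B", "789C", "*0#D"]

FS = 8000  # assumed sample rate of the audio captured from the scanner


def goertzel_power(frame, target_hz, fs=FS):
    """Squared magnitude of the DFT of `frame` at exactly `target_hz` (generalized Goertzel)."""
    w = 2.0 * math.pi * target_hz / fs
    coeff = 2.0 * math.cos(w)
    s_prev = 0.0
    s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def detect_digit(frame, fs=FS, min_amplitude=0.2):
    """Return the DTMF digit present in one frame, or None if no valid tone pair is found."""
    lows = [goertzel_power(frame, f, fs) for f in DTMF_LOW_HZ]
    highs = [goertzel_power(frame, f, fs) for f in DTMF_HIGH_HZ]
    row = max(range(4), key=lambda i: lows[i])
    col = max(range(4), key=lambda i: highs[i])
    # A tone of amplitude A over N samples gives a Goertzel power of about (A*N/2)^2;
    # anything weaker than min_amplitude in either group is treated as silence or noise.
    min_power = (min_amplitude * len(frame) / 2.0) ** 2
    if lows[row] < min_power or highs[col] < min_power:
        return None
    return KEYPAD[row][col]


def decode_dtmf(samples, fs=FS, frame_len=205):
    """Decode a digit string from audio. A digit is emitted once per continuous key press;
    a frame with no valid tone pair (the gap between presses) resets the detector, so
    repeated digits such as "11" are both reported."""
    digits = []
    last = None
    for start in range(0, len(samples) - frame_len + 1, frame_len):
        digit = detect_digit(samples[start:start + frame_len], fs)
        if digit is not None and digit != last:
            digits.append(digit)
        last = digit
    return "".join(digits)


# --- Constructed test audio standing in for a recording of someone keying in a PIN ---

def dtmf_tone(digit, fs=FS, tone_ms=100):
    """One key press: the row tone plus the column tone, each at half amplitude."""
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    col = KEYPAD[row].index(digit)
    n = fs * tone_ms // 1000
    return [0.5 * math.sin(2 * math.pi * DTMF_LOW_HZ[row] * t / fs)
            + 0.5 * math.sin(2 * math.pi * DTMF_HIGH_HZ[col] * t / fs) for t in range(n)]


def dial(digits, fs=FS, tone_ms=100, gap_ms=50, noise=0.05, seed=7):
    """Key presses separated by silent gaps, with a little seeded noise on top."""
    rng = random.Random(seed)
    samples = []
    for d in digits:
        samples += dtmf_tone(d, fs, tone_ms)
        samples += [0.0] * (fs * gap_ms // 1000)
    return [x + rng.uniform(-noise, noise) for x in samples]


if __name__ == "__main__":
    print(decode_dtmf(dial("1234#")))  # -> 1234#
```

The detector deliberately requires both a row and a column tone above the threshold before it reports anything, so speech or a single stray tone on the channel does not produce digits. On a real recording you would feed `decode_dtmf` the samples from a WAV file captured at the headphone jack and, if the audio is at a different rate, pass that rate as `fs`.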

Camera

As discussed in Chapter 5, Onsite Profiling, having a camera can be helpful for taking pictures of the radio equipment and antennas used by the target organization so they can be analyzed later. A camera with a good optical zoom will be of the most benefit. Binoculars can be helpful for similar reasons.

Headphones or External Speakers

Headphones are another must-have accessory when performing wireless reconnaissance. They allow you to discreetly listen to radio traffic; the crackle of a police radio dispatcher will always gather attention in public. When working in a car, an external speaker can help you hear transmissions over road and engine noise. When getting a speaker to use in a car, also consider getting one with a built-in audio amplifier so you can turn up the volume loud enough to clearly hear radio traffic.

Audio Recording Equipment

Being able to record what you are receiving is helpful in case a transmission is missed, if a transmission needs to be reviewed to gather additional information, or if you want to record activity on a channel while you are away from the radio. Recording and playing back the information leaked by a company can also be a great way to illustrate the risks of the intercepted data to upper management. Many desktop and mobile scanners have a line out designed specifically for connection to a recording device. If you have a handheld scanner you can connect the recorder directly to the headphone jack. When selecting an audio recorder, pick one that has a built-in VOX feature so that it starts recording only when audio is present. Finally, although not critical, try to select a recorder that time stamps the audio files so you can look up when a transmission occurred. Note that some scanners, such as the Uniden Home Patrol, GRE PSR-800, and Icom R-20 (Figure 7.17), come with built-in sound recording capabilities.

image

Figure 7.17 Icom R-20 with Built-In Sound Recording Capabilities, Reprinted with Permission Icom America Inc. ©2012 Icom America Inc. The Icom Logo is a Registered Trademark of Icom Inc. The Use of Icom Product Images has been Approved for Tutorial Purposes

Video Decoder

The ability to decode video signals given off by a target organization is immensely helpful. Many organizations use wireless security cameras to monitor areas where they cannot easily run a video cable. Some high-end scanners, such as the Icom IC-R9500 (Figure 7.18), have the ability to decode video signals; however, radios like this are outside most budgets. Another option is a used Icom IC-R3, a handheld scanner that can decode video signals. Although no longer in production, used models can readily be found on eBay and other online sources. A dedicated video interception device such as the Optoelectronics Video Sweeper or AOR AR-STV (Figure 7.19) is another option. These are self-contained devices explicitly designed to scan for and decode video signals. Note that most of these units will only decode analog video signals. In Chapter 10 we’ll touch on how the upcoming technology of software defined radios can be used to decode both analog and digital video signals.

image

Figure 7.18 Icom R-9500 Has a Built-In Video Decoder, Reprinted with Permission Icom America Inc. ©2012 Icom America Inc. The Icom Logo is a Registered Trademark of Icom Inc. The Use of Icom Product Images has been Approved for Tutorial Purposes

image

Figure 7.19 AOR AR-STV, Reprinted with Permission from AOR USA Inc.

RF Amplifiers

In general the authors of this book do not recommend using RF amplifiers (Figure 7.20), also known as antenna boosters or pre-amplifiers. An RF amplifier will amplify not only the signal you are trying to hear but also other RF noise in the area. Generally use of an RF amplifier will just overload the front end of the scanner and cause you to miss the signal you are searching for.

image

Figure 7.20 RF Amplifier, Reprinted with Permission from Meagan Call

Voice Inversion Decoder

Warning: Be sure to check applicable state, local, and federal laws before attempting to decode transmissions using voice inversion.

Voice inversion is a simple way to scramble audio transmissions to make them difficult to understand. Voice inversion technology can be broken down into two types: single point inversion and dual point inversion. Single point inversion flips the audio spectrum around a set frequency, so that low-pitched components become high-pitched and vice versa. Dual point inversion flips the audio around a set point and then flips it again around a different point. Breaking a single point voice inversion system is fairly simple because only one value, the inversion point, needs to be brute forced. Breaking dual point inversion is more difficult, but still not impossible, because both inversion points need to be discovered. It is important to note that neither dual point nor single point voice inversion is actually encryption; they are simply ways to scramble the signal. Voice inverted transmissions are pretty easy to spot because they sound like Donald Duck speaking gibberish.
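To make concrete why single point inversion is not encryption, here is an added example written for this chapter, not code from the book or from any scrambler vendor. It models the inversion in the frequency domain on one block of audio (a real analog scrambler mixes the audio with a carrier and low-pass filters the result, which produces the same mirror image), shows that applying the same inversion twice returns the original audio, and brute forces the inversion point by trying a list of candidates. Everything in it is constructed: the "voice" is three harmonically related tones, the 3200 Hz inversion point and the 2800 to 3600 Hz candidate list are assumed values, and the scoring heuristic (how much energy lands back in a voice-like band) stands in for the human ear, which is what you would actually use on recorded traffic.

```python
import cmath
import math

FS = 8192          # sample rate; with a 1024-sample block every DFT bin is exactly 8 Hz wide
N = 1024
HZ_PER_BIN = FS / N


def fft(x):
    """Recursive radix-2 FFT (len(x) must be a power of two)."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even = fft(x[0::2])
    odd = fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def ifft(spec):
    """Inverse FFT via conjugation; returns the real part (callers keep the spectrum Hermitian)."""
    n = len(spec)
    y = fft([v.conjugate() for v in spec])
    return [(v.conjugate() / n).real for v in y]


def invert_spectrum(samples, inversion_hz):
    """Single point voice inversion: audio at f Hz moves to (inversion_hz - f) Hz and anything
    above the inversion point is discarded. The mapping is its own inverse, so applying it
    twice with the same inversion point returns the original audio. That is why one box with
    one setting both scrambles and descrambles, and why an eavesdropper only has to guess
    a single value."""
    kc = int(round(inversion_hz / HZ_PER_BIN))
    spec = fft(samples)
    out = [0j] * N
    for k in range(1, kc):
        out[kc - k] = spec[k]
    for k in range(1, N // 2):          # rebuild negative-frequency bins so the result is real
        out[N - k] = out[k].conjugate()
    return ifft(out)


def energy(samples, lo_hz=0.0, hi_hz=FS / 2):
    """Energy of the positive-frequency spectrum between lo_hz and hi_hz."""
    spec = fft(samples)
    lo = int(lo_hz / HZ_PER_BIN)
    hi = min(int(hi_hz / HZ_PER_BIN), N // 2 - 1)
    return sum(abs(v) ** 2 for v in spec[lo:hi + 1])


def score_candidate(scrambled, inversion_hz, lo_hz=280.0, hi_hz=1000.0):
    """Fraction of the scrambled signal's energy that lands back in a voice-like band after
    descrambling with a guessed inversion point. A wrong guess shifts the audio up or down
    by the error, pushing part of it out of band or below 0 Hz where it is lost. This crude
    stand-in for a listener is enough for the constructed signal; on real audio you listen."""
    recovered = invert_spectrum(scrambled, inversion_hz)
    return energy(recovered, lo_hz, hi_hz) / energy(scrambled)


def brute_force_inversion_point(scrambled, candidates_hz):
    """Try each candidate inversion point and return (best candidate, its score)."""
    best = None
    for fc in candidates_hz:
        s = score_candidate(scrambled, fc)
        if best is None or s > best[1]:
            best = (fc, s)
    return best


def max_abs_diff(a, b):
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed stand-in for one block of voice: three harmonically related tones.
CLEAR = [sum(math.cos(2 * math.pi * f * n / FS) for f in (320, 640, 960)) for n in range(N)]
SCRAMBLED = invert_spectrum(CLEAR, 3200)            # 3200 Hz is an assumed inversion point
CANDIDATES_HZ = list(range(2800, 3601, 80))

if __name__ == "__main__":
    fc, score = brute_force_inversion_point(SCRAMBLED, CANDIDATES_HZ)
    print(fc, round(score, 3))   # -> 3200 1.0
```

Two things carry over from the toy to real traffic. First, the search space is tiny: inversion carriers sit in a band a few kilohertz wide, and a descrambler that is off by a few tens of hertz already produces recognizable speech, so a handful of candidates is enough. Second, nothing secret is involved beyond that one number, which is the sense in which the text calls this scrambling rather than encryption.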

Some older scanners had voice inversion decoders built into them, such as the Alinco DJ-X2 and DJ-X2000E. These units could only decode single point voice inversion traffic and are generally very difficult to find on the used market. As discussed earlier, the AOR 8200 MKIII is capable of decoding single point voice inversion with the optional VI8200 Voice Inverter Card installed. Ramsey Electronics makes the SS70C Speech Scrambler/Descrambler Kit, which can decode some single point voice inversion traffic. If you search the web you will also find a number of programs which claim to decode voice inversion traffic. Overall the authors of this book have found these programs to be unreliable and highly suspect, so use them with caution.

In general very few organizations still use voice inversion technology to protect their transmissions. If the organization has a strong need to protect their radio traffic they have moved to either digital systems with a custom vocoder or implemented a true encryption technology. However the ability to decode voice inverted traffic is still helpful if you encounter a target using this feature.
