Chapter 2

Basic Radio Theory and Introduction to Radio Systems

Whether you credit Guglielmo Marconi or Nikola Tesla with its invention, radio has been in use for over a century, and will continue to grow for the foreseeable future. Indeed, tried and true radio technologies are becoming even more important in our increasingly connected world.

A solid background in radio terminology and theory is essential for wireless reconnaissance. This chapter will provide a general overview of the fundamental concepts of the science and technology.

The Electromagnetic Spectrum

In the nineteenth century, electricity and magnetism were understood to be two separate phenomena, until discoveries by Michael Faraday, James Maxwell, Heinrich Hertz, and others unified these two forces under a single theory of electromagnetism. Electromagnetism is concerned with the forces that occur between electrically charged particles, and today is considered one of the four fundamental forces by modern physics. This paved the way for the inventions of Marconi and Tesla only a few years later, and an accelerating avalanche of innovation that continues to this day. In the twentieth century, a continuing trend of reductionism in the field of physics still endeavors to unify theories of the four fundamental forces (gravity, electromagnetism, weak, and strong nuclear forces) into one Grand Unified Theory. However, none of the technological applications of radio that are of interest to security reconnaissance depend on such advanced physics; they can be well understood using the groundwork provided by Maxwell and his contemporaries.

Terminology

It’s important to have a firm understanding of the underlying science and the terminology used to describe it. The following concepts are fundamental to understanding radio, and it is critical that you become familiar with them.

1. Frequency: Frequency is the measure of how many times the radio wave oscillates in a unit of time. Looking at the graph of a sinusoidal wave form (Figure 2.1), frequency can be understood as how often like portions of a wave (such as the peak or the trough) pass over a stationary point in space; the time between two successive like portions is the period, and the frequency is the inverse of the period.
Frequency is measured in Hertz (Hz). It is a measurement of frequency regardless of the medium: Hertz is used not only for measuring the frequency of electromagnetic waves, but in other contexts as well, such as acoustic waves and seismic waves. In every case, 1 Hz = 1 cycle per second. In the electromagnetic spectrum, the band known as radio waves ranges from about 3 kHz to about 300,000 MHz. Named after German physicist Heinrich Hertz, Hertz was established as a term in 1930, officially adopted as an SI unit in 1960, and had widely replaced the phrase “cycles per second” by 1970. When an SI unit is spelled out in English, it should always begin with a lower case letter (hertz), except where any word would be capitalized, such as at the beginning of a sentence or in capitalized material such as a title. As a part of the SI system of measurement, the usual prefixes kilo- (1000), mega- (1,000,000), and giga- (1,000,000,000, or 1 billion) are used in the customary fashion to create the derived units kilohertz (kHz), megahertz (MHz), and gigahertz (GHz). The first two should be familiar to anyone who has seen an AM/FM radio; gigahertz has become familiar in the last decade, as 802.11 (Wi-Fi) operates in the 2.4 and 5 GHz bands.

Figure 2.1 Sinusoidal Wave Form

2. Wavelength: Wavelength is the linear distance between two like parts of the wave form, typically the peak or trough of the wave (Figure 2.1). Because all electromagnetic waves travel at the speed of light, an inverse relationship exists between wavelength and frequency. The longer the wavelength, the lower the frequency, and vice versa. This is because all electromagnetic waves travel through a vacuum at the same speed, while a wave of a higher frequency completes each cycle in less time (thereby producing more cycles per second); a high-frequency wave that completes a single oscillation in less time necessarily covers a shorter distance during that oscillation, resulting in a shorter wavelength.

3. Amplitude: Amplitude is a measure of the energy in the wave (Figure 2.1). Amplitude is directly related to the strength of the signal and the amount of energy in it. A strong signal has a high amplitude, while a weak signal has a low amplitude. When a signal is amplified, its amplitude is multiplied.

Pipe Organ Analogy

It can be difficult to think about electromagnetic waves, since they cannot be seen or felt. Fortunately, wave phenomena behave very similarly in other media. For example, with sound waves, which are vibrations of physical matter (usually air), we see exactly the same relationship between frequency and wavelength. Consider the pipe organ: the vibrating pipe creates a column of air vibrating in sympathy with the pipe. The pipe has a natural frequency, based on its length, which is tuned to a specific note. When energy from the organ causes the pipe to vibrate, it tends to vibrate at its natural frequency. The low notes (low frequency) are sounded by very long pipes (long wavelength), while the high notes (high frequency) are sounded by very short pipes (short wavelength). If the organ is played at full volume, more energy is imparted into the pipe, resulting in a greater physical distance traveled in each cycle of vibration, in other words higher amplitude and a more energetic vibration. Keep this image of the pipe organ in mind (Figure 2.2); it will become important later on when we discuss antennas and tuning to resonate on a target frequency.

Figure 2.2 Different Length Pipes Generate Different Frequencies

Note

Regardless of the frequency, radio waves all travel at the speed of light, 186,280 miles per second (3.0 × 10^8 m/s)!

Note

Wavelength is equal to the speed of light divided by the frequency

The radio spectrum is a vast band of the electromagnetic spectrum which includes frequencies from 3 kHz to 300 GHz. This is a huge chunk of the spectrum, and is commonly divided into different bands.

Common Frequency Ranges of the Radio Spectrum

Band                            Frequency in Hertz (Hz)
Extremely low frequency (ELF)   Below 3 kilohertz (kHz)
Very low frequency (VLF)        3–30 kHz
Low frequency (LF)              30–300 kHz
Medium frequency (MF)           300–3000 kHz
High frequency (HF)             3–30 megahertz (MHz)
Very high frequency (VHF)       30–300 MHz
Ultrahigh frequency (UHF)       300–3000 MHz
Superhigh frequency (SHF)       3–30 gigahertz (GHz)
Extremely high frequency (EHF)  30–300 GHz

The entire radio spectrum is vast, a frequency band spanning almost 300,000 MHz. By comparison, the FM band, the one used in the US for commercial radio broadcast, is only a 20 MHz wide portion of that 300,000 MHz range. The RF portion of the electromagnetic spectrum covers the lower-end frequencies. Above 300 GHz, electromagnetic waves shift into near-infrared, infrared, visible light, ultraviolet light, and finally X-rays and gamma rays, where frequencies get into the terahertz range and beyond. At ultraviolet frequencies and higher, electromagnetic radiation becomes increasingly dangerous, due to the energies involved in generating these frequencies and the ability of tiny wavelengths to penetrate most solid matter, and it requires special shielding and careful handling. Of course, even lower frequency electromagnetic waves can pose a danger at higher intensities and under the right conditions. For example, 2.4 GHz waves are used in microwave ovens, infrared is used in heat lamps, and most lasers are in the visible spectrum.

Wavelength/Frequency Characteristics

From our quick overview of the electromagnetic spectrum, it’s readily obvious that electromagnetic waves behave very differently at different frequencies and wavelengths. Even within the RF portion of the electromagnetic spectrum, radio waves behave differently depending on their frequency as well. Understanding how radio waves behave at different frequencies is helpful for understanding how the target signal is likely to react, based on the frequency, material in the area, and atmospheric conditions.

An important property of different frequency RF signals is the distances they are capable of travelling. Due to the different wavelengths of different frequencies of RF signal, they are absorbed and reflected differently by different types of material. The higher frequencies are “line-of-sight” frequencies, but tend to be absorbed and blocked by solid objects. Waves of RF frequencies in the shortwave band are of a length that causes them to bounce off the Earth’s ionosphere (Figure 2.3). The lower-frequency waves actually bend to follow the curvature of the Earth. Each of these frequencies is useful due to these unique properties which give them capabilities that make them applicable in specialized contexts.

Figure 2.3 Behavior of Radio Waves of Different Frequencies

VHF and UHF frequencies travel line-of-sight, with a typical range of 20–30 miles. This distance varies greatly, depending on obstructions, as VHF and UHF are easily blocked by buildings or topography. Antenna height and transmitter power are also key factors, which is why transmitters are often placed on the top of tall towers. The higher the antenna is placed, the longer the distance to the horizon will be, following line-of-sight from the antenna.

There are certain atmospheric phenomena that can change the behavior of radio waves. Sporadic-E, also known as E-Skip, is caused by the E-layer of the ionosphere becoming thicker (see Sidebar), which causes VHF waves to bounce off the ionosphere much like HF waves, and thus travel further than they would normally.

The Atmosphere

Atmospheric and meteorological conditions can have a significant effect on the propagation of radio waves. Earth’s atmosphere consists of several layers, each with its own properties. Each layer absorbs, reflects, and refracts electromagnetic waves differently, giving rise to a number of interesting phenomena which can aid or hinder radio operators. The principal layers of the atmosphere, starting from Earth’s surface, are: the Troposphere, Stratosphere, Mesosphere, Thermosphere, and Exosphere (Figure 2.4).

At frequencies of ultraviolet light and above, electromagnetic radiation possesses enough energy to dislodge electrons from atoms, creating ions. Above the stratosphere, and extending through the mesosphere and partially into the exosphere, is the ionosphere. Reaching from altitudes of 50–1000 km above sea level, this region is so named because solar radiation interacts with air molecules, exciting them and causing them to become ionized (electrically charged). These charged layers of air molecules interact with electromagnetic phenomena, such as radio waves and Earth’s magnetic field. The ionosphere consists of four layers (Figure 2.5):

F—F1 and F2 merge together at night.

E—Weakens at night.

D—Closest to the Earth. Disappears at night.

The amount of ionization and the number of layers vary greatly depending on the radiation received from the sun. At night, when the Earth blocks the sun’s radiation from reaching the dark side of the planet, the F1 and F2 regions merge together. The E and D regions also become weaker at night as the level of ionization decreases, and the D-layer disappears. This allows HF (below 30 MHz) waves to reach the F-layer, where they reflect because of the wavelengths of RF emissions at these frequencies. This is why shortwave radio can be heard from such distances.

Another atmospheric phenomenon that results in altered behavior of radio transmissions is tropospheric ducting. This occurs when cold and warm air streams meet about 2 km, or approximately 1.25 miles, above the Earth. This phenomenon, which is often seen during the summer and usually lasts about an hour at a time, creates a “pipe” of warm and cold air that reflects the signal repeatedly, in a zig-zag fashion, allowing VHF and UHF RF signals to travel great distances. Tropospheric ducting of VHF frequencies starts above 100 MHz. Below that, the signal quality is greatly deteriorated.

To summarize, RF signals below 30 MHz are capable of bouncing off of the atmosphere’s upper layers and can travel great distances, reaching around the curvature of the Earth. This works best at night when the D-layer of the ionosphere disappears. Signals above 30 MHz are more line-of-sight, apart from the tropospheric ducting phenomenon.

Figure 2.4 Atmospheric Layers

Figure 2.5 Ionosphere Layers

How Materials Affect Radio Waves

When performing radio reconnaissance, it is obviously essential to be able to receive radio signals. Therefore, it is helpful to understand how certain materials attenuate, or block, radio waves. Where radio waves are concerned, matter can do one of two things: it can conduct radio waves and be a conductor, or insulate and be a dielectric. The majority of conductors are metals, while the majority of dielectrics are non-metallic. When a radio wave encounters a material, some quantity of its power will be reflected by the surface, some quantity of power will be absorbed within the material, and some quantity will pass through the material. The rate at which the dielectric absorbs power is described by the material’s attenuation coefficient. The quantity of energy that is able to pass through a dielectric is therefore determined by the material’s attenuation coefficient and its thickness. A low attenuation coefficient will allow radio waves to pass easily through the material.

Multipath

Multipath occurs when the signal from a transmitter bounces around enough that it arrives at the receiver at different times (Figure 2.6). When this happens, the copies of the signal arrive at different points in their phase and interfere with each other. This is a common problem in urban environments where signals bounce off buildings and metal objects, and can cause deteriorated audio signals and “ghosting” in video images. One way to combat multipath is to have an antenna at the proper polarity. (See the Antennas section of this chapter.)

Figure 2.6 Multipath

With technologies such as 802.11 Wi-Fi (2.4 and 5 GHz), multipathing actually becomes a useful property. A Wi-Fi signal indoors will reflect off of surfaces (walls, cabinets, etc.) and reach corners which would otherwise be in shadow if a line-of-sight frequency were used. Wi-Fi radios have specialized circuitry which allows them to combine these multiple paths, shifting the out-of-phase wave forms arriving from multiple paths back together into a reconstituted signal that is stronger than what otherwise would have been received, allowing Wi-Fi to work at longer ranges than it otherwise would. Wi-Fi signals are partially attenuated by most building materials, and completely blocked by some, so this is an important factor in 2.4 GHz’s usefulness in 802.11 applications.

Regulatory Agencies

For wireless reconnaissance, we are mainly interested in a few chunks of the radio spectrum, specifically the 30 MHz to 1 GHz range and the 2.4 and 5 GHz spectrum. In the United States, the RF spectrum is governed by the Federal Communications Commission (FCC), which designates and apportions the RF spectrum into different bands, which are commonly used by different types of services. The FCC is also responsible for coordinating and issuing radio operation licenses, which authorize organizations to transmit on specific frequencies, at specific power levels, in specific geographical regions. The FCC manages the RF spectrum, and therefore is required to keep and maintain public records of who is licensed to use which frequencies. This makes it a valuable resource for profiling targets. How to access and use this license information from the FCC will be discussed in Chapter 4. Additionally, every electronic circuit emits an RF field when powered. Electronics manufacturers are required to certify products with the FCC, to guarantee that they are properly shielded so that their incidental RF emissions are properly contained and will not interfere with the operation of legitimately licensed broadcasts.

Other countries have similar organizations to the FCC which manage and license access to the spectrum in that country. In Europe, each country has its own governing body that manages the use of the spectrum within their borders. The ITU (International Telecommunication Union) is a UN agency that coordinates shared global spectrum. This body covers spectrum utilization over international waters, satellite, short wave amateur radio bands, and the broadcast shortwave spectrum. The ITU provides standards to help the various country regulatory bodies coordinate.

Applying the Science: Radio Technology Basics

Having provided a basic understanding of the radio spectrum and how radio waves at different frequencies act, we can apply this knowledge to understand how information can be transmitted and received using radio frequencies. For this we’ll learn the basic components of a radio and some basic radio theory.

While we all have an image when we hear the term radio—be it a clock radio, car stereo, or walkie-talkie—all radios do three basic things:

• Tuning: A radio can tune into a desired frequency.

• Amplification: A radio can amplify the weak signal that is received as the radio waves pass over the antenna. The amount of energy imparted when a radio wave passes over an antenna is very weak. So the signal usually needs to be amplified to a level where the other parts of the radio can process it.

• Demodulation: A radio must detect the signal over the background noise, and demodulate the signal into a usable form. In most cases, this means converting the signal into sound waves the end user can hear.

To accomplish these things, a radio has different specialized parts. Figure 2.7 is a block diagram for a Superheterodyne Receiver (also called Superhet), which is the most popular type of receiver used today, and commonly used in modern day scanners.

Figure 2.7 Block Diagram of a Radio

It is important to understand at least at a high level what is going on inside the radio, in order to understand the limits of your equipment, as well as troubleshoot issues, such as front-end overload and spurious or false signals.

Let us follow the path an incoming signal from the air takes as it is processed by the radio receiver:

1. Antenna: When radio waves pass over the antenna they induce a small current in the antenna, which passes into the radio. When an electrical conductor passes through an RF field, the field induces a current in the conductor. Antennas and how they work will be covered in more depth later in the chapter.

2. RF amp and Tuner: The RF amp amplifies the weak signal that comes from the antenna. Often this signal is only a few microvolts. Getting the amplification right is a delicate balance for the engineer building the system. A strong enough amplifier is needed so that the radio can detect and demodulate a weak signal. But too strong an amplifier will create a signal that overloads the mixer, resulting in distortion as a variety of garbage signals are introduced into the radio and the radio generates signals outside of the intended frequency. This stage is also where the signal from the antenna is tuned to a specific frequency. In a scanner that can search 100 channels per second, the tuner needs to be able to tune to different frequencies very quickly while still remaining accurate.
Tuners often also have filters to keep out strong signals that may be in the area. For example, a scanner may have a high-pass filter in place that filters out signals below 30 MHz, because that’s the lowest frequency the radio is designed to tune. Or, if a radio is only supposed to receive signals in the 144–148 MHz range, it may have a band-pass filter in place that only allows frequencies between 144 and 148 MHz through. This helps keep out spurious signals caused by strong commercial FM radio stations or pager transmitters. FM radio stations and pager transmitters are both notorious for causing front-end overload in radio scanners.
Some high-end radios have multiple filters that are switched on and off depending on the frequency range the radio is tuned to. With scanners that need to receive signals over such a wide frequency range, it is especially challenging to make a front-end amplifier that works well across the entire range they are intended to receive.

3. Mixer: A mixer is sometimes referred to as a down converter. The signals from the RF amp and the local oscillator enter the mixer. The mixer combines these waves and outputs a signal at a set frequency, referred to as the Intermediate Frequency (IF). No matter what frequency the radio is tuned to, the IF that comes out of the mixer is always the same. On most scanners the first IF output frequency is 10.7 MHz. Using an Intermediate Frequency makes it convenient to design the radio’s components, because they can be built around specific IF frequencies.
In many radios this IF signal will actually go through multiple down converters and filters until it is at a frequency the demodulator can process. A radio with more conversions will filter out more “birdies” (see Sidebar). To keep the explanation simple, this diagram lumps these stages together, rather than breaking them out into multiple blocks.
Most scanners put the signal through 2–3 conversions. This is referred to as double and triple conversion. Some high-end radios have quadruple conversion. Generally, the more conversions, the more likely the radio is to filter out spurious signals. These will work better in RF-rich environments like urban areas. As radio emitters become increasingly commonplace, more and more places are becoming RF rich. Today most scanners are triple conversion, but this needs to be checked more carefully when purchasing a used radio. We recommend getting a triple conversion scanner if you can afford it.

Why 10.7 MHz?

The choice of 10.7 MHz for the Intermediate Frequency is a convention that was settled upon for a number of practical reasons. The standardization came about when Superhet receivers were first being made for the broadcast FM band in the US. 10 MHz was picked because any harmonics created by the mixer would fall outside the FM band (which is 20 MHz wide). The 0.7 was picked because the channel spacing in the US FM band is 0.2 MHz; since 0.7 is not a multiple of 0.2, any harmonic signal generated by the mixer would fall between channels, which minimizes its interference. From then on, 10.7 MHz became the popular value for other FM receivers such as scanners, most likely because there are lots of parts already designed and tuned to work with this IF, and using those parts is cheaper than designing new ones.

4. Local Oscillator: The local oscillator could be considered separate from the mixer, but it’s a key component that makes the mixer work. The local oscillator creates radio waves at different frequencies, and is often referred to as a VFO (Variable Frequency Oscillator). The frequency created by the VFO changes in proportion to the frequency the radio is tuned to. This is done so that when the radio waves from the local oscillator and the tuner are combined, they always exit the mixer at the IF. If the VFO did not change frequencies, the IF produced by the mixer would change as the tuner frequency changes.

Birdies

“Birdies” are spurious signals and harmonics produced by the radio circuits. This is internal RF noise generated by the radio itself. Birdies make it appear like a signal is present where there really is not. A birdie will either be a signal that is silent, or will sound like static. To tell if you have tuned to a birdie on your scanner, remove the antenna. If the signal is still there, it is a birdie.

Most scanner manuals list the birdie frequencies for their radio. It is still good to verify this list, because new birdies could appear depending on slight difference in the manufacturing process. To find the birdies, take the antenna off your scanner and have it search all the frequencies it can find. Anytime it stops on a signal, it is probably a birdie.

If you are unsure, put the antenna back on. If attaching the antenna pulls in a strong signal, like a local pager tower, FM broadcaster, or TV station, then it is not a birdie—just a signal strong enough to receive without the antenna.

Since you’re going through the trouble of identifying them, keep a list of these birdies for future reference.

When you set up your scanner to search for new signals (covered in the onsite profiling chapter), you can consult the birdie list to see if the signal you got was a birdie or not. Some people will also lock out the birdies so they are ignored during searches. Note that it’s entirely possible for a real signal to be transmitted at a frequency that happens to be a birdie frequency of your scanner! Locking out the birdies could cause you to miss a signal if it is on that frequency. Because of this, we do not recommend locking out the birdies until you’ve determined that the signals are indeed originating from inside your scanner.

Thanks to technological advances with equipment, finding a list of birdies is not required as much these days. If you have a triple conversion scanner, the number of birdies will be minimal. This is more important, but still not critical, on older double conversion radios.

Tip

The components that process the received signal from the RF amp to the first Intermediate Frequency are referred to as the front end of the radio.

5. Demodulator: The demodulator extracts information carried by the radio wave, and (usually) converts it to an audio wave. For example, an FM radio uses an FM demodulator to extract the information needed to reconstruct the music the radio station is broadcasting. There are many types of modulation and demodulation. Other types will be covered later in this chapter.

6. Audio amplifier: This component amplifies the audio signal coming out of the demodulator to a level the end user can hear. This is almost always variable, in order to provide volume control. The audio amplifier often contains filters to clean up the signal. Although the filters can make the audio sound better, they can cause problems if you try to decode data signals by feeding the audio output from a scanner into a computer. Oftentimes these filters manipulate the signal enough that data signals, especially signals over 1200 baud, cannot be recovered.

To get around this, it is necessary to pull the data signal before the audio is cleaned up by getting the audio from the discriminator output. The discriminator output provides access to the unfiltered audio signal. Some scanners have discriminator output ports built in, which makes it easy to access the unfiltered signal.
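To make the mixer and local-oscillator steps (2 through 4 above) concrete, here is an added example that is not code from the book. It models the front end as an ideal mixer that outputs only the sum and difference of its two inputs, uses the 10.7 MHz first IF the chapter mentions, and assumes the VFO runs 10.7 MHz above the tuned frequency and that the IF filter is a brick-wall filter of a constructed width; it also goes one step beyond the text by showing a second on-air frequency that lands on the same IF, one way a false signal can appear.

```python
"""Idealized model of a single-conversion superheterodyne front end.

Added example for this chapter; not code from the book. Assumptions (mine):
  * the mixer outputs only the sum and the |difference| of its two inputs,
  * the VFO runs above the tuned frequency by exactly the IF,
  * the IF filter is a brick-wall filter of constructed width IF_BW_MHZ.
All frequencies are in MHz.
"""

IF_MHZ = 10.7      # first IF used by most scanners, per the chapter
IF_BW_MHZ = 0.02   # constructed IF filter width (20 kHz), not a value from the book


def lo_frequency(tuned_mhz: float) -> float:
    """VFO output for a given tuned frequency: always IF_MHZ above it."""
    return round(tuned_mhz + IF_MHZ, 6)


def mixer_products(rf_mhz: float, lo_mhz: float) -> tuple[float, float]:
    """Ideal mixer: (sum, |difference|) of the two inputs."""
    return round(rf_mhz + lo_mhz, 6), round(abs(rf_mhz - lo_mhz), 6)


def passes_if_filter(freq_mhz: float) -> bool:
    """True if a mixer product falls inside the IF filter's passband."""
    return abs(freq_mhz - IF_MHZ) <= IF_BW_MHZ / 2


def reaches_demodulator(signal_mhz: float, tuned_mhz: float) -> bool:
    """Does an on-air signal produce IF output when the radio is tuned to tuned_mhz?"""
    lo = lo_frequency(tuned_mhz)
    return any(passes_if_filter(p) for p in mixer_products(signal_mhz, lo))


def image_frequency(tuned_mhz: float) -> float:
    """The second on-air frequency that also mixes down to the IF.

    With the LO above the tuned frequency, a signal IF_MHZ above the LO gives the
    same |difference| as the wanted signal. The chapter does not name this
    frequency; it is one way a 'false signal' can appear on a scanner."""
    return round(tuned_mhz + 2 * IF_MHZ, 6)


def if_with_fixed_lo(signal_mhz: float, lo_mhz: float) -> float:
    """Difference product if the LO did NOT track the tuned frequency.

    Shows why the VFO must move with the tuner: a fixed LO gives a different
    'IF' for every signal frequency, so a fixed IF filter could not be used."""
    return round(abs(signal_mhz - lo_mhz), 6)


def scan(channels_mhz, signals_mhz):
    """Step through channels the way a scanner does and report which channels
    produce IF output, and from which on-air signals (wanted or image)."""
    hits = {}
    for ch in channels_mhz:
        heard = [s for s in signals_mhz if reaches_demodulator(s, ch)]
        if heard:
            hits[ch] = heard
    return hits


if __name__ == "__main__":
    # Constructed scenario: a wanted transmitter at 155.0 MHz and an unrelated
    # transmitter at 176.4 MHz while the scanner steps through 154-157 MHz.
    on_air = [155.0, 176.4]
    channels = [154.0, 155.0, 156.0, 157.0]
    print("LO when tuned to 155.0 MHz:", lo_frequency(155.0))            # 165.7
    print("Mixer products, wanted signal:", mixer_products(155.0, 165.7))  # (320.7, 10.7)
    print("Image of 155.0 MHz:", image_frequency(155.0))                 # 176.4
    print("Scan result:", scan(channels, on_air))   # {155.0: [155.0, 176.4]}
    print("Fixed 165.7 MHz LO, signal at 156.0:", if_with_fixed_lo(156.0, 165.7))  # 9.7
```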

DIY Radio Modification: Discriminator Output

Scanners that do not have this convenient feature can be modified by opening up the radio and soldering an audio line at a specific point on the circuit board. This is a relatively easy modification, which can be performed by the casual hobbyist or enthusiast, in a few minutes for less than $5 in parts that can be obtained from Radio Shack or similar stores, using a soldering station, a Dremel tool for drilling holes, and a screwdriver.

Detailed instructions are beyond the scope of this book, as the procedure varies depending on the model. A Google search will often produce instructions on how to add a discriminator output to your scanner. Figure 2.8 shows the inside of a scanner with a discriminator output added.

Figure 2.8 Inside of a Scanner with a DIY Discriminator Output Added, Reprinted with Permission from Meagan Call

Of course, the usual disclaimers apply. This will void your warranty and we are not responsible if you break your radio!

Filters

A filter is a device that allows certain frequencies to pass, and rejects other frequencies. Filters are used inside radios to clean up both RF and audio signals. Each filter has a cutoff frequency, which is the frequency at which the filter begins to reduce (attenuate) the signal passed through it, and a decibel (dB) rating, which tells how much signals are reduced by the filter. A filter may not completely eliminate a signal if the input signal is stronger than the dB rating of the filter. Filters can have either a fixed cutoff frequency or a variable cutoff frequency. Classically, filters are electronic circuits. However, as more radios become software-based, more and more filters are being implemented in software.

There are two basic types of filters: high-pass and low-pass filters. A high-pass filter allows frequencies above the cutoff frequency to pass through the filter (Figure 2.9). A low-pass filter allows frequencies below the cutoff frequency to pass through the filter (Figure 2.10).

Figure 2.9 High-Pass Filter

Figure 2.10 Low-Pass Filter

Band-pass and notch filters are also common filters used in radios. A band-pass filter allows a set range of frequencies to pass, and is created by combining a high-pass filter to remove signals below the target band with a low-pass filter to remove signals above the target band (Figure 2.11). Band-pass filters are helpful to eliminate strong signals outside of the target band.

Figure 2.11 Band-Pass Filter

A notch filter (Figure 2.12), also called a band-stop filter, removes a section of the spectrum. Notch filters are helpful to remove a specific strong signal or band of strong signals that is causing interference. For example, commercial FM transmitters can overload the front end on some scanners. If this occurs, placing a notch filter that attenuates 88–108 MHz between the antenna and the scanner will fix the front-end overload.

Figure 2.12 Notch Filter
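The four filter types above, as an added example that is not code from the book. Each filter is modelled as an ideal (brick-wall) device with a cutoff and a fixed rejection in dB, a band-pass is built from a high-pass and a low-pass as the text describes, and the 88–108 MHz notch and 144–148 MHz band-pass mentioned in this chapter are applied to a constructed set of signals whose levels are given in dB relative to a scanner's front-end overload point (that scale, the levels and the 30 dB ratings are assumptions, not values from the book).

```python
"""Ideal ("brick-wall") model of the high-pass, low-pass, band-pass and notch
filters described in this section.

Added example; not code from the book. A signal inside a filter's stopband is
reduced by the filter's fixed dB rating; everything else passes untouched.
Signal levels are given in dB relative to a scanner's front-end overload point
(0 dB or more = overloading). That scale and every signal level below are
constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    kind: str            # "high-pass", "low-pass", "band-pass" or "notch"
    low_mhz: float       # lower band edge, or the cutoff of a high-pass filter
    high_mhz: float      # upper band edge, or the cutoff of a low-pass filter
    rejection_db: float  # the filter's dB rating: how far stopband signals are reduced

    def in_stopband(self, freq_mhz: float) -> bool:
        """Which frequencies this filter rejects, per the definitions in the text."""
        if self.kind == "high-pass":
            return freq_mhz < self.low_mhz                    # passes only above cutoff
        if self.kind == "low-pass":
            return freq_mhz > self.high_mhz                   # passes only below cutoff
        if self.kind == "band-pass":
            return not (self.low_mhz <= freq_mhz <= self.high_mhz)
        if self.kind == "notch":
            return self.low_mhz <= freq_mhz <= self.high_mhz  # removes a slice of spectrum
        raise ValueError(f"unknown filter kind {self.kind!r}")

    def attenuation_db(self, freq_mhz: float) -> float:
        return self.rejection_db if self.in_stopband(freq_mhz) else 0.0


def high_pass(cutoff_mhz: float, rejection_db: float) -> Filter:
    return Filter("high-pass", cutoff_mhz, float("inf"), rejection_db)


def low_pass(cutoff_mhz: float, rejection_db: float) -> Filter:
    return Filter("low-pass", float("-inf"), cutoff_mhz, rejection_db)


def notch(low_mhz: float, high_mhz: float, rejection_db: float) -> Filter:
    return Filter("notch", low_mhz, high_mhz, rejection_db)


def band_pass(low_mhz: float, high_mhz: float, rejection_db: float) -> list:
    """A band-pass built as the text describes: a high-pass removing signals
    below the band, chained with a low-pass removing signals above it."""
    return [high_pass(low_mhz, rejection_db), low_pass(high_mhz, rejection_db)]


def apply_chain(filters, freq_mhz: float, level_db: float) -> float:
    """Signal level after passing through the filters in order (dB losses add)."""
    return level_db - sum(f.attenuation_db(freq_mhz) for f in filters)


def still_overloading(filters, signals: dict) -> dict:
    """Signals that still reach the scanner's front end at 0 dB or above."""
    after = {f: apply_chain(filters, f, lvl) for f, lvl in signals.items()}
    return {f: lvl for f, lvl in after.items() if lvl >= 0}


# Constructed scenario: a commercial FM station, the 155 MHz signal we actually
# want to hear, and a strong pager-type transmitter, all in dB above overload.
SIGNALS = {98.1: 20.0, 155.0: -40.0, 930.0: 5.0}


if __name__ == "__main__":
    print("No filter, overloading:", still_overloading([], SIGNALS))
    fm_notch = [notch(88.0, 108.0, 30.0)]            # the text's 88-108 MHz notch
    print("With FM notch:", still_overloading(fm_notch, SIGNALS))
    two_meter = band_pass(144.0, 148.0, 30.0)         # the text's 144-148 MHz band-pass
    print("With 144-148 band-pass:", still_overloading(two_meter, SIGNALS))
    print("Wanted 155.0 MHz signal through that band-pass:",
          apply_chain(two_meter, 155.0, -40.0))       # -70.0: outside the band, so lost
    # A station stronger than the filter's rating is only reduced, not eliminated.
    print("40 dB station through a 30 dB notch:", apply_chain(fm_notch, 98.1, 40.0))
```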

Antennas

Radio waves passing through the air are very weak. The antenna helps gather and strengthen the available signal in the air. When RF waves pass over an antenna, they induce a comparatively weak signal in it; an antenna that resonates with the frequencies it is catching from the air boosts that signal and feeds it into the radio.

The antenna is one of the most important components in any radio. A good antenna can easily mean the difference between detecting and missing a signal. In fact, given the choice, we would prefer a high-quality antenna paired with a low-quality radio than a low-quality antenna paired with a high-quality radio. The antenna is that important.

Antennas are used when signals are both transmitted and received. Because the focus of this book is on receiving signals, the next section will focus on how antennas receive signals and ways to improve how antennas can receive signals. Similar techniques can be applied to transmitter antennas to improve their performance.

Antenna Theory

A number of concepts are key to understanding antennas:

1. Resonance: Resonance occurs when an electric signal travels from one end of a wire to the other and back in the same amount of time as the period of one cycle of the RF frequency. In other words, when the length of the wire is equal to half the wavelength. RF signals will also resonate with antennas whose lengths are multiples of the wavelength, a phenomenon known as harmonics. Harmonics make it easier for the antenna to pick up signals of the resonant frequency. Full-wavelength antennas can get very long, which makes them unwieldy when mounted on a handheld radio or vehicle. Because of this, people often use 1/2 and 5/8 wave antennas. To understand why 1/2 and 5/8 wave antennas function, it is essential to understand resonance. The more resonant an antenna is with respect to a given frequency, the less RF energy is required to excite the antenna and allow it to pass a signal at that frequency through to the radio.
The lower threshold, or how weak a signal the radio is able to pick up, determines the sensitivity of the radio. This is typically measured in microvolts (μV). RF energy passing over an antenna excites the antenna, generating a very small voltage, also measured in μV. Antennas can also act as filters. Tuning an antenna to resonate at specific frequencies will make it easier to hear signals on those frequencies. Note, however, that tuning an antenna to resonate on specific frequencies will make it more difficult to hear other frequencies. This is fairly easy to do with a telescoping whip antenna by changing the length of the antenna. Remember, longer isn’t always better. Sometimes you will need to shorten an antenna to hear higher frequency signals.

Tip

Bigger isn’t always better, especially when it comes to antennas. In fact, the shorter the antenna, the better it will hear higher frequency signals, since high frequency means short wavelength.

It is often useful during onsite reconnaissance to be able to determine the approximate frequency of a transmitter by the length of its antenna. Knowing this length will help you zero in on the frequency ranges in which interesting signals are more likely to be found, and decrease the time it takes to determine the exact frequency used by the target. The required length of dipole and whip antennas is determined by the following equation:

image

To obtain the length in inches, multiply by 12. For the length in meters, use this equation instead:

image

Multiply this result by 100 (or simply divide 3/f) to obtain the length in centimeters.
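As an added example (not from the book), the same calculation in Python from first principles: the free-space wavelength λ = c/f, scaled by the fraction of a wavelength each antenna type resonates at, in meters and in feet and inches, and then run in reverse to estimate a transmitter's frequency from a measured antenna length, which is the onsite recon use described above. The `velocity_factor` parameter is an assumption added here: practical antennas are cut a few percent shorter than the free-space value, and 1.0 (no shortening) is the default.

```python
C = 299_792_458.0  # speed of light in m/s; free-space wavelength is assumed

# Fraction of a wavelength at which each antenna type resonates (see the
# resonance discussion above; 5/8-wave is a common mobile whip length).
ANTENNA_FRACTIONS = {
    "full-wave": 1.0,
    "5/8-wave": 0.625,
    "half-wave dipole": 0.5,
    "quarter-wave whip": 0.25,
}


def wavelength_m(freq_mhz):
    """Free-space wavelength in meters for a frequency given in MHz."""
    return C / (freq_mhz * 1e6)


def antenna_length_m(freq_mhz, fraction=0.5, velocity_factor=1.0):
    """Element length in meters.

    fraction selects the antenna type (0.5 = half-wave dipole, 0.25 = whip).
    velocity_factor < 1.0 models the practical shortening of a cut element
    (assumed parameter, default leaves the free-space value unchanged).
    """
    return wavelength_m(freq_mhz) * fraction * velocity_factor


def antenna_length_cm(freq_mhz, fraction=0.5, velocity_factor=1.0):
    """Same length in centimeters, for the tape-measure reading."""
    return antenna_length_m(freq_mhz, fraction, velocity_factor) * 100.0


def antenna_length_imperial(freq_mhz, fraction=0.5, velocity_factor=1.0):
    """Same length as (whole feet, inches rounded to 0.1)."""
    total_in = antenna_length_m(freq_mhz, fraction, velocity_factor) / 0.0254
    feet, inches = divmod(total_in, 12)
    return int(feet), round(inches, 1)


def frequency_candidates_mhz(length_m):
    """Reverse the calculation for onsite recon.

    Given a measured antenna length, return the frequency (MHz) at which the
    antenna would be resonant under each assumption about its type, since a
    short element could be a quarter-wave whip for one band or a half-wave
    element for a band twice as high.
    """
    return {
        name: round(C * frac / (length_m * 1e6), 2)
        for name, frac in ANTENNA_FRACTIONS.items()
    }


if __name__ == "__main__":
    for name, frac in ANTENNA_FRACTIONS.items():
        ft, inch = antenna_length_imperial(146.0, frac)
        print(f"146 MHz {name:17s}: {antenna_length_cm(146.0, frac):6.1f} cm  ({ft} ft {inch} in)")
    print("50 cm whip could be:", frequency_candidates_mhz(0.5))
```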

2. Polarity: An antenna’s polarity determines which spatial axis the antenna is most responsive in. There are two types of polarity: horizontal and vertical. Understanding the polarity of the antenna you are using will help you to position it properly, to get the maximum gain, and to aim it (if the design of the antenna necessitates) at the transmission source. Antennas with horizontal polarity are most sensitive in a horizontal plane, and when properly deployed the antenna should look like it is lying down, like the old-style television directional antennas (Figure 2.13) you may still see on rooftops. Antennas with vertical polarity should stand vertically, as with a whip antenna on a portable FM radio or CB radio. These are also the most common antennas for RF scanners.
To get the best performance from your antenna, you want to match the polarity of the transmitting and receiving antennas. So for most systems in this book the antenna on the receiver should be held vertically to get the best performance.

image

Figure 2.13 Horizontal Polarity TV Antenna

3. Antenna gain: The amount that an antenna increases the signal strength is called gain, which is measured in decibels (dB). The decibel scale is logarithmic rather than linear, and due to this, just a few dB of gain can make a significant difference. As an example, the difference in signal strength between a 50 W light bulb and a 100 W light bulb is 3 dB.

Signal Strength

There are three basic ways to increase signal strength when receiving a signal: amplification, antenna tuning, and antenna orientation. Using an amplifier will amplify noise and unwanted signals as well, and may simply result in a louder version of the same noisy signal. You can also tune the antenna to the frequency of interest. This can be done by adjusting the length of the antenna, or by changing to an antenna tuned for the range you are interested in. Finally, using a directional antenna that is designed to focus the signal energy can increase the signal strength.

Antenna Diagrams

To understand the reception properties of a given antenna, refer to the antenna diagram for the type of antenna. An antenna diagram is a graph, showing the gain and radiation pattern an antenna has around it. This is useful for determining the characteristics of a directional antenna, or to see how uniform an omnidirectional antenna is. No antenna is going to perfectly receive in all directions, so a diagram can help you understand the characteristics of the antenna. Antenna diagrams are useful for understanding the concept of directional antennas. By studying antenna diagrams, you can see the lobes generated by making an antenna directional. This is an important concept to understand if you plan to use antennas for direction finding.

Tip

When trying to determine the direction of a signal source, change the orientation of the antenna until you find the orientation that allows you to receive the signal most clearly and strongly. As you do this, you may see a small jump at a sub-lobe in the antenna’s gain field, which has the potential to give the appearance that the direction has been found, leading you on a wild goose chase. Knowing the antenna diagram for the antenna you’re using will help you to avoid being fooled. Always look for the most gain when orienting the antenna toward a signal source.

Popular Types of Antennas

Broadly, antennas can be divided into two groups: directional and omnidirectional. There are many different types of antennas—dozens or hundreds, depending on how you classify them. This section will focus on just the types that are of interest to penetration testers performing wireless reconnaissance.

Omnidirectional and Directional Antennas

Omnidirectional antennas receive signals equally from all directions. Directional antennas pull in signals better from one direction. In this direction, they can detect a weaker or more distant signal than an equivalent omnidirectional antenna. The trade-off is that they do this by decreasing their ability to pull in signals from other directions.

Note

How Omni is Omni? While the prefix omni- implies that the antenna is able to receive signals from any direction, technically omnidirectional antennas are usually only omnidirectional in a single plane. For example, depending on its orientation, an omnidirectional antenna may detect signals to the North, South, East, and West, but not above or below.

Note

Gain: The difference in signal strength achieved by an antenna is known as gain, which is measured in decibels (dB). Directional antennas adjust the gain pattern to better receive signals from a specific direction. A well-designed omnidirectional antenna can also provide gain on specific frequencies the antenna is tuned to.

Directional antennas have both positive and negative gain, depending on from which direction you are looking at the antenna. This is mapped out in antenna diagrams.

Types of Omnidirectional Antennas

• Discone: Discone antennas are broadband antennas (able to receive a wide range of frequencies) that are generally base mounted. There are a few commercial discone antennas available for handheld radios, the most popular of which are tuned for cellular phone frequencies. Discone antennas can be designed and built to be sensitive across a wider range of frequencies than other types of antennas.

• Whip: A very common type of omnidirectional antenna is the whip antenna (Figure 2.14). Typical scanners come with a whip antenna. These antennas are usually so inefficient that they have no gain; however, this is a sacrifice made to allow the antenna to cover a wide frequency range. This wide range also means that it is possible for the antenna to have a negative gain on certain frequencies. Usually, they are made to operate best on a specific frequency, largely based on the length of the antenna. Telescoping whip antennas can be tuned to a variety of frequencies based on how far the antenna is extended.

image

Figure 2.14 Whip Antenna, Reprinted with Permission from Meagan Call

• Dipole: An antenna made up of two wires connected in a straight line. One wire connects to the radio and the other wire connects to ground. Usually made to operate best on a specific frequency. Commonly used as a base antenna. The biggest advantage of dipole antennas is that they are a very simple design and so are cheap to make. Additionally, because they are a simple design they are very easy to make at home, and are usually the first home-brewed antenna people make.

Types of Directional Antennas

• Yagi: This is the familiar roof antenna used for television reception (Figure 2.15), which was a common sight in the golden age of NTSC broadcast, before cable and satellite television caught on and eventually largely replaced it. It consists of a central spine with numerous “ribs” of various lengths sticking out laterally.

image

Figure 2.15 Yagi Antenna

• Panel and wave guide: These types of directional antennas (Figure 2.16) may be familiar to penetration testers from attacking wireless 802.11 networks. The “cantenna”, an inexpensive hardware hack involving a Pringles potato chip can, was a well-known example of this type of antenna, which happened to have dimensions and materials suitable for picking up Wi-Fi signals. They are not of much use in the frequency ranges usually covered by radio recon (below 1 GHz).

image

Figure 2.16 Wave Guide Antenna, Reprinted with Permission from Meagan Call

Tip

Antennas are sensitive to all metallic objects in the nearby area. Moving an antenna often has a dramatic effect on reception. This is especially true in high-metal cubicle farms, inside office buildings, hotel rooms, and the like. If using radio equipment while in a vehicle, simply moving the car a few inches may be enough to improve the reception. Of course sometimes, you will need to find another location altogether to get a clear signal.

Tip

Some antennas require a ground plane to function properly and get the best possible signal. The owner’s manual or technical specifications for the antenna should state if a ground plane is required, recommended, or not needed. If a ground plane is needed, it can be created by placing the antenna on a large piece of metal. If indoors, a filing cabinet is a good option, and if outdoors, use the roof or hood of a vehicle (unless of course the body is fiberglass or plastic).

Modulation

Modulation is the method used to encode voice or data that is transmitted by a radio. Broadly speaking, modulation may be classified as analog or digital. Analog is the older of the two, but digital is already well established and continues to expand its share of the market due to its numerous advantages. Digital formats offer higher audio quality, allow data to be sent more reliably, can use data compression, and allow the medium to be shared, which permits greater transmitter density and more users of a given frequency in a given area.

To properly listen to a signal, it is necessary for the transmitter and receiver to use the same modulation type. On some scanners, the modulation type is called the mode.

Analog Modulation

While most people are familiar with Amplitude Modulation and Frequency Modulation (AM and FM), there are many other modes in which different types of radios operate. FM is the most common mode of modulation in the United States that is of interest to penetration testing, but it is good to know and understand the other modes.

Common Analog Modulation Types

• AM—Amplitude Modulated: The strength (amplitude) of the radio wave is varied to encode the information into the carrier wave. Used with frequencies below 30 MHz, for shortwave radio transmissions, in the commercial AM band, and for aircraft communications such as aircraft-to-aircraft or aircraft-to-tower.

• FM—Frequency Modulated: The frequency of the carrier wave is changed to encode information into the radio wave.

• FM Narrow (FMN) is commonly used by two-way radio systems. It is designed to transmit low-fidelity audio signals and takes up less bandwidth than the FM Wide (FMW) modulation used by broadcast FM stations, which is discussed next. FMN is the most popular format for the focus of this book. With the exception of AM being used by aircraft, FMN is used for all two-way analog voice traffic transmitted on frequencies over 30 MHz.

• FM Wide (FMW) is used by commercial FM broadcasters because it can transmit a higher-fidelity signal than FMN. This increase in audio fidelity comes at a price: FMW takes up more bandwidth than FMN.

• SSB—Single Sideband: This type of modulation is generally only used with shortwave frequencies below 30 MHz, because it makes better use of bandwidth. It is used for two-way communications, typically applications like ham radio and ship-to-ship communications. Broadcast shortwave and AM radio stations do not use SSB because it requires a more complex radio which can be more difficult for the end user to tune.

Tip

If you are planning on obtaining a radio that covers shortwave bands, consider getting one that supports single sideband so you can listen to more than just commercial shortwave.

Digital Modulation

Digital modulation types are becoming more and more common as people look for new ways to conserve bandwidth. Thanks to data compression algorithms, a digital signal carrying voice data can take up less RF bandwidth than an analog voice signal. Digital can be higher quality for voice traffic, as well. This is due to error correction, which preserves the 1’s and 0’s of the digital stream and automatically corrects them when the signal is distorted within limits. A distorted analog signal, by contrast, cannot be corrected this way at the receiving end, and therefore will sound distorted. However, this comes with a trade-off. A badly distorted analog signal may still be demodulated and be at least discernible as voice, and a good ear can make out intelligible speech through the static and distortion. With a digitally modulated signal, if the distortion is too great, the error correction cannot restore the signal, and if a packet cannot be demodulated, it gets dropped, resulting in cutouts of the voice stream. Once you get enough dropped packets, you lose all voice traffic.

Currently, the great challenge with digital modulation is finding a radio or software that is able to decode it. The situation that exists today is similar to the “codec hell” issue that drove computer users crazy a number of years ago when trying to watch videos downloaded from the Internet. Each video file was encoded with one of dozens of custom codecs. In order to decode the video data, you needed the right codec, which was not included with the video file itself and had to be downloaded and installed separately. Without any automated means of finding and installing the codec files, it could sometimes take a great deal of searching to find a web site that offered the codec for free download. Until just a few years ago, many video codecs in wide use were often license- and/or patent-encumbered, and had to be purchased in order to be used legally.

With digital radio demodulation, it’s more a matter of proprietary modulation not being made available for scanners. Many manufacturers have developed their own method of modulation and consider it a trade secret that confers them an advantage if they keep it to themselves, forcing customers to buy from them. Oftentimes, the only way to demodulate a signal, other than with the proprietary radio that supports the format, is a time-consuming reverse-engineering effort.

Tip

During the offsite profiling stage of your penetration test be sure to check the http://www.radioreference.com database for voice codecs commonly used by your target to verify if your scanner can monitor them or research ways to decode the traffic.

APCO P-25

There are an ever-growing number of digital modulation types used by wireless systems. However, currently the only standard that can be decoded by consumer grade scanners is the P-25 standard. Other digital modulation types are covered in Chapter 9.

Project 25 (P-25) is an open standard made by the Association of Public-Safety Communications Officials (APCO) to promote interoperability between public safety radio systems. Many advanced radio features such as digital modulation and trunking are proprietary features created by manufacturers. These features traditionally did not interoperate with other manufacturers’ equipment. This often made it difficult to coordinate the response to a large-scale disaster requiring multiple agencies or municipalities to respond because the radio system used by one city or agency would not be compatible with radios used by another city. The APCO P-25 standard was created to overcome these interoperability issues. The technical specifications for P-25 can be found in the ANSI/TIA-102 series of documents.

P-25 transmissions can also be encrypted using a variety of standard encryption algorithms such as the Data Encryption Standard (DES), Triple-DES, or the Advanced Encryption Standard (AES). A number of NSA-generated ciphers are also supported, such as ACCORDIAN, BATON, Firefly, MAYFLY, and SAVILLE. However, few organizations implement encryption because of the additional hardware costs, the administrative overhead of maintaining and distributing encryption keys, and the poor reputation for performance that encrypted radio systems have.

Note

Older voice encryption systems had a reputation of degrading the sound quality and reliability of a radio system. Although these challenges have been overcome by modern day voice encryption systems, many users still avoid encryption because of this bad reputation.

The P-25 standard is being deployed in a number of phases, each of which adds features. Phase 1 is currently in wide deployment; at the time of this writing, most P-25 systems were Phase 1 systems. Currently, multiple scanners can decode P-25 Phase 1 traffic. In Chapter 7 we discuss how to select a scanner suitable for monitoring these systems.

At the time of this writing, a half dozen P-25 systems had migrated to Phase 2 or Motorola’s X2-TDMA system. Motorola’s X2-TDMA system was released before the Phase 2 requirements were finalized and is largely based on the Phase 2 standard. Currently, scanner support for Phase 2 systems is very limited. The GRE PSR-800 has experimental support for P-25 Phase 2 systems. As these systems become more widespread, additional scanners that support them will most likely be made.

Common Types of Spread Spectrum Modulation

These modulation types all incorporate methods that spread a signal over a chunk of the spectrum to make better use of the bandwidth and avoid interference. Monitoring these systems can be difficult, since the hopping pattern can be hard to follow. Spread spectrum modulation enables sharing of the electromagnetic medium; in other words, more users in the same area can transmit in the same frequency range without interfering with each other. This is because the digital modulation broadcasts data in packets and uses a protocol to share tiny slices of time on the same frequency band with other radios that may be operating in the same area. In some systems, the hopping pattern is specifically made to be hard to track as an added security mechanism. Direct-Sequence Spread Spectrum (DSSS) and Frequency Hopping Spread Spectrum (FHSS) are two common types of spread spectrum modulation.

DSSS spreads the signal over the full bandwidth of the transmitter’s frequency range. This is done using a pseudorandom sequence to determine how data is spread throughout the frequency range. DSSS signals look very much like white noise on an RF graph. DSSS modulation is used by a variety of wireless systems such as GPS, CDMA-based cellular networks such as Verizon’s, and 802.11b.

FHSS rapidly switches the radio carrier among many different channels in a pseudorandom sequence. FHSS is used by many consumer devices that operate in the 2.4 GHz band such as baby monitors, cordless phones, and wireless video cameras.

With both DSSS and FHSS the transmitter and receiver need to share the same pseudorandom pattern if they are going to exchange data. This offers a level of security because an attacker would need to figure out the pseudorandom pattern to intercept the transmission.

Radio Systems

A single radio by itself is not of much use. In order to work, you need a system. The most basic system consists of a transmitter and a receiver, using a common modulation type. More commonly in radio reconnaissance, we deal with two-way radios, from pairs of transceivers to complicated radio networks and trunked systems. Next, we’ll review the common types of systems and describe how they are structured.

Simplex and Duplex

Two-way communication can be handled in a few different ways, depending on the sophistication of the radio system. This gives different systems different capabilities.

Simplex

Sometimes simplex is referred to as half-duplex. In simplex two-way radios, communications take place over a single frequency. This means that only one person can talk at a time. To prevent talking over each other, most users of simplex systems employ a spoken protocol to mark beginning and end of transmission, (e.g. saying “Over” when done speaking.) Monitoring the conversation on a simplex system is easier, because you only need to monitor one frequency.

Two-Frequency Simplex

Some call it split-frequency simplex, or split-frequency half-duplex. Transmission and reception take place over different frequencies, but you can only transmit OR receive at the same time—you cannot do both. If listening in, in order to hear the entire conversation you will need to listen to both frequencies on your scanner.

Duplex

Sometimes called full duplex, to differentiate it from half-duplex. With a duplex radio, two frequencies are used, one to transmit and one to receive. The radio is able to transmit and receive simultaneously, allowing both parties to speak and listen at the same time, like a telephone conversation. In fact, a common application for duplex radios is cordless telephones. With duplex radios, it is usually necessary to monitor both frequencies to get the entire conversation. However, some systems retransmit both sides of the conversation over one of the frequencies. Transmitting both sides on one channel is common with cordless phones. So it is always beneficial to try to monitor both frequencies to see if one retransmits both sides. If one does, it saves you the work of having to monitor the other.

If you are only hearing part of a conversation on your scanner you are probably listening to a two-frequency simplex or full duplex conversation, so this should be a clue that you have another frequency that you need to find. Once you’ve found both the send and receive channels, program both frequencies into your radio to monitor them.

Repeaters

A radio repeater is exactly what the name sounds like: a device used to extend the range of a radio. When a signal is transmitted into a repeater, it boosts the signal and rebroadcasts it, extending the range of the original signal. It is essential to note that repeaters have separate input and output frequencies. Were it not for this, the retransmission would be picked up again by the repeater, creating a feedback loop and rendering the repeater useless. When listening to repeater traffic, be sure to listen on the output frequency; if you listen to the input frequency, you will only hear the traffic in your local area. For amateur radio repeaters there are set repeater offsets, depending on the band the repeater operates on. Commercial repeaters do not follow a standard; instead, the input and output frequencies depend on what frequencies the FCC licenses them to use.

Repeaters may be fixed, or they may be mobile. Fixed repeaters are (usually permanently) mounted in a fixed location, while mobile repeaters are attached to a mobile platform, such as a vehicle.

Fixed repeaters are also often stationed in high places to increase the broadcast area by extending the horizon and minimizing line-of-sight issues. They are commonly mounted on hill or mountain tops, or the highest available areas of local geographical elevation, tall buildings, and purpose-built towers. For example, if a handheld radio is being used in a valley, a repeater positioned on high ground can take the signal and retransmit it so that others can receive it. Multiple repeaters can be linked together so a signal is transmitted over multiple locations, attaining even greater coverage. In this way, short-range signals can be relayed across vast distances, even across a country or state. Mobile and fixed repeaters may be used in concert, augmenting each other, to create radio networks.

Repeaters frequently use Digital-Coded Squelch (DCS) and Continuous Tone-Coded Squelch System (CTCSS) (see Media Access Control in Radio, below) to prevent spurious signals from entering the repeater and being retransmitted. This can also function as a simple and inexpensive form of access control because someone who wants to transmit using the repeater needs to know the CTCSS or DCS code used by the repeater. However, keep in mind that many radios have a feature that will automatically determine the CTCSS or DCS code in a received signal so this is also a fairly weak form of access control.

Note

Some police vehicles act as repeaters for handheld radios, repeating and amplifying the signal from the officer’s handheld, allowing the signal to reach the main dispatch center.

Media Access Control in Radio

Media access control refers to any of the methods that enable multiple people to share the RF spectrum. A number of systems have been developed over the years to make better use of the spectrum.

The radio spectrum is a finite commodity, and getting increasingly crowded. Because of this limited availability of open spectrum, it is expensive to get licenses for multiple channels. To deal with these limitations, different approaches, from techniques improvised in the field to increasingly sophisticated technological innovations, have been developed to provide ways for multiple groups to share the same frequency or system.

In its simplest form, access control consists of operators simply listening to the channel and waiting for it to be clear before transmitting. More complex access control consists of using CTCSS or Digital Squelch Tones (see below). In its most complex form, access control is accomplished with trunking.

CTCSS

Continuous Tone-Coded Squelch System (CTCSS), also known as tone squelch, is designed to allow users on a shared frequency to hear only users in their user group. Each group is assigned its own squelch tone, and the radio only plays the audio when the squelch tone is transmitted. The transmitter adds a unique sub-audible code to the transmission. The receiver, if in CTCSS mode, listens for the transmission and the unique sub-audible code. The receiver’s audio will only activate if both the transmission and the sub-audible code are present. Theoretically, CTCSS will allow a user to hear only transmissions by those in their user group, and not be subjected to the transmissions of others on the same channel.

CTCSS-equipped receivers generally can operate in either CTCSS mode or normal mode. While in CTCSS mode, the receiver’s audio will only be activated if the transmitted signal was sent using the same CTCSS tone. CTCSS tones are standardized by the Electronic Industries Alliance (EIA) in standard RS-220.

Note

CTCSS does not provide any scrambling or privacy protection. Heeding the CTCSS signal and ignoring the transmissions from other groups is “voluntary”, and a radio does not need to know the code tone in order to listen to the broadcast.

One important caveat with CTCSS systems, from a user perspective, is that CTCSS does not somehow magically create extra bandwidth. There is still only one channel in use, and it cannot carry more than one transmission without interference. However, because users in one group cannot hear the transmissions of the other group or groups, they may not know whether or not the channel is clear before attempting to transmit. Because of this, most radios using CTCSS are designed so they automatically will not transmit when the channel is occupied. However, the radios in these systems are not capable of prioritizing traffic based on user groups. So, if a high-priority user like a fire fighter needs to transmit but a low-priority user like a dog catcher is talking, the fire fighter will need to wait for the dog catcher to finish before they can transmit. Obviously, for this reason, CTCSS may not be suitable for mission- or life-critical applications. As more users, or in this case, more groups, use the same channel, congestion builds as traffic increases. The more often someone is transmitting, the more likely there will be interference. There are some ways to mitigate this interference, including features that do not allow new transmissions while the channel is in use.
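An added example (not from the book) of how the receiver-side decision described above works: a constructed audio frame in which a 1 kHz sine stands in for voice and a sub-audible CTCSS tone is mixed in at low level, a Goertzel detector that measures how strong each tone is, and the squelch rule that opens the audio in CTCSS mode only when the programmed tone rides on the signal, while a receiver with CTCSS switched off hears everything on the channel. The sample rate, amplitudes and detection threshold are assumptions chosen for the demo; the tone list is a subset of the standard EIA tones.

```python
import math

SAMPLE_RATE = 8000        # samples per second (assumed for the constructed audio)
FRAME_SECONDS = 0.2       # analysis window; 0.2 s gives 5 Hz frequency resolution
TONE_THRESHOLD = 0.06     # minimum estimated tone amplitude to count as "present"

# A subset of the standard EIA sub-audible CTCSS tones, in Hz.
CTCSS_TONES = [67.0, 71.9, 77.0, 88.5, 100.0, 107.2, 123.0, 141.3, 162.2, 203.5]


def make_transmission(ctcss_hz, voice_hz=1000.0, tone_amp=0.15, voice_amp=0.8,
                      seconds=FRAME_SECONDS, rate=SAMPLE_RATE):
    """Constructed sample of one received frame.

    A 1 kHz sine stands in for the voice audio. If ctcss_hz is given, the
    sub-audible tone is mixed in at low level, as a CTCSS transmitter does.
    """
    n = int(seconds * rate)
    samples = []
    for i in range(n):
        t = i / rate
        x = voice_amp * math.sin(2 * math.pi * voice_hz * t)
        if ctcss_hz is not None:
            x += tone_amp * math.sin(2 * math.pi * ctcss_hz * t)
        samples.append(x)
    return samples


def tone_amplitude(samples, freq_hz, rate=SAMPLE_RATE):
    """Estimate the amplitude of one frequency with the Goertzel algorithm.

    The recursion evaluates the DTFT magnitude at freq_hz; for a sine of
    amplitude A over N samples that magnitude is A*N/2, so it is rescaled.
    """
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / rate)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2.0 * math.sqrt(max(power, 0.0)) / n


def detect_ctcss(samples, rate=SAMPLE_RATE):
    """Return the standard CTCSS tone carried by the frame, or None.

    This is what a radio's "tone search" feature does: it does not need to be
    told the code in advance, which is why CTCSS is a weak access control.
    """
    best = max(CTCSS_TONES, key=lambda f: tone_amplitude(samples, f, rate))
    return best if tone_amplitude(samples, best, rate) >= TONE_THRESHOLD else None


def squelch_opens(samples, ctcss_mode, my_tone_hz):
    """Receiver decision for one frame.

    In CTCSS mode the audio opens only when the programmed tone is present on
    the carrier. With CTCSS off, every transmission on the channel is heard.
    """
    if not ctcss_mode:
        return True
    return detect_ctcss(samples) == my_tone_hz


if __name__ == "__main__":
    frame = make_transmission(100.0)        # group A transmits with a 100.0 Hz tone
    print("tone on air:", detect_ctcss(frame))
    print("group A radio (100.0 Hz) hears it:", squelch_opens(frame, True, 100.0))
    print("group B radio (123.0 Hz) hears it:", squelch_opens(frame, True, 123.0))
    print("scanner with CTCSS off hears it:  ", squelch_opens(frame, False, 123.0))
```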

Note

CTCSS has several different commercial names that vary by manufacturer.

• Motorola—Private Line or PL Tone

• GE and Bendix—Channel Guard (CG)

• Icom—C.Tone

• Kenwood—Quiet Talk (QT)

• Johnson—ToneGuard (TG), CallGuard (CG)

Reconnaissance of CTCSS Equipped Radios

A receiver with the CTCSS function turned off will hear all transmissions on the channel. Users of CTCSS may incorrectly believe that CTCSS provides some degree of security, and may be more likely to discuss non-public information. This can of course be used to our advantage as penetration testers.

Digital Code System

Digital Code System (DCS) is a digital version of CTCSS. Motorola called their version of this access control technology Digital Private Line (DPL). DCS has only up to 100 possible codes. As with CTCSS, the presence of a DCS code does not encrypt or scramble the signal, so it’s not really very private. As with CTCSS, a receiver with the DCS function turned off will hear all transmissions on the channel. Again, the false sense of security can provide opportunities for attackers, and penetration testers should look for them.

Note

CTCSS and DCS tones are also used by repeaters to prevent rebroadcasting spurious signals. In these instances the repeater will only rebroadcast signals that have a specific CTCSS or DCS tone transmitted with the input signal.

Trunking

During the early years when radio was still a new technology, and not widely deployed, efficient use of the spectrum was not a major concern. Those days are long gone, and the RF spectrum is a limited commodity. In the early days of radio, the RF spectrum was a frontier being settled, and the FCC was brought into existence to apportion the spectrum to avoid conflicts. Later, as radio became increasingly popular, even this did not adequately apportion the band—it wasn’t enough to license one operator to use a particular frequency in a particular region at a particular power level, especially with bands of the spectrum that are not used for commercial broadcast, and thus are not in use 24/7. For two-way radio systems with many users in the same general region, licensing in the old way was no longer adequate. It became necessary to devise better techniques of utilizing those parts of the band, in order to allow for more efficient use of it by many operators. This was the need that trunking was devised to address. Where older systems allowed only a smaller number of operators to use two-way radios in a given region without constant chatter making the system difficult to use, trunking systems made it possible to share that band more efficiently, allowing more users in a narrower band of channels. Today, the radio spectrum is a finite resource, and there are increased demands on and competition for access to the RF spectrum. The RF bands used by two-way radio systems are in too much demand for underutilization to be acceptable. With the FCC tightly controlling access to frequencies, and step sizes growing smaller to fit as much traffic as possible into frequency ranges, efficiency is a must. This is where trunked radio systems come in. A trunked system is designed to make better use of the spectrum to allow a greater number of users to share a small number of channels, in greater density than otherwise might be practical to achieve.

Trunked Radio Systems in Depth

Trunked radio systems centrally manage a pool of channels, and intelligently switch users to whatever channel is open at a given time. This is often a difficult concept for scanner enthusiasts to understand, as trunking represents a paradigm shift in the design of the system. Trunked radio systems are one of the most complex types of radio systems in use today. Trunked radios use several channels or frequencies, and allow those channels to be shared by a large number of users, in multiple talkgroups, without their conversations interfering with each other.

Talkgroups are defined groups of users. For example, all police officers and dispatchers would belong to a police talkgroup; all fire fighters and fire employees would belong to a fire talkgroup, and all municipal waste collectors would be in a waste management talkgroup.

Trunked systems use a control channel, called the trunk, which transmits data packets which allow a talkgroup to carry on a conversation by telling members of a talkgroup which frequency to communicate on when they key up. This allows for a large number of users to communicate using only a small number of frequencies, and more efficient use of those frequencies.

Trunked radio systems operate on the assumption that not all talkgroups will be in use at once. This allows for the channels to be shared by multiple talkgroups, achieving a more efficient use of the band. Rather than requiring all radios to be set to same frequency, thus monopolizing that frequency whether or not it’s actively in use, trunked systems allow for many users to share multiple frequencies. This means that far fewer frequencies are required to support the radio traffic, and therefore greater efficiency of spectrum allocation.

Talkgroups also allow for more granular assignment of user groups. This keeps conversations relevant to the group that needs to hear them. Consider a simple example of municipal refuse collection. In a traditional non-trunked system, the refuse collection department would be assigned a frequency, and all users would hear all transmissions. With talkgroups, several distinct groups can be created. There could be one talkgroup for all trash collectors, and another talkgroup for an overlapping subset of trash collectors such as those who only pick up recycling. When a communication is only relevant for the recycling group, the recycling talkgroup can be used, sparing the wider refuse collection group from having to hear the communication.

Trunked systems generally utilize a bank of channels for talking, and a control channel of some type. Depending on the type of system, the control channel may be either fixed (dedicated), or a random channel which changes (dynamic). Regardless of the type of trunking system and the control channel type, all trunked systems need a way to let users know on which frequency their talkgroup is on. The control computer sends a signal to all the radios which are part of the talkgroup, which instructs the radios assigned to that talkgroup to tune to a specific frequency.

In many, if not most, trunked systems, the transmission and reception will remain active on the same frequency until the communication sequence is complete. With these types of systems, even without a trunk-capable radio at your disposal, you can at least follow the conversation if you should come across one. Keep in mind, however, that without trunking support, it won’t be possible to know which talkgroup you have found, and you are in essence in the dark.

Other systems will change the frequency used for communication each time a user keys up. In these types of systems, it is generally very difficult, if not impossible, to follow a conversation unless you have a trunk-capable radio.

An additional advantage of trunking systems is that, should the allotted frequencies become saturated, the controller can prioritize traffic. This is especially useful in municipal systems where there is limited spectrum available for multiple services. For example, in a given city, the Fire Department may have priority over the Police Department, who may have priority over Animal Control, who may have priority over the Service Department, and so on.

Many trunked systems also have a feature where the radios (mobile, handhelds, and central dispatch) have an emergency button. When the emergency button is pressed, the system will drop lower priority users and traffic from the system to allow the emergency traffic to get through.
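The control-channel behaviour described above (channel grants, release at the end of a conversation, and priority preemption for emergency traffic), as an added simulation that is not from the book and not any vendor's protocol. The channel pool size, talkgroup names and the priority scale are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Grant:
    talkgroup: str
    channel: int    # index into the shared voice-channel pool
    priority: int   # constructed scale: higher number wins

@dataclass
class TrunkController:
    """Hypothetical trunking master: a pool of voice channels plus a log of
    what it would send on the control channel (GRANT/RELEASE/DROP/BUSY)."""
    voice_channels: int
    grants: dict = field(default_factory=dict)       # channel -> Grant
    control_log: list = field(default_factory=list)  # control-channel messages

    def key_up(self, talkgroup, priority):
        """A radio in `talkgroup` keys up. Returns the voice channel granted,
        or None if every channel is busy with equal or higher priority."""
        ch = next((c for c in range(self.voice_channels)
                   if c not in self.grants), None)
        if ch is None:
            # Saturated: drop the lowest-priority grant only if we outrank it
            # (the emergency button is just a request at top priority).
            victim = min(self.grants.values(), key=lambda g: g.priority)
            if victim.priority >= priority:
                self.control_log.append(("BUSY", talkgroup))
                return None
            ch = victim.channel
            self.control_log.append(("DROP", victim.talkgroup, ch))
        self.grants[ch] = Grant(talkgroup, ch, priority)
        # The GRANT is what tells every radio in the talkgroup which
        # frequency to tune to for this conversation.
        self.control_log.append(("GRANT", talkgroup, ch))
        return ch

    def unkey(self, talkgroup):
        """Conversation over: return the channel to the pool."""
        for ch, g in list(self.grants.items()):
            if g.talkgroup == talkgroup:
                del self.grants[ch]
                self.control_log.append(("RELEASE", talkgroup, ch))

    def channel_for(self, talkgroup):
        """What a trunk-tracking scanner learns by decoding the control channel."""
        for g in self.grants.values():
            if g.talkgroup == talkgroup:
                return g.channel
        return None
```

A scanner that cannot decode the control channel sees only the voice channels and never learns which talkgroup a given channel is carrying, which is the "in the dark" situation described above.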

Manufacturers of Trunked Radio Systems

There are five major types of trunked communication systems in wide use in the United States: Logic Trunked Radio (LTR), developed by the E.F. Johnson Company; Enhanced Digital Access Control System (EDACS), developed by General Electric (GE); Motorola’s Type I and Type II systems; and P-25, which is an open standard developed by the Association of Public-Safety Communications Officials (APCO). With the exception of P-25, all of these trunking systems are made by competing companies, so the trunked systems are proprietary and not compatible with each other. The most popular system is probably Motorola’s. LTR is used primarily in single-site applications. P-25 systems are quickly gaining in popularity because it is an open standard that offers interoperability and the ability to use multiple manufacturers’ radios in the same system.

The larger and more complex the target is, the more likely it is to have deployed advanced radio systems. Trunked systems are common in government, as they allow municipal services such as fire, police, and service departments to share an allotted spectrum. In the commercial sector, trunked systems are deployed at large corporate campuses, amusement parks, and sporting arenas. Increasingly, companies are also leasing space on an existing trunked system instead of building out their own.

Monitoring Trunked Radio Systems

Listening in on trunked systems is more complex than listening to non-trunked systems. The penetration tester is likely familiar with packet switching in computer networks, and the operation of a trunked radio system is essentially like that of a packet-switching network. There are scanners specifically designed to listen to trunked conversations, and you will need one to effectively listen to trunked traffic. Without a trunk-capable scanner, you may be able to pick up bits of conversations; however, it is nearly impossible to consistently get the entire conversation. Selecting a trunk-capable scanner and the basics of using it are covered in Chapter 7.

Tip

Trunking-capable scanners often have complicated programming functions. The best reference for programming your scanner to work with trunked systems is your scanner owner’s manual.

Trunking systems that need to cover a wide area or multiple sites can be made up of multiple repeaters. Many states have created trunked networks using multiple repeaters that cover the entire state. In trunking terms, each repeater or transmitter tower is referred to as a site. Multi-site trunked systems can be divided into two categories: simulcast and SmartZone.

In a simulcast system, a transmission that comes into the system is broadcast by every site in the system. In a SmartZone system, each unit checks into the nearest site in range, so the sites have a list of all the units using them at any given moment. A SmartZone site only broadcasts traffic if a user in the target talkgroup is using that specific site.

An analogy that is helpful to computer users familiar with Ethernet networks is to imagine a multi-site trunked radio system as an Ethernet hub or switch, where each port on the hub or switch is a trunking site. In this analogy, a simulcast system would be an Ethernet hub, because traffic that comes into one port (site) is broadcast out to all the other ports (sites) in the system; it does not matter which talkgroup the traffic was destined for, all ports (sites) still see the traffic. A SmartZone system can be thought of as an Ethernet switch, where traffic that comes in from one port (site) destined for a specific talkgroup is only broadcast to the ports (sites) where members of that talkgroup are connected.

As you can imagine, simulcast systems make very poor use of valuable channels in large and complex systems. If you have a trunked system that spans a state, oftentimes there is no reason to broadcast police or fire traffic from one city to all the cities in the state. SmartZone systems make much better use of the limited number of channels in a large trunked system by only transmitting information at a site if a user at that site is in the target talkgroup.

From a wireless reconnaissance point of view, the type of system used will affect what traffic you can hear, based on which sites you can hear traffic from and which end users are using those sites. In a simulcast system you will hear all traffic in the trunked system no matter which tower you can monitor. In a SmartZone system you will miss traffic if there are no users of the target talkgroup checked into a tower that is within range. The easiest way to avoid this is to be within range of the site that is closest to your target. Most likely the talkgroup you are interested in will be in use near your target, so units in that talkgroup will be checked into that site.
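The hub-versus-switch comparison above, as an added example that is not from the book: which sites repeat a talkgroup's traffic under each multi-site design, and whether a monitor that can only receive certain sites hears it. The site names, unit IDs and talkgroups in the check-in table are constructed.

```python
def sites_carrying(mode, talkgroup, affiliations):
    """Sites that broadcast a transmission for `talkgroup`.

    affiliations: {site: {unit_id: talkgroup}}, the check-in table a
    SmartZone system keeps for each site (constructed here).
    mode: "simulcast" behaves like an Ethernet hub (every site repeats it);
    "smartzone" behaves like a switch (only sites with a member checked in).
    """
    if mode == "simulcast":
        return set(affiliations)
    if mode == "smartzone":
        return {site for site, units in affiliations.items()
                if talkgroup in units.values()}
    raise ValueError(f"unknown mode: {mode!r}")

def monitor_hears(mode, talkgroup, affiliations, sites_in_range):
    """Whether a scanner able to receive `sites_in_range` catches the traffic."""
    return bool(sites_carrying(mode, talkgroup, affiliations) & set(sites_in_range))

def coverage_report(talkgroup, affiliations, sites_in_range):
    """Compare what the same monitoring position hears under each system type."""
    return {mode: monitor_hears(mode, talkgroup, affiliations, sites_in_range)
            for mode in ("simulcast", "smartzone")}

# Constructed check-in table for a hypothetical three-site statewide system.
AFFILIATIONS = {
    "north_tower":   {"unit101": "city_a_police", "unit102": "city_a_fire"},
    "capital_tower": {"unit201": "city_b_police", "unit202": "state_dispatch"},
    "south_tower":   {"unit301": "city_b_police"},
}
```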

Summary

These fundamental concepts that we have explored in this chapter are essential knowledge for the penetration tester. Refer back to this chapter often to develop familiarity with these concepts. To review what we’ve covered:

• Radio Frequency (RF) is a large part of the electromagnetic spectrum, from 3000 kHz to 300,000 MHz.

• All electromagnetic signals move through a vacuum at the speed of light. Because of this, frequency and wavelength are inversely related to each other. Low-frequency waves have a long wavelength, and high-frequency waves have a short wavelength. If you know the frequency, you can determine the wavelength and vice versa.

• The superheterodyne design is the most common in modern radios. It consists of an antenna which feeds incoming signals into a “head end” (comprised of the RF amplifier, tuner, and mixer); from there the signal is fed into the demodulator for conversion, amplified by the audio amplifier, and finally output through a speaker.

• A good antenna is critical to radio performance. The antenna’s length determines what frequency it is tuned to; shorter antennas will pick up higher frequency waves. The wavelength is twice the length of the antenna. To find the antenna length for a given frequency, use the equation

[equation image]

• FM is the most popular analog modulation type above 30 MHz, and is of the most interest to penetration testers doing wireless recon.

• Digital modulation types are becoming more common. This is a challenge, given that scanners currently have very poor support for digital formats.

• Currently P-25 is the only digital modulation supported by scanners.

• Simple radio systems consist of a transmitter and one or more receivers, or, more commonly with the types of radios that are of interest to penetration testers, multiple transceivers.

• Repeaters allow signals to be transmitted over a wider area by amplifying and rebroadcasting the input signal. Be sure to monitor the output frequency of a repeater in order to receive all the traffic.

• Trunked radio systems are advanced networks that allow multiple talkgroups to share a small band of channels, controlled by a trunking master, which acts like a switchboard to route transmissions to the appropriate listening party and conserve radio bandwidth.

Further Learning

There is a great deal more to radio than can be adequately covered in a single chapter. Once you have a grasp of the fundamentals covered here, be sure to continue your education. We recommend a few next steps:

1. Get your amateur radio license: American Radio Relay League’s (ARRL) web site (http://www.arrl.org/) is a great source of information on how to get your amateur radio license.

2. Further reading: The American Radio Relay League (ARRL) puts out a lot of good books. Two that stand out are Basic Radio: Understanding the Key Building Blocks by Joel R. Hallas and The ARRL Handbook for Radio Communication. The Handbook is a phonebook-sized tome, and is updated annually. Older editions can be found inexpensively secondhand. They do add and revise content each year, but much of the information in the old editions is still useful. Another very good read is The Art of Electronics by Paul Horowitz and Winfield Hill. This is not specific to radio, but will provide good background in general electronics, which is important to radio.

3. Online courses: Many schools, notably the Massachusetts Institute of Technology, are releasing courses online for free. This is a great way to learn about these topics from top-notch institutions for free. The MIT open courseware web site is http://mitx.mit.edu/. A good course to look into is 6.0002.x: Circuits & Electronics. iTunes U [http://www.apple.com/education/itunes-u/] also has a number of recorded lectures if you search for radio and electronics courses.
