We get letters... I received the following electronic mail message recently:
I wrote a couple weeks back about information on how a digital data interpreter works, and since that time I have been all over the Internet trying to find some basic information. I know that there are manufacturers of those devices and that they limit their sales to "qualified personnel." There also seems to be some kind of invisible veil of secrecy surrounding this subject -- it's almost like a taboo to discuss this kind of technology. Where can a fellow get any type of straight dope on this stuff?
The digital data interpreter (DDI) the writer is asking about refers to a class of devices that decode the data stream transmitted in cellular telephone systems. This data stream includes the numbers dialed by the user, channel assignments, security identifiers, and other information relating to the flow and control of the phone call. (For an introduction to cellular signaling, see the December 1996 PCS Front Line column.)
"Professional" DDI units used by law enforcement agencies are usually self-contained briefcase-style setups and cost thousands of dollars. Since the task of decoding the data stream is relatively simple and straightforward (after all, every analog cellular telephone ever manufactured does it), identical results have been obtained from low-cost models produced over the years by a handful of small companies and hobbyists. These DDI units are typically a small box of electronics being fed signals from an 800 MHz receiver and delivering a decoded stream of messages to a computer.
Manufacturers of the "professional" units aren't interested in talking to individuals unless they represent government organizations with large budgets, and the small companies and hobbyists are somewhat reluctant to discuss the particulars of what they're doing.
Their nervousness revolves around the interpretation of a part of the Crime Control and Safe Streets Act of 1968 (amended by the Electronic Communications Privacy Act of 1986). Codified in Title 18 of the United States Code, the more familiar section 2511 makes it illegal to listen to cellular (and since 1994, cordless) telephones, as well as certain other radio frequency emissions. As has been covered numerous times in the past, this section of the law has been heavily influenced by the cellular telephone industry, who want to be able to tell their customers that no one can listen in. Having an expectation of privacy while using a radio broadcast device defies logic and physics, but that's the law.
A less well-known section, 2512, is addressed to another group. Any person who "manufactures, assembles, possesses, or sells any device that is primarily useful for the purpose of the surreptitious interception of ... communications" is subject to five years in prison and a hefty fine. In the original law a description of what constituted "primarily useful" was specified under the heading "Title III," and now such restricted items are referred to as "Title III" devices.
Exceptions granted in section 2512 are limited to "an officer, agent, or employee of, or a person under contract with," a communications provider, or federal, state or local government.
Until recently it had been understood that manufacturers of Title III equipment were acting as "a person under contract" to law enforcement or other government agencies, and were protected from prosecution. This is no longer the case, at least for some individuals, as demonstrated recently.
Gilbert Walz and Jude Daggett, the owners of Tech Support Systems and Countersurveillance in California, were indicted for violation of section 2512 in March of 1996 for allegedly manufacturing and selling cellular, fax, and pager interception equipment. Their trial took a strange turn when, on the advice of a government agency official, the judge classified some of the evidence for national security reasons. Prior to their arrest, Tech Support Systems had exported Title III equipment to such countries as Mexico, Italy, Brazil, South Korea, and the Philippines, and counted a number of embassies in Washington, D.C., as customers. According to a former employee these foreign sales were detailed in monthly reports to the Central Intelligence Agency. The Commerce Department had granted export licenses to Tech Support Systems for sales to private companies overseas, including more than $100,000 worth of cellular interception gear to an Italian firm. For quite some time Walz had also attempted to get clarification from federal prosecutors on the legality of their equipment and operation, but could not get a clear answer.
Curiously, a number of large corporations including Westinghouse and Harris regularly advertise Title III devices but don't seem to come under the same scrutiny as did Tech Support Systems. In addition, media maven and computer security researcher Tsutomu Shimomura, who was involved in the pursuit and capture of Kevin Mitnick, describes an interface and software program that turns his OKI 900 cellular telephone into a tool which is clearly "primarily useful for the surreptitious interception" of cellular telephone calls, but no action has been taken against him or those who manufacture, sell, etc., such devices. Such unequal and arbitrary enforcement of Title 18 further undermines respect for the law and encourages the spread of fear, uncertainty, and doubt (FUD), which in the end appears to be the goal.
As the electronic mail author notes, a "veil of secrecy" seems to surround these devices because of the uncertainty about what is legal and what is not. If manufacture or even possession of such devices subjects a person to prosecution under 2512, it's no wonder such circumspect behavior is the result. This legal limbo should be familiar to anyone considering owning or using a scanner capable of receiving cellular frequencies. Since the law is so poorly written and prosecution so selective, everyone is at risk.
The standards for the Advanced Mobile Phone System (AMPS), the analog system in North America, are spelled out in Electronics Industries Association document EIA/TIA-553. In order to produce compatible telephones and base stations, manufacturers must follow this standard.
The 832 cellular control channels allocated in the United States are divided into two types, voice and control. Voice channels carry data only briefly, during a process known as hand-off or when the base station sends a control message to the phone during the course of a conversation. The audio is muted and a burst of data is sent from the base station, interrupting the conversation for less than one second.
Control channels carry data all of the time. The forward control channel, transmitted from a base station to the mobile phone, is continuous and carries a number of different kinds of messages, the format of which are spelled out in exacting detail in the EIA specification. The reverse control channel is shared by a number of mobiles, each of whom transmit brief messages to the nearest base station. In addition, since a mobile transmits at a maximum of three watts (0.6 watts for handhelds) and base stations transmit at tens or hundreds of watts, it is much easier to receive the forward channel than reverse channel.
Cellular telephone service providers are sensitive about discussions of reverse channel monitoring, not for reasons of privacy but because messages on this channel often contain mobile identification number (MIN) and electronic serial number (ESN) numbers. As detailed in the January 1997 PCS Front Line column, these ESN/MIN pairs are used to perpetrate fraud by cellular "bandits."
If you were to accidentally overhear a forward control channel (abbreviated FOCC) you'd hear a steady stream of bledle-bledle-bledle from the speaker. This is the data stream that the mobiles are listening to while not engaged in a conversation.
FREQUENCY SHIFT KEYING
Bits are transmitted using a form of modulation known as binary frequency shift keying (FSK), which means that the digital ones and zeroes are sent as two different frequencies. In the AMPS system a bit with a value of one is represented as a signal 8 kHz above the center frequency of the channel and a bit with a value of zero is represented as a signal 8 kHz below the center frequency. These bits are sent at a rate of 10 thousand (10 kilobits) per second.
Hobby decoding usually begins with a scanner or communications receiver tuned to the proper frequency in FM mode. For signals with relatively high data rates, better results are achieved using the discriminator output rather than the speaker or line out due to the effects of filtering in the audio circuitry.
The discriminator output is fed to a FSK decoder, which are in common use for decoding a variety of radio formats including ACARS and digital amateur radio. Bob Evans covers a number of these formats and services in his Monitoring Times Digital Digest column. Several firms produce such FSK decoders (the Optoelectronics Optolinx has one built-in), or you could make your own at very low cost using a simple 741 op amp circuit known as a zero crossing detector or "data slicer." FSK signals may also be decoded using a sound card and the appropriate software in a personal computer.
The ones and zeroes from the FSK decoder must be further decoded as noted in the EIA specification. For various technical reasons, most of which involve making the receiver's job easier, cellular transmitters encode the data bits in a special way.
Each transmitted bit is sent using what is known as Manchester encoding. Each data bit is represented by a signal transition in the middle of each bit period (at 10,000 bits per second, a bit period is a tenth of a millisecond long). A data bit of one is sent as a signal transition from 0 to 1 and a data bit of zero is sent as a signal transition from 1 to 0. A feature of this biphase encoding is that it is self-clocking, that is, the receiver can synchronize to the transmitter from the data stream alone. Manchester encoding is also used in magnetic stripe cards, which is why you can swipe your card at a variety of speeds and the machine can successfully read it.
Decoding Manchester data involves extracting the clock signal (10 kHz) and deriving the information bits. One hardware approach is to feed the incoming Manchester data into a phase-locked loop (such as a 4046 integrated circuit) and use the output to detect the transitions, which occur either once or twice for each bit period. An alternate approach is to feed the incoming data into the decoding circuitry of a cellular telephone. If the FSK decoding is done in software using a sound card, information bits can be derived using digital signal processing techniques.
With the information bits in hand it is then a matter of formatting them into message groups. The forward control channel is made up of three "information streams," called stream A, stream B, and a busy/idle stream that indicates the availability of the reverse channel. Cellular telephones with an even MIN listen to stream A and phones with an odd MIN listen to stream B. All phones listen to the busy/idle stream. Messages in stream A and stream B consist of one or more 40-bit words repeated five times. The details are too involved to spell out here but are available in the EIA standard and in a more readable format in my forthcoming book from Index Publishing.
That's all for this month, but more information is available on the PCS Front Line website at http://www.grove.net/~dan, and I am reachable by electronic mail at firstname.lastname@example.org. Until next month, happy monitoring!
Click here for the index page.
Click here for the main page.
Updated May 1, 2003