Sabotage and Disclosure of Flight Test and Other Reasons & Methods

DOI 10.5162/ettc2018/6.2

Sabotage and Disclosure of Flight Test and other reasons & methods to intercept, jam or spoof telemetry

Michael Niewöhner COMPLETER.NET Sales & Engineering GmbH, www.completer.net, [email protected]

Abstract The paper deals with the reasons for jamming and spoofing telemetry and GPS, but also with methods from the world of electronic warfare, which may not (yet) be relevant or known in the domain of flight test. The lecture will also give a closer look at and deeper insight in the possibilities of intercepting and evaluating telemetry data and the possibilities that arise from this, even if the contents are encrypted. FISINT (Foreign Instrumentation Signals Intelligence) is an area of signals intelligence (SIGINT), that plays a subordinate role in electronic warfare and military intelligence but is very interesting to intelligence agencies and beneficial to other organizations.

Key words: Jamming, Spoofing, Telemetry, GPS, FISINT

EW can be applied from air, sea, land, and space The world of Electronic by manned and unmanned systems, and can Warfare (EW) and Signals target humans, communications, radar, or other assets. Electronic Warfare has several Intelligence (SIGINT) subdivisions.

Electronic warfare (EW) is any action involving Electronic Attack (EA) the use of the electromagnetic spectrum or EA involves the use of electromagnetic energy, directed energy to control the spectrum, attack of directed energy, or anti/radiation weapons to an enemy, or impede enemy assaults via the attack personnel, facilities, or equipment with the spectrum. The purpose of electronic warfare is to intent of degrading, neutralizing, or destroying deny the opponent the advantage of and ensure enemy combat capability. In the case of friendly unimpeded access to the EM spectrum. electromagnetic energy, this action is referred to

Figure 1: Taxonomy for Electronic Attack Measures

The European Test and Telemetry Conference – ettc2018 123 DOI 10.5162/ettc2018/6.2

as jamming and can be performed on communications systems or radar systems. Intercepting and Locating Electronic Protection (EP) Telemetry emissions EP involves actions taken to protect personnel, Foreign instrumentation signals intelligence facilities, and equipment from any effects of (FISINT) was formerly known as TELINT or friendly or enemy use of the electromagnetic telemetry intelligence. FISINT entails the spectrum that degrade, neutralize, or destroy collection and analysis of telemetry data from a friendly combat capability. missile or aircraft tests. Electronic Warfare Support (ES) Telemetry communication is mainly one- ES is involving actions tasked by, or under direct directional transmission from instrumented control of, an operational commander to search device to a telemetry receiver in a control station for, intercept, identify, and locate or localize (mobile/fixed). Different applications are sources of intentional and unintentional radiated Meteorology, Oil and gas industry, Motor racing, electromagnetic energy for immediate threat Transportation, Agriculture, Water management, recognition, targeting, planning, and conduct of Swimming pools, Energy monitoring, Resource future operations. distribution, Medicine/Healthcare, Fishery and wildlife research and management, Retail, These measures begin with systems designed Energy providers, Falconry, Law Enforcement and operators trained to make Electronic and Mining. All of those are of minor interest for Intercepts (ELINT) and then classification and intelligence authorities. Of more interest are the analysis broadly known as Signals intelligence usage in the Aerospace, Defense and Space from such detection to return information and Domain. perhaps actionable intelligence to the commander. Telemetry is used in complex systems such as missiles, RPVs, spacecraft, oil rigs, and The purpose of ES tasking is threat recognition chemical plants since it allows the automatic and other tactical actions such as threat monitoring, alerting, and record-keeping avoidance and homing. However, the same necessary for efficient and safe operation. assets and resources that are tasked with ES can simultaneously collect intelligence that Space agencies such as ISRO, NASA, ESA and meets other collection requirements. other agencies use telemetry and/ or tele- command systems to collect data from Signals Intelligence (SIGINT) spacecraft and satellites. Telemetry is vital in the SIGINT is derived from the direction finding, development of missiles, satellites and aircraft processing, and analysis of intercepted enemy because the system might be destroyed during communications, electronics and foreign or after the test. Engineers need critical system instrumentation signals. It provides the parameters to analyze and improve the commander valuable, near-real-time intelligence performance of the system. In the absence of on enemy intentions, readiness status, and telemetry, this data would often be unavailable. disposition by intercepting and locating enemy command, maneuver, fire support, Space Science reconnaissance, and logistic emitters. Telemetry is used by manned or unmanned spacecraft for data transmission. Distances of Any nation has a political interest to gain more than 10 billion kilometers have been information superiority against its potential covered, e.g., by Voyager 1. threats. Therefore, most of them operate strategic intelligence systems with monitoring Rocketry and locating capabilities as well as evaluating In rocketry, telemetry equipment forms an and reporting functions. integral part of the rocket range assets used to The vital interest of nations is formation of monitor the position and health of a launch strategy, policy, and military plans and vehicle to determine range safety flight operations at the national and theatre levels. termination criteria. Problems include the Strategic intelligence concentrates on the extreme environment (temperature, acceleration national political, economic, and military and vibration), the energy supply, antenna considerations of states or nations. It identifies alignment and (at long distances, e.g., in the support for governments, the ability of states spaceflight) signal travel time. or nations to mobilize for war, the national Flight testing political objectives, and the personalities of Today nearly every type of aircraft, missiles, or national leaders. It predicts other nations’ spacecraft carries a wireless telemetry system responses to own theatre operations.

The European Test and Telemetry Conference – ettc2018 124 DOI 10.5162/ettc2018/6.2

as it is tested. Aeronautical mobile telemetry is positions over time, the flying speed can be used for the safety of the pilots and persons on calculated and tracked. With some intelligence the ground during flight tests. Telemetry from an systems, even the flying height (elevation of the on-board flight test instrumentation system is the signal compared to position) can be found out. primary source of real-time measurement and The fact, that a telemetry emission is sending status information transmitted during the testing continuously makes it easy to track the exact of manned and unmanned aircraft. flying route of the aircraft. If communication is bi- Intercepted telemetry was an important source of directional, the structure and setup of ground intelligence for the United States and UK when stations could be disclosed. As transmitted Russian missiles were tested. Telemetry was power is relatively high, and the object is also a source for the Russians, who operated transmitting from a high position, the interception listening ships in Cardigan Bay to eavesdrop on station can be far away from the aircraft. UK missile tests performed in the area. Coming back to the encryption, the content is Telemetry communication in aircraft / missile relatively safe against real-time decryption. testing is according to IRIG 106 standard an Nevertheless, all traffic can be recorded and FQPSK / SOQPSK signal with a PCM signal decrypted with high performance computers encoded. Such telemetry mainly operates in L- later. Band, S-Band and C-Band. Nowadays it moves Finally, all such information helps enemy forces more and more in the direction of C-Band. Due to plan jamming and spoofing procedures for to the fact, that transmission is one-directional, future flight tests. there is no possibility for error-correction. Consequently, the requirements for the quality of the signal are high. Electronic Attack (EA) for The users of this sort of telemetry are Air Force telemetry and GPS Bases, Aircraft Industry and general defense industry. Jamming is the deliberate radiation, re-radiation, or reflection of electromagnetic energy for Evaluating Telemetry disrupting enemy use of electronic devices, equipment, or systems. It degrades emissions communications by reducing or denying the enemy’s ability to pass key information at critical Telemetry emissions are mainly encrypted. This times and can cause enemy operators to should secure the content of the transmitted become irritated, confused, or misled during data. What is not known widely is, that this does offensive, defensive of retrograde operations. not protect against interception, analysis and When applied successfully, jamming can evaluation. Putting together several intelligence contribute to the failure of those actions which sources, a clear picture of the monitored emitter depend on communication using the could be put together. electromagnetic spectrum. By triangulation, the position of an emitter can be ES is the primary source of information used to identified very accurate. By comparing different identify and develop jamming targets. It helps to

Figure 2: Jammer Parameters

The European Test and Telemetry Conference – ettc2018 125 DOI 10.5162/ettc2018/6.2

identify the enemy’s locations and intentions and follow on quickly after the initial transmission, thereby identify valuable jamming targets. then again it might be part of the command Indiscriminate jamming wastes resources could network and so on. impede friendly communications or could attract For effective jamming operations, the planning countermeasures such as artillery fire. function needs all information about function, Consequently, jamming operators/ systems position in a net, position on the battlefield and need to know exactly who, what frequency, ability to affect the combat plan. For those where and when to jam. reasons, the planning of jamming operations Enemy nets, which routinely pass information of shall be in responsibility of the tactical leader. intelligence value, should be identified and monitored, other nets, such as those having a highly tactical value to the enemy but little or no intelligence value to friendly forces, could be attacked with jammers. Enemy secure communications may also be jammed with the intention of drawing the enemy into clear voice communication.

The process may be along the following lines. An intercept DF network picks up a transmission that is determined not to be from own forces or Figure 3: Jamming Principles from neutral operators. Analysis identifies One main principle that regularly gets forgotten specific parameters for the situation such as: is that it is possible to deny the interception of a signal by jamming, but not the transmission. - transmission central frequency Different methods of jamming are briefly - 3-dB and IO-dB bandwidth explained in the following section. - modulation scheme in use Spot Jamming - signal strength at the detecting receiver(s) Spot jamming occurs when a jammer focuses all - direction or localization position if known its power on a single frequency. While this would severely degrade the ability to track on the - times of transmissions jammed frequency, frequency agile radar would - how frequently the channel is used hardly be affected because the jammer can only jam one frequency. While multiple jammers - duration of transmissions could possibly jam a range of frequencies, this - association with other systems (activity would consume a great deal of resources to analysis) have any effect on frequency-agile radar and would probably still be ineffective. Spot jamming This is where the behavior of an enemy network is used to jam a pre-selected frequency that has is studied to determine its structure specific been determined as a target of interest. identifying features such as frequency instability, operator Morse behavior, the same voice on Once the transmission is determined to be a high successive intercepts or transmission of priority target, an EW tasking mission may be formatted messages. issued to the spot jammer. This will include the technical parameters and any other pertinent These factors can be analyzed with the benefit information, such as the duration of the jamming of knowledge already known, such as task. The actions of the jammer detachment will association with known weapon systems and be to tune the jammer to the required frequency technical parameters of known enemy systems. and bandwidth if this is adjustable. The antenna The detected transmission may for example be will be pointed in the direction of the enemy associated with a specific air defense command receiver. Before jamming, the channel can be system or be of a type known to be used for listened on to determine whether it is still command and control. Transmission behavior transmitting (there is no point in jamming an may also reveal the relative importance of the unoccupied channel). If it is still in use, then channel. If is frequently used, then it may be an jamming can commence. The jamming can important command and control channel. If it is consist of un-modulated or modulated noise. Un- noticed before artillery shells arrive, then it may modulated noise will raise the noise floor of the be the artillery command network. If troop enemy receiver, preventing them being able to movements are correlated with the communicate. Modulated noise does the same transmissions, then again it may be a command thing but also disrupts audio reception of the net. If other transmissions on other frequencies

The European Test and Telemetry Conference – ettc2018 126 DOI 10.5162/ettc2018/6.2

transmission signal making it impossible for the continuously in time. Performing partial-band receiving operator to hear the message. jamming against an Orthogonal Frequency- Periodically, the jamming signal will be turned off Division Multiplexing (OFDM) waveform does so that the jammer operators can listen to not make sense because strong forward error determine whether the enemy is still using the correction could allow the data to be channel or have changed to a different one. reconstructed from the unjammed subcarriers. Sweep Jamming Responsive Jamming Sweep jamming is when a jammer's full power is Responsive jammers have an RF detection shifted from one frequency to another. While this capability that allows them to scan for threats has the advantage of being able to jam multiple and jam those of interest. frequencies in quick succession, it does not Adaptive Jamming affect them all at the same time, and thus limits the effectiveness of this type of jamming. Adaptive jamming is an extension of responsive Although, depending on the error checking in the jamming but with the potential to jam several device(s) this can render a wide range of devices targets at the same time. It provides an improved effectively useless method to achieve the same effects as barrage jamming but in a far more focused manner. Barrage Jamming Repeater Jamming (Follower Jamming; Barrage jamming is the jamming of multiple Responsive Jamming; Reactive Jamming) frequencies at once by a single jammer. The advantage is that multiple frequencies can be Repeater jamming is the simplest form of jammed simultaneously; however, the jamming correlated jamming when the jammer has no effect can be limited because this requires the knowledge of the protocol. In repeater jamming, jammer to spread its full power between these the jammer transmits when it senses energy on frequencies, as the number of frequencies the channel. This may be in the form of the covered increases the less effectively each is jammer re-transmitting what it receives with jammed. noise added or sensing a series of subchannels and transmitting noise when it senses energy on Barrage jamming is the simplest form of jamming one or more subchannels. and is usually deﬁned as a jammer which transmits noise-like energy across the entire Smart Jamming (Pilot jamming; Equalization portion of spectrum occupied by the target with Jamming) 100% duty cycle in time. Thus, it is non- Smart jamming is the term used to describe correlated and non-protocol-aware. Barrage jamming aimed at network vulnerabilities rather jamming has been shown game theoretically and than simply raising the noise floor or causing information theoretically to be the best a jammer unacceptable audio or data performance. can do in the absence of any knowledge of the Methods of smart jamming are aimed at types of target signal. network such as GSM, UMTS, paging systems and many others. Barrage jamming is used to deny the enemy of the use of a portion of spectrum. This can be A smart jammer designed to attack GSM will because enemy forces are frequently changing have less or even no effect against other channels or that they are using full frequency networks that may be present, so it is important hopping systems. Compared to spot jammers, to be able to identify the exact type of network barrage jammers need to supply jamming power for it to work. Some network vulnerabilities into many channels rather than just one. On the include: pilot channels; synchronization rather simplistic assumption that the barrage channels, time slots or data; paging channels or jammers deliver the same jamming power into time slots; error correction checksums; each jammed channel and that the effective acknowledgement or Not Acknowledged jamming power has the same effect as the spot messages. jammer, it is easy to calculate the power reduction for the number of channels jammed. The purpose of smart jamming is to prevent normal performance of a network. This may be Partial Band Jamming by denying subscribers the ability to log on to the When jamming a single-carrier signal, it has network by causing base station overload, been shown that jamming gains can be achieved disrupting signals telling subscribers that they by not jamming the entire signal in the frequency have a call, preventing successful call initiation domain, but rather jamming a fraction of the or disrupting communications once a link is signal. This is known as partial-band jamming, established by causing the system to and it is usually considered a non-correlated successively re-send packets of data due to Not jamming attack because the jammer transmits Acknowledged or error checksum faults. This

The European Test and Telemetry Conference – ettc2018 127 DOI 10.5162/ettc2018/6.2

type of jamming is relatively new compared to more synchronization signals. This jamming the other methods. technique is unique in the sense that it may only prevent radios from establishing a Equalization jamming involves targeting any communications link, and thus it won’t cause mechanism related to equalization. Known data immediate Denial of Service (DOS). symbols (reference symbols) are inserted into the transmitted waveform to estimate the However, synchronization signals tend to be channel’s frequency response and equalize the very sparse with respect to the entire signal, thus effect of the channel at the receiver prior to providing a significant jamming gain. demodulation. These known symbols are called Synchronization jamming must be protocol- pilot symbols in multicarrier communications aware, to know where the synchronization signal such as OFDM or single-carrier frequency is located. It must be time-correlated, assuming division multiple access (SC-FDMA) and the synchronization signal is multiplexed in time channel sounding symbols in multiple-input and with data and other signaling. multiple-output (MIMO) systems. For example, in AGC Jamming OFDM, pilot tone jamming is simply the process of jamming pilot tones, which may reside on The automatic gain control (AGC) mechanism in certain subcarriers (in the case of 802.11) or may a receiver adjusts the input gain in such way that be multiplexed in time and frequency with data the received signal comes in at a proper level to (in the case of LTE). best utilize the range of the analogue-to-digital converter(s). Pilot jamming is protocol-aware because the jammer must know where the pilots are located. A jamming attack that targets the AGC If the pilots occur on a dedicated subcarrier then mechanism is one that uses a very low duty the attack is non-correlated, but if they are cycle (e.g.,2%) but with extremely high multiplexed in time then it must be correlated to instantaneous power. By not transmitting surgically jam the pilots. It was found that pilot continuously, the jammer can save power and jamming can be energy efficient and similar remain harder to detect in some situations. AGC degradation in target receivers Bit Error Rate jamming is non-correlated, although the specific (BER) can be achieved using roughly one-tenth period and duty cycle used are important of the energy. parameters. Aside from the assumption/knowledge that the target receiver The pilot jamming process is similar in the case uses AGC, it is non-protocol-aware. of SC-FDMA, which is the single-carrier variant of OFDM and used in the uplink of the LTE air- Protocol-Aware Jamming interface. In MIMO systems, known reference The term protocol-aware simply means the signals are used for channel sounding and thus jammer is aware of the protocol of the target can be jammed if they are known by the jammer signal. Information about the signal’s protocol is a priori. Another special kind of equalization obtained during the Signal Awareness step and jamming attack involves jamming the cyclic used in the Attack Selection decision-making. prefix (CP) of a multicarrier waveform such as For example, the jammer may identify that a OFDM or SC-FDMA. These waveforms use a signal is a Wi-Fi or LTE signal, which due to the CP to mitigate inter-symbol interference (ISI) and open nature of specifications allows the jammer inter-channel interference (ICI). CP also ensures to know almost everything about the PHY and that the convolution of the channel impulse MAC layers. response with the modulated symbols has the form of a circular convolution, which is essential A jammer could use a priori knowledge of the for simple one-tap equalization in the receiver. protocol to exploit weaknesses in the protocol These crucial roles played by the CP make SC- and launch a jamming attack that is more FDMA particularly vulnerable to jamming attacks effective and may be harder to detect than non- through CP. protocol-aware jamming. For example, the jammer may only know a signal uses OFDM with Synchronization Jamming pilots in certain locations, which would be For a communications link to function, the considered protocol-aware if it knew exactly receiver must synchronize to the incoming signal where the pilots were placed. in both time and frequency. To aid in this task, a In most wireless protocols, the data takes up the synchronization signal, or synchronization largest portion of time and frequency resources. symbols, are usually designed into the PHY layer Thus, when targeting something besides the protocol. For example, in LTE there are two data, it will likely result in an attack that uses less different synchronization signals that each power and is harder to detect (if the targeted appear every 5ms. Synchronization jamming is mechanism is essential for communications). simply the process of surgically jamming one or Possible mechanisms that could be targeted in a

The European Test and Telemetry Conference – ettc2018 128 DOI 10.5162/ettc2018/6.2

protocol-aware attack (taken from open happened. Especially as the occurred problem is literature) include Control not reproduceable in the lab. channels/subchannels, Control frames or packets (e.g., ACKs), Pilots (reference symbols), Expressions Synchronization signals and Cyclic preﬁx in OFDM. [1] Intelligence collection management (ICM) is the process of managing and organizing the Possible protection collection of intelligence from various sources. The collection department of an intelligence measures organization may attempt basic validation of what it collects but is not supposed to analyze its There are different possibilities to protect own significance. flight tests against jamming and spoofing. First, [2] Signals Intelligence (SIGINT) results from the level of confidentiality should be very high. collecting, locating, processing, analyzing, and As explained, jamming should be planned and if reporting intercepted communications and non- planning time is reduced by missing a priori communications (for example, radars) emitters. knowledge like flight plans, the probability of SIGINT provides the commander with valuable, being jammed is reduced significantly. But this is often NRT intelligence and targeting information on enemy intentions, readiness status, and probably not new knowledge. dispositions by intercepting and locating enemy Technically it is most beneficial to have command, maneuver, fire support, alternative communication means on board, as reconnaissance, air defense, and logistics every military unit should do. If one is jammed, emitters. SIGINT operations require efficient collection management and synchronization to the system can take evasive measures and effectively overcome and exploit enemy efforts to switch to another communication means. protect his critical communications and weapons Also, it is helpful to raise own power of the systems through emissions control, received signal. As explained, the jammer can communications operating procedures, encryption, and deception. SIGINT is subdivided deny receiving but not transmitting. So, if the into: communications intelligence (COMINT); original signal is much stronger than the jamming electronic intelligence (ELINT); and Foreign signal, the probability of being jammed is lower. instrumentation signals intelligence (FISINT). This could be done by high power emitters, but on other hand, this would make it easy to [3] FISINT (Foreign instrumentation signals intelligence) is a sub-category of SIGINT, intercept and thereby evaluate your flight test. monitoring primarily non-human communication. Another possibility is, to operate a receiver Foreign instrumentation signals include (but not network in the flight test area, so that the aircraft limited to) telemetry (TELINT), tracking systems, has a short distance to the receiver station. and video data links. TELINT is an important part Therefore, you would need more small, remote of national means of technical verification for controlled and transportable receivers/ antennas arms control. for reasonable prices. [4] In military telecommunications, the terms Electronic Support (ES) or Electronic Support Resume Measures (ESM) describe the division of electronic warfare involving actions taken under Military intelligence and intelligence agencies direct control of an operational commander to are interested in monitoring telemetry detect, intercept, identify, locate, record, and/or communication, as they gain insight on new analyze sources of radiated electromagnetic weapon system development, the structure and energy for the purposes of immediate threat capabilities of foreign forces and generate target recognition (such as warning that fire control RADAR has locked on a combat vehicle, ship, or knowledge at a very early state. Jamming and aircraft) or longer-term operational planning. Spoofing are methods to deny beneficial usage Thus, Electronic Support provides a source of of the electromagnetic spectrum. information required for decisions involving Electronic Protection (EP), Electronic Attack (EA), In Flight Test Surrounding, currently the risk of avoidance, targeting, and other tactical being jammed is much smaller than the risk of employment of forces. Electronic Support data being intercepted and analyzed. However, can be used to produce signals intelligence sometimes you have malfunctioning in your flight (SIGINT), communications intelligence (COMINT) test campaigns it might also be a smart, protocol- and electronics intelligence (ELINT). aware jammer and you will be wondering what

The European Test and Telemetry Conference – ettc2018 129