Hez Hacked Israeli Radios

Defense Technology.org ^ | 9/19/06 | n/a

[LS]

This is downright shocking, if true. "Hezbollah guerrillas were able to hack into Israeli radio communications during last month's battles in south Lebanon, an intelligence breakthrough that helped them thwart Israeli tank assaults," Newsday reports.

Using technology most likely supplied by Iran, special Hezbollah teams monitored the constantly changing radio frequencies of Israeli troops on the ground. That gave guerrillas a picture of Israeli movements, casualty reports and supply routes. It also allowed Hezbollah anti-tank units to more effectively target advancing Israeli armor, according to the officials.

The Israeli military refused to comment on whether its radio communications were compromised, citing security concerns. But a former Israeli general, who spoke on the condition of anonymity, said Hezbollah's ability to secretly hack into military transmissions had "disastrous" consequences for the Israeli offensive.

Like most modern militaries, Israeli forces use a practice known as "frequency-hopping" - rapidly switching among dozens of frequencies per second - to prevent radio messages from being jammed or intercepted. It also uses encryption devices to make it difficult for enemy forces to decipher transmissions even if they are intercepted. The Israelis mostly rely on a U.S.-designed communication system called the Single Channel Ground and Airborne Radio System.

With frequency-hopping and encryption, most radio communications become very difficult to hack. But troops in the battlefield sometimes make mistakes in following secure radio procedures and can give an enemy a way to break into the frequency-hopping patterns. That might have happened during some battles between Israel and Hezbollah, according to the Lebanese official. Hezbollah teams likely also had sophisticated reconnaissance devices that could intercept radio signals even while they were frequency-hopping.

During one raid in southern Lebanon, Israeli special forces said they found a Hezbollah office equipped with jamming and eavesdropping devices. It was my impression that this kind of signal interception was really, really hard to do -- especially for an irregular force like Hezbollah. I know there are some radio and commsec gurus who read the site regularly. Weigh in here, guys.

Or maybe the article itself contains the seed of what actually happened. "Besides radio transmissions, the official said Hezbollah also monitored cell phone calls among Israeli troops," Newsday notes. A raided Hezbollah base had list of "cell phone numbers for Israeli commanders."

Cells are, of course, way easier to intercept. "Israeli forces were under strict orders not to divulge sensitive information over the phone." But maybe they talked anyway. Maybe they thought Hezbollah would never be sophisticated enough to grab their calls. Weeks ago, the Times of London and Asia Times had hints of this. Apparently using techniques learnt from their paymasters in Iran, they were even able to crack the codes and follow the fast-changing frequencies of Israeli radio communications, intercepting reports of the casualties they had inflicted again and again. This enabled them to dominate the media war by announcing Israeli fatalities first.

[taxcontrol]

I would say desperate would be a better choice of terms. Often things dont work out the way they are planned and alternative means of communication is necessary.

[LibLieSlayer]

True enough.

LLS

[Blue State Insurgent]

Just like in 41' when some Americans thought the Japanese couldn't fly straight because of poor eyesight.

[Blue State Insurgent]

Looks like we code use the service of the Navajo code talkers again.

[Jeff Gordon]

The ability to hack the US Armed Forces encrypted frequency hopping radios has been around since the late 90's. Political contract issues has kept the problem in the field.

[Jeremiah Jr]

The Israelis mostly rely on a U.S.-designed communication system called the Single Channel Ground and Airborne Radio System.

Well that explains it; maybe they (Hezbollah) had shopped at KADDB.

www.kaddb.com

[Cindy]

Ditto.

[Southack]

"Spread Spectrum and 128 bit encryption would stop this."

No, it wouldn't.

The article gets it wrong. Hezbollah wasn't intercepting channel hopping freqs, decrypting, and then translating from Hebrew to Arabic in real time.

They were doing something far simpler: they were DF'ing the Israelis.

Direction Finding radio transmission techniques have been around for a century. That's right; a century.

You transmit, two different enemy recievers then triangulate your position. Now they know where you were when you made your last broadcast.

If you think about it in civilian radar detector terms, two antennas on a single radar detector will let you know the direction and range of the police radar gun's last transmission (e.g. Valentine 1 units)...with a little computer processing.

With the right software you can have a realtime map of your enemy's movements (well, for each transmission made, at least).

It doesn't matter if your signal is encrypted (for DF purposes). That would just mean that you don't see the mph figure on the police radar, by analogy. And it doesn't matter if your signal is spread spectrum (i.e. channel hopping). Why? Because you are still broadcasting radio energy from your same antenna.

What Israel failed to do in their offensive was to spoof their own Spread Spectrum, encrypted tank transmissions (e.g. with a couple of UAV's in areas away from the actual tank assaults). Simple spoofing would spread out Hezbollah's anti-tank defenses into areas where Israeli tanks were not venturing.

That being said, contrary to the nonsense in the news, Israel did quite well on the battlefield, anyway. Hezbollah is not itching for a repeat of the pounding that they received. Nor is Hamas.

[Southack]

c # 28

[Hawthorn]

> The ability to hack the US Armed Forces encrypted frequency hopping radios has been around since the late 90's. Political contract issues has kept the problem in the field. <

Please tell us more. Or refer to information sources.

[Southack]

"My opinion is that following the frequency hopping is not that technically difficult and if weak encryption was used, then with the sponsorship of Iran, the Hezzies would have the capability to listen in. BTW, one of the warning signs that your encryption has been broken is when the other side stops or significantly reduces jamming efforts. You see, if they are jamming you, they can't listen in."

I agree. Frequency hopping is easily detected by common spectrum analyzers. Once detected, Direction Finding (DF'ing) the source of those freq-hop broadcasts is a well known tactic.

A stronger signal typically means that the transmitter (in this case, Israeli tanks) is moving closer. A weakening signal, moving further away.

It's not complicated.

[No2much3]

This is why you always take out your opponents CCC (Command, Control, Communication) before you start the ground attack.

Damn this is so basic that some general should be held accountable.

NO2

[Jeff Gordon]

Sorry. My sources are private. The information is supposed to be public record although I have never bothered to look them up.

[WizWom]

The combat radios in use now were designed by ITT in the 90s; my dad was part of the project.

They use a common frequency pattern for typical communications; their encryption keys are provided on a one-time pad basis, but replacing that pad should units be lost in the field would be prohibitive.

What does this mean? It means that should a radio be compromised, the channel or channels that radio was programmed for would need to be sequestered until the OTP chips could be distributed. So, if a unit commander's set is stolen, then the unit has no secure comm. There are some anti-tamper devices, but, of course, they cannot be too aggresive, or the troops technicians would not be able to do the needed OTP replacement as needed.

As for the frequency-hopping being tracable by direction finding, it's designed to be random noise digital signalling. so to direction find it, you'd need to know the FSK OTP already to differentiate it from the background.

Note that that version has been superceeded in the US military by a cellular type system, since it offers more channels and is less able to be jammed.

[Justa]

I think a more likely scenario would be the capture of an Israeli radio and code book from a destroyed AFV whereupon the freq.s and change-freq.s are passed on to other Hezbollah units which had their own SINCGARS-compatable radios.

The short prep time for the battle and Israel's heavy reliance on reserve units inevitably guaranteed poor COMSEC procedures. It's better to have some spillage than a whole bunch of units out of comms.

[BIGLOOK]

In a Tac situation, can see it happen but quickly halted.

Taking care of business....

[Marine_Uncle]

I have no problem with your simple triangulation methodology which as you indicate has been used for a long time. Those preaching the encryption deciphering element of the article forget to realize one has to have the key codes. And with channel hoping one is at a double jeopardy, because they would have to have a computer issueing continues new key combos by a given argorithm, not readily known for starters, and by the time the computer might actually assemble the right key code chances are the channel would change and they never would get a message of any length if at all.
I take such articles with a grain of salt.

[Southack]

"As for the frequency-hopping being tracable by direction finding, it's designed to be random noise digital signalling. so to direction find it, you'd need to know the FSK OTP already to differentiate it from the background."

Nope.

Radio communication contents can be digital if desired, but the physical electromagnetic radio transmission wave itself is always analog.

Look up at the stars tonight. Some of those stars transmit radio waves (which are analog by definition) at seemingly random frequencies and times.

Yet a typical college astronomy student can sweep a spectrum analyzer over any such star and quickly see on an oscilloscope the "random" frequencies on which the star is emitting radio waves.

In fact, the student can sweep the spectrum analyzer over black sky to "discover" stars that aren't even seen.

Now, does it matter if there is data digitally encrypted/encoded on any of those radio frequencies/waves? Not for the purpose of discovering the direction of said transmitter.

...

Pause

...and likewise, such digital encryption matters not to a DF team...said team being interested only in the fact that your antenna is emitting energy.

Energy can be tracked. That's what DF'ing is all about.

And if you are moving, then the directional antenna that is tracking you won't even care about background noise. Won't matter.

Likewise, changing frequencies will change where on the spectrum your energy is detected, but it won't change the fact that the energy you are emitting is being detected.

And if two antenna's detect your radio transmission frequency, then it becomes a simple matter to determine your location.

[jveritas]

I do not believe it.

[LibLieSlayer]

Frequency hopping Repeaters and low power xmitters and directional antennas in the field would make direction finding much harder.

Antennas exist which send almost 100% of their RF Radiation straight up (Military already uses these in the HF spectrum). This would allow a secure path (unless the hezbo's used UAV's to grab the signal by intersecting the RF beam). Satellites would have worked well here under the situation that you describe, using these highly directional antennas. ELF would also work as it seems to come from more than one direction, making their tactics useless.

I based my comment on the data within this article. You seem to have more or better intel about what actually happened.

LLS