Locating Dangerous RF weapons
RF Weapons created by unidentified engineers populate the Internet and Corporate
and University Repositories. Going further Federal Government spends tens of
millions for RF weapon research. Many results are warehoused because other
research provided better or more appropriate solutions. These potential weapon
systems have never been indexed or cataloged. They are a threat to National
Security.
UNSOLICITED PROPOSAL
Basic Information
(1) Thomas V. Sobczak, Consultants
P.O. Box 0433
Baldwin, New York 11510
(516) 623-6295
(2) Contact point for technical personnel to contact for evaluation and
negotiation:
Thomas V. Sobczak, Ph.D., P.E.
Contact point for business personnel to contact for evaluation and
negotiation:
Thomas V. Sobczak, Ph.D., P.E.
(3) Study of Radio Frequency signal transmission mechanisms to introduce
malicious code into weapon system and management software.
(4) Submitted December 12, 1996
(5) We authorize Dr. Thomas V. Sobczak, Executive Vice President, to
represent Sobczak
_______________________________
Thomas V. Sobczak Pd.D.
Executive Vice President
TITLE: Study of Radio Frequency signal transmission mechanisms to introduce
malicious code into weapon system and management software
ABSTRACT:
Unimaginable electromagnetic hazards exist, are practical operational in use by hobbyists.
Hobbyists are using unsophisticated electronic components to transmit code that builds
signal jammers, signal/frequency saturation, signal manipulation and the attempt to take
control of existing systems. Sobczak proposes to baseline available technological
information about mechanisms to transmit code to disrupt electronic systems. This will help
in the validation of system vulnerability. System designers of RF and microwave use the
term "programmatic error" as a catch all for that which they do not explain. The nation's
electronic networks are at risk or under attack.
IDENTIFICATION AND SIGNIFICANCE OF THE PROBLEM
Virus kill potential is a topic of discussion among various levels of the electronic hobbyist
culture in both western and eastern defense cultures. Sobczak has monitored, collected
and structured significant amounts of text, algorithm, and equation dealing with signal
interception, jamming mechanisms, transceiver saturation and attempts at entering into and
controlling the operating system using modified RF transmissions. Sobczak has significant
quantities of malicious code that may be applicable as the medium to inject code into a
command, control or communications network.
Sobczak researches in the universe of applied not previously envisioned technology. We
have invested personal funds to confirm insight that proves the NSA concept and
methodology of trustworthiness is detrimental to the practice of security. Assumed
trustworthiness engenders a relaxed attitude toward security by the protected. Presently
it may be too late to stop an impending attack by enemies or terrorists using these
technologies. Programmatic time bombs exist hidden among the millions of lines of trusted
computer code that functions daily as a part of the existing management environment.
Americans have forgotten the basic ideas that led to success of the colonists in the
revolutionary war. British commanders complained when colonists fought from behind
trees and stone fences. Early Americans did not follow rules. They made rules fit the
situation. Sobczak believes hobbyists and terrorists have thrown away the rules.
Responsible managers have not accepted these new rules of aggression that now govern
conflict.
We believe it is significant:
1. If we introduce unanticipated technologies into a situation, with no prior
knowledge of or preparation for the aggression by friendly forces, the unanticipated
aggression will achieve decisive results against the interest of the friendly forces as they
are structured today.
2. The probability of western produced products involvement against western
technology in localized intrusions/incursions is high due to the large and growing inventory
of technology available worldwide Plans formulated by governments and multinational
corporations have not anticipated this probability. They are vulnerable to the threat posed.
3. The countermeasures' systems available to the nonmilitary operator will not be
useful against most re-engineered western technology. The use of tactics and counter
force require training. Extensive training is not generally available due to existing
budgetary constraints in organizations. They reduce the probability of success against an
electronic intrusion/incursion. It may be nil. Witness 184,000 incursions with only two
percent reported in the US DOD.
4. Western countermeasures equipments and security is geared to weapons of
assumed enemies. They are ineffective to assure survivability among equals. Therefore,
As modern weapons depend heavily on sophisticated technology and this sophistication
itself makes up a certain vulnerability, considering facing aggression without the advantage
of countermeasures is foolish. Sobczak is recognized (see Federal Computer Week,
September 18, 1989, Electronic Combat Reporter, March 23, 1990, Business Week, July
23, 1990, . . . , Newsweek, May 4, 1992, . . . ,and Time, June 5, 1995 ) as capable of
constructing the hardware and software necessary to assure survival.
American electronic countermeasures are years behind the power curve. Sobczak has
found, analyzed and experimented with solutions that might be secret. They share these
solutions in cyberspace. Aggressors exhibit a potential far beyond that for which we give
them credit. Sobczak has re-engineered a sampler of the technologies and been rated
excellent by AFSC/ESD, SAM/RSD and AF Weapons Lab concerning VIRUS weapons to
corrupt weapon systems. Security is at risk to the uncontrolled distribution of killer
technologies.
TECHNICAL OBJECTIVES
This Study will concentrate on identifying how we can integrate and use hobby store
components to affect the software controlling the operation of management
systems/networks.
Initially Sobczak will identify information sources to establish awareness about signal-
based weapons and countermeasures not developed by or for the military. We will
evaluate the results of this effort against technologies available domestically. A conclusion
as to the feasibility of using available hobbyist technologies to subvert systems will be
drawn. Documentation of sources in sufficient detail to assure acceptance by any
reviewing agency, will accompany this section of the final report.
Sobczak will use the information collected to produce validity studies that reference
occurrences identified as more recent than the samples included in the section of this
proposal titled, Study Related Experience. We will orient verification of occurrence to
media sources outside the community taking credit for the action. In this way the proof of
validity will emanate from unbiased sources. Sobczak will in no way violate the Intelligence
Oversight Act or the Civil Rights of individuals by our actions to prove the validity of our
concept.
The type of attack mechanism suitable to be employed in this effort will vary based upon
the sophistication required for penetration and "in system" execution parameters. A VIRUS
that shells the operating system to control a scan pattern generator will significantly differ
from an attempt to null or confuse the averaging mechanism of a bounded back signal for
command, control, communications and computer (C4) systems.
The final objective is creation of a matrix of strategies oriented to the injection of signals
for successful corruption of a weapon or communication system. We will state the
probability for success, based upon the information available to Sobczak
At the completion of the study, the sponsor will know the most feasible method for a
hobbyist or aggressor to inject code via a signal transmission to corrupt a system. This
study will provide the basis for the definition of countermeasures ranging from awareness
training to AI integrated hardware.
STUDY RELATED EXPERIENCE
Sobczak has been involved in research that produced our concept of VIRUS AS A
WEAPON since 1987. During that period we analyzed information from several hundred
Bulletin Board Systems in the United States, Western Europe, the Pacific Rim, the
Mid-East, South America, Eastern Europe and the old Soviet Union. What follows is a
small (less than 1%) portion of our data base concerning weapons to interdict
communications systems and networks. Sobczak has successfully reconstructed
experiments.
1. As early as the mid-seventies, Volkswagen developed a computer controlled fuel
injection valve control system. The car worked perfectly in Europe, but had unexplained
engine failures in the United States. The problem of engine failure was intermittent and
very short lived when it occurred. The cause of failures was RF transmission by Citizens
Band radio frequencies from either mobile or base stations.
2. Some GM cars had problems with electronic control systems when receiving a signal
in the two-meter range.
3. Other manufacturers' electronic controllers have problems caused by cellular phone
transmissions.
4. Reports from BBS in England say chip upset problems occurring in auto electronics
in the area around Coventry due to RF leaked from the transmitter used by Radio Four, a
commercial station transmitting on 1500 meters. The station antenna was radiating
unstable energy. When cars passed close to the station, the transmitter would disrupt
components and disrupt the chip within the electronic ignition.
As you examine these occurrences, you may see the opportunity small scale urban
electronic warfare.
5. Hackers disrupt Coast Guard radar regularly by creating dead spots.
6. They cause some fatal incidents by the same type of radio frequency power
emissions. High power output affected an attack helicopter in use by two different U.S.
armed services. The helicopter, known as the AH-64, Blackhawk or the naval version
named Seahawk, is the operational state of the art in low level air combat. The problem
is composed of two parts.
First, an advanced design employs a unique horizontal stabilizer to help the helicopter
improve its performance envelope. They control the stabilizer through a series of
electronically activated systems managed by a microprocessor that in turn was controlled
from the cockpit through a series of computer code based expert systems that optimize the
ability to fly by wire electronically. A physical connection between the craft's flight controls
and the pilot of the craft is missing.
Second, unknown, unaccepted and deadly, is radio frequency interference stemming from
several different sources. One source is a common brand citizens band radio with an
illegal power output. It is available to almost every long distance truck driver in America.
An incident occurred when a helicopter flew near a commercial RF transmission tower.
This caused the discovery of the RF problem. The U.S. Army at Ft. Rucker, at AVCOM
in St. Louis and at Ft Eustis R & D Center instructed pilots that flights near microwave
antennas or shipboard radar may cause "uncommanded" and unanticipated altitude and
attitude changes.
This problem was not considered possible in an electronically manipulated battlefield.
Hacker's helpers working for the U.S. Navy at Warminster, PA and Lakehurst, NJ and the
Army at West Point VA. supplied most of this information
The electronic controls of the craft were subject to signal manipulation. The designers
failed to shield electronics from both background signals and/or potential directed uses of
radio frequency energy as weapons of warfare by partisans in limited urban actions. The
Navy may not be as hardened today as the Army if leaked data from LABCOM's VAL at
Fort Monmouth, NJ is reasonable.
As the foregoing is known to the public, what is to stop directed RF or microwave energy
from becoming a new, invisible, tactic to cause major disruptions of computer /
communications systems currently in use. Sobczak research shows hackers are making
this potential real.
SDI and the USAF Weapons Laboratory have "black" high powered "burn them up"
microwave beam and pulse weapons under development. Weapons of this nature are
very large scale and require vast amounts of energy. A directed RF beam aimed at
un-tempest'ed buildings cuts through walls, doors, and windows as if they were not there.
A specifically derived pulse can short out most commercial electrical, telecommunications,
computer operations, and any other devices that contain transistors or semiconductors.
Research shows many ways to use technology to gather and alter electronic pulses. Best
known and easiest to duplicate is the interruption of signals from a Home Box Office
satellite and the insertion of a message that stated its subscription rate was excessive.
That incident instilled fear in telecommunications industry managers. It proved that
anything in the transmitted signal universe is fair game for attackers. The takeovers were
for 22 and 90 seconds respectively.
HAM radio operators can contact both American and other repeater satellites. While
generating high powered signals in the mid range of 1-10 Ghz is expensive, it is not a
technical obstacle. Surplus military equipment is easy to obtain. All that we need is a
moderate size dish and few tens of watts at microwave frequencies to produce an effective
jamming station. MIRAGE, an Sobczak experiment addresses the issue of the telemetry
channel. A derived signal probably cannot override true signals, but jamming or saturating
the signal will affect the operation, stability and potentially the orbit of the target.
The possibility to intercept and harvest vast amounts of knowledge is available to those
who wish to gather such. The business of distributing this knowledge in third world nations
and to our enemies is yet to be explored by American security agencies. It is happening.
Sobczak could use an off the shelf satellite dish. Dishes range from 6 to 12 feet wide.
Commercial frequencies transmit a multiplicity of information. In addition multi-site
conference services are available as are privately organized meeting transmissions. We
may receive transmitted signals by using a dish antenna. Sensitive information that should
not be available, is made available and no one is the wiser. The satellite transmits the
signals over a wide area to anyone who can receive them. The President on unsecured
cellular and Air Force One are a constant target for information collecting hobbyists.
Another development offers satellite band coverage, plus Ku and C BANDS using a small
dish. Its circuit board fits inside an IBM PC. The unit down blocks 950 MHz to 1.45 Ghz.
It offers a maximum baud rate of 115,600 bps, with frequency, bandwidth, video and audio
selectable formats. We can connect it to the VideoCipher II, B-Mac and Oak Orion
descrambling systems. Hacker descrambler and decryption software systems exceed the
fondest dreams of a signal collector.
Signal reconstruction devices are now available through the mails in plan form. We
developed a device to receive signals from cable television systems. The device takes a
signal that "leaks" from cable TV system transmissions. It adds the sync signal needed by
the television set to display the received signals on its VDT. We can revive any weak
signal reception.
To provide a better understanding of interception equipment, let us review some devices
prevalent in the hacker community. One such device is known as the Sync Amplifier. Plans
for similar devices, are available from a hacker BBS in New Mexico near USAF Phillips lab.
Besides the plans, text offers' information about computer crime and countermeasures in
a signal oriented operation. One can learn how signal systems are penetrated and/or
receive BBS advice about intrusion. Password defeats, TEMPEST short circuits, crosstalk
amplifier designs and a phreaking term's glossary are available.
They design the sync amplifier to restore and regenerate the sync and colorburst signals
and ignore all information appearing during either the vertical or horizontal blanking. It
takes a weak signal shapes or matches it and then boosts output to a manageable level.
They return that collected signal to the sender modified by special circuit logic in the
systems intruded on.
A few devices help in the restoring and restructure of the video and audio. One device
helps to adjust the brightness changes, vertical jumping and jittering, and video noise.
This unit can help in the filtering and structuring of induced commercially weak signals. It
can take a boosted signal presented to it and recreate it in useable form. Some may see
this only as a filter for signal processing with a focal point on the actual copy-guard
techniques, but such a device incorporated into a RF weapon will help signal restructuring
in a concept we call "blending."
Our experiments find that the simplicity of homemade equipments optimizes the Military
Standards detailed on BBS. The electronics building blocks would consist of comparators,
signal detectors, data separator gates, A to D - D to A converters, data amplifiers and
signal converters. A better version RF weapon may be a modified slow scan system with
error correction and signal smoothing circuits. This unit will work on telephone lines and
standard radio channels. Since the unit accepts signals from multiple input sources, there
will be no problem in adapting the unit to accept cleaned up analog signals from a modified
digitizer circuit.
There are two types of monitors used today. The first, called composite and the second
TTL. TTL logic controls the VDT screen and its pattern. The composite screen is nothing
more than a television set or Apple computer type of monitor. A beam of electrons does
the construction of the picture scanned across the screen at a rate of 262 lines per second.
(Frequency modulation offers an additional opportunity to affect users.) Most of the
screens are of a composite nature making the ability to receive a radio signal emission
practical. The potential of setting up a pseudo Davidov wave is intriguing. The signal in
PANDORA was sinusoidal.
Hackers have the capability to collect and/or modify RF and microwave signals if they have
an antenna on the roof and attached to receiving equipment. Most commercial units have
attached signal amplification circuits to adjust for the ever growing background noise
generated by normal commercial stations and reception characteristics. One can read the
specific signal information generated in any locality as easily as tuning a radio receiver.
Consider the number of microprocessors in a standard command and control environment.
Next imagine the possible effect of a hobbyist ELINT OR SIGINT operation. A host of
vulnerabilities is opened in the surveillance information gathering operation. Common
sense has created a completely wide open way of monitoring the daily practices and
transactional actions of a target with complete impunity and security. Such areas are
completely unguarded due to the lack of knowledge or belief in the potential for successful
signal manipulation by a hobbyist.
We have seen a wide spectrum of emitted signals with a strong signal between 9.0 and
9.250-mhz for the display of standard text scrolling. Better signal display was found at the
lower frequencies of 9-mhz. Monitor frequencies were found around 11 through 19.5 - 20-
mhz. Printer frequencies are between 140 and 200-mhz. We detected disk operations
in the ranges of 88 to 250-mhz. Overall frequency generation was from four through 500-
mhz. The modem was found between 28 and 300-mhz. Overall, discovery of radiated or
transmitted signals by means of common radio technology could lead to the weapons and
countermeasures of tomorrow.
The opportunity exists to use common ham transceivers for such operations. With simple
modifications some can transmit on all frequencies from 1.6 to 30Mhz. The weapon offers
the possibility for disruption of internal signals used to process information and has the
possibility of causing other logic related systems to act or not act without reason.
The foregoing is possible against military and commercial electronic systems. Malicious
intent is a problem against civilian targets such as computer installations, bank and
operations support structures by the possible override of security systems and any other
systems that manipulated frequencies can affect.
This capability is within the range of any person with the intent to create mischief. The
equipment is nothing of major technical wonderment, just a few simple block circuits
integrated to produce the requested result. All of the described equipments or plans are
in the hands of free thinkers and aggressors. Most military technologists do not have
knowledge about how hackers/terrorists have designed such systems and may be used to
corrupt other systems. They state that the foregoing is not possible.
CURRENT STAFF RESUMES
The following is the resume of the key contributors to the success of this Unsolicited
Proposal.
Chief Scientist: Thomas V. Sobczak -- BA, Social Science, St. Johns U.,
Brooklyn, NY; MBA, Management, Hofstra U., Hempstead, NY; Ph.D., Management,
Sussex College, England; Visiting Professor & lecturer; Fellow - Society of Manufacturing
Engineers; Fellow - Institute for the Advancement of Engineering (IAE); Fellow Institution
of Production Engineer (England); Certified Manufacturing Engineer (SME); Licensed
Professional Engineer; Author, Counselor and Advisor; Appointee: NATO CSA and DOC
NDER; Member, CASA Technical Council.
PROPOSAL
Phase One - Develop the Baseline Knowledge
Sobczak will survey the Internet/BBS universe worldwide to define the topics used for
injection of signals into both western and other equipments.
Sobczak using the resources at its disposal and without violating any existing Federal Law
or Statute will produce a detailed report concerning each item found. Beyond technical
information, the report will include that geopolitical information necessary to the sponsor
to rank requirements for Phase Two.
Phase Two - Designing Counter Force
Sobczak will determine the available knowledge base concerning vulnerabilities and
methods to exploit vulnerabilities of the equipments defined in Phase One. Sobczak will
analyze and structure the information collected to learn if we can generate a response
matrix that integrates threat countermeasures. Sobczak will generate the matrix and a plan
to develop a proof of concept for demonstration purposes. Sobczak will provide an
analysis of risk by equipment citing the vulnerability causing the risk and defining the
appropriate countermeasure to eliminate the vulnerability.
Phase Three - Development of Injection Equipments.
Project Cost Estimate, Study Schedule and Management Plan available upon request.