Using SDRs for Signals Intelligence (SIGINT)
by Per Vices
Signals intelligence (SIGINT) is an umbrella term for collecting and analyzing information through the monitoring of radio frequency signals. In the era of remote and wireless communications, intercepting radio information is crucial in any application involving the malicious use of the RF spectrum, including military surveillance, homeland security, and monitoring of illegal RF transmissions. In this article, we discuss the basic concepts of SIGINT/COMINT, the requirements for system design, how software-defined radio (SDR) can contribute to the performance, and the various applications of SDR-based SIGINT.
By detecting strange signals in a hostile electromagnetic environment, SIGINT systems can rapidly adapt to emerging threats, locate unknown and/or illegal devices, and counteract against adversarial interference. SIGINT requires a large variety of devices, techniques, and algorithms for RF signal detection, measurement, processing, exploitation, and manipulation.
The most fundamental component in a SIGINT system is the spectrum analyzer. SIGINT requires the capturing of wideband spectrum data with a high dynamic range, minimum information loss, and free of noise, which makes high performance SDRs a necessity.
What is SIGINT?
The detection and analysis of RF data for intelligence purposes, including military awareness, public safety, security, and command and control systems, is called SIGINT. The term includes signals used for communication and for general electronic purposes, with the first being classified as communications intelligence (COMINT) and the second as electronics intelligence (ELINT).
The first use of SIGINT occurred during the First World War, when the radio communications of the German military were intercepted by the British for information gathering. This gave the British military major advantages in battle, forcing both sides to use encryption techniques to protect sensitive information. As encryption and data protection evolved, new SIGINT technologies were developed, including decryption, traffic analysis, and geolocation, to extract useful intelligence and guide warfare decision making.
By providing access to the RF spectrum, SIGINT became a crucial component in electronic warfare (EW). The main objective in EW is to obtain control over the spectrum, giving allies the ability to exploit and manipulate the RF environment and counteract against any adversarial access to it. This includes communication and radar jamming, radar deception, spoofing, electronic masking, and spectrum management. Therefore, SIGINT is often associated with EW systems.
In modern warfare, most military equipment is connected to the electromagnetic spectrum in some way, including radio communication devices, aircraft radars, GPS-guided missiles, and unmanned aerial systems (UAS). In this context, SIGINT can provide geolocation of enemy RF equipment, as well as the nature of the device, the frequency, and even the data being transmitted. After interception, the information can be used to attack the device (done through jamming, spoofing, or physical destruction) or to implement countermeasures for self-protection. Moreover, having access to the adversary signals can provide a powerful insight into the enemy’s capabilities and actions, giving the allies the upper hand in decision making. As RF technology evolves, malicious EW devices become more and more powerful, increasing the importance of reliable SIGINT techniques.
There are several examples of SIGINT attacks in recent events. One of the most common techniques used in attacks is satellite-based eavesdropping. This technique was used in 2009 by Iraqi hackers to eavesdrop on the video data from the Predator U.S. drone that was being transmitted to the central unit. The most notable aspect was that a $26 software package (the Russian SkyGrabber) was able to hack a U.S. drone transmitting sensitive information, showing the importance of proper SIGINT implementation.
Iraqi forces also used GPS jamming devices in 2013 during Operation Iraqi Freedom, all of which were located and destroyed. Jamming can be easily performed using off-the-shelf devices, which is concerning given that detection and location are challenging. However, one of the most problematic hacker attacks involves satellite hijacking through the TT&C (telemetry, tracking, and command) system, which can provide control over the equipment. The technique was used in 2009 by Brazilian civilians, including professors, truckers, technicians, and farmers, to hijack UHF bands used by Navy satellite communication.
One of the most common methods within SIGINT is signal encryption, which avoids eavesdropping by setting both receiver and transmitter with mutual authentication algorithms to interpret data without leaking it to third parties. Hardware-oriented approaches such as narrow-beam transmissions are also very useful. In this method, the transmitted signal is focused in a narrow area around the receiver, reducing the chance of detection and interception by external agents. Frequency hopping, where the transmission carrier is constantly being switched to avoid hacking and jamming is another example.
SIGINT RF Requirements and System Designs
Several requirements are common to almost any SIGINT application. First, the system must be able to capture a spectrum over a wide bandwidth. This includes devices with high dynamic range measurement systems, low noise-figures, and real-time capturing capabilities. Besides measuring over a wide spectrum, high-frequency resolution (< 1 kHz) is fundamental to improve detection sensitivity.
Moreover, the device should provide large memory and very high digital throughput for data storage, especially when the intercepted data cannot be immediately decrypted. SIGINT also requires the use of powerful DSP algorithms, including fast Fourier transformation (FFT), direct down-conversion (DDC), and detecting pulse descriptor words (PDWs). Due to the need to perform complex parallel processing in near real-time, SIGINT systems need a powerful FPGA in the digital stage.
SIGINT systems can assume a variety of sizes, architectures, and complexities. They can be employed in compact mobile devices for local applications on the battlefield, can be integrated into conventional aircraft and unmanned aerial vehicles (UAVs), and be installed in massive facilities for defense and governmental purposes such as the Royal Air Force (RAF) installation at Menwith Hill.
The type of application will affect greatly the SWaP (size, weight, and power) requirements, but the general architecture is common to most SIGINT systems (Figure 1). The first components are the antenna and the RF front-end that are responsible for signal reception, amplification, filtering, and tuning. Both are designed according to the aspects of the desired signal and application, such as power, carrier frequency, frequency range, noise, bandwidth, and SWaP. The RF circuit is interfaced with the digital processing unit through an analog-to-digital converter (ADC), that converts the analog signal into binary information. The binary signal is then processed by the digital unit, which is often implemented by an FPGA or a GPU.
In this stage, several different functions can be performed, including DSP functions, DDC, PDW, AI algorithms, and data packaging. The FPGA then can either store the data into a memory unit or transmit it directly to the host. The host also controls and programs the FPGA. All the basic blocks shown in Figure 1 can be developed using a single and off-the-shelf SDR.
SDRs for SIGINT/COMINT
As the name suggests, SDRs are radio systems designed to implement as many functions as possible in the digital domain. This improves the flexibility and adaptability of the device, as well as reduces engineering costs significantly by allowing the use of off-the-shelf equipment for very different applications. The basic architecture of the SDR consists of a RF front-end (RFFE), a mixed-signal interface, and a digital backend (Figure 2).
The RFFE performs the receive and transmit functions over a wide range of tuning ranges. The performance of an SDR is significantly defined by the limitations of the RFFE, including dynamic range, minimum detectable signal power, number of channels, and bandwidth. The highest bandwidth SDR in the market can achieve up to 3 GHz of instantaneous bandwidth per multiple independent Rx and Tx channels. The RFFE is connected to the digital backend via ADCs and digital-to-analog converters (DACs).
The digital backend, typically implemented with an FPGA with onboard DSP capabilities, performs all the signal processing and application-specific algorithms, including modulation, demodulation, up-down-conversion, and data packetization over optical links. By focusing on software-defined functions, SDRs provide the flexibility necessary for various SIGINT applications with different SWaP requirements.
In SIGINT applications, there are some specific requirements that SDR systems must provide. The most critical one is the need for high instantaneous bandwidth to capture large portions of the spectrum in real-time. Therefore, a high sampling frequency is required. Also, Multiple-Input Multiple-Output (MIMO) RFFEs are essential to managing data from many antennas, each one dealing with different frequency bands and signal sources.
Thus, high-end SIGINT devices are only feasible with the application of MIMO SDRs. Advanced FPGAs can be used to perform embedded SIGINT algorithms for target finding, data decryption and deciphering, and data packetization for Ethernet transmission. The SDR should also be capable of integrating DSP analysis tools, such as GNU Radio, Octave, and dedicated software.
On the RFFE side, it is important that the number of LNAs and non-linear components is minimized to improve the MIMO capabilities and ensure that most of the processing is performed via software. ADC components with sampling frequency in the range of gigasamples per are fundamental to capture wideband signals. In ADCs, one of the most important parameters is its spurious-free dynamic range (SFDR) that quantifies its ability to distinguish a carrier frequency from noise and harmonics so ADCs with a high SFDR can detect weaker signals in a noisy environment. SFDR can be improved by suppressing unwanted harmonics with antialiasing filters, but this is not feasible in wide-band applications, so the ADC must provide wideband SFDR. Finally, the RFFE should implement adequate anti-imaging and anti-aliasing filters to eliminate unwanted frequencies.
On the digital backend, the FPGA must be capable of running the Coordinate Rotation Digital Computer (CORDIC) algorithm for basic DSP functions, which includes digital up-down-conversion and filtering. In addition to digital processing, the SDR must transmit vast amounts of data, with high-sampling rates, to the SIGINT network.
Therefore, optical transceivers are fundamental to managing the data traffic. There are some high-end SDRs with embedded fiber modules, including the Cyan SDR from Per Vices. Finally, the backend FPGA must provide support for data packetization via Ethernet protocols, compliant with VITA 49 payloads. VITA 49 is a transport standard created to communicate data obtained from a radio receiver.
The last portion of the SIGINT system is the host, which is often overlooked in spectrum monitoring applications. The host system is responsible for managing data storage for future SIGINT analysis so it must be able to handle large amounts of I/Q data to prevent data loss. Consequently, very high-speed network interface cards (NICs) with FPGA acceleration are needed to handle multiple high-speed optical links. The host must also have equipment with high-end peripherals such as NVMe drives, DDR4 (or DDR5) RAM, and high-performance GPUs.
Applications of SIGINT
As electronic devices are becoming more and more connected, SIGINT systems are being used in a wide range of applications, ranging from life-and-death military situations to daily and less critical civilian applications. For instance, SIGINT devices can be used in public safety monitoring, including the detection of smuggled cellphones in prisons. By analyzing the RF environment inside a prison facility, it is possible to identify and estimate the approximate location of illegal cellphones and RF transmitters, significantly reducing the need for random searches and inspections.
A similar technique can be used around airports to detect illegal interference signals, although significantly more complex due to the wider range of possible frequencies. Spectrum monitoring in airports is crucial to rapidly detect and eliminate sources of interference that can jeopardize communications between airplanes and air traffic control. In military applications, SIGINT is applied in situation awareness around secure infrastructures, enemy device geolocation, homeland security, and general EW strategies.
SIGINT can even be used to monitor RF activity from space, using spectrum analyzers embedded into satellites. For instance, the American company HawkEye 360 collects RF data using three small satellites with onboard SDR-based systems and sells the intelligence for a variety of applications, including defense, telecommunications, and maritime activity.
One of the most important use cases of SIGINT technologies is the geolocation of RF sources. It can be used in search-and-rescue for friendly forces or to locate and destroy enemy equipment. One of the most applied techniques in SIGINT geolocation is the Time Difference of Arrival (TDOA). In this method, the signal is measured by three or more RF receivers. The receivers are distributed at different locations in space, so the signal takes different amounts of time to reach each antenna. By synchronizing the SDRs in time, the captured data of each receiver can be compared and aligned to obtain the time shift between data packages. This shift is then used to estimate the difference in distance between the target and a pair of antennas, which results in a set of curves corresponding to all possible target locations for each pair. If three receivers are used, three curves are generated. Finally, the intersection point of the three curves corresponds to the location of the target (Figure 3). TDOA systems provide high spatial accuracy of less than 100 m in very short time spans.
Another example of SIGINT application is the identification and reverse-engineering of an unknown signal. In this case, the objective is to obtain as much information as possible about the signal, including pulse shape, frequency content, and bandwidth. By analyzing the signal in the frequency domain, through FFT, the SIGINT system can estimate the symbol rate and the modulation scheme of the transmission.
Once the modulation protocol is identified, it simply becomes a matter of demodulation and decoding to obtain information. Although brute-force methods are common to obtain information about the modulation, advanced AI algorithms can also be embedded into the FPGA, which are able to identify the modulation method and break into signal protection layers, such as frequency hopping and encryption.
(1678)
