NSA man says agency can track you through POWER LINES
Boffins throw cold water on electric eavesdropping claims raised in German media
Forensics and industry experts have cast doubt on an alleged National Security Agency capability to locate whistle blowers appearing in televised interviews based on how the captured background hum of electrical devices affects energy grids.
Divining information from electrified wires is a known technique: Network Frequency Analysis (ENF) is used to prove video and audio streams have not been tampered with.
The technique works by analysing the nearly inaudible 50 Hertz energy hum generated by power grids which is inadvertently captured by most audio recording devices. Investigators could strip away layers of audio until the bare hum remains. That hum can then be scrutinised for unnatural variations.
ENF analysis became topical this week when German outlet Heute.de reported an un-named former NSA staffer claimed the agency has used it to determine the physical location where a recording of TV interviews took place by matching captured energy hums with those previously recorded across the grid.
NSA operatives could therefore guess at a whistleblower's location.
Technology to conduct ENF is not exotic. Bandpass filters can detect variations in the 50Hz hum which would detect dips and rises as small as 0.001 Hz over 10 seconds.
That it is possible to geolocate variations in grid hum, which Heute.de reports the NSA and CIA can do, is more novel.
But experts are dubious the reports are correct.
"Let me start by saying that in principle it could well be possible to use ENF to determine the location a recording was made as well as the time it was made," Philip Harrison, an ENF forensics veteran of 18 years based in London told The Register.
"It's possible that there are some other aspects of the signal that vary by location that haven't been discovered yet, or perhaps the NSA have discovered them."
Harrison had performed ENF to verify audio recording presented as evidence in court showing that a undercover police recording of an illegal weapons deal had not been tampered with. In 2010, ENF was used in a high profile murder case in the UK. Blighty's Metropolitan Police Service have stockpiled a comprehensive database of electrical grid frequencies since 2005 to help with further cases.
Vulture South contacted Harrison and others about the ex-NSA agent's claims. Harrison saw three problems that were likely intractable for anyone other than the seemingly superhuman hackers at the NSA.
"Firstly," Harrison said, "the NSA would need to know over what geographic area the specific type of variation occurred".
Research published last month by the University of Porto, Portugal, (Real-Time Monitoring of ENF and THD Quality Parameters of the Electrical Grid in Portugal) examined local variation in the nation's power grid. It found fundamental differences in the structure of the harmonics of the 50 Hz which could be detected because Total Harmonic Distortion was strongly affected by local factors and had as a result little geographical consistency.
That research considered only a handful of locations meaning it was unclear how the features could vary between sub-stations or power stations, Harrison said. The NSA could know of other signal aspects that varied according to location, but that was speculative.
The second problem was the need to log ENF values and the secret signal sauce that allowed location to be determined. "This could mean hundreds or thousands of logging devices in a country if you want to be able to locate a recording accurately," he said.
The problem was a prodigious one because of the huge amount of frequency variation in local power grids. All manner of electrical devices could cause a dip or spike in neighbouring networks.
"You would need a tap on every one of thousands of transformers," said Ian Appleby, a former veteran of the Australian energy and defence sectors who maintained a comprehensive knowledge of electronics, but not of ENF. "In the industrial area where I used to be, my UPS (uninterruptible power supply) would freak out when nearby commercial places shut down causing a spike in frequency."
He doubted the feasibility of mapping a whole power grid considering these immense variables.
A third problem relates to the hit and miss process of extracting the relevant data from captured recordings.
"From my experience of casework this is the hardest part," Harrison said. "It's not always easy to get out the variation in 50 Hz since it is at such a low level in the signal, let alone trying to get more information out about the harmonics or some other aspect of the signal."
"So while it might be able to work in principle, actually applying it to a real-world recording could be a lot harder."
The audio and video equipment used to record whistle blowers could be identified, according to NSW-based Brian Stokes who had a background in the field but not ENF. He and other engineers agreed with Appleby's remarks.
"The possibilities of characterising the recording equipment such as microphone, input amplifier, etcetera are rather good, but the likelihood of determining the geographical location of the recording based upon artifacts of the mains supply, given the levels of filtration in DC supply design, sounds improbable."
If the NSA did have the technology, it was bad news for whistleblowers. The Heute.de source said they could nail a whistle blower in less than three weeks, even faster if they spoke at a monitored journalist's favourite haunt. ®
Vulture South offers a hat tip to security bod Heubert Seiwert for help translating the Heute.de article.
Sponsored: Global DDoS threat landscape report