DEFCON 25 – Spies in the Skies

Editor’s Note: The slides we presented at DEFCON 25 are at the bottom of this story which details what we spoke about and more.

The Spies in the Skies

Law enforcement agencies have used aircraft for decades to conduct surveillance, but modern radio, camera, and electronics technology has dramatically expanded the power and scope of police surveillance capabilities.

The Iraq War and other conflicts have spurred the development of mass surveillance technologies and techniques that are now widely available to domestic police.

The FBI, DEA and other agencies flew powerful surveillance aircraft over cities for years in relative secrecy before coming to public attention in 2015.

This presentation was introduced at DEFCON 25 and discusses the capabilities of these aircraft, the discovery of the FBI and others’ surveillance fleets and continued efforts to shed light on aerial surveillance.

We are releasing a way to detect surveillance indicators in real time based on multilateration of aggregated ADS-B data, and introducing code for detecting surveillance indicators from flight behavior.

The History of the #SkySpies

Law enforcement has used aircraft for years for a variety of policing matters. The New York Police Department was an early adopter and began using aircraft in 1919.

However, stories of black helicopters and undercover planes kept the story of aerial surveillance out of the mainstream and pushed it into the world of conspiracy theory.

In 2015, interest was renewed. People like John Wiesman began investigating aircraft performing seemingly pointless loops for hours at a time.

The North Star Post’s founder Sam Richards began investigating the matter himself and interest continued to grow.

Eventually Sam discovered over 100 tail numbers belonging to front companies owned by the FBI, and a week later it was reported by the Associated Press.

The cat was out of the bag.

Senator Al Franken sent a letter to then acting Attorney General Loretta Lynch and FBI Director James Comey demanding answers to the plethora of questions the discovery raised.

Many of the questions remain unanswered.

These questions become even harder to answer with law enforcement engaging in more complex techniques to hide their aircraft.

Many federal agencies use the state of Delaware’s relaxed corporation laws to create front companies with no address or contact information.

The Delaware Corporation Commission’s office has over 2,000 planes registered to it including Google’s drone program dubbed Ashfloyd LLC.

But Freedom of Information Act requests and other public records have continued and will continue to allow the public to learn more about these aircraft and aerial surveillance.

What We Know

Law enforcement officials have kept mum on the capabilities, technology and usage of these aircraft. However, there are plenty of things we do know.

Firstly, law enforcement uses a wide array of aircraft to fit different needs.

The most common aircraft owned by police departments across the nation are helicopters. Police use them to “deter” crime, survey crime scenes, assist in traffic control and chase suspects.

But helicopters are loud and generally fly low.

The next most popular platform used by law enforcement is the small fixed-wing plane, such as a Cessna.

Cessnas have been used extensively by federal law enforcement to conduct surveillance of targets and of protests.

Aboard these fixed wing aircraft are advanced camera systems originally designed to be used to fight the war on terror.

The most popular of these camera systems is made by L3 Communications. The Wescam series of cameras has a zoom ratio up to 120x and advanced infrared sensors.

The most popular of these cameras is the MX-20 which is used on most law enforcement aircraft.

The MX-20 is the same camera system used on Predator drones used overseas. The laser designator which would be used for missiles on a drone is used to help police more easily keep track of a target.

Another popular system used is FLIR or forward looking infrared.

These cameras can see through walls which prompted a Supreme Court decision that found using them to look into a residence was a search and required a warrant.

But cameras aren’t the entirety of the aerial surveillance bag of tricks.

The FBI has admitted to using cell site simulators, also known as Stingrays, aboard their aircraft.

Cell site simulators trick phones into thinking the device is a legitimate cell tower, allowing for tracking and downloading of information, and in some cases can turn a phone into a passive listening device.

Records obtained by the North Star Post for a surveillance plane used by Customs and Border Protection list installed devices referred to only as “LETC antenna”.

LETC stands for law enforcement technical collection. A representative from CBP said they are used to “collect signals across the electromagnetic spectrum.”

The electromagnetic spectrum is a large place and contains everything from remote control cars to cell phones and x-ray machines. CBP would not comment further on the specifics of this collection.

Tracking the Sky Spies

For the past few years journalists, activists and hobbyists have tracked the planes by finding tail numbers and looking up historical radar data.

Technologist Jason Hernandez felt there could be a better way than just waiting around for interesting flights to appear or manually checking tail numbers.

We wanted to find a way to not only see surveillance flights within the United States but abroad as well.

The unique flight patterns of surveillance planes, data collected over years of reporting and other knowledge allowed Jason to create a system that would find and log likely surveillance flights.

With a Raspberry Pi 1B+, an RTL-SDR radio, antenna and internet connection you too can track these aircraft in your area.

Most aircraft are now being required to use a system called ADS-B, which stands for Automatic Dependent Surveillance-Broadcast.

ADS-B is a system that determines an aircraft’s position via satellite navigation and broadcasts it, enabling it to be tracked by air traffic controllers and hobbyists alike.

By applying a scorecard to different flights, the application filters out other aircraft whose more linear flight paths are not indicative of surveillance patterns.

The program runs within a Virtual Radar Server and the flight data is queued in RabbitMQ and composed in Redis. Completed flights are then stored for retrospective analysis.

Flight paths for each suspicious aircraft are exported as JSON files and uploaded to AWS S3. The flight paths are then viewable in a basic Leaflet.js web map.
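To make the scorecard idea concrete, here is an added example (not the project's own code) that scores a track of decoded ADS-B positions on two indicators: net full circles flown and distance flown versus distance covered. The indicator choice, the thresholds, the weights and the sample tracks are all assumptions for illustration; the page does not list the real scorecard's criteria.

```python
import math

EARTH_R_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_R_KM * math.asin(math.sqrt(h))

def bearing_deg(a, b):
    """Initial bearing from a to b, degrees in [0, 360)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    y = math.sin(lon2 - lon1) * math.cos(lat2)
    x = (math.cos(lat1) * math.sin(lat2)
         - math.sin(lat1) * math.cos(lat2) * math.cos(lon2 - lon1))
    return math.degrees(math.atan2(y, x)) % 360

def score_track(points, min_loops=2.0, min_tortuosity=5.0):
    """Score a list of (lat, lon) fixes; thresholds are illustrative assumptions."""
    # Ignore legs shorter than 50 m so position jitter does not look like turning.
    legs = [(p, q) for p, q in zip(points, points[1:]) if haversine_km(p, q) > 0.05]
    if len(legs) < 2:
        return {"loops": 0.0, "tortuosity": 1.0, "score": 0}
    headings = [bearing_deg(p, q) for p, q in legs]
    # Signed turn between consecutive legs, wrapped to [-180, 180).
    turns = [((h2 - h1 + 180) % 360) - 180 for h1, h2 in zip(headings, headings[1:])]
    loops = abs(sum(turns)) / 360.0           # net full circles in one direction
    path = sum(haversine_km(p, q) for p, q in legs)
    net = haversine_km(points[0], points[-1])
    tortuosity = path / max(net, 0.1)         # distance flown vs. distance covered
    score = (2 if loops >= min_loops else 0) + (1 if tortuosity >= min_tortuosity else 0)
    return {"loops": round(loops, 2), "tortuosity": round(tortuosity, 1), "score": score}

def orbit(center, radius_km, laps, step_deg=15):
    """Constructed sample: fixes on a circle of radius_km around center."""
    lat0, lon0 = center
    dlat = radius_km / 111.0
    dlon = dlat / math.cos(math.radians(lat0))
    n = int(laps * 360 / step_deg)
    return [(lat0 + dlat * math.cos(math.radians(i * step_deg)),
             lon0 + dlon * math.sin(math.radians(i * step_deg))) for i in range(n + 1)]

# Constructed tracks: three laps of a 3 km orbit, and a straight transit.
ORBIT = orbit((44.98, -93.27), 3.0, laps=3)
TRANSIT = [(44.0 + 0.05 * i, -93.0 + 0.05 * i) for i in range(40)]

if __name__ == "__main__":
    print(score_track(ORBIT), score_track(TRANSIT))
```

A score this simple will also flag holding patterns, flight training and traffic helicopters, so treat it as a first filter before checking registration records.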

Please check it out at Pull requests and suggestions are welcome.

You can see our presentation below: