Saturday, 18 August 2018

Using nmcli to create 802.1x EAP-TTLS connections

The NetworkManager GUI makes it easy to create 802.1x (WPA2 Enterprise) connection configurations. In a command-line environment (non-GUI setups) such connections have to be created and handled with nmcli, the command-line client of NetworkManager (nmtui is its TUI counterpart). When invoked, nmcli talks over D-Bus to the locally running NetworkManager daemon.

It is rather strange that on many Internet user forums an easy task like creating and managing an 802.1x connection with nmcli is declared mission impossible, and wpa_supplicant is pointed out as the only tool available for connecting to WPA2 Enterprise infrastructure. The goal of this post is to show that nmcli is capable of doing that natively (NetworkManager still drives wpa_supplicant under the hood, but the user never has to configure it by hand).

To create an 802.1x connection from the command line, nmcli needs to be invoked correctly. It is not practical to enter the nmcli interactive shell and describe the connection parameters one by one; the easiest way is to create the whole connection description with a single command line. Note that some of the options passed to nmcli are in fact critical, even though the syntax checker does not treat them as such: the command is accepted without them. For instance, with EAP-TTLS and PAP as the inner method the password travels in plain text inside the TLS tunnel, so the client must verify the RADIUS server's X.509 certificate before building that tunnel; otherwise a rogue access point presenting any certificate can harvest the password (the classic "man-in-the-middle" attack). Therefore a copy of the CA certificate that signed the RADIUS server certificate needs to be stored locally as a text file (preferably in PEM format) and referenced from the connection. Pinning the expected server name as well (the 802-1x.domain-suffix-match property) stops a certificate issued by the same CA for some unrelated host from passing the check.

The example below shows how to define all the parameters of an 802.1x connection required for using the "eduroam" hotspot (more about eduroam):

$ sudo nmcli connection add type wifi con-name "eduroam" ifname wlan0 ssid "eduroam" -- wifi-sec.key-mgmt wpa-eap 802-1x.eap ttls 802-1x.phase2-auth pap 802-1x.identity "" 802-1x.anonymous-identity "" 802-1x.ca-cert "/home/user/CA-wifi.crt" 802-1x.password 3423sd3easd32e2

Note the use of the full path to the CA X.509 certificate file (/home/user/CA-wifi.crt), passed as the value of the 802-1x.ca-cert property. A relative path must be avoided: it is the NetworkManager daemon, not the user's shell, that opens the file at activation time, so the path has to be valid from the daemon's point of view and the file has to be readable by root.

If the command succeeds, the connection "eduroam" will appear in the list of configured connections (nmcli c s is short for nmcli connection show):

$ nmcli c s

Once listed there, the connection can be activated by executing:

$ sudo nmcli c up eduroam

and on successful activation the usual message appears on the display:

Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/9)

It is a very good idea to clear the shell history afterwards (or to keep that one command out of it, for instance with a leading space when bash has HISTCONTROL=ignorespace set), because the password is part of the command line defining the connection. The secret itself is stored by NetworkManager in its connection storage (under /etc/NetworkManager/system-connections/, or in /etc/sysconfig/network-scripts/keys-eduroam on the Red Hat family), which is readable by root only; the history file of the user who ran sudo is the weak spot.

The example given above has been tested on the latest CentOS 7, Red Hat Enterprise Linux 7, Scientific Linux 7, and Ubuntu 18.04.1 LTS.
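As an added example (not code from the original post), here is a small Python script that assembles the same nmcli command as above without ever putting the password on a shell command line, and that refuses to run unless an absolute path to a PEM CA certificate is given. The eduroam defaults mirror the post's command; the function and parameter names, the optional domain-suffix-match value and the dry-run switch are this example's own assumptions. nmcli and sudo are only invoked by add_connection() when dry_run is False.

```python
"""Build and run the nmcli command for an EAP-TTLS/PAP connection while keeping
the password off the shell command line, and refuse to proceed unless a usable
CA certificate is named.  Added example; names are this example's own."""
import getpass
import os
import subprocess


def check_ca_cert(path):
    """Reject anything that is not an absolute path to a readable PEM certificate.
    NetworkManager (running as root) opens the file, not the user's shell, so a
    relative path would fail at activation time, not when the connection is added."""
    if not os.path.isabs(path):
        raise ValueError(f"CA path must be absolute: {path}")
    if not os.path.isfile(path):
        raise ValueError(f"CA file not found: {path}")
    with open(path, "rb") as f:
        if b"-----BEGIN CERTIFICATE-----" not in f.read():
            raise ValueError(f"{path} is not a PEM certificate")
    return path


def eap_ttls_argv(con_name, ifname, ssid, identity, anonymous_identity,
                  ca_cert, password, domain_suffix_match=None):
    """The post's command as an argument vector, with 802-1x.ca-cert always
    present (the property the plain-text inner password depends on) and,
    optionally, 802-1x.domain-suffix-match so that a certificate issued by the
    same CA for an unrelated host is rejected as well."""
    argv = ["nmcli", "connection", "add", "type", "wifi",
            "con-name", con_name, "ifname", ifname, "ssid", ssid, "--",
            "wifi-sec.key-mgmt", "wpa-eap",
            "802-1x.eap", "ttls",
            "802-1x.phase2-auth", "pap",
            "802-1x.identity", identity,
            "802-1x.anonymous-identity", anonymous_identity,
            "802-1x.ca-cert", check_ca_cert(ca_cert),
            "802-1x.password", password]
    if domain_suffix_match:
        argv += ["802-1x.domain-suffix-match", domain_suffix_match]
    return argv


def add_connection(identity, anonymous_identity, ca_cert, domain_suffix_match=None,
                   con_name="eduroam", ifname="wlan0", ssid="eduroam", dry_run=False):
    """Prompt for the password with getpass (nothing lands in ~/.bash_history),
    then hand the vector to sudo/nmcli.  The secret is still written by
    NetworkManager to its root-only connection file, and is visible in the
    nmcli process's argument list for the instant the command runs."""
    password = getpass.getpass(f"Password for {identity}: ")
    argv = eap_ttls_argv(con_name, ifname, ssid, identity, anonymous_identity,
                         ca_cert, password, domain_suffix_match)
    if not dry_run:
        subprocess.run(["sudo"] + argv, check=True)
    return [a if a != password else "<hidden>" for a in argv]


if __name__ == "__main__":
    import sys
    # usage: script.py IDENTITY ANONYMOUS_IDENTITY /abs/path/CA.pem [SUFFIX] [--dry-run]
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    print(" ".join(add_connection(*args[:4], dry_run="--dry-run" in sys.argv)))
```

The check on the CA file is deliberately done before nmcli is called: nmcli accepts a missing or wrong 802-1x.ca-cert without complaint, and the failure only shows up (or, worse, does not show up at all) when the connection is brought up.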

Sunday, 12 August 2018

Talking seriously about the "number radio stations"

Since the early 90's I have been involved in many disputes and technical discussions regarding the nature of the shortwave oddity known to many as "number radio stations". To save my time and stop repeating the same information every time, I have written and posted the text below. Consider this publication a kind of technical summary and analysis, and DO NOT expect to find in it conspiracy theories, evidence of extraterrestrial contact, radio transmissions from other stars and galaxies, talk about shadow governments, or similar nonsense.


  1. What do they call "number radio station"
  2. How to spot voice broadcasting number radio stations
  3. Who is behind the number radio stations
  4. Whom the number radio stations broadcast to
  5. What kind of communication protocol do the number stations use
  6. Example: Creating an encrypted message of a fixed length
  7. Appendix A. The synthetic alphabet and the code book

1. What do they call "number radio station"

The term "number radio station" emerged during the Cold War years to classify the sources of some widely observed shortwave oddities: anonymous one-way broadcasts whose purpose and content cannot be understood, mostly intercepted outside the regular shortwave broadcast bands. Different number radio stations employed different broadcast protocols, including plain voice, Morse code, X.25, or other (usually very unique) protocols. During the last years of the Cold War and the early 90's the number of detected number radio stations reached a peak, and then, during the late 90's, started to decrease sharply. Nowadays only a few number radio stations broadcasting voice messages can be spotted. The main reason for the decline is the development and expansion of the Internet. More information regarding the history of number radio stations, the methods of detecting them, and the classifications of their broadcasts can be found on the web page of "The Conet Project".

2. How to spot voice broadcasting number radio stations

Before becoming involved in spotting number radio stations, one should go through some self-training to get an idea of their sound profiles. Collections of number radio station audio recordings can be found free of charge online, since many shortwave enthusiasts upload their recordings to YouTube (1, 2, 3, 4).

There are two ways to perform the spotting:

  1. by using one of the publicly accessible online WebSDR receivers;
  2. by buying a sensitive shortwave receiver or an SDR device (like KiwiSDR or similar).

Having an SDR and its software is the easiest effective way of spotting and recording radio broadcasts, mostly because of the "waterfall" display implemented there, which shows the current occupancy of the shortwave frequencies and the type of each broadcast (digital, voice, Morse). The waterfall helps to detect, fast and precisely, unusual broadcasts with a certain type of modulation that might deserve special attention as possible candidates for number radio station broadcasts.

What makes the voice broadcasting number radio stations distinguishable is the specific content of their voice messages. Both trained and untrained radio listeners classify number radio station voice broadcasts as oddities, because the patterns they detect there are rather unique and cannot be observed elsewhere (not in the broadcasts of commercial radio stations, two-way maritime communications, radio pirates, or automatic weather information systems). Those unique voice patterns are seemingly meaningless sequences of numbers and (or) letters, more often pronounced by a female voice, which also divides the numbers and letters into groups by making specific pauses and changes in pronunciation. In addition to that pattern, many number radio stations use very unusual call signs (IDs). Listeners who track the activity of number radio stations by recording the content of the broadcast messages very often find that a given group of numbers and letters is pronounced repeatedly, as if repetition were part of the station's schedule. So it seems that whoever organizes the broadcasts wants to be very sure that the messages are received by the target listeners: the people or organizations (or even computers) who can understand and decrypt them.

The voice messages transmitted by number radio stations are either composed in advance with a speech generator or read by a real (human) operator. That should not be a surprise, taking into account the advantage of voice messages: they can easily be received and recorded by the target listeners using simple equipment, namely a shortwave radio receiver, a pen or pencil, and a piece of paper. In most (but not all) cases the transmitted voice messages are read by a female voice, and that is done deliberately to keep the messages intelligible even through a moderate level of interfering radio noise (female voices occupy the upper part of the speech frequency band). To help the target listeners identify their number station, every station sticks strictly to its unique audio fingerprint. That fingerprint usually includes: (i) a unique identity signal that usually appears at the beginning of the broadcast, (ii) a specific (computer generated) voice reading the messages, and (iii) a specific language of the messages (English, German, Russian, Czech, Polish, Bulgarian, Mandarin, Cantonese, Korean). Special audio signals or reserved words might also be part of the transmission, to separate the groups of numbers (or words). The members of the target audience are usually trained in advance to identify that specific fingerprint easily, so that they can locate the number station broadcast by scanning the shortwave bands quickly in case the transmitter needs to change frequency or the frequency is not known a priori.

3. Who is behind the number radio stations

The fact that no organization has ever admitted running a number radio station does not mean that it is impossible to make a reasonable and logical suggestion about who is capable of building and supporting such special and "shady" infrastructure. Every owner and operator of a number radio station has to be able to:

  1. broadcast anonymously on shortwave with high output power, without holding a licence to do so;
  2. organize the broadcast as one-way communication, to keep the target listeners untraceable;
  3. do (1) and (2) for an indefinitely long time without being questioned or investigated.

Those abilities can obviously only be in the possession of someone with long-lasting government support, because exercising them deliberately and repeatedly violates lots of legal and technical norms and contradicts the international agreements regulating high-power broadcasts on shortwave frequencies. Without strong government support the number radio station transmitters would quickly be located and confiscated, and their owners and operators could face arrest, trial, severe fines, and even imprisonment. Therefore, in most cases number radio stations are operated by organizations sponsored and backed by some government: intelligence agencies and army units. There is always the possibility that some number radio stations are operated by criminal syndicates broadcasting from "state-within-a-state" areas which are not controlled by governments.

There are strong arguments in favour of a connection between the best documented number radio stations and certain governments, especially during the Cold War and the 90's. Most of the well known number radio stations of that time were discovered because of the efficiency and persistence of their broadcasts (stable schedule, strong and well directed signal that is easy to detect). Running an efficient number station with great coverage always requires very experienced staff with deep knowledge of shortwave signal propagation, and a significant budget (to build an effective transmission site at the right place). Such assets are unlikely to be in the possession of radio amateurs and enthusiasts willing to create a prank or a conspiracy. For instance, the technical staff working for the owner of a number station must be capable of doing some unique research and tests in advance, before even starting to build the broadcast station. First, they have to search for and locate shortwave frequencies that are of interest (useful for signal propagation, located outside the shortwave broadcasting bands) and not actively used by anyone else. Once those frequencies are located, they need to be "occupied" by running beacons or test broadcasts. Later, the staff might need to repeat that procedure again and again if the currently occupied frequencies become actively jammed or some long-lasting interference occurs. Note that the aim of the occupation is to "mark" the frequency as already taken and prevent someone else from using it. Having the required frequencies located and occupied, the technical staff should concentrate its efforts on solving the most difficult problem: the parameterization. The parameterization requires the output power, the antenna type and its direction, and the signal propagation to be properly estimated in advance, in order to provide reliable reception in the area where the listeners are located. If the goal of the number radio station is to cover with a strong signal several areas far from each other, a very expensive set of special antennas and transmitters has to be used.

There are some specific details related to number radio stations that somehow remain insufficiently discussed. Suppose the number radio stations really are devices for sending encrypted messages to field agents. How do the field agents receive the broadcasts without raising suspicion? It is quite clear that possessing a specially constructed, highly sensitive shortwave radio receiver equipped with a directional outdoor antenna is compromising. Therefore, to remain anonymous, the agents have to use a very ordinary shortwave radio receiver, which anyone around can buy and possess. It is true that nowadays almost nobody buys and keeps a shortwave radio receiver, because modern communications are digital and Internet based, but during the Cold War a radio receiver was something every family had. The suggested use of standard shortwave radio receivers, however, raises the question of how the number radio station operators were able to create a strong signal in the area where the agents were located. After all, if the signal strength is low, the agents cannot hear the messages well and running a number radio station broadcast is pointless. The answer is that most number radio station transmissions are well directed so as to cover certain areas with a strong signal. In those areas the strong signal is easy to receive with a standard radio receiver. One can see how different antennas for shortwave broadcasting (presumably installed at the transmission site) create different types of signal propagation and cover different areas, even if the position of the transmission site remains the same:

One can see in all those diagrams linked above that the areas covered with high signal strength are really wide, and it is not possible to use the shape and position of such an area to infer where exactly the target listeners (the field agents) are. Depending on the conditions and the presence of jamming, more than one transmission site could be needed to sustain the schedule of the broadcasts and the coverage. To run a number station regularly and successfully, feedback containing information about the quality of reception close to the target audience is required. That kind of information makes it possible to correct the output power adequately and fast, to change the type of antenna or its direction, and to select the most suitable frequency, in an attempt to increase the reception quality in the area of interest. The feedback could also reveal the presence of radio jamming. Since the target listeners by default have to remain undercover, they might not participate in submitting the feedback. Therefore the feedback should be provided by someone who is in the area of reception but has no easy-to-trace connection to the target listeners and is unlikely to be arrested and questioned. During the Cold War, the easiest and classical way to receive feedback of that kind was through the staff of the embassies and consulates located in the area of reception. The feedback should be combined with some data from chirp signal reception (see also "R-S-T system") to adjust the broadcasts. Such a feedback procedure also points to government backed organizations; it could rarely be handled by a private enterprise.

Some of the active number radio station transmitters have been successfully tracked by shortwave enthusiasts, and their locations revealed, by implementing a well planned "T-hunting" procedure. Locating a shortwave transmitter which is far away from the receiver generally requires three or more operational, highly sensitive shortwave receivers, equipped with input signal level meters, positioned as far as possible from each other (but not too far from the transmitter), and connected to outdoor directional antennas whose direction can be changed (manually or automatically). Ideally, the positions of the receivers should "surround" the hunted transmitter. Once the number radio station broadcast is detected, the operators of the receivers tune them to that broadcast and start changing the direction of the antennas until the best reception (highest possible input signal level) is achieved. That might be a slow process. Finally, all the directions detected by the receivers should be projected together on a map, in an attempt to plot the area where the transmitter is located. The one creating the plot should be perfectly aware that the Earth is (roughly) an ellipsoid, and plot the direction vectors as great-circle curves following the Earth's surface, not as straight lines, unless the transmitter is located less than a few hundred kilometres from the receivers. Note that when performing shortwave T-hunting, the more receivers are involved in the hunt, the more precisely the area where the transmitter is positioned is estimated. Someone might argue that two receivers are perfectly enough for tracing the transmitter location, since plane triangulation requires only two angles (two directions) and the distance between the locations where the angles are measured. But even if such a statement is correct mathematically, it is totally idealistic and does not take into account the complexity of signal propagation (find details here, and here). The lower the frequency used by the hunted transmitter, the higher the location estimation error, and the more direction measurements at different locations are required to minimize the variance of the transmitter position estimate.
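As an added example (not part of the original post), the script below does the plotting step of that T-hunt numerically instead of on paper: each measured bearing is treated as a great circle on the sphere, the crossing of two circles that lies ahead of both receivers is a candidate transmitter site, and with three or more receivers the pairwise crossings are combined into a centroid plus the largest distance between any two crossings, which is a plain measure of how well the bearings agree. Everything here (the transmitter and receiver coordinates, the bearing errors, the function names) is constructed for the demonstration; the spherical model is a simplification of the ellipsoid the text mentions, adequate at this scale.

```python
"""Direction-finding fix from receiver bearings on a sphere.  Added example;
coordinates are constructed, names are this example's own."""
import itertools
import math

EARTH_RADIUS_KM = 6371.0


def to_vec(lat_deg, lon_deg):
    """Unit vector of a point on the sphere."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    return (math.cos(lat) * math.cos(lon), math.cos(lat) * math.sin(lon), math.sin(lat))


def to_latlon(v):
    x, y, z = v
    return math.degrees(math.atan2(z, math.hypot(x, y))), math.degrees(math.atan2(y, x))


def cross(a, b):
    return (a[1] * b[2] - a[2] * b[1], a[2] * b[0] - a[0] * b[2], a[0] * b[1] - a[1] * b[0])


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def unit(v):
    n = math.sqrt(dot(v, v))
    return tuple(x / n for x in v)


def local_frame(lat_deg, lon_deg):
    """Unit vectors pointing east and north at a site."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    east = (-math.sin(lon), math.cos(lon), 0.0)
    north = (-math.sin(lat) * math.cos(lon), -math.sin(lat) * math.sin(lon), math.cos(lat))
    return east, north


def heading_vec(lat_deg, lon_deg, bearing_deg):
    """Direction of travel at the site for a compass bearing (clockwise from north)."""
    east, north = local_frame(lat_deg, lon_deg)
    b = math.radians(bearing_deg)
    return tuple(math.cos(b) * n + math.sin(b) * e for e, n in zip(east, north))


def bearing_to(lat1, lon1, lat2, lon2):
    """Initial great-circle bearing from site 1 to site 2.  Used here only to
    build the constructed scenario; in the field this is what the rotatable
    antenna reads at the moment of best reception."""
    r1, r2 = to_vec(lat1, lon1), to_vec(lat2, lon2)
    east, north = local_frame(lat1, lon1)
    t = tuple(a - dot(r2, r1) * b for a, b in zip(r2, r1))   # tangent of r2 seen from r1
    return math.degrees(math.atan2(dot(t, east), dot(t, north))) % 360.0


def intersect_bearings(site1, site2):
    """site = (lat, lon, bearing).  Returns the (lat, lon) where the two bearing
    lines cross ahead of both receivers, or None if they never do."""
    r1, r2 = to_vec(*site1[:2]), to_vec(*site2[:2])
    d1, d2 = heading_vec(*site1), heading_vec(*site2)
    g1, g2 = cross(r1, d1), cross(r2, d2)        # normals of the two great circles
    c = cross(g1, g2)                            # the circles meet at +-c
    if dot(c, c) < 1e-18:
        return None                              # same great circle: no fix
    for cand in (unit(c), tuple(-x for x in unit(c))):
        if dot(d1, cand) > 0 and dot(d2, cand) > 0:   # forward half from both sites
            return to_latlon(cand)
    return None


def angular_km(p, q):
    """Great-circle distance in km between two (lat, lon) points."""
    return EARTH_RADIUS_KM * math.acos(max(-1.0, min(1.0, dot(to_vec(*p), to_vec(*q)))))


def fix_from_bearings(sites):
    """All pairwise crossings, their centroid and the largest distance between
    any two crossings (km).  More, better-spread receivers shrink that spread."""
    points = []
    for a, b in itertools.combinations(sites, 2):
        p = intersect_bearings(a, b)
        if p is not None:
            points.append(p)
    if not points:
        return None, [], None
    summed = tuple(sum(v) for v in zip(*(to_vec(*p) for p in points)))
    centroid = to_latlon(unit(summed))
    spread = max((angular_km(p, q) for p, q in itertools.combinations(points, 2)), default=0.0)
    return centroid, points, spread


if __name__ == "__main__":
    tx = (34.6, 33.0)                                   # constructed transmitter site
    rx = [(52.5, 13.4), (38.0, 23.7), (30.1, 31.2)]     # constructed receiver sites
    exact = [(la, lo, bearing_to(la, lo, *tx)) for la, lo in rx]
    noisy = [(la, lo, (b + e) % 360) for (la, lo, b), e in zip(exact, (1.5, -2.0, 1.0))]
    print("exact bearings:", fix_from_bearings(exact))
    print("1-2 degree errors:", fix_from_bearings(noisy))
```

With error-free bearings the three crossings coincide with the transmitter; with errors of one to two degrees (realistic for a rotated antenna and a signal arriving off the great circle after ionospheric reflection) the crossings scatter by tens of kilometres, and the shallow crossing angle of the two northern receivers in the constructed scenario is what hurts most, which is why surrounding the transmitter matters more than adding receivers on the same side.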

The "Lincolnshire Poacher" number station transmitter was successfully T-hunted. Its transmission site was located inside the area of the RAF air base at Akrotiri. Because the air base area is controlled by the British military, one might suggest that the "Lincolnshire Poacher" was most probably an essential part of the infrastructure used by MI6 for sending messages to British agents and representatives in Europe, the Middle East, and Africa. The "Lincolnshire Poacher" is not operational anymore (it seems even the antennas were removed).

The exact locations of most number radio station transmission sites built and used during the Cold War years are unknown. Those sites were closed in the early 90's, when shortwave radio enthusiasts did not yet have the level of coordination needed for T-hunting. Apart from documenting the broadcasts (schedule, audio recordings, observed signal level), the shortwave enthusiasts did not locate the transmission sites precisely. They knew only which country a particular broadcast was coming from: the Federal Republic of Germany, the German Democratic Republic (East Germany, before the unification of Germany), Italy, Poland, Czechoslovakia, Bulgaria, Hungary, the USSR. Taiwan is found to be the Asian country with the longest tradition of running voice broadcasting number radio stations, mainly during the 80's and 90's and occasionally even today, but their activity is not well documented (their area of operations was and remains mainland China, and their transmission direction and output power are dedicated to serving only that specific area). It is unthinkable for an independent private enterprise to run and operate a number radio station in any of the countries listed above, before or after the Cold War, which is in favour of the hypothesis that most number radio stations are run by state-owned agencies.

One of the previous locations of the transmitters of the famous UVB-76 "buzzer" number radio station has been discovered by T-hunting. Some of the Russian shortwave enthusiasts involved in the hunt managed to visit the building that used to host the transmitter and antennas. They found abandoned Soviet military radio equipment and logs there. Some of the currently active UVB-76 transmission sites have also been located and reported. It seems that UVB-76 uses more than two transmission sites.

After the unification of Germany, a large number of speech generators were found abandoned inside the communication centres used by the Stasi. By comparing the speech they produce with that found in the audio recordings documenting the activity of the East German number radio stations during the Cold War, it is easy to identify the Stasi as a number radio station operator.

4. Whom the number radio stations broadcast to

It is explained above why intelligence services and the military are the organizations most suspected of running most of the known number radio stations. If that explanation is true, the target listeners of number radio station broadcasts are agents or military units. If the hypothesis that some number radio stations are run by drug cartels is true, their audience might consist of drug dealers (suppliers) or drug producers.

Some of the target listeners must be very experienced. Some number radio stations broadcast using single-sideband modulation (SSB), either LSB or USB, to extend the coverage of the broadcasts effectively. Starting from the 80's, some of the advanced shortwave radio receivers have been shipped with modules for receiving SSB broadcasts. But even with the module built in, some experience in tuning is required. Due to the lack of evidence, it is not clear who the target listeners of the SSB broadcasts transmitted by some number radio stations are. For some field agents, having a receiver with SSB reception might be dangerous. On the other hand, if the target listener is an embassy, a military unit, or some large enterprise, it is natural for them to be able to receive SSB broadcasts. Note that SSB can be received without obtaining a special receiver: any regular shortwave receiver can be used in combination with a low-power and very simple shortwave oscillator placed next to it, which reinserts the missing carrier by deliberately "interfering" with the signal (an external beat-frequency oscillator). The oscillator does not need to be incorporated into the circuit of the receiver; it is used as a stand-alone device. It might be used by field agents.

5. What kind of communication protocol do the number stations use

This is the most intriguing question when it comes to explaining what the voice messages really contain and what kind of protocol is used for hiding the real content. Unfortunately, no information regarding the content of the messages has ever been made public. Still, one can make a good guess at how the messages are encrypted and how they could be decrypted. Of course, without the decryption key, even if the protocol for composing the messages is known in detail, their content will remain unknown. The good news is that almost anyone good at finding, tracing, analysing, and reproducing data modes might be perfectly capable of guessing the protocol implemented for creating the encrypted messages and mimicking it.

To make their communication unbreakable, the number radio station operators have to use an encryption key which is different for every message and cannot be related to the clear text. The most secure way to do that is to employ one-time pad (OTP) based encryption. Using a pad, the clear text is encrypted symbol by symbol (including spaces, commas, and other "special" symbols). The result is an encrypted message block consisting of a sequence of groups of numbers and/or letters. Without the same pad at the receiver, those groups cannot be turned back into the original clear text, even in theory: every clear text of the same length is equally consistent with the ciphertext. If it is implemented properly (a truly random pad, every pad symbol used at most once, the pad kept secret and destroyed after use), OTP based encryption creates no patterns in the encrypted text and is resistant to any kind of cryptanalysis, known or future.

Different types of content require different symbol sets, called "alphabets". For instance, an alphabet for encrypting standard text messages can contain all English letters, the digits 0 to 9, the space, and special symbols (like ".", ",", "/", "#", "$", and many more). If the content to be encrypted contains only numbers, an alphabet containing mostly numbers should be used. The symbols are taken at random from the alphabet to compose an OTP. A collection of one-time pads is called a "code book". Every symbol used in a pad has to be marked properly, so that it cannot be used twice. After the encrypted message is created, the pad used for encrypting the content needs to be destroyed immediately and effectively.

Sometimes it is not possible to use a carefully generated OTP. For example, if the field agent cannot carry or regularly receive code books, the messages can be encrypted and decrypted using as a "pad" some very ordinary book (like "The Hound of the Baskervilles" or a cookbook) that can be found in every book store or library. With this method every symbol of the message is represented (encrypted) as a sequence of three numbers: (i) the number of the page, (ii) the number of the row, (iii) the position in the row of the symbol to encrypt. The number radio station operator and the field agent have to agree in advance on which book to use (title, edition, publisher). Note that this is a book cipher rather than a true OTP: the "pad" is ordinary language text, not random symbols, so its security rests entirely on the choice of book remaining secret and on positions never being reused.

To make the encrypted messages impossible for any third party to analyse, all transmitted messages have the same size. That means that somewhere inside the message there is a specific combination of symbols saying "here is the end of the message", and all groups from that position to the end (up to the fixed size) are just random numbers or encrypted empty spaces taken from the currently used pad. In addition, to prevent even guessing whether the content of a message is related to some event, the broadcasts have to be made regularly, according to a specific schedule which never changes. In that case some or most of the messages are sent empty, but only those holding the decryption key can tell, and skip the decryption of the rest of the block.

Given below is an example illustrating the use of a code book and OTP.

Example: Creating an encrypted message of a fixed length

Let us encrypt the clear text message:

Hello World 1 2 3

using the code book of 12 pads provided in Appendix A, a message block length of 30 four-digit groups, and adopting "/=" as the string terminating the actual message text. All groups describing a symbol positioned after the termination string are not considered part of the message.

The clear text encryption is organized as follows:

  1. Choose a pad containing (at least once) the sought symbol.
  2. Randomly select one of the two-digit pad ID numbers printed below the pad.
  3. Select a cell containing the sought symbol inside the pad table and take the corresponding row and column numbers.
  4. Compose the group by concatenating the pad ID number selected in (2) and the row and column numbers taken in (3). Do not use the same group again while using the same code book.

One can perform step (4) the other way round: put the row and column numbers first and the pad ID number afterwards.

The result is a sequence of 17 four-digit groups:


Another 13 groups of random four-digit numbers need to be appended to this message to reach the required message length of 30 groups:


Note that the groups 4234, 0293, 0332, 9283, 2203, 7043, 7273, 8001, 2437, 0042, 9417, 5207, 4100, 4922, 1389, 4044, 5672, 1211, 0969, 4742 are just randomly generated numbers (they are not based on the content of the code book pads and are not part of the plain text message).

At this point the message groups composed above can be broadcast by the operator of the number radio station.
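The procedure of section 5 and the worked example above, implemented end to end as an added example (this is not code from the original post). The code book built here is constructed for the demonstration: 12 pads of 10x10 cells, the two-digit pad IDs 00..99 shared out among the pads, and a weighted "synthetic alphabet" of this example's own; it is not the book printed in Appendix A, and CodeBook, encode_message and decode_message are names chosen here. Because every ID from 00 to 99 belongs to some pad, every four-digit group maps to exactly one cell, which is what lets the random filler after the terminator look no different from real groups.

```python
"""Code-book encoding of a fixed-length number-station message.  Added example;
the code book is constructed and the names are this example's own."""
import secrets
import string
from dataclasses import dataclass, field

TERMINATOR = "/="      # end-of-text marker adopted in the post's example
GROUP_COUNT = 30       # fixed block length, in four-digit groups
PAD_COUNT = 12
PAD_SIZE = 10          # 10 rows x 10 columns = 100 cells per pad

# Constructed alphabet.  Repeating a symbol (space, common letters) makes it
# land in more cells, which is what Table A1 does for frequent characters.
ALPHABET = list(string.ascii_letters + string.digits + " .,/#$%@*()+-=") + list(" " * 12 + "eatoin")


@dataclass
class CodeBook:
    pads: list            # pads[p][row][col] -> symbol
    ids_of_pad: list      # ids_of_pad[p] -> the two-digit IDs printed under pad p
    pad_of_id: dict       # two-digit ID -> index of the pad it belongs to
    used_groups: set = field(default_factory=set)

    @classmethod
    def generate(cls):
        rng = secrets.SystemRandom()
        # One copy of every distinct symbol guarantees each is encodable; the
        # remaining cells are drawn from the weighted alphabet.
        cells = sorted(set(ALPHABET))
        cells += [rng.choice(ALPHABET) for _ in range(PAD_COUNT * PAD_SIZE * PAD_SIZE - len(cells))]
        rng.shuffle(cells)
        pads = [[[cells[(p * PAD_SIZE + r) * PAD_SIZE + c] for c in range(PAD_SIZE)]
                 for r in range(PAD_SIZE)] for p in range(PAD_COUNT)]
        ids = list(range(100))
        rng.shuffle(ids)
        ids_of_pad = [ids[p::PAD_COUNT] for p in range(PAD_COUNT)]
        pad_of_id = {i: p for p, group in enumerate(ids_of_pad) for i in group}
        return cls(pads, ids_of_pad, pad_of_id)

    def take_group(self, symbol):
        """Steps 1-4 of the post: pick, uniformly among all still unused
        (pad ID, row, column) combinations holding `symbol`, one four-digit
        group, and mark it used so it is never emitted again."""
        candidates = [f"{pid:02d}{r}{c}"
                      for p, pad in enumerate(self.pads)
                      for r in range(PAD_SIZE) for c in range(PAD_SIZE)
                      if pad[r][c] == symbol
                      for pid in self.ids_of_pad[p]
                      if f"{pid:02d}{r}{c}" not in self.used_groups]
        if not candidates:
            raise ValueError(f"no unused group left for {symbol!r}; change the code book")
        group = secrets.choice(candidates)
        self.used_groups.add(group)
        return group

    def symbol_of(self, group):
        pid, row, col = int(group[:2]), int(group[2]), int(group[3])
        return self.pads[self.pad_of_id[pid]][row][col]


def encode_message(book, plaintext):
    """Encode plaintext plus terminator, then fill up to GROUP_COUNT groups."""
    if TERMINATOR in plaintext:
        raise ValueError("plaintext must not contain the terminator")
    groups = [book.take_group(sym) for sym in plaintext + TERMINATOR]
    if len(groups) > GROUP_COUNT:
        raise ValueError("message does not fit the fixed block length")
    # Filler: plain random numbers, not taken from the book, as in the post.
    groups += [f"{secrets.randbelow(10000):04d}" for _ in range(GROUP_COUNT - len(groups))]
    return groups


def decode_message(book, groups):
    """Receiver side: every group maps to exactly one cell, so the filler decodes
    to junk, which is discarded as soon as the terminator has been seen."""
    text = ""
    for group in groups:
        text += book.symbol_of(group)
        if text.endswith(TERMINATOR):
            return text[:-len(TERMINATOR)]
    raise ValueError("no terminator: block is not a well-formed message")


if __name__ == "__main__":
    book = CodeBook.generate()
    block = encode_message(book, "Hello World 1 2 3")
    print(" ".join(block))
    print(repr(decode_message(book, block)))
    print(repr(decode_message(book, encode_message(book, ""))))   # an "empty" message
```

Two details worth noticing when running it: an "empty" message is a block of 30 groups like any other (only the receiver learns, after two groups, that there is nothing in it), and encoding the same text twice never produces the same group twice, because used_groups is consulted on every symbol; a real code book has to record that on paper, which is what the post's instruction to mark used symbols is about.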

If you are interested in building a small prototype of a number station to broadcast the encrypted message, this video tutorial explains how to do so using a Raspberry Pi and a Python application.

Appendix A. The synthetic alphabet and the code book

Table A1. The synthetic alphabet providing the symbol space for generating the pads in the code book. All empty cells in the tables are also part of the alphabet. Repeating a given symbol in the alphabet skews the probability of that particular symbol being inserted in the pads. Note that the symbols "█" are not part of the alphabet.



Table A2. Code book of 12 pads. Each pad contains 100 symbols (10 rows by 10 columns). The symbols are randomly selected from the synthetic alphabet symbol set given in Table A1. In the listing below the leading digit of each line is the row number; rows made only of empty cells, and trailing empty cells, are not visible in this text listing.
Pad number: 01
1r=)hp+ / d
2v i9vS)SH*
3(XgSke bvE
5 %J5H@L#0
6 m( %(+(#,
8WQ q9QO#k
92dH/K)q) /
ID: 74 50 30 21 66 37 23 00
Pad number: 02
0(tODO .w#.
4,I 6%@.dxT
5B*b*M,O /(
6P%) - rS#-
81 H47,eBz9
9bGdp9z Z/a
ID: 04 39 55 51 38 03 72 32 10
Pad number: 03
0@) (+Qwe N
1*5zu@ j#6%
2S%#Y)Tl7 H
3pv+/ amer
4.X- iHYy.+
5)=V.) f#N,
8/89)l @YQ
ID: 11 84 36 92 89 52 27 97
Pad number: 04
0T,.Ha, qi@
3qj)Vv --EF
4=l7E pfJA
5J )ZL3(=K)
6/. 2U.D.Z-
8r#,L +uwlA
ID: 95 77 19 42 88 16 46 96
Pad number: 05
1,yYz J qM
2JNpZ* FBh*
3 N%HpZ@c(z
6 -#H+AA,)N
7+,O/vu f *
8) .FcdDvc,
9V Yj@JHanj
ID: 67 26 87 56 68 33 28 79
Pad number: 06
1)g( #w .qY
2 D jvJB *
51YTtY8 ny)
6p,VUI- mWf
7T gQqKRpwZ
9S3)p )Pz()
ID: 69 48 82 41 91 02 20 99 75
Pad number: 07
1 =A, 5=qNe
5* ZG apVyA
6/y,* U)G
8qI/TS N +
9) s/F aOs+
ID: 86 85 47 35 90 78 73 18
Pad number: 08
0@H5mq=h# J
1 /U*B p mJ
3C-/yL%(i I
4yFU. tDQVy
5suYFV q@z
6s3 (KcdIHT
ID: 34 98 15 08 53 13 58 09 81
Pad number: 09
0@-C@c =p.e
1atq l Wu+A
2 @d YXtYOb
5q d,qfI-,
7qE.Got e/j
8+.Wj,J d d
ID: 71 01 25 17 64 22 07 83 93
Pad number: 10
0qLG =m.+B.
1ii2 7)tsog
2 4+dJa)-H.
3Qh@bI-, vp
4/(.,(qv @x
8#H -@DErG
9gp I,,nc-L
ID: 45 12 06 63 59 65 49 14
Pad number: 11
0 vQ5RKoL8/
2r,YizGC- *
5G.FB -CaNo
6v(W +OSdQ,
9*pc LP,em=
ID: 61 60 54 05 94 44 57 43
Pad number: 12
05I. q+j#f,
2z lpSwdiMF
4ArFYL#Y i+
6 hfvJFZqdx
8XQ%E, Qzx=
ID: 24 62 31 76 80 40 29 70