OPSEC and RF Security

Modern radios are made to be used by people with little training or experience. Usually if two radios are set to the same frequency, two people can start using them effectively in very little time. Radios are used in warehouses, department stores, hotels, film sets, and a myriad of other locations. The information in this blog may seem to be overkill, but these procedures are intended to work in a high threat environment where bad radio procedures put lives at risks. Here, we will look at some of the security implications that come about from radio use.


Operational Security, (OPSEC) is the process of keeping information that could be used against you from your adversaries. There are several broad categories of information that we will focus on. We want to deny our enemies information that can reveal the following information:

1) Capabilities. By knowing what your group is capable of, an enemy can act so as to negate your strengths, or deny you employing your capabilities to their fullest effect. If an enemy knows you are capable of shooting down helicopters, they will limit their use of helicopters in your area of operations to deny your group those kills.

2) Limitations. By knowing what your group is not capable of, an opponent can exploit those limits for their own gain. If your opponent knows you can not shoot down helicopters, they may use more helicopters to move about, so as to avoid ground based IED’s, and ambushes.

3) Identification. Personal and functional identification can both help an adversary against you. a)Functional identification is identifying the purpose of a group or unit. Observing a bunch of men in uniform is some information, but being able to determine if they are a logistics company, vs a medical treatment team, vs special forces unit all dictate different reactions.
b) Personal identification is identifying individual people within a group. Knowing that the commander of a unit is Captain John Doe, of 1234 main street, Anytown, would allow an adversary to possibly pressure or otherwise compromise Captain Doe’s family, and thus gain an advantage.

4) Location. Knowing where a unit is allows an opposition force (OPFOR) to maneuver to intercept, block, avoid, attack, or follow that group. If OPFOR knows you are based on north ridge of Candy Mountain they can plan an appropriate attack.

5) Intentions. Knowing what a group plans to do allows for the enemy to take actions to reduce the effectiveness of those actions. If your enemy knows you plan to attack an outpost tomorrow at dawn, they can move in reinforcements, or set a trap, or move to intercept before you arrive, ect…

6) Activities. Knowing what you are doing at the current time allows your adversary to adjust their plans accordingly. If your adversary knows you are currently setting up a camp, then they can probably assume you are not about to attack them, and operations they carry out at that time are safer to execute.

7) Effects of enemy action. Knowing what effect their own actions have had on your group will allow an enemy to adjust their planning and operations to better effect. If an enemy knows that their last attack was very effective, then they will continue to carry out the same kind of attacks, where as if an attack had little or no effect, they may change their methods.

Information from any of the above categories may also give the enemy information in other categories. Knowing your intent to go to a certain position at some time in the future, reveals a future location. Identifying a units function hints at some capabilities and limitations. That is why it is crucial for OPSEC to protect this information.

Imagine the following radio exchange between an infantry platoon, B1, and their command, B6:

B6: “Team 1, Team 1, this is command, do you copy? Over.

B1: “Command, this is Team 1, go ahead. Over.

B6: “Hey Bob, we took a licking from OPFOR yesterday out by Candy Mountain. They destroyed our HF radio, so we do not have any long range commo at the moment. Well, anyway, we are going to attack their outpost on the north side of Happy Valley tomorrow morning. Rendezvous at Grid 1213141589 at 0500. We will place the mortars just east of that location, and attack at 0600. Over.

B1: “Roger, We copy all that, Frank. We will head out tonight, and layup about an hour south of the rendezvous, until 0400, and then head in. see ya there, and stay safe. Over

B6: “Roger that Bob. Team 1, this is command. Over and out

The above exchange is full of OPSEC violations. Personal ID of Frank, and Bob; functional ID. of command and team; capabilities of having mortars, limitations of command not having a HF radio; locations of the rendezvous, layup, and mortar positions, intent of their plan and the effect of the previous attack. It is a goldmine of information for the OPFOR. Based on this information, the OPFOR can ambush Team 1 in route to their layup, or rendezvous, or sabotage the mortar position, or attack the rendezvous before Team 1 links up, or reinforce their outpost, or vacate it and lay traps, ect…

We can mitigate these OPSEC violations by following the standard operating procedures (SOP’s) found in Volume 1 of the Signals Handbook.    By only transmitting what is necessary, and by following the proper format, The above exchange becomes the following:

B6: “Bravo 1, Bravo 1, This is Bravo 6, Over.

B1: “Bravo 6, This is Bravo 1, go ahead, Over

B6: “Rally at Grid 121314589, at 0500. Over.

B1: “Wilco, Out.

We can see with this new exchange, we have eliminated a lot of the OPSEC compromises. There is still a location, and some intent, but it is a lot less actionable than the first exchange. Any additional information about the attack, or mortar positions can be exchanged by B1 and B6 in person at the rendezvous.

By following good SOP’s we can reduce, but not entirely eliminate OPSEC compromises. We can further reduce our OPSEC compromises by employing good COMSEC.


Communications Security (COMSEC) is the process of protecting the content of our communications. There are a number of approaches that can be used to implement COMSEC, from technological to procedural. Technological methods include encrypted radios, frequency hopping radios, steganography (hiding communications within other messages), and certain bands or modes of radio communication. Procedural methods include using codewords, codebooks, and manual encryption.
Good COMSEC lets us achieve better OPSEC.

Looking at the exchange above, we see that the OPSEC compromises still there are the grid location, and time to be there. Since “Bravo 1” and “Bravo 6” are following army convention then it also hints that B6 is command, compromising functional identification, so just by adding code names and DRYAD based encryption (As discussed in Volume 1 ) we can remove the rest of the OPSEC compromises:

B6: “Whirlwind, Whirlwind, This is Thunderhead. Over.

B1: “Thunderhead, this is Whirlwind. Go ahead. Over.

B6: “Rally at grid I set Charlie, November, Quebec, Yankee, Alpha, Foxtrot, Juliett, X-Ray, Bravo, Hotel, at time, I set: Lima, India, November, Foxtrot, Victor. Over.

B1: “Wilco. Out.

Now our transmission only tells them that we will be going somewhere, sometime. By using the DRYAD encryption we are denying them information about location and time. If we deem that even that little bit of information is too much of a compromise of OPSEC, we can either encrypt the whole message via a one time pad, or use the a codebook and the DRYAD sheet to also encrypt the “rally” and “time” parts of the message.


Another part of the OPSEC plan should include transmission security (TRANSEC.) Because an opponent may be using signals intelligence, (SIGINT) we need to take measures to minimize the radio signals they can detect. The longer a radio is transmitting, the greater chance the opponent’s SIGINT element will detect it, and possibly radio locate, or radio direction find the transmitting radio.

The simple fact that a radio transmission is being received at all, may give a rough idea of the location of the transmitter, and radiolocation can pinpoint it, compromising the location. This is a breach of OPSEC. Even if everything is encrypted, link analysis (keeping track of who talks to who) can allow an analyst to get some general functional identification of units, such as defining what element is the command and control element. This breach of OPSEC would allow a small enemy force to determine which unit to attack yields the biggest reward.

There are a number of methods that help improve TRANSEC. The most important method is to only transmit when absolutely necessary for the mission, or the security of other friendly or allied units.

When transmissions must be made, keeping them short helps TRANSEC, as well as changing frequencies at regular intervals. Use the lowest transmit power needed to make the communication. Use directional antennas. Use unusual bands or modes.

D) Threat SIGINT Capabilities

The United States armed forces employ high levels of TRANSEC and COMSEC technology, and procedures when operating in a hostile environment. Those technologies and procedures are supported by thousands of personnel at every echelon of the force. Unfortunately, a small team does not have the resources to execute every COMSEC and TRANSEC measure. For the purpose of this handbook, we will divide threat forces SIGINT capability into 5 categories.

1) None. When there is no adversary or opponent, there is no one to offer any SIGINT threat. We operate in this condition for some administration and camp duties. It is also appropriate for training that is not focused on communications. For example, range safety officers communicating with each other over a large rifle range.
We do not need to take any special precautions in a no SIGINT threat environment.

2) Low. We consider it a low SIGINT threat when we do not have a defined opponent, or our opponent is not likely to have any active SIGINT capability. A looting gang in the aftermath of a natural disaster would be an example of a low SIGINT threat. In this environment, our biggest danger is “inadvertant SIGINT” If some people in the threat group are using some commonly available radios such as FRS/GMRS or CB radios, and our group also uses those same types of radios, then there is a chance that we accidentally end up on the same channel as the threat group, and they may hear our transmissions.
Precautions to take in a low SIGINT threat environment include using radio SOP’s to keep transmissions short and to the point. Code words and code names generally provides enough COMSEC to foil any OPFOR listening to our transmissions. If available, use radios that are not as common as CB, and FRS/GMRS.

3) Medium. We define a medium SIGINT threat as a group that has nascent SIGINT capabilities. This may include professional criminal organizations, or other small tactical teams/groups. The equipment used would most likely be one or several handheld radio scanners. Most commercially available radio scanners these days can scan or search the VHF and UHF radio bands, and can listen to FM analog voice transmissions. Some of the newer (and more expensive) scanners can also decode the APCO/P25 digital voice transmissions that many public safety agencies are switching to. If the public safety agency is using encryption on their radios, however, the scanner cannot decode it. Medium SIGINT threat groups may also have persistance, and record radio intercepts, and perform intelligence analysis on radio activity. Basic link analysis may be employed.
Precautions that should be taken against medium SIGINT threats include using radios that do not use analog FM voice, or P25 digital. Using unusual frequencies, and of course keeping transmissions to a minimum will help with TRANSEC. If you are able to use non-P25 digital modes, then code words and code names should suffice for COMSEC. If you must use analog or P25, then you should employ full COMSEC measures including one time pads, and DRYAD/code book encryption.

4) Advanced. Advanced SIGINT threats are groups that contain as members: radio experts, avid scanner hobbyist, or communications professionals with access to professional level equipment. They will have more capabilities than can be offered by just having scanners. They may have surveillance receivers, spectrum analyzers, frequency counters, wideband receivers, or computer based “software defined radio” (SDR) receivers. An advanced SIGINT capability may be able to decode any non-encrypted digital communications, and may have radio direction finding and radiolocation systems. They will also perform intelligence analysis on all radio activity.
Precautions against advanced capabilities include all “medium” precautions, but only employing full COMSEC. Nothing should be sent un-encrypted.

5) High/professional. High SIGINT threat opponents include professional military, and large government law enforcement agencies. They will have well funded SIGINT capabilities with multiple professional staff. They will be able to call on experts around the world and devote tremendous resources to breaking your OPSEC. They may have computer hackers, and technologists that can derive OPSEC information from other electronic sources.
Precautions against professional SIGINT threats: do not use computers or radios. If you absolutely must, then keep use to a minimum, and be crafty. Expect being crafty to fail.

Hack a TYT MD-380 radio for DMR scanner

Jailbreak firmware now available for cheap digital walkie-talkie allowing DMR scanning


In the last years, DMR and MOTOTRBO (a.k.a. TRBO a Motorola Solutions branded DMR Radios ) has become a very popular digital voice mode on the UHF and VHF bands and the MD380 radio is the latest cheap DMR walkie-talkie to come out of China.

The question is, is it any good? The longer answer is slightly more complicated, and involves discussing the difference in price between this radio and other more expensive, but higher quality, radios. But i can tell you that a group of hams here recently purchased the Beihaidao DMR radio (also sold under brands like Tytera, KERUIER or Retevis) and have been having excellent results with them.

Every once in a great while, a piece of radio gear catches the attention of a prolific hardware guru and is reverse engineered. A few years ago, it was the RTL-SDR, and since then, software defined radios became the next big thing. Last Shmoocon, Travis Goodspeed presented his reverse engineering of the MD380 digital handheld radio.
The rest HERE! <— clickable link

What Radio?!?!


A lot of folks ask “What radio should I get?”
Without defining WHY they need a radio, it can be hard to give a good answer.

All Radios3

So lets look at the “why” of radio, and see how we can better narrow down our answers.

Tactical Communications:
When the mutant zombie bikers are approaching your home, and you have a small team, radios can become a force multiplier by coordinating different tactical elements. They allow you to communicate via short distances, beyond what you could do by shouting or hand signals.
Typically tactical communications will be carried out by handheld 2-way UHF.VHF radios. Included are FRS, GMRS, MURS, HAM, CB, ISM, SMR, and business band radios.
As the size and scope of operations increase, it may require the addition of larger base and mobile radios, repeaters, and relays.
We can sum up Tactical communications as communications that need to happen RIGHT NOW.

Not every communication, however, is “tactical” in nature. Some communications can be catogorized as more stragetic and planning in nature. Calling a freind 100 miles away to say “come over to my house when you get a chance”, or “meet me at 10:00pm tomorrow at the old bar” are more planning in nature. The communication does not have to happen right away. Additionally health and welfare messages, such as “Tell mom I am fine”, or “Happy birthday old man” can improve morale and reduce anxity. Finally, logistics fall into the category of strageic coms. “I need 12 cases of MRE’s and 1000 rounds of 5.56mm ammo” is an example.
Typically, Strategic coms are defined by the non-immediate nature, and longer ranges needed.
Using commercial infrastructure, we could use cell phones, land line phones, text messaging, email, and satellite phones.
We find that in times of disaster and crisis, commercial infrastructure may be overwhelmed, or non functioning, so we look to 2-way radio solutions. The most common is High Frequency (HF) ham radio. Typically HF ham uses a base or mobile radio and large (30 feet to 200 feet long) antennas.

About the only way to get long range with handheld radios is to connect to linked repeater systems, that may or may not be functioning, depending on the nature of the emergency.
There are some specialty methods of long range non-HF communications, but they generally require technical proficiency on both ends, and a lot of practice. They include troposcatter, moonbounce, hamsats, meteor scatter, etc. These are all ham techniques that can use smaller directional UHF/VHF antennas or transverters.
There is no solution to the “I want a handheld radio under $100 that I can talk to my cousin 200 miles away and does not need a license, or use commercial infrastructure.”

The final category of “why” we need a radio is for situational awareness. Knowing that the bridge on your planned route out has collapsed can save time and maybe even lives. Knowing where trouble is, and isn’t, what dangers have occured, and what problems others are having can all help in the decision making process.
Often over looked, but still valuable is a portable reciever that can listen to AM/FM radio and broadcast television. Local TV news can help keep informed as to major events, and can also pass on official messages covering anything from where emergency food and water can be picked up, road closures, curfews, evacuation areas, etc.
Satellite radio, Free over the air satellite television, and shortwave radio receivers can listen in to national and international events. That may or may not be relevant at the time but are nice options to have.
A UHF/VHF scanner (sometimes referred to as a police scanner) if properly setup and matching local public safety networks can allow you to hear first responders, and stuff that will never be broadcast on TV or commercial AM/FM radio. You can tell by tone and coordination if law enforcement are in control of riots, or are being out manuvered. You can tell how much disruption is happening based on the volume of calls and responses. Scanners can also listen in on business, railroad, and avaition frequencies, which may or may not help your situational awareness. Also having a scanner that can listen to common tactical 2-way radio frequencies may alert you that another group is operating in your area.

If you are in an area near interstate or arge highways, a CB radio on channel 19 can let you know road conditions. While it isn’t used as much as it used to be, most truckers still listen to channel 19 anc can pass on info regarding traffic, closures, speedtraps, wrecks, checkpoints, etc.

If you are near a large body of water, or ocean, having a handheld marine VHF radio can keep you abreast of what is happening with boats (although many scanners do cover marine frequencies.)


Finally a ham multiband HF radio, (even if you don’t have a licence and transmit) can be useful to listen to other hams in your area, and other areas, passing on information that is not going to be transmitted on official channels. (Most scanners do not cover ham HF frequencies)

In conclusion, there is no “one” radio that does it all. If you and your group are serious, you will have multiple radios to cover all of the different commo requirements.

Hope this helps

Chinese radio performance


QST magazine just published an article where they tested radios at ham conventions to see how well the radios met the compliance specifications set forth by the FCC.

The results: the cheap Chinese radios such as Baofeng, TYT, and Wouxun, all performed miserably, with sometimes half not meeting FCC standards.   But what does that actually mean?

Typically, the radios transmit “spurious emissions” which means they are emitting RF signal on frequencies outside where they are supposed to be transmitting.   That could show up as a wider bandwidth signal, such as a 25kHz signal actually taking up 35kHz or 40kHz, or it could manifest as harmonics and hash on other frequencies.

This has two effects.   First, because the transmitter is emitting on frequencies we are not expecting, we could be interfering  with other legitimate transmissions. (That is why the FCC has limits on spurious emissions in the first place)
Second, those inefficiencies are wasting RF power on signal that reduce the efficiency of our transmission.  If your radio is outputting two watts of power, but has lots of spurious emissions, only 1-1/2 watts may be on your actual frequency.

What does all this mean for the end user?
First, without specifically testing your particular radio, we don’t know if it meets specs or not.   If, however you are using a cheep Chinese radio, the chances approach fifty percent that your radio doesn’t meet spec.
If your radio is out of spec, it will still work.   When you transmit on a frequency, someone on the same frequency, and in range will still be able to hear you, and transmit back to you.   Everything will seem to be working.   You just will not get quite the range on your radio that someone with a more efficient radio will get, given everything else the same.   Does that matter?  It may, or may not.   It would most notable at the fringe of your range.

The other downside is that the spurious emissions may interfere with other radio users.   If you have a large group, adjacent channels may be interfered with by wider than spec bandwidth transmissions.   Depending on the frequencies involved, it may also interfere with other unrelated radio users, (which also increases your chance of being detected.)

Finally, if the interference is frequent or severe enough, it may result in the FCC getting involved, notices, and possibly even forfeiture of equipment. (Very rare, but still exists within the realm of possibility.)

The gun analogy:   A cheap Chinese radio will transmit radio waves just like a cheap, poorly put together rifle can shoot out bullets.   If all you need is to send bullets downrange, regardless of accuracy, then any rifle will do.   Likewise, if all you need to do is transmit some RF, any radio will do.   If you need better than 20MOA accuracy however, you might need a little better quality gun, and if you need better RF performance, you might want a better quality radio.  Sometimes you do get what you pay for, or in some cases, you don’t get what you don’t pay for.



Sparks31 upcoming classes!

Link Here!!!

From the link:

These classes are a combination of the beginner and intermediate courses.

The class will revolve around the basics of low power/qrp/covert operation with low-profile/improvised antennas, and communications monitoring focused for VHF/UHF COMINT.  It is strongly advised that the attendee have at least a general class ham license, as HF operation will be involved. If you don’t have a general license, you can do a COMINT/monitoring track on the Sunday FTX.

Topics to be discussed will include:

  • Considerations for III%er/Grid-Down Communications
  • Equipment Selection
  • Improvised Antennas
  • Low Profile/Covert Operations
  • Basic Cryptographic Systems and Techniques
  • Non-Radio Communications Options
  • IFF (Identification Friend/Foe) and Interoperability System Considerations
  • Basic Improvised Surveillance/Security Systems – Off The Shelf Solutions
  • VHF/UHF Communications Monitoring/COMINT (Communications Intelligence)  Equipment and Systems
  • Basic COMINT and COMINT Analysis

“Tactical” vs “Prepper” radio usage

All Radios3

One of the comments I frequently received when the Signals Handbook, Volume One was released, was that it was to “tactical” and military oriented.   Indeed, it was, because that is the intended audience.   After browsing through many radio and communication threads on various discussion forums, it seems that some folks can’t separate the different ways a radio can be used.   Radios are a valuable tool for “preppers” and other preparedness minded people.   They can be used to monitor the local, and national situation.   They can be used to call for help.   They can be used to notify friends, family, and loved ones of someones status and well being.   In short, they are a great prep tool.   But that is not all they can do.   Radios, and other signal methods can also be used for the protection and security of ones group.   It is this niche application that the signals handbooks are being developed.   Depending on the situation, any small group may face threats from the outside world.   It is this rare, but dangerous condition that the small team can be greatly aided by good COMSEC procedures, proper radio discipline, and a little bit of practice.

For more info on the prepper side of communications, check out Spark31’s “Grid Down Communications”

Link HERE!