Signals exploitation isn’t the oldest profession, but it’s a far older trick than people tend to imagine. History is replete with examples of famous messengers thwarting interception; the whole concept of running 26.2 miles is named after one such incident. But hiding messages inside the messages of others, through technological means? Surely, that must be a modern phenomenon.
It is, if we accept a definition of modern that extends back as far as the 1830s.
Consider, if you will, the story of the Blanc Brothers, traders in Bordeaux with a vested interest in receiving financial information about the markets in Paris before any of their competitors. As relayed in a tale that swept the internet last year, the brothers took advantage of an existing signal network, the Chappe Optical Telegraph.
I’m Kelsey D. Atherton, reporting from Socorro, New Mexico, and I’m going to talk about adversaries in the loop.
While simplistic by modern standards, the Optical Telegraph could relay messages in minutes over great distances. The infrastructure itself was extensive; human operators crewed towers spaced every six to nine miles, where they received signals, transcribed them, and then relayed them to towers further down the chain using the positioning of a wooden crossbeam with indicators on each end. The hack, as comically detailed in depth at the Sophos Naked Security blog, involved a conspiring tower agent and the edit function in the message relay system.
By transmitting a signalling message, followed by a “please disregard” code, the Blanc brothers were able to hitch-hike data on a military intelligence network, a plot that worked from 1834 to 1836 until their accomplice got sick and had to turn the station over to a new operator, who wanted no part of the plot and instead revealed it to authorities. Without a law on the books specifically against hacking the network, the brothers walked and, presumably, abandoned the crime.
What was extremely novel 185 years ago is now the default assumption of people managing communication networks. The fidelity and integrity of signals, the possible paths of injection through human compromise, the harmful code self-erasing to avoid detection, all of this is the baseline of risk in 2019.
It is also a parable of the limitations of security through obscurity. The messages remained undetected in part because no one sought to look for them, but also in part because there was no audit by interested parties to see if, hey, maybe the logs reveal something that the end message obscures. Obscurity as a security strategy at best buys time, but it isn’t a guarantee even of that. With more eyes on the code, it’s possible the Blancs would have been found before their accomplice gave the game away.
Obscurity, after all, only works when people don't know what to look for.