Identifying Transmitters with CTCSS Fingerprinting
Oona Räisänen is a RF hacker and enthusiast who has in the past brought us posts about decoding burger pagers in restaurants, decoding wireless bus signs and FM-RDS with SDR’s like the RTL-SDR. This time she has written an interesting post that shows how she can “fingerprint” radio transmitters by analysing their CTCSS transmissions. CTCSS is short for “Continuous Tone-Coded Squelch System” and is a low frequency tone added on to some transmissions used in handheld radio systems shared by several distinct groups. The CTCSS tone prevents users of a shared system from having to listen to other users talking if they are not part of the same group with the same CTCSS tone frequency. CTCSS provides no means for actually individually identifying a radio.
Oona wanted to see if she could fingerprint and thus identify individual radios by their CTCSS tone by looking at identifying features such as small variances in CTCSS tone power and frequency. The idea is that each radio will have minute differences in the exact tone and power produced by the CTCSS circuitry, due to differences in the crystal oscillators and component tolerances. Oona used an RTL-SDR to record CTCSS data from a conversation on a local handheld radio network. Then by plotting the frequency vs power data on a heatmap graph she was able to find 8 different clusters of points, which potentially identifies 8 individual handheld radios.
With the individual radios identifiable by their cluster centers, each cluster can be assigned a name. Now each subsequent transmission can be compared to each cluster center, and assigned to the closest matching cluster, thus matching a new unknown transmission with a known radio. This makes it easier for someone listening in with no context to follow a conversation.