Massive Multi-Channel Demodulation (M2CD)

Summary

Excerpt From Introduction to Wireless Threat Intelligence Webinar/
CTO Dr. Brett Walkenhorst Explains Massive Multi-Channel Demodulation (M2CD) /
In this excerpt from the webinar, CTO Dr. Brett Walkenhorst talks about “massive multi-channel demodulation,”. A lesser-known element of Bluetooth Low Energy (BLE) technology is addressed by this function. BLE uses forty channels in the spectrum, three of which are used for advertising. It is difficult to keep an eye on all traffic because devices connect and converse on the remaining thirty-seven channels, even though the majority of sniffers concentrate on these advertising channels. Bastille’s method uses RF sensors to record the whole spectrum. On the backend, the data is then demodulated, decoded, and disambiguated to locate and identify each device on a network separately.

Video Transcript

Another key differentiator for us is this thing that we call massive multichannel demodulation. This refers to an aspect of Bluetooth that many people may not know, The way this works for bluetooth low energy, we have forty channels throughout our spectrum, and three of them are dedicated advertising channels.

Now what most sniffers will do is park on one of those advertising channels, and most devices when they advertise will just stop from pop across those three sending the same packets and listening for responses. So if I have a a sniffing device just sitting on one advertising channel, probably gonna see all of the advertising, but I'm not gonna see anything else because as soon as devices connect, they've discovered one another through this advertising mechanism.

They connect then They establish a process by which they're gonna hop around in frequency. Now they're gonna be running on the other thirty seven channels. And they won't be on the advertising channel at all. All their traffic is occurring on the others and they're hopping around. So it's difficult to follow any given network.

There are sniffers that can do that, but they can only follow one network. Here at S Steel, we need to see everything and we need to be able to see all the data traffic, not just the advertising So what we do first of all is with our very capable RF sensors, we take it all in.

With the big vacuum cleaner, we just suck in the whole spectrum. And we on the back end, then we're demodulating and decoding all of that data, and then we're disambiguating it, on the back end. So that we can individually locate and identify the centrals and peripherals on each individual network.

So there's a lot of lot of challenges associated with that. There's been a lot of work to build up that capability. But that's some key IP that we have that that allows us to see paired Bluetooth devices. And that's critical because if all I can see is advertising, then when Bluetooth devices actually become a threat when there is a potential data exfiltration issue.

That's that's that only occurs when they've connected. And if I can't see that, I've lost the ability to bring, my detection capabilities to bear on this wireless threat. I have to be able to see these devices when they're connected. Otherwise, I've I've just kind of given out. So I think that's really critical.