SWS Security
White Papers
"In God We Trust. All Others We Monitor."


electronic bug

                                                       This Bug’s For You:  Part One of Two

This two-part series of articles will discuss the current threat to our privacy from bugging, wiretapping and other electronic surveillance. Emphasis will be on defense techniques and equipment, directed at both the end user and resellers of such protection. Myths will be dispelled, scams will be discussed. An overview of equipment and techniques used will be given, with the objective of teaching a prospective user how properly to evaluate and purchase eavesdropping countermeasures.

It's a hot topic nowadays. We hear about it everywhere, from consumer magazines to security newsletters, from seminar entrepreneurs to self appointed counterintelligence experts. Threats from bugging and tapping are in the public eye. Yes, security and privacy of our affairs are at risk.
But how bad, really, is the problem?

Electronic invasions of privacy are not uncommon. I wouldn't doubt that in Baltimore, the nearest big city, there are 50 to 100 illegal operations being conducted, and maybe a very few legitimate ones. Realize, though, that none of us active in this field could possibly have any direct knowledge as to the extent of illegal attacks, although we can extrapolate based on what we have seen. I guess now would be as good a time as any to define, for the purposes of these articles, what we will mean by legitimate (legal) vs. illegal eavesdropping.

It is dangerous for either me or Police and Security News to render what could be construed as legal advice. Therefore we will make the standard disclaimer and advise you to consult competent legal counsel for an opinion if you have any question as to what is or is not permissible. In general, though, it is a violation of federal, state and usually local law to intercept (meaning record, monitor, tamper with, etc.) written, oral or data communications without the permission of all parties involved. If anything, we will err on the side of being more conservative rather than liberal.

Even though numerous and flagrant violations of the various laws are apparent, prosecution can be instituted at any time, especially in response to a specific complaint or periodic general enforcement efforts. Don't assume that because you see "surveillance" equipment advertised in pulp magazines it's safe to purchase and use such equipment. Thinly veiled semantics such as "baby monitors" don't protect you. More about all this later. Applicable statutes are Title III of the Omnibus Crime Control and Safe Streets Act of 1968 as amended, sections 18 USC 2510, 2511, 2512 and 2513. See also 47 USC 605, Public Law 90-351, and all applicable state and local statutes. The whole thing generically is referred to in the trade as Title III.

I'm rather long of tooth in this game and, in my opinion and experience, the threat to the average Joe Sixpack is greatly exaggerated. That doesn't mean there isn't a threat, mind you, but keep reading. In reviewing the dozens of articles, video documentaries, seminar schedules and so forth that continually cross my desk, I notice they all have something in common: most are backed, in some way which may or may not be obvious, by persons who will profit in direct proportion to the paranoia they can induce in their prospective clients. I realize that last sentence is a mouthful, but read it again. Please keep that thought in mind as you digest the rest of this series.

I've rewritten this paragraph several times. Each time I take a broader view, because I don't want to sound too cynical. I will say this: Don't be worried about the $25 "surveillance" transmitters marketed extensively to Walter Mitty. Same goes for wireless mikes and the whole series of toys claimed to transmit the "slightest sound" over some fantastic range. All of these devices drift, have power outputs in the single digit milliwatt range (a milliwatt is 1/1000 of a watt), and generally will not penetrate the first wall. Maybe you could get the claimed quarter mile range if the things were hung from the top of a tower and you were a quarter mile away line of sight with a lab quality receiver. A more realistic range is 25 to 50 FEET. We will refer to these devices as "modulated oscillators". They are pretty much no threat at all. It's kind of a shame that these devices are so readily available, as they're just as illegal even though they don't work. Why take a risk when there's nothing to gain? Personally, I would be hesitant to be on the books of some of these companies. That's just an invitation to scrutiny if they are shut down and their records seized.

The wireless babysitters available from "the local electronics store" and others are a problem. These units transmit, for real, either in the 46-49 MHZ band where cordless phones live or directly via the AC power line to a companion receiver. Note that here I am referring to systems that are sold with both a transmitter and their own receiver vice the toys which transmit to any FM broadcast receiver. They work, some well enough to be a problem. All of us in the privacy protection business have pulled quantities of these out from where they have been planted. The last couple we found we just dropped in the trash. There are rather easy methods to identify and locate these devices, though, so don't lose any sleep. We'll cover the details later.

By the way, the terms "bugs" and "taps" have been worn so thin by the press that they are rarely used in the professional arena. I will use them here, though, since we're trying to communicate rather than be semantic snobs. Wireline, or telephone related, tapping devices are also very common. Transmitter-related devices are almost all modulated oscillators as described above. Tape recorder line start units work, after a fashion, and are a threat. All the line starts can be built for less than ten bucks, although the magazine and electronics store prices vary greatly. Don't worry about these either.

So how about the serious stuff? Well, yes. It's available although very expensive. Even if you're a legitimate user quality electronic surveillance equipment is not all that prevalent.

If you are involved in any of the following, there is a definite possibility that you will be on the receiving end of electronic surveillance:

# Union negotiations, either party
# Acquisitions or mergers
# Highly competitive product or service
# New product development
# At or near the top in your particular industry
# Restricted technology (defense contractors)
Fact, not paranoia. As we say, though, just 'cause you're paranoid doesn't mean they aren't really after you... The above is based on my company's experiences where suspicions turned out to be justified.

If you have reason to believe your privacy is threatened, you need the services of a countersurveillance professional. You need to locate someone competent in TSCM, which translates into Technical Surveillance CounterMeasures. The TSCM consultant will work with you to assess the threat and perform a series of services to determine whether you are on the receiving end of surveillance operations.

The consultant you call in might determine that you need a "sweep". A sweep, as it is called, is an inspection of a facility designed to identify and locate any hidden surveillance devices. Let's discuss sweeps.

There are several basic eavesdropping techniques, all of which must be considered separately in a comprehensive sweep. All require different skills, equipment and procedures. One is called an "RF" sweep. RF stands for Radio Frequency, and refers to anything involving a radio transmitter, including power line transmissions. This is the one most people picture when discussing sweeps, but the least likely to be a threat. Second is Wire Communications Intercepts (WCI), also called telephone taps by the people who act like they know what they're talking about. Thirdly, direct wired concealed microphones are a consideration. We'll discuss more later.

Your TSCM man should begin by asking you numerous questions, usually in person. These questions are designed to draw out from you enough information for him to make a reasonable assessment that 1) You have a genuine need for his services and are not just a loony who watched too much TV, 2) Which one(s) of the several attacks are likely, and 3) That you're not a druggie or otherwise involved in anything illegal. Dealing with a TSCM man is sort of like working with your lawyer or accountant - you must be straight with him or he can't help you.

It's got to be said sooner or later that many, probably most, of the guys peddling sweep services are incompetent. A large percentage are outright thieves who have no real capability to perform TSCM but who are lured into the field by promises of big bucks. Include in this category the hotdogs who are caught up in the glamour of the whole thing. Also among the incompetents are the vast majority of burglar alarm companies, telephone installers, security guard companies and private detectives who "just can't turn down the money", and who regularly get calls from the general public who don't know where to find the real thing. I apologize in advance to the extremely few detective agencies who genuinely have TSCM capability. You know who you are, and you shouldn't take offense at my statements. Rather, you should take offense at the charlatans who are ripping off the poor guys really in need. The bottom line is that it's very easy to get ripped off, and very difficult to find a competent TSCM man.

There is a very visible, very glamourous, multinational firm who frequently is consulted by the public because their advertising works. This firm will show the prospective client a number of "bugs" their team allegedly has uncovered during sweeps. I seem to recall a transmitter built into the base of a desk stapler. It was totally phony. Perhaps it could fool the public, but any engineer would recognize all three transistor leads connected together, a complete absence of RF components, and general BS.

The same was true of their "belt buckle transmitter". A demo, in their showroom by their salesman of their sweep equipment, failed to identify an operating ONE WATT body wire worn by one of the attendees witnessing the demo. Remember that one watt equals 1,000 milliwatts. A typical surveillance transmitter might have an output of maybe 50 milliwatts. This firm manufactures their own line of extremely expensive, essentially
worthless TSCM gear that seems designed primarily as a video game, complete with an impressive light display and sound effects. The innocent public, unfortunately, equates the functionality of sweep equipment with the number of blinking lights.

This same firm, by the way, solicits "dealers" for their products and services. A mid-five figure investment in their equipment will buy you the privilege of being lied to and ignored unless you come up with even more money. In the words of a colleague, "The world is littered with carcasses they've left behind".

While we're discussing qualifications of a TSCM professional, you should understand that it's pretty much mandatory for a countersurveillance man to have had experience on the other side of the fence. How can someone who's never conducted technical surveillance for a living expect to know much about countering sophisticated attacks? The vast majority of those who claim to be in the TSCM biz have never even seen a genuine bug, much less found hidden ones through their own efforts.

Writing, teaching, advertising or visibility in the industry does not in any way substitute for true covert experience, usually with a federal agency. The guys who have been there can't talk details, and the guys who haven't will die of old age before they pick up enough on the outside to be truly effective at TSCM. A lot of TSCM wannabees will fill your ear with their war stories. The true professionals don't talk much. Is it true that empty barrels make the most noise?

Even though TSCM providers must of necessity keep mum about their clients, any of them should be able to offer at least a few solid industry references. Be sure their reference isn't their brother in law playing a cloak and dagger game of secrecy for your benefit. If they give excuses instead of solid references, or refer vaguely to "Fortune 500" clients, move on.

In a very few instances, there are firms who service extremely delicate accounts. If the TSCM team hides behind this when asked for references, request sanitized copies of their written reports to their clients. These could serve as an indicator of the quality of their work. Elite firms such as this, though, can be counted on one hand, and maintain a very low profile.

How prevalent are good countermeasures firms? Well, this is a tight business. Most of us know each other and communicate regularly. I would estimate that there are less than fifty truly well trained and well equipped TSCM teams in the private sector. At least half of them are so low profile that you are unlikely ever to see mention of them in the media, seminars, or advertising. Feel free to call my office for local referrals if you wish.

By the way, beware of the "franchises" that are starting up. Regardless of how well meaning some of these new guys might be, and how impressive a list of equipment or fluff they proffer, this is a serious business and no place for beginners. If you're about to fall victim to one of these offers, keep in mind that it takes many, many years to get established. If an established firm conducts 15 or 20 genuine sweeps a year, they're lucky. TSCM work is always a sideline even for the professionals, who pay the bills by selling equipment or some effort allied to the field. Although the equipment inventory in no way relates to the quality of services available, TSCM gear is necessary to perform the service. With a typical minimum investment of $35,000 - $50,000 in equipment, the payback would be so slow as to make the field a very poor investment. Unless, as I mentioned above, you're so caught up in the glamour of the whole thing that you're willing to operate at a loss, probably indefinitely.

The last thing I'll say about selecting a sweep team is to ensure that the prospective vendor has a solid engineering and practical background. TSCM is not purely a theoretical science. An extensive knowledge of how intercept devices themselves function, though, and how they are installed and configured, is vital. Here is where you want to be dazzled with brilliance, not baffled with goat droppings. I lied. The previous paragraph was not the last thing I will say about finding the right guys to trust with your privacy. Don't hesitate to ask pointed technical questions, which you should be in a position to do if you've done your homework. Be suspicious if you don't get responsive answers. Many times the ripoff artists are so ignorant that they can't even discuss their equipment or proposed techniques intelligently. Insist that they communicate with you in terms you can understand. Have them define technical terms, buzzwords, and make them speak English, not alphabet soup. Don't accept any nonsense about "proprietary" information - you deserve to know what you're being asked to pay for. Any competent professional will be rightly proud of his skills, and will be capable of explaining his work so that any reasonably educated man can understand.

Don't hesitate to check around if you have any doubt about the individual with whom you are negotiating for services. Your guy should welcome this.
If you have already absorbed the information in this series of articles and still are unsure, feel free to call our office.

The more informed you are the less likely you are to be cheated.

Where were we? OK. You think you might have a leak. By checking around you've selected a TSCM consultant, and the two of you have examined and cross examined each other. We will assume you have located a competent man, so from here on out we will take for granted that he knows what he is doing and will not cheat you.

Somewhere the two of you must discuss fees. It is unusual for rates to be quoted sight unseen except in very general terms. Fees vary widely depending on a number of factors. Some of them are:

$ Travel and living expenses
$ The firm's reputation (real or imagined)
$ How much the firm has invested in training, equipment, marketing
$ Overhead (do they show up in limousines?)
$ Competitor's rates
$ Estimated manhours to do the job right, based on previous experience
$ Physical risk involved if a sensitive job
$ Potential liability if they screw up
$ A fair profit
$ How greedy or hungry the firm is, which can vary from week to week

Rates for an RF sweep are usually a set fee per square foot, as are physical searches for microphones. Telephone work can be quoted as a certain amount per instrument, system or CO (Central Office) line. Sometimes you will find a group who charges by the hour. This is OK as long as you both understand precisely what services are to be rendered. It is a mark of a professional to work off a standard rate card. A pro should insist on a walkthrough of the facility before quoting any firm price, however. If he does not do this, he will be tempted to cut corners if the job is more than he envisioned.

Don't be offended if your consultant requests full payment up front. Most of us do, especially for first time clients. With any type of service work, the provider has little recourse should the client welch. The value of services rendered diminishes exponentially as time passes, and someone buying a sweep on credit may feel he has an excuse not to pay if nothing is found. Also, do not be offended if the consultant you contact prequalifies you before discussing his fees. We get one or two calls a month from competitors calling under a pretext trying to find out what we charge. You think you're clever, and you think we didn't know. Boy, did we lie to you! As a matter of fact, we have found that prospective clients who are overly concerned about fees are the ones who will cause us more grief than they're worth. In virtually every instance where we actually did uncover surveillance devices, the client didn't know what he was paying until he got the invoice. And then he didn't care.

A total TSCM package costs. Don't be surprised at a healthy four, or even five figure fee. By the same token, don't expect much other than a dog and pony show for a few hundred dollars. Unfortunately, the shysters charge top dollar right up there with the big boys, so the fee structure is no indicator at all as to the quality of the work.

There was a notable case here in the Washington, D.C. area last year. A well known and allegedly competent sweep team (if you don't believe they're competent, just ask them) received, in advance, a five figure fee to run an area sweep of a Fortune 500 executive office. After a few hours of poking around by a representative of the sweep firm who, according to the client, appeared so unfamiliar with the equipment that he didn't even know where to connect all the cables, pronounced the place clean. The client was suspicious, so he immediately called in a second, independent, sweep team. The second team practically tripped over a concealed microphone before they had even set up their equipment. This sort of thing is not uncommon. As there are no guarantees, the client had no recourse against the first company. The original sweep team had come highly recommended from an out of state detective agency.

Beware of any firm who guarantees they will find something. There are firms who promise this, and sure enough they do. Whatever they "find" wasn't there before they showed up. The one notable firm who does this uses the tactic as a reason to sell you a sweep contract, or some of their equipment for your own use.

Beware, also, of any firm who claims they can find everything there is to find. This is a claim made by many amateurs, and no professionals. Finding a hidden transmitter, microphone or whatever is worse than finding a needle in a haystack. Maybe it's like trying to find a needle which may or may not be there, is disguised as a piece of hay, and you're wearing Kevlar trousers.

Sophisticated transmitters (OK, bugs) are available which can be turned on and off remotely. Good procedure on the part of the eavesdropper will call for him to deactivate the bug during off hours. This will not only save batteries but will reduce the possibility of the thing being discovered. For this reason, we like to run our sweeps during normal business hours if at all possible. To be pragmatic, though, it's difficult to hide the activity from the employees. Much of the time an employee is involved in the espionage, so you don't want to tip him off. When the sweep is conducted is a judgement call on the part of both the sweep team and the client.

This next part is important, so pay attention. Virtually every sweep is composed of two parts - the actual TSCM search and a physical search. Sometimes this is a way to separate the men from the boys. For every device we've found with the electronics, we've found ten during the physical. The physical is absolutely necessary, and the only way to find many hard wired, concealed microphones. Dead transmitters (previously planted, currently inoperative due to dead batteries or remote shutdown) can only be located with either a physical or via a device known as an NLJ (Non Linear Junction detector). An NLJ is unreasonably expensive piece of equipment which does work, but is looked down upon by many real pros. Although I'll cover the NLJ in more detail later in this series, here I'll say that its primary utility is in putting on a dog and pony show for the client. It looks impressive, and fills the uninitiated's mental image of what sweep equipment should look like. There must be a million pieces of literature for every actual unit in the field, as they're not that popular. The primary market for the NLJ seems to be the wealthy TSCM hopeful, many of whom have more money than they have brains. The NLJ works, but is considered by many to be the lazy man's toy. Pardon the digression - and I'm an opinionated SOB, aren't I?

Back to the physical search. It's necessary, and believe me, it's dog work. Ask my guys. The physical search involves a thorough examination of anywhere a device could be hidden in a facility. This includes furniture, appliances, electrical fixtures (a favorite hiding place), air ducts, office equipment, inside hollow doors or walls, above drop ceilings, below raised floors, inside or behind art objects, clocks, emergency lights, smoke detectors - the list goes on and on. My guys who regularly do sweeps will start all crisp and clean in business dress. By the end of the job they will be dusty and sweaty and stripped down to T shirts. Glamourous, huh? There are a number of tricks of the trade for physical searches which I won't discuss in an open forum, but sweep teams who know what they're doing will have their own, usually written, procedure. In a serious sweep most of us use a checklist to be sure we don't forget anything, and to assist us in compiling the written report. Ask any prospective TSCM team to describe what they do in a physical search. No sexy tools here. More like a stepladder, flashlights, and mirrors. Guys we train on sweeps pay their dues by running the physicals their first few times out.

One job we ran last year involved something like 60,000 square feet and maybe 35 telephone instruments. One of my men found several hookswitch bypasses (telephone) in a physical inspection while I was still setting up for the RF sweep. We would have found the hookswitch bypasses when we ran the electronic sweep on the phones, but the physical found them first.

Do not underestimate the necessity for a physical. Many of the pretty boys can't be bothered to get their hands dirty, so be sure you are getting the whole thing. Our clients sometimes wonder why we ask where we can change into grubbies. On my very first sweep, back in ought-six, I wrecked a perfectly good blue suit when a mike line I was chasing led me through ceilings, elevator shafts, and down to an unbelievably filthy basement complete with rats, a dirt floor, and 4 foot ceilings. Incredibly, for me, I had just picked up a suit from the cleaners and was able to change before reporting back to the scene of the crime on mahogany row. There was absolutely no other way to trace the suspected line, and I just can't believe most guys would have bothered.

A few paragraphs back I spoke of setting up the RF sweep. An RF sweep needs to be conducted even when the only thing suspect is the telephone lines. There are techniques for bugging a phone where the instrument listens to room sounds even when the phone is hung up. Many telephone intercepts involve transmitters, so we prefer to run the RF first just to give us a bit of breathing room. Everybody has their own way of doing things, though.

We're about at the point where we need to discuss specific pieces of equipment, how they work, and why they are used. Let's break here until next time. Then we'll talk about some popular methods of eavesdropping and what equipment works (and doesn't work) to find them. Also, by then I will have feedback from some of you which, as always, will let me know what we can cover that will help you. Thanks for the inputs on the last series covering vehicle tracking systems. Our discussion of bumper beepers was like turning over a rock. All of a sudden the industry is spawning "experts" on vehicle tracking. Kind of funny. Well, maybe the series was worth the effort. What do you think? Was there anything I didn't cover, but should have? If so, we'll run a short sequel.

Remember, this column is for you. Let us know how we can help you take advantage of today's technology. Articles in this series were in response to specific reader requests. Every letter and phone call is discussed among the guys here at SWS and at Police & Security News. We got a real nice note from Bob McCrie of Security Letter, which will occupy a place of honor on the wall right next to the stuffed jackalope (due to the lack of a sufficient number of Valentine's cards...). Stay tuned for more - same bat time, same bat magazine.

Copyright (C) February 1988 by Steve Uhrig, SWS Security.

electronic bug
Part Two