This Bug’s For You: Part Two of Two
Well, I'm out of excuses. Most writers, and I'm one of the worst, are terrible procrastinators. No more pencils need sharpening, no toilets need cleaning, nobody's bleeding, no crews out working. Writers die a thousand little deaths every time a deadline approaches. With the 13 deadlines I face every month for various publications, averaging a deadline every 2 days, it shouldn't bother me too much when my time comes to check out -and I'll probably be late for even that and have to FAX myself to heaven amidst a flurry of excuses and apologies.
May I be allowed to digress for a moment? Being in business, we are able to read the economy to an extent based on such things as receivables aging, supplier problems, computer analyses and projections on products and services sold, etc. It really looks like a recession may be possible soon. Clients whose receivables formerly were as good as gold are now having a tough time keeping up payments, seemingly solid firms are going belly up, and many clients are choosing to repair existing equipment rather than replace it as they normally would. If a recession does happen, it would be well to be out of debt, have few receivables, and be in a strong cash position. This advice holds for the individual as well as the small business, and is a prudent course of action regardless of problems with the economy.
It seems like more and more of the industry, domestically and internationally, is dropping TELEX in favor of the FAX. We are going along with the crowd. Effective immediately, our FAX number is (410) 836-1190. If we can advise any of you on topics discussed in these series of articles, or for anything else allied to the cause, feel free to holler. Our voice mail system is accessed through (410) 879-4035. Thanks everyone who called with assault or flattery on part one of the TSCM series. Your feedback will help us help you through my articles and Police & Security News.
In part one in the last issue, for those of you who were sleeping, we discussed the very real problem of illegal electronic eavesdropping. Covered were certain ways of determining if you might be a target, and what your options were if you think you are. Our discussion focused on countermeasures - specifically in searching out and selecting a qualified TSCM (Technical Surveillance Counter Measures) team to 'sweep' your facility electronically and physically to uncover any concealed bugs or wiretaps. The information in part one was pretty heavy, so if you have a
serious interest in this subject, please be sure to read part one as well as this month's information. Call Police & Security News at (215) 538-1240 for a copy of the March/April issue containing part one if your copy was stolen.
The major point we developed in part one is that there are very, very few truly qualified TSCM professionals in the industry, in spite of heavy marketing and paranoia-inducing efforts by numerous shysters after the glamour and big bucks. The field is too serious for amateurs or groupies, and is extremely difficult to break into. TSCM work requires an extremely extensive, and intensive, commitment to the trade as well as a heavy investment in training and equipment.
This month we will concentrate on the equipment used by TSCM professionals. I'll mention a few sources of equipment for those of you whose requirements aren't serious enough to call in outside talent and want to buy equipment to do the work yourself. We'll also learn just a bit more on certain techniques of eavesdropping you should know something about.
OK. Tuck the napkin under your chin and let's go.
IR BUGS - There is a technique for transmitting room audio to a remote location by modulating an infrared LED (Light Emitting Diode) with the sound picked up by a concealed microphone. The infrared light is invisible to the naked eye, but has all the characteristics of visible light. I had thought previously that IR bugs were mostly hype, but I am smelling some hard evidence of their use on very high level espionage. IR bugs can be very small and usually can be located only through a physical search. Since they don't radiate an RF signal, and aren't wireline devices, the standard complement of TSCM equipment will not be effective.
Space is tight this month, so call me if you have a particular interest in these. Certain manufacturers offer IR probes for their TSCM gear. I have found that the range of these probes are so short that they are not of much use, although they are better than nothing. We have had very good results locating IR devices, even in a brightly lit room. by using our Dark Invader night vision devices with a 99% obscuration IR filter on the NVD. If you do not use a 99% filter you not only will not locate the IR transmitter but you probably will roast the intensifier in your night vision package. Most any night vision device should work as long as it is a passive device, not an active one. IR bugs are for the most part impractical, due to limitations on the receiving end, but I am starting to take them more seriously than I have previously.
IR bugs can also be located quite easily by using a CCD video camera with the IR cut filter removed. This might be the cheapest way, and is suitable for leaving in place permanently for continued protection. IR bugs, by the way, work best at night or in a darkened area, and usually will be located near a window. A lot of misinformation has been passed along over the years about laser bugs. From what I've seen, people credit the humble laser with all sorts of mysterious properties. Well, sorry to disappoint the self appointed surveillance experts, but even lasers cannot violate the laws of physics. Laser bugs basically are laboratory toys. The big boys don't worry about them. Moreover, they are very susceptible to inexpensive audio jamming techniques.
Laser interception techniques involve bouncing a laser beam off a window or other surface in the area under surveillance. The idea is that the surface will be vibrating in cadence by voices the eavesdropper is trying to recover, thus modulating the laser beam in step with the voices. The reflected laser beam is picked up by some optics coupled to a photocell which translates the modulated beam into an electrical signal the eavesdropper can then filter and record. Sounds good. We bought a laser a number of years ago (a Spectra Physics lab quality laser too, not a cheap piece of junk) and spent several thousand dollars on a development effort trying to make a system work. It did, after a fashion, but was pretty much useless in the field.
We were able to recover audio to an extent, but the relatively pipsqueak human voices were largely swamped by building noises, wind noise, noise from passing traffic and planes, and so on. The human noises are much weaker than the extraneous noise, especially when integrated over the large vibrating surface reflecting the beam. The laser used must operate at infrared, or the beam could be spotted. And IR means that it will be much more difficult for you to find the thing on the rebound. Additionally, the alignment of the laser head and receiving optics is extremely critical, requiring the use of fluid head tripods, a very stable, weighted base, etc. And, the angle with which you attack the reflecting surface is critical, restricting your options (angle of incidence equals the angle of reflection...). There is a German firm who advertises a laser monitoring device, in the $20,000 to $25,000 region. Don't worry about the things. They will be laboratory curiosities and groupie hype for quite a while yet.
On to equipment. As we mentioned last time, TSCM usually is divided into two separate technologies - telephone attacks, and RF attacks. Although rather generic, I will lump all non-telephone attacks under the heading RF (RF meaning Radio Frequency). In this context, RF will include IR, wired microphones and several others.
Usually, a sweep will involve both telephone and RF inspections, although they can be priced and conducted separately. And don't forget, in either case a physical inspection is equally as important as the electronic inspection. Many, many good electronic men are no good at conducting the vital physical search. Conversely, the best man on the physical with whom I've had the privilege of working couldn't put batteries in a flashlight without screwing up.
Since the following is so important, I'm going to repeat it one time and one time only: no amount of electronics equipment or talent will substitute for a physical search. Make sure anyone you contract to provide a sweep includes a thorough, and competent, physical search as well as an electronic sweep. Many, if not most, of the shyster sweep firms are not capable of running a physical at all and will not do it unless you insist, and then will fly through the job quickly. The shysters can't be bothered with the dog work, as a physical search can take hours, is filthy hard work, and so unglamourous as to be beneath them. Do not compromise on this point.
A number of devices are available to the professional. Some are of more utility than others, and not all equipment will necessarily be used on any given job. Most of us take everything because we never know what we'll run into, so don't feel cheated if some of the cases are not opened on your job. Don't be afraid to ask, though.
For telephone work, a number of firms swear by the telephone analyzer. A telephone analyzer is a compendium of equipment packaged together, used to conduct a number of tests intended to identify the various attacks on a telephone line, system or instrument. I own a Mason TT6, which cost the original purchaser around $5,000, and a Kaiser TA 1080D, which cost much less though I like it a lot more. I know both instruments inside and out, and never use either. In the hands of an expert, a telephone analyzer is capable of helping to uncover many telephone interception attempts.
Please note than an expert is not merely someone who has read the instruction manual, nor is an expert someone who has attended a seminar somewhere and received a certificate to hang on the wall. An expert, in the context of this series of articles, is someone who has a recent, diversified portfolio of both formal and OJT, has a mature electronics and telephonic communications background, the proper respect for and commitment to the trade, and who has spent hundreds of hours in the field sweeping every possible configuration of telephone system. Most professional telephone analyzers are valuable tools in the hands of someone who knows what he is doing. Most also will blow up an electronic phone system without a second chance if the slightest error is made, like switches set wrong, improper cable hookups, etc.
The Kaiser outputs one thousand volts during a series of tests designed to activate high voltage triggered hookswitch bypasses. That same thousand volts doesn't care if it is applied to your body or to sensitive solid state electronics found in an increasing number of business telephone systems. You will not want to face your client if you blow up his telephone system on a late night sweep. It has happened so many times to amateurs that we don't bother to discuss it any more.
An expert can make use of a telephone analyzer. To anyone else, they're dangerous. A true expert also doesn't need one. I don't care for them personally, and choose to use discrete pieces of equipment to accomplish the same end results. If you know what you're doing and want to use one, fine. If you really know what you're doing, though, you might want to do something different.
Good used telephone analyzers are readily available through certain suppliers. I'll mention some at the end of this article.
Voltage, current and resistance measurements can tell you a lot about what's going on with the phone lines. A decent VOM (Volt Ohm Milliammeter, pronounced separately as V-O-M, not as a word like VOMit) can be had for under a hundred dollars. It will not replicate all the functions of a telephone analyzer but will tell an expert a lot. Maybe I'm old fashioned, but I prefer a good analog VOM, like a Simpson 260, to the new digital ones. If you're looking for quick signals of something switching, a digital can't follow as fast as an analog meter. To each his own, though. Most people in the business didn't even get into the game until after analog meters were practically obsolete. Do any of you still own a VTVM?
Some of the tests performed by a telephone analyzer are to test for interception techniques that worked only in the pre-ESS central office days. If you need the details of this explained to you, don't fool with sweeping anyone's phones except your own. Quality telephone analyzers are produced by Mason, Dektor and ISA. Marty Kaiser has dropped his 1080, which should tell you something. All are available used.
A more sophisticated system sends pulses of energy down the telephone wires. These pulses are then reflected from electrical junctions along the wire back to the source. If a wiretap is inserted it will appear as a new electrical junction. This approach is usable only in situations where a good history of the system installation is known since the reflections from existing equipment would not indicate improper additions to the system. This technology is called time domain reflectometry and is too complex to be performed by other than highly skilled personnel.
There are a number of toys mass marketed to the yuppie consumer that connect to the telephone and blink colored lights when they allegedly smell a tap. All are completely worthless. I will be pleased to retract this statement if any manufacturer can demonstrate a device that will detect anything other than an extension phone off the hook, like a butt set or Radio Shack line start recorder interface. Most all of us in the business are in agreement on these. They're dangerous as well as worthless because they tend to generate a false sense of security.
For RF work, with some overlap into telephone, many more devices are available. Some are worthless, some are indispensible. As with telephone work, personal preference is a factor. Some pieces of RF sweep equipment are either easy to operate or impressive to the client, so therefore find their way into amateur circles.
Basic to RF sweeping are various types of radio receivers. They range from simple RF field detectors to computerized scanning receivers which locate and demodulate practically anything a twisted mind could devise. Please be careful here, as this is the area where more useless junk is palmed off on the uninformed than anywhere else in this field. RF detectors, generically known as "diode" detectors, are inexpensive devices that will indicate by lights, clicks, or a meter when they are in the presence of an RF field. Once they squawk, the operator can zero in on the source of the RF energy (which may or may not be a bug), by progressively reducing the unit's sensitivity and collapsing the antenna. As he makes the receiver less sensitive, it must be closer to the source to hear it.
Eventually the sensitivity is reduced to inches, placing the unit very near the source. Diode detectors are a staple in any sweep kit, but only as a supplement to the real thing or for a quick and dirty check. There are very good units of this type for a few hundred dollars. There are also worthless ones for thousands. Though it's in a simple plastic box, one of the best I've ever used is about the cheapest. Conversely, the multi-thousand dollar unit was completely non functional on a high powered transmitter a few feet away (see last month's article). Diode detectors are not always sensitive across the entire spectrum. Do not trust a demo by the supplier as demos are frequently fixed, by using a test transmitter on the frequency where the demo device is most sensitive.
Actual performance in the field might be less impressive. We have been very successful improving the sensitivity of many of these devices by replacing the inexpensive diodes with top of the line hot carrier diodes. Everyone should have some sort of diode detector in his bag of tricks. Buy on referrals from industry professionals, not on price. Do not plan on using one as your only piece of test equipment, though.
I covered the non linear junction detector pretty thoroughly in the last issue, so I will not repeat myself much. They work, but have limited applications although they are built up pretty big. They are very expensive, impressive pieces of equipment. Unless your funds are unlimited, the five figures asked for these devices is much better spent elsewhere.
The most basic tool for RF sweeps is a good wideband, tunable receiver. Expect to pay from maybe $1000 for a starter unit to maybe twenty times that for a new top of the line receiver. The Mason A2 and A3 series are generally accepted to be the best, although many lesser priced units will be just as effective in the proper hands. The Masons are usually sought after by the ex-government types who trained on one during their career and want to stick with what they have come to trust. That's perfectly fine; the Mason is a good piece.
Used Masons surface every so often, many times either because somebody upgraded, bought the receiver for a one time use, or because they dropped their money into something they couldn't effectively use. When selecting a receiver, make sure it covers from the several Gigahertz region (higher is better), down to a few Megahertz, with no holes in the coverage. Several antennas should be provided, as one antenna cannot be efficient over the wide chunk of spectrum a good receiver should cover.
Experienced operators tune from the top down, as they frequently will find numerous harmonics from cheap transmitters above (but not below) the fundamental frequency of the transmitter. Harmonics are found at multiples of the transmitters' frequency. An example, for a 50 MHz transmitter, would be the second harmonic at 100 MHz, the third at 150 MHz, the fourth at 200 MHZ, and so forth. So you can see that by tuning from the highest frequency down you will have many more opportunities to tune the alien signal than if you went from the bottom up. Remember that harmonics are always higher in frequency than the primary signal. Harmonics get weaker as they increase, but tiny transmitters often don't have the room for filtering that larger ones do, and will leak harmonic energy up to maybe the fourth or even fifth harmonic.
Certain fancy receivers are available which automatically scan the spectrum and lock onto the strongest signal. If you get a good one, from Scanlock, Technical Services Agency (the TSA in Fort Washington, Maryland - be careful as there is another company by the same name with a completely different product line), or maybe one or two others, they can do a good job. If you don't know what you are doing, though, you will miss a lot of what really is there. Beware of the junk oriental imports packaged in a briefcase and glowingly described in glossy color literature. Beware, also, of a certain company that gives you a hard sell. The real stuff sells itself, and generally only is advertised to the trade, not to the consumer.
The bottom line with a receiver is that you scan as much of the RF spectrum as you can, and identify each and every signal you find. This will include broadcast radio and TV stations, taxis, police, business, cordless phones, paging services, military, and hundreds more. Signals will be AM, wide and narrow band FM, maybe SSB, video, color and sync signals, subcarriers, pulses - you must know something about every type of modulation. There is a lot more to communications than AM and FM. You must determine the reason for every single signal you hear, and eliminate it as a possible hostile transmitter.
This situation is extremely difficult as you will find literally hundreds of signals throughout the spectrum that you will know nothing about. Experience is the only thing that will help you here. I have seen technicians slide right by suspicious signals that should have had them wetting their pants. A needle in a haystack.
A necessary accessory to the receiver is the spectrum analyzer. A spectrum analyzer displays, on a screen, a visual representation of a chunk of spectrum, on either side of where the receiver is listening. The spectrum analyzer gives you eyes where the receiver only gives you ears, and is mandatory to uncovering certain clever bugging techniques that a receiver alone will miss. Once you get competent in using one of these boxes you will have a lot of confidence in your RF sweep work.
A number of TSCM types try to sell certain spectrum analyzers which are not suited for TSCM work. AVCOM, IFR, and others were designed as pieces of test equipment for repairing communications equipment, and for this purpose they have no equal. The service monitor/spectrum analyzer we use for aligning the radios we sell (not the ones we use for TSCM), is one of the best on the market. Its receiver has a sensitivity of 2 microvolts, which is 2 millionths of a volt.
Not bad. Our TSCM receiver has a sensitivity of 2 TENTHS of a microvolt at the same frequency. Which would be better for locating very low powered transmitters? The communications spectrum analyzers are high profit items for the resellers, and are of very limited utility for debugging. The same holds true for frequency counters, which the resellers claim will display the exact transmitting frequency of a bug. Well, they do display a transmitters' frequency if you get enough signal. Our lab quality counter needs a 3 watt handheld radio transmitting within a few inches of its antenna to read frequency. A typical surveillance transmitter concealed in a room might be transmitting with a power of 50 milliwatts, which is one twentieth of a watt. The frequency counter would have to be touching the antenna of an average bug before it would read - and then you wouldn't need the counter, would you?
If some outfit was selling or recommending communications type spectrum analyzers, service monitors, grid dip oscillators or frequency counters for countersurveillance use, I would mistrust anything else they had to say. Such bleatings show a complete lack of understanding of the situation. If these people were selling cars they'd be locked up. Selling TSCM service or equipment, though, they're accepted as gurus.
Avoid, also, "shortwave" receivers, multiband radios, or other equipment not specifically intended for debugging. With very few exceptions, they're worthless.
Pay special attention to the following frequencies when tuning: 78 - 120 MHz, 46 - 49 MHz, 144 - 174 MHz, 420 - 512 MHz. Call me if you want to know why. Carrier current devices are a real threat. Carrier current transmitters send signals along the AC power lines to a listening post nearby. The listening post conceivably could be several buildings away. Transmitters here are inexpensive, readily available, and effective. Wireless intercoms from consumer electronics stores are what we find most often. Fortunately, though, several inexpensive devices are available to TSCM types which are very effective at locating carrier current transmitters. New or used, good carrier current detectors are around for under a few hundred dollars. Call us for sources.
Watch using those cordless phones. Your conversations are broadcast for several blocks in every direction, in the 46 - 49 MHZ band.
Hard wired microphones can be located by hanging an appropriate line amplifier on any suspect wiring in the vicinity and listening for feedback, or by physically searching to each end of a cable pair. Any line amplifier you use must be capable of powering the line itself, in case there is a microphone somewhere which requires power. Hang a meter on a suspect wire pair first, though, to make sure it's not AC power wiring. Pay special attention to innocent speakers which might be used as microphones in reverse. Are all the ceiling speakers frying your cerebrum with Muzak except the one in the boardroom? Be suspicious.
For those of you with real heavy duty requirements, portable X ray systems are available which give you Superman's capabilities to see into suspect packages. I wouldn't mind having one, but they're way too expensive for the limited use they would see with me. And, to be honest, I'm ignorant enough about radiation to be scared of it. On one occasion, an associate paid a hospital emergency room $75 to X ray a lamp. It would have been nice to have had his own portable machine, but he could get the hospital to X ray almost a hundred pieces for what his own machine would cost. If you would like to check this equipment out, contact Keith Kretchmer, who is the vice president of MinXray, at (312) 869-4321. They are the leading manufacturer of portable x ray equipment for security use. Keith is knowledgeable and will work with you.
The major point I would like to impress on you is that, while equipment is necessary for any debugging, training is vastly more important. Merely owning the equipment doesn't mean much. If I sell you a violin, are you a musician? If your requirements are serious, please consider calling in outside talent. If you don't like their fees and want to try to do the work yourself, more power to you. Just realize that it's very unlikely you will be worth anything unless and until you make a major commitment to classroom training and apprenticeship. And remember my feelings that to be a good countersurveillance man, you must have spent some portion of your life eavesdropping professionally. Especially, don't let yourself be sold a goody box by some seminar conductor, high pressure firm with fancy color literature or some mysterious foreigner with a stack of xeroxes and expensive, "modified" equipment.
Of course, if you have money burning a hole in your pocket and want to show off expensive toys to your friends, have at it. There are worse ways to spend your money. Please don't pollute the industry, though, with amateur efforts in a serious business.
Good used equipment, from simple pieces to the finest the industry has to offer, is available from Sherwood Communications Ltd. Contact them at (215) 357-9065. We are service providers, not equipment manufacturers, but feel free to call us here at SWS Security at (410) 879-4035 if you would like to discuss a specific piece or need referrals to the professional vendors. There are several individuals who manufacture top quality, reasonably priced sweep gear, but I will not release their names until I prequalify you, as they don't want to be bothered unless you're serious. Call us also if you're interested in training and we'll let you know what is available. The courses by Ray Jarvis or through Texas A&M are very good - even seasoned professionals should benefit from either of these. And for one on one training, Sherwood can share the benefit of years of experience. Remember, though, that no training happens in a hurry, and a two day seminar is at best only an introduction to a complex science.
There's much more I could share on the topic of bugs, taps, and countermeasures. We've burned two issues already. If you want to hear more, let Al at Police & Security News know and it will be revealed unto you. Without feedback, we don't know if we're delving too deeply into a topic or whether we're not sharing all that we should. How deep should we go? Let somebody know, as reader input is taken seriously. Also, how about topics for future columns?
We'll look forward to meeting some of you at the Secret Service show, May 13, 14 and 15 in Beltsville, Maryland. This show is restricted to law enforcement only, and you must show a badge to get in. If you're a vendor and would like to exhibit, though, give me a call and I'll see if we can get you in. We, obviously, don't show countermeasures here; rather attendees will see the very latest in hi tech surveillance and weaponry. Good deal for exhibitors, too, as it's a very cheap show to do, and the Treasury boys treat exhibitors like royalty. Look for UAS and SWS to be sharing several booths in the lower classroom building by the pistol range. We'll be at the Philly police academy in July, too, so look for us there if you don't make Beltsville.
One last thing: Good night, Mrs. Calabash, wherever you are...
Copyright (C) April 1988 by Steve Uhrig, SWS Security. All rights reserved.