- The missing business school courses. -
by Kevin D. Murray - CPP, CISM
Detection of Electronic Eavesdropping Devices
The most visible part of the Counterespionage Consultant's job is the Electronic Countermeasures Sweep: the search for eavesdropping devices. It is also the task which is least understood by clients. A knowledgeable consultant will make removing the mystery the first priority. Expect to be educated on the countermeasures process, in terms equal to your prior knowledge level. Everything can, and should, be explained in lay-person terms. Deliberately hiding behind jargon, in any specialty, is rude and should always arouse your suspicions about the true competence of the speaker. From the consultant's viewpoint, the more you know, the more you will appreciate their efforts on your behalf.
Contrary to what you may see advertised, there is no do-it-yourself magic bullet in eavesdropping detection. You can't dial a special phone number to see if your phone is tapped. There is no single instrument which will detect all bugs for you. There is no gadget which will protect you from all wiretappers. Electronic eavesdropping detection is labor- and equipment-intensive hard work. When your consultant conducts inspections of your sensitive areas, don't be surprised if you meet 1 to 3 additional technicians, and see over $300,000 worth of electronic test equipment. This is how it is really done.
Sweep Inspection Procedures & Test Instrumentation
The Background Interview.
Upon arrival the consultant should conduct a background interview with you to obtain an overview of your security concerns. (This discussion will not be held within the areas to be inspected.) Just like a doctor, your consultant will want to fully understand the symptoms and circumstances that preceded your call for assistance.
A Survey of Current Security Measures.
This includes an inspection of perimeter and interior physical security hardware: doors, locks, windows, vents, alarm devices, waste paper disposal methods, etc. It should also include a review of your current security policies and procedures. Be prepared to take a full tour of your facility. Have all the necessary keys available, and if possible, a copy of the floor plans.
The Visual Examination.
The areas in question should be visually inspected for all types of current electronic eavesdropping devices and evidence of past attempts. The consultant and technical assistants rely heavily on their eyes, minds and experience. These are the finest auditing instruments available. In addition to discovering actual devices during this stage of the inspection, they will also be searching for evidence of prior eavesdropping attempts (bits of wire, tape, holes, fresh paint or putty, disturbed dust, etc.) The visual inspection should be thorough and include: furniture; fixtures; wiring; ductwork; and small items within the area.
The Acoustic Ducting Evaluation.
Unexpected sound leakage into adjacent areas has been found to be the cause of many information leaks, especially the in-house type. Open air ceiling plenums, air ducts, common baseboard heater ducts, walls common with storage/rest/coffee rooms, and holes in concrete floors have all aided eavesdroppers at one time or another.
As you can see, electronic eavesdropping auditing and counterespionage consulting begins even before the electronic instruments are unpacked.
Inspection of Telephone Instruments.
An extensive physical examination of the telephone instruments must be undertaken. There are more than 16 types of attacks involving bugs, taps, and compromises that can be made on a basic telephone instrument (National Wiretap Commission Report). The newer, electronic telephones have other vulnerabilities, some of which are simple system features which can be abused.
After the instrument is inspected, it is put back together and its screws are sealed over with friable security tape, thus providing visual proof that the phone has not been opened since the last inspection. A good consultant will have these seals custom made so that they cannot be easily duplicated. Executives and security personnel may periodically inspect these seals themselves. Broken seals indicate an intrusion, while missing seals indicate a switch of telephone sets. Treat either condition as a suspicious incident.
Inspection of Telephone Wiring.
Wiring associated with the telephones under test is inspected for attachments and damage. Damaged wiring is often the only evidence of a prior wiretap.
Inspection of Junction Blocks.
Junction blocks are where telephone wires connect to each other in the building. These connected wires form a path between the telephone instrument and the on-premises, telephone switching equipment. In some cases (e.g.: simple residential phone service and facsimile machines) internal wiring connects directly to outside cables which lead to the phone company central office. Junction blocks are an easy, and relatively safe, place to attach a wiretap device. Extra wiring paths can also be constructed at junction blocks (using the spare wiring already in place) to route the call to a remote device, or a listening post. This type of common attack is called a direct, or bridge, tap.
Telephone Room Inspection.
The building Telephone Room houses junction blocks for the internal phone system; switching equipment for the internal telephone system; and Telephone Company junction blocks for the incoming lines. This is another area of vulnerability which requires an inspection from both a wiretapping and physical security point of view. In large buildings, this room is usually found in the basement / utility area. Historically, they have received minimal security attention. Expect this to change as more people realize that this is the communications nerve center of their business.
Phone Line Electrical Measurements.
Measurements are taken and compared against telephone industry standards. Readings which deviate from the norm can help reveal certain types of wiretaps.
Time Domain Reflectometry Analysis.
In this test, a pulse is injected into the telephone line. If the two wires are parallel to each other, the pulse continues its trip smoothly. If the pulse passes a point where it sees a change in the wiring (splices to other wires, a wiretap, a wall plug, the end of the wires, etc.) a portion of the pulse is reflected back.
An instrument called a Time Domain Reflectometer (also known as TDR or cable radar) injects these pulses, reads their reflections, and measures the time difference between the two events. This allows the TDR to calculate the distance to the irregularity. A time versus irregularity graph is displayed on the TDR's display. This signature is interpreted. Imperfections in line integrity are calculated to within a few inches of their actual location. An inspection of these points is made. This allows a thorough examination of the wiring, even when it's hidden from normal view. Time Domain Reflectometry allows reliable testing of phone wiring up to 2,000 feet in length, and detection of some wiretap attacks at distances of up to 36,000 feet.
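The time-to-distance calculation described above, as an added example that is not part of the original article. It goes one step further than the text by comparing the current trace against a baseline kept from an earlier inspection; the trace values, the 1 ns sample spacing and the 0.66 velocity factor are assumptions chosen for illustration.

```python
# Added illustration: every trace value below is constructed, not measured.
C_FT_PER_NS = 0.983571      # speed of light, feet per nanosecond
VELOCITY_FACTOR = 0.66      # assumed pulse speed in this cable, as a fraction of c
SAMPLE_NS = 1.0             # assumed time between trace samples


def make_trace(length, events):
    """Build a constructed trace: events maps sample index -> reflection amplitude."""
    trace = [0.0] * length
    trace[0] = 1.0                          # the injected pulse
    for idx, amp in events.items():
        trace[idx - 1] += amp / 2           # give each echo a little width
        trace[idx] += amp
        trace[idx + 1] += amp / 2
    return trace


def find_reflections(trace, threshold, skip=5):
    """Indices of local peaks in |trace| at or above threshold, ignoring the launch pulse."""
    peaks = []
    for i in range(max(skip, 1), len(trace) - 1):
        a = abs(trace[i])
        if a >= threshold and a > abs(trace[i - 1]) and a >= abs(trace[i + 1]):
            peaks.append(i)
    return peaks


def distance_ft(index):
    """The echo time covers the trip out and back, so it is halved."""
    return index * SAMPLE_NS * VELOCITY_FACTOR * C_FT_PER_NS / 2


def new_irregularities(baseline, current, threshold=0.05, tolerance=3):
    """Echoes in the current trace with no baseline echo within `tolerance` samples."""
    known = find_reflections(baseline, threshold)
    found = []
    for i in find_reflections(current, threshold):
        if all(abs(i - k) > tolerance for k in known):
            found.append((round(distance_ft(i), 1), current[i]))
    return found


# Baseline from the last inspection: a wall plug and the open end of the pair.
BASELINE = make_trace(700, {150: 0.10, 600: 0.60})
# Today's trace: same line plus an inverted echo (a parallel attachment lowers impedance).
CURRENT = make_trace(700, {150: 0.10, 380: -0.08, 600: 0.60})

if __name__ == "__main__":
    for dist, amp in new_irregularities(BASELINE, CURRENT):
        print(f"unexplained reflection at ~{dist} ft (amplitude {amp:+.2f}): inspect this point")
```

At these assumed settings one sample corresponds to roughly four inches of cable, which is why the sample spacing of the instrument sets how precisely an irregularity can be located.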
Non-Linear Junction Detection (NLJD)
This detection technique is used to locate the semiconductor components used in electronic circuits, e.g. diodes, transistors, etc. Bugging devices which contain these components (transmitters, tape recorders, amplified microphones, miniature TV cameras, etc.) are discovered in this manner. They are detectable even when secreted inside walls and objects. Special feature: Discovery is not dependent on the eavesdropping device being active at the time of the search.
Non-Linear Junction Detectors are used only by the best equipped firms due to the cost of the instrument ($15,000 to $30,000). Ownership of the proper instrumentation is, of course, only one indication of competence. But, as the old saying goes, "It's hard to drive a nail without a hammer."
Radio Frequency Spectrum Analysis
Eavesdropping devices which transmit a radio signal (over-the-air, or on building wiring) can be detected by an instrument called a Spectrum Analyzer ($6,000 to $80,000). In simple terms it can be thought of as a radio which has a very long, and continuous, tuning dial. The received signals are shown on a display screen for visual analysis, and are also converted to sound. Each signal is then individually evaluated by the technician to determine if it is carrying voice, data or video information from the area.
The next level up, for high-level corporate and governmental requirements, is Radio Reconnaissance Spectrum Analysis ® (RRSA). It consists of military-level computer-assisted radio receivers, coupled with microwave spectrum analyzers.
Low-cost pocket bug detectors ($100 to $700) and other broadband receiving devices ($500 to $2,000) should not be confused with (or used instead of) spectrum analyzers. Effectiveness of these devices ranges from fairly useful in a rural residential setting to useless in an urban business environment. This is due to their common principle of operation: the assumption that the strongest signal received will be from the bug in the room. Of course, the closer one is to a metropolitan area, where thousands of transmissions are being made all the time, the more faulty this logic becomes. Besides, the rule-book never said the transmitter has to be in the same room as the microphone.
The frequency range of the older spectrum analyzers used in countermeasures work is approximately 10 kilohertz (kHz) to 1.8 gigahertz (GHz). They are outdated by today's standards. Serious technicians use Spectrum Analyzers capable of tuning as high as 320 GHz. (30-40 GHz is currently more than adequate.)
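Why the strongest-signal logic breaks down in a city, as an added example that is not part of the original article. It uses a simplified model in which a broadband detector responds to the sum of all received power; every signal level and frequency is constructed, and the reference sweep is assumed to show the same environment without the hidden transmitter.

```python
import math

# Constructed received levels in dBm at the detector, keyed by frequency in MHz.
URBAN_AMBIENT = {98.1: -35.0, 101.5: -40.0, 152.24: -50.0}
RURAL_AMBIENT = {98.1: -80.0}
BUG = {250.0: -72.0}    # hypothetical weak transmitter near the inspected room


def total_power_dbm(levels):
    """Simplified broadband detector: all received power added together."""
    milliwatts = sum(10 ** (dbm / 10) for dbm in levels.values())
    return 10 * math.log10(milliwatts)


def broadband_rise_db(ambient, extra):
    """Change in the broadband reading when the extra transmitter is present."""
    return total_power_dbm({**ambient, **extra}) - total_power_dbm(ambient)


def unexplained(reference, sweep, floor_dbm=-95.0, margin_db=10.0):
    """Spectrum analyzer view: signals standing well above the reference sweep.

    Frequencies missing from the reference are treated as being at the
    assumed noise floor.
    """
    hits = []
    for freq, dbm in sorted(sweep.items()):
        if dbm - reference.get(freq, floor_dbm) >= margin_db:
            hits.append(freq)
    return hits


if __name__ == "__main__":
    print(f"rural broadband rise: {broadband_rise_db(RURAL_AMBIENT, BUG):.2f} dB")
    print(f"urban broadband rise: {broadband_rise_db(URBAN_AMBIENT, BUG):.4f} dB")
    urban_sweep = {**URBAN_AMBIENT, **BUG}
    print("signals needing evaluation (MHz):", unexplained(URBAN_AMBIENT, urban_sweep))
```

With these constructed levels the same transmitter moves the broadband reading by several decibels in the rural setting and by a fraction of a hundredth of a decibel in the urban one, while the frequency-by-frequency comparison still isolates it for evaluation.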
Eavesdropping radio transmissions can occur at almost any frequency. To give you an idea of the reception capability of a spectrum analyzer, think of your FM radio for a moment. Its tuning capacity is from 88 MHz to 108 MHz, 20 MHz in all; a choice of 4000 frequencies for an electronic eavesdropper to use. This is only 1/90th of what many spectrum analyzers receive.
Radio frequency spectrum analysis should also include the conversion of video signals received to a television type display. This technique detects video bugging devices and computer emissions (signals inadvertently emitted by some computers which can be received and reconstructed a considerable distance away). Also detectable are emissions from a computer which has been deliberately bugged.
Radio transmissions from bugging devices are usually detectable even if the device is only in the vicinity of the areas being inspected. This means that although only certain rooms may be slated for inspection, entire sections of buildings benefit from this particular test.
Thermal Emissions Spectrum Analysis ® (TESA)
This technique was pioneered at Murray Associates.
Heat is the graveyard of electricity. It is where expended electrons go to die. Look in the right places for these graveyards, and start digging. You just might find buried electronic surveillance devices... audio bugs, micro-sized video cameras, recorders, wiretaps, and the transmitters which move private sights and sounds to illicit eyes and ears.
The premise is simple. When electricity moves through any electronic circuit, some of the energy converts to heat. This is caused by resistance which is inherent in all circuits. Cooling a circuit to a temperature of absolute zero (0º Kelvin / -450º Fahrenheit) is the only way to eliminate resistance. Fortunately, refrigeration of electronic circuits is not practical in the real world, or the shadowy world of espionage. Electrons will meet with resistance. Heat will be generated. Heat will migrate. Heat can be detected.
Heat may be generally thought of as light waves that are too low in frequency for our eyes to see… thus the term used to describe this is infrared (below red). Neither can we hear radio waves, dog whistles and bats’ echo-locating sounds, because the frequencies are either too high, or too low, for our ears to hear. To perceive these out-of-our-perception frequencies we need some type of instrument which will detect and then convert them into something we can perceive. A thermal imager is basically a converter - taking low frequency light waves and converting them to the light frequencies we can see. Loosely speaking, radios perform the same function for our ears.
Currently, price is the only thing standing in the way of complete acceptance and adoption of TESA to TSCM toolkits. This instrumentation currently costs between $50,000. - $80,000. The good news is that rapid advancements in the field of thermal imaging sensors, combined with increased demand, should cause prices to fall into acceptable ranges within five years. (Note - Murray Associates currently offers this capability to their clients.)
There are three stunning advantages that TESA instrumentation brings to a TSCM inspection…
1. The ability to see slightly elevated temperatures. Example: Inspect 40,000 square feet of ceiling tiles in less than five minutes to find a 1 inch square video camera embedded in one tile.
2. The ability to see density differences in materials. Example: Inspect 40,000 square feet of ceiling tiles in less than five minutes and find where a video camera was - at one time - embedded in a ceiling tile.
3. The ability to see through some materials. Example: Certain materials which appear opaque in normal light become quite transparent when viewed at infrared wavelengths.
Common Misconception... Inexpensive law enforcement or fire department imagers ($6,000. - $30,000.) can be used if the area being inspected is either quickly heated or cooled just before viewing. This does not apply to TSCM work. The technique does not increase the temperature differential between a covert surveillance device and its surroundings. Small electronic objects do not have thermal mass. They will track with the temperature change as quickly as most other objects in the area.
The concept that a law enforcement, fire department or electrical maintenance thermal imager can be used in this manner has its roots in applications where the objects being viewed have great thermal mass compared to the features of interest. Finding buried bodies, and infrared examination of the Pyramids are two good examples of this.
“I tried a regular imager. It saw a hidden video camera. So why not just use it? It’s cheaper.”
Yes, the less sensitive imagers will see very hot covert surveillance devices. They are not, however, capable of seeing the majority of surveillance devices, or the slight density differences in enclosure materials which give away current and former installations. To be an effective TSCM instrument, a thermal imager must have an NEdT of less than 20 milliKelvins.
Thermal Emissions Spectrum Analysis is not a replacement for any other TSCM inspection procedure. It is simply an additional technique which greatly enhances detection capabilities.
Ultra-Violet Light Inspection.
In some cases ultra-violet light (long and short wave) will be used to inspect room surfaces. High frequency light can reveal fresh paint / putty, structural changes, hidden wiring, and other evidence of tampering not usually seen under normal light. Other tests which may be conducted include detection of: infrared light transmissions, laser beams, tracking beepers in vehicles, piezo-film and fiber-optic microphones.
In addition to the aforementioned tests you should be sure the investigative process covers infrared, fiber optic and other eavesdropping threats which will develop after this article is published.
The Final Report
When the inspection is over you should receive a full verbal debriefing. In this meeting your consultant will highlight all serious problems found, and will recommend solutions which need to be implemented immediately. You should also receive a written report within a week. It should include: A description of all the areas and communications equipment inspected. An explanation of all tests conducted. The findings. Recommendations for security improvements. A review of other espionage loopholes found. Security improvements since the last inspection and other useful espionage prevention information.
Final reports are important documents. Safeguard each one. Together they show your continuing effort to provide information security for specific areas within your company. This is your proof that you took extraordinary steps to legally classify your business information as proprietary and secret. You have gone above and beyond LAG. Courts will now listen, stockholders will be quiet, and the industrial spies will have to move on to your competitor's door for easier pickings.
About the author...
Kevin D. Murray - CPP, CISM has been solving electronic eavesdropping, security and counterespionage matters for business and government since 1973.
His many written works include:
Electronic Eavesdropping Detection and Industrial Espionage - The Missing Business School Courses formed the basis for his college course: Electronic Eavesdropping Detection & Industrial Espionage. Created for the John Jay College of Criminal Justice in New York City.
Mr. Murray is a Board Certified Forensic Examiner; a Board Member of the International Association of Professional Security Consultants; and a member of the American Society for Industrial Security.
The Murray Associates corporate client family keeps Kevin and his technical staff quite busy. However, there is always time to make a new friend, and room for one more family member.
Murray Associates services are available to corporations and government agencies only, throughout North America. The firm is classified for government procurement as a small business.