Wiretap And Bug Detection
A Roomsweeper's View of
Counter Measures Electronics 1983
The Basic Principles of Bug and Wiretap Detection
by Roger Tolces
As published in the California Association of Licensed
Fellow roomsweepers, bugsweepers and interested security professionals in the bug detection field, I felt it was time that someone wrote a nuts and bolts overview of wiretapping detection and counter measures in 1983. Most of the insights and opinions here will be from my own ten years of experience and study, and I do stay in touch with a network of counter measure and counterspy professionals around the country; some of their views may also be included. I will look at some general counter measures systems, bug detectors, and other detection tools available from many manufacturers and try to give a general evaluation of their functions and usefulness in detecting wiretaps and bugs.
Radio Frequency Bug Detection
The two basic systems in use today to detect radio transmission wiretap bugs are the field strength meter and the radio spectrum analyzer. The field strength meter has some real shortcomings in detecting wiretaps. It usually consists of a box with an antenna, a meter, and sometimes, in the more expensive ones, an audio listening circuit. They generally operate in the frequency range of .5 MHz to 1 GHz (1000 million Hz). The main problem with them is that they try to gulp this whole frequency spectrum at one time. In other words, they have no selectivity to separate one radio station from another. What this means is that if the bugging device you are sweeping for is of a lower power level than the ambient radio energy of the local AM, FM, television, aircraft, two-way radio, etc., the field strength meter will not detect the low level power emanating from the suspected wiretap bug. The higher power emissions will "step on" the lower power bug and in effect cancel the bug out. It's quite common to find bugging transmitters that will broadcast out of a building for a few blocks and yet be far under the power level of the local radio energy. The field strength meters that have listen capability usually do so with the use of a slope detector. In not so simple terms, an amplitude modulated receiver can be made to receive frequency modulated signals if the receiver is tuned so that the carrier frequency (at I.F.) falls on the side of the I.F. response curve. In simple terms, with this process you can hear some of the strongest AM and FM radio stations. If your hidden bug is powerful enough and if you are in close proximity you may hear the test sound you put into the room under evaluation - maybe! If the bug is transmitting in a complex modulation format or in digital code you will probably not discover it. The last problem with these units is that their circuitry is so simple that they sometimes have a big hole missing from their receiving response.
Now let's get on to what works reliably for finding most transmitter wiretap bugs.
The Radio Frequency Spectrum Analyzer
This is the right tool for the job. The radio frequency spectrum analyzer (RFSA) is a selectable radio frequency receiver with a built-in scope to display the waveform of the carrier that is tuned in; add on a slope-detecting listening circuit and you are ready for any kind of bug. The selectability of the analyzer allows you to tune in all carriers one at a time, adjust their bandwidth and amplitude for examination on the video screen, and adjust the signal for maximum audio demodulation ability. If you put an electronic noise source in the room under test you can even intercept the wave pattern of a complex or a digital bug. Now you're radio frequency roomsweeping.
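To put numbers on the selectivity point made in the two sections above, here is an added Python example (my own illustration, not equipment or data from the original article). It models the field strength meter as a plain sum of every carrier in its passband and the spectrum analyzer as a per-carrier comparison against the thermal noise inside its own resolution bandwidth; the ambient carrier levels, the bug's frequency and level, and the 10 kHz resolution bandwidth and 10 dB noise figure are constructed assumptions.

```python
import math

# Constructed ambient levels at the sweep antenna (frequency in MHz, power in dBm), standing
# in for the local AM, FM, television and two-way radio energy. Not measured data.
AMBIENT = [(1.07, -35.0), (101.1, -30.0), (195.25, -40.0), (462.6, -45.0)]
# Constructed weak transmitter bug: far below the ambient carriers, well above thermal noise.
BUG = (398.6, -80.0)

METER_LOW_MHZ, METER_HIGH_MHZ = 0.5, 1000.0   # .5 MHz to 1 GHz passband, as in the article
THERMAL_NOISE_DBM_PER_HZ = -174.0              # kT at room temperature, per hertz


def dbm_to_mw(dbm):
    return 10 ** (dbm / 10.0)


def mw_to_dbm(mw):
    return 10.0 * math.log10(mw)


def field_strength_reading(signals):
    """Broadband detector: every carrier in the passband is summed with no selectivity."""
    total_mw = sum(dbm_to_mw(p) for f, p in signals if METER_LOW_MHZ <= f <= METER_HIGH_MHZ)
    return mw_to_dbm(total_mw)


def meter_change_from_bug(ambient=AMBIENT, bug=BUG):
    """How far the needle moves, in dB, when the bug is added to the ambient energy."""
    return field_strength_reading(ambient + [bug]) - field_strength_reading(ambient)


def analyzer_sweep(signals, rbw_hz=10_000.0, noise_figure_db=10.0):
    """Selective receiver: each carrier is judged only against the noise inside its own
    resolution bandwidth, so strong neighbours elsewhere in the band cannot mask it.
    Returns (frequency_mhz, level_dbm, margin_db) for every carrier above the floor."""
    noise_floor = THERMAL_NOISE_DBM_PER_HZ + 10.0 * math.log10(rbw_hz) + noise_figure_db
    return [(f, p, p - noise_floor) for f, p in signals if p > noise_floor]


def bug_margin_on_analyzer(ambient=AMBIENT, bug=BUG):
    """Margin (dB) by which the bug's carrier stands above the analyzer's noise floor."""
    hits = [margin for f, _, margin in analyzer_sweep(ambient + [bug]) if f == bug[0]]
    return hits[0] if hits else None


if __name__ == "__main__":
    print(f"field strength meter moves {meter_change_from_bug():.6f} dB with the bug present")
    print(f"spectrum analyzer shows the bug {bug_margin_on_analyzer():.1f} dB above its noise floor")
```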
Non-Linear Junction Detectors
These are the electronic units that you see the guys walking around with - long poles, vacuum cleaning the walls - electronically, that is. On the end of the pole is a dual head antenna, one transmitting and one receiving. The principle of operation here is that the transmitting antenna transmits a pure microwave frequency and the receiving antenna does not pick it up. The receiving antenna circuitry is tuned to reject that transmitted frequency and to look for frequencies harmonically related to it. The reason that this is useful for debugging wiretaps is that transistors and integrated circuits, being semiconductor materials with semiconductor junctions, electronically resonate when radiated with the microwave transmitted energy. The received byproduct of this resonance is the second and third harmonic frequency of the transmitted fundamental. The non-linear junction detector (NLJD) consists of a meter and a headphone that gives visual and sound feedback when a semiconductor material is present. As in most debugging systems, there are some effectiveness tradeoffs. The units will also trigger off when they encounter the junction of dissimilar metals. Things like wire in false ceiling supports and metal wall supports can trigger it. This poses somewhat of a problem - do you tear into a client's wall when you get a positive reading? This could be an unexplainable mess. The other problem with these units is that their microwave transmitting power level is critical to their effectiveness. The original units produced for the government used around 1/2 watt power levels; the commercial units available are forced to have much lower levels by the FCC. I've done tests with two units on the market where one side of a transmitter bug was open and unshielded and the other side had metal shielding. As you rotated the bug in the presence of the NLJD the unit would go from detection to non-detection mode.
The other thing the NLJD is said to be useful for is discovering hidden microphones that use semiconductor elements such as electret condenser microphones. I tested the Sony ECM 16 microphone with both NLJD units and with both got a 'no detection' response. A microphone like this uses quite a bit of shielding on its element to protect it from radio frequency interference. The other obvious problem is what to do if the bug has been placed in the presence of known transistors. Bugs have been built into digital clocks and radios. One other thing: if you want to find out what sore arms and shoulders are all about, try using these units eight hours a night. These units cost three times as much as a good available R.F. spectrum analyzer, but I have some associates who think they are worth it.
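As an added illustration of the harmonic principle in the two paragraphs above (my own Python model, not the circuitry of any unit in the article), this drives three idealized loads with one cycle of a pure fundamental and measures what comes back at the second and third harmonics. The diode equation for the semiconductor junction, the symmetric cubic curve standing in for a dissimilar-metal contact, and the decision rule that weighs the second harmonic against the third are modelling assumptions, not claims from the article.

```python
import cmath
import math

DRIVE_AMPLITUDE_V = 0.3   # assumed peak voltage the fundamental induces across the load
SAMPLES = 256             # samples per cycle of the fundamental


def linear_load(v):
    """Plain resistive load: no junction, so the response is a scaled copy of the drive."""
    return v / 100.0


def semiconductor_junction(v, i_sat=1e-12, v_t=0.026):
    """Ideal diode (Shockley equation): strongly asymmetric, conducts on one half-cycle only."""
    return i_sat * (math.exp(v / v_t) - 1.0)


def dissimilar_metal_contact(v):
    """Assumed stand-in for a corroded or dissimilar-metal contact: a symmetric (odd) curve
    that bends the waveform the same way on both half-cycles."""
    return v / 1000.0 + 1e-3 * v ** 3


def harmonic_amplitudes(response, harmonics=(1, 2, 3)):
    """Drive the load with one cosine cycle and return the peak amplitude of each requested
    harmonic in the response (single-bin DFT per harmonic)."""
    samples = [response(DRIVE_AMPLITUDE_V * math.cos(2 * math.pi * n / SAMPLES))
               for n in range(SAMPLES)]
    levels = {}
    for k in harmonics:
        acc = sum(x * cmath.exp(-2j * math.pi * k * n / SAMPLES) for n, x in enumerate(samples))
        levels[k] = 2.0 * abs(acc) / SAMPLES
    return levels


def classify(levels, floor=1e-3):
    """Receiver-side decision. Harmonics far below the fundamental mean no junction at all;
    otherwise a dominant second harmonic (asymmetric curve) points to a semiconductor and a
    dominant third harmonic (symmetric curve) to a metal-to-metal contact."""
    h1, h2, h3 = levels[1], levels[2], levels[3]
    if h2 < floor * h1 and h3 < floor * h1:
        return "no junction"
    return "semiconductor-like" if h2 > h3 else "metal-contact-like"


if __name__ == "__main__":
    for name, load in [("resistor", linear_load), ("diode", semiconductor_junction),
                       ("metal contact", dissimilar_metal_contact)]:
        lv = harmonic_amplitudes(load)
        print(f"{name:14s} 2nd/1st={lv[2] / lv[1]:.3f} 3rd/1st={lv[3] / lv[1]:.3f}"
              f" -> {classify(lv)}")
```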
These test units can be some of the sweeper's most visually impressive tools: a suitcase crammed with wires, dials, readouts, and lights. The only problem is that many of the tests that these units perform are either not useful or marginal in effectiveness in detecting wiretaps. Take, for instance, the use of tone sweeps or high voltage tests for wiretaps. In the days before telephone electronic switching, you could call a target individual and your phone would be connected to his as it was ringing. This meant that if you planted a remote tone controlled unit in his telephone, you could turn it on without his answering. Of course, all his associates want to know why his telephone is always busy and he doesn't know. The new electronic switching systems today do not connect telephones until the called party has answered. In the past, buggers used high voltage batteries to turn on mouthpieces in telephones by planting semiconductor devices in the phone. Anyone who tries this today on a solid state business telephone system is asking to be discovered. In many medium to large size companies it is quite common to find the typical business telephone is isolated from the outside world by an in-house switching computer.
Well, what about tests measuring exchange voltage and loop current? These measurements look good on a chart for the client, but what do they really mean? Hook a volt meter to your telephone line some time for a day or two and you will see that exchange voltage will vary; some up to a volt in a 12 hour period. This is caused by the usage load demand on the central office batteries. Well, you say, you can compare the voltage from one telephone trunk to another for comparison. The only thing I can tell you is that generally when a person's trunk lines are bugged, all the lines are bugged and they all read the same voltage. Let's face it, most tape recorder wiretaps and battery operated transmitter taps draw such small amounts of current from the line that voltage is rarely affected to any noticeable degree. Making capacitive and A.C. impedance measurements is also somewhat fruitless because the typical tapping device is capacitively and resistively decoupled from the line and the first semiconductor of the device will probably be several million ohms of junction impedance. So what telephone test equipment and tests are effective?
The Telephone Sequencer, the Vector Scope, and KTS Manual
For testing the individual telephone instrument for wiretaps, the basic tool is the telephone sequencer. The sequencer is basically a patch bay that gives you the ability to separate out all fifty wires in a standard business telephone wall connection. The sequencer has compatible plugs so the unit plugs both into the phone instrument under test for wiretaps and into the feed to the switching equipment. The phone instrument can work normally and also be tested for wiretaps at the same time. One section of the sequencer has fifty switches that allow each one of the fifty wires of the instrument to be tested against the other forty-nine for electrical connection. The output of this sequencing network is especially meaningful when it is connected to a vector scope. The vector scope is an oscilloscope that is set up to display wave patterns for different types of electronic components under test. By sequentially testing all the wires of the telephone instrument and viewing the results on the vector scope, all the internal connections of the phone can be verified as standard or tampered. With the schematic diagram of the phone instrument under test looked up in the key telephone system's manual and open for reference, any questions of tampering or modification can be answered. During this test procedure we also feed an audio signal into the phone mouthpiece which can be seen on the vector scope to detect bypass modifications. One important bottom line test is to always disassemble and physically inspect all suspect telephone instruments for extra components. If you are not sure what the inside of the phone should look like, bring a phone of the same model from somewhere else for comparison.
Testing Telephone Trunks For Wiretaps and the Time Domain Reflectometer
The time domain reflectometer (TDR) is the best single piece of test equipment for wiretap detection. It can give you some help at knowing what's down the telephone wires at points you just can't get to. The TDR is a scope unit that can be best expressed as a radar for wires. It puts out short duration electronic pulses that are zapped down the wire under test. It then gives a waveform display of the reflections of these pulses that come back when the pulses meet different wire impedances along the way. The more mismatched the wire junctions or splices, the larger the amplitude of the corresponding section of wave signature on the scope.
Our primary use of TDR for wiretap detection is for looking out the trunk wires from the master trunk terminals toward the central office with the internal phone system unhooked. Using TDR in this manner, it is important to understand that the distance from the telephone room under test to the central office exchange equipment can be from one to fifteen miles. The further you are from the possible wiretap, the less the reflected wave amplitude from its connection. Add to these problems that if the phone company has used repeat coils in the line for matching, the TDR will not work through them. If the wiretap has high impedance (50 K ohms and up) and has very little cable lead to it, it will draw so small an amount of electrical energy from the line that the TDR may not see it.
Putting these problems aside for the moment, let's say your TDR shows a possible tap 1000 feet down the line and you can follow the line for 300 feet along the telephone poles over ground and then the cable goes underground to who knows where. So you call the local telephone company for assistance and ask them to help you to find and examine the suspected cable appearance point. The answer you will most likely get is that cable routing information out of the cable routing computer is confidential, unavailable, and you will get no help or cooperation. The only time we have gotten help on this kind of problem is when we have worked for top political candidates and even in those cases telephone security people supervised our inspections. Wiretap detection can be a tricky business!
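To put the distance and impedance problems of the TDR section into figures, here is an added Python example (my own illustration, not a procedure or reading from the article). It treats the pair as a transmission line with a characteristic impedance of 100 ohms, a velocity factor of 0.66 and a loss of 3 dB per 1000 feet; those three figures, the 1 kΩ tap used for contrast and the 1 percent display threshold are assumptions, while the 50 kΩ high-impedance tap and the 1000 foot distance come from the text above.

```python
FEET_PER_NS_IN_VACUUM = 0.9836   # speed of light in feet per nanosecond

# Assumed line parameters for a telephone pair; real cable varies, so measure your own.
Z_LINE_OHMS = 100.0
VELOCITY_FACTOR = 0.66
LOSS_DB_PER_KFT = 3.0
DISPLAY_THRESHOLD = 0.01          # assumed smallest echo the trace will show (1% of the pulse)


def bridged_tap_impedance(z_tap, z_line=Z_LINE_OHMS):
    """A tap across the pair sits in parallel with the line continuing on toward the exchange."""
    return z_line * z_tap / (z_line + z_tap)


def reflection_coefficient(z_seen, z_line=Z_LINE_OHMS):
    """Fraction of the outgoing pulse reflected where the line sees z_seen: zero for a matched
    line, +1 for an open end, -1 for a short, and very small for a slight mismatch."""
    return (z_seen - z_line) / (z_seen + z_line)


def round_trip_ns(distance_ft, vf=VELOCITY_FACTOR):
    """Delay between launching the pulse and seeing its echo from distance_ft down the pair."""
    return 2.0 * distance_ft / (FEET_PER_NS_IN_VACUUM * vf)


def distance_ft(round_trip_delay_ns, vf=VELOCITY_FACTOR):
    """Convert an echo delay read off the scope back into feet of cable."""
    return round_trip_delay_ns * FEET_PER_NS_IN_VACUUM * vf / 2.0


def displayed_reflection(z_tap, distance, loss_db_per_kft=LOSS_DB_PER_KFT):
    """Echo amplitude as a fraction of the launched pulse after round-trip cable loss."""
    gamma = reflection_coefficient(bridged_tap_impedance(z_tap))
    round_trip_loss_db = loss_db_per_kft * 2.0 * distance / 1000.0
    return gamma * 10 ** (-round_trip_loss_db / 20.0)


def tap_visible(z_tap, distance, threshold=DISPLAY_THRESHOLD):
    """Would the echo from this tap rise above the assumed display threshold?"""
    return abs(displayed_reflection(z_tap, distance)) >= threshold


if __name__ == "__main__":
    # 52,800 ft is ten miles, inside the one-to-fifteen mile range quoted above.
    for z_tap, dist in [(50_000.0, 1000.0), (1_000.0, 1000.0), (1_000.0, 52_800.0)]:
        print(f"{z_tap:>8.0f} ohm tap at {dist:>6.0f} ft: echo after {round_trip_ns(dist):.0f} ns, "
              f"amplitude {displayed_reflection(z_tap, dist):+.5f} of pulse, "
              f"{'visible' if tap_visible(z_tap, dist) else 'lost in the trace'}")
```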
This brings to a close my quick tour of counter measures electronics in 1983. I think you can see that with the many tradeoffs and compromises with equipment and techniques a respectable amount of skill, electronics knowledge, experience, and intuition are necessary to successfully detect wiretaps. The key skill necessary is wave pattern recognition of scope displays generated on test equipment that indicate the presence of suspect wiretap devices. Some equipment manufacturers would like you to believe that after a two-day course with them you can be an expert, or that the machines can run automatically and print out final decisive results. In the real world of electronic counter measures, it just ain't so.