Modeling Eavesdropping Devices

Evaluating TSCM and eavesdropping detection equipment can be tricky when a formal "Threat Model or Protocol" is not available. Outside of "Certain Government Channels" (DCI, DOS, DOD, etc.) a formal evaluation method generally does not exist to allow equipment performance to be evaluated, or for a "Threat Model" to be developed based on realistic threats.

Typically a TSCM specialist ends up gaining access to a few eavesdropping devices while trying to evaluate equipment, but sadly this puts the specialist in a rather touchy legal situation. Of course a TSCM specialist would never violate the law and possess bugs (ahem, cough-cough). Seriously folks, a TSCM specialist has no legitimate reason to possess, buy, sell, build, or otherwise fondle eavesdropping devices. Having dummy or mockup devices is one thing, but having actual devices will always come back to haunt you.

While this method of "playing with actual devices" does allow the evaluation of a specific threat, it does not permit more than a few devices to be evaluated. Sadly, this is also how the Spy Shops hustle "bug detectors": they demonstrate their special equipment by "finding" a bug prior to selling thousands of dollars of equipment.

I propose that you create a formal series of threat models to address the RF threat (for five levels), and that the protocols used are based on actual, practical, historical, and also assumed (or emerging) threats.
Proposed "Threat Model"
The "model eavesdropping device" typically used to evaluate TSCM equipment should consist of a signal that does not exceed half a milliwatt. This is critical in that most of the "Spy Shop Bug Detectors" will only alert on (fairly hot) 100 mW transmitters, and usually only ones in the VHF bands. This works well when the demonstrations are rigged, but is virtually worthless in the real world.
The signal (if FM) may use a very narrow FM deviation (below 3 kHz BW), or a very wide deviation (above 75 kHz, and often over 10 MHz BW). Note: The 3 kHz to 10 MHz bandwidth range covers about 85% of threat levels 1 through 3.
A typical "Bumper Beeper" has a bandwidth of 300 Hz or less, but also generates a fairly hot signal level. Most CDPD devices generate less than 250 mW, and are very easily detected.
The signal should be modeled both as a "locked" crystal controlled frequency (0.005%) and as a "drifty LC tuned signal" (3-5%). The instruments used must be able to "track the signal" as it drifts due to a variety of effects (up to 10-15% instability) through an AFC or peak hold function.
The signal may include frequency hopping, chirp, and similar modulation/ECCM types provided the "Dwell Time" is at least 5 µs or longer. This covers over 90% of levels 1 through 3, but less than 50% of threat levels 4 and 5 (which utilize multi-megabit QAM, BPSK, DS/SS, etc. and very short dwell times). Dwell times faster than this should be considered a threat level 4 or 5. (Note: Watch the pulse widths and repetition rates.)
Methods of modulation will include AM, FM, FSK, Phase, Pulse, FH, Spread Spectrum/DS, and other Pseudo-Noise based methods such as CPFSK (becoming very popular).
Narrow band Spread spectrum FH and DS should only be applied to levels 1, 2, and 3 with chipping rates below 1.5 M/bps.
Typically threat levels 1, 2, and 3 would cover only publicly available modulation methods such as AM, FM, WFM, SSB, FSK, QAM, BPSK, and other demodulation methods available in consumer, industrial, or broadcast equipment.
The "model signal" will include pulsed devices such as those used as bumper beepers, voice signals, or video signals (with limited bandwidth).
Threat levels 1, 2, and 3 will include threats using less than 10 MHz of BW, 40 MHz for levels 3 and 4, and 500-800 MHz or more for level 5.
The distances used for "modeling" the hostile device should include a standard 3 and 10 meter distance (or 8 ft / 30 ft) "in the realistic environment of usage" and not just in an ECM/EMI lab (which is typically shielded).
Path loss should be computed based on a model of at least 35 dB for concealment loss, and 35 dB for free space loss (assuming a 300 MHz signal). A model path loss of at least 110 dB is commonly used in government standards.
The equipment used to detect the signal in the field must possess the ability (through a tuned antenna, preamplifier, etc.) to generate a threat warning or alert. The threshold for this alert should be a 1/2 milliwatt (-3 dBm or less), 16 kHz BW signal (or less), at a distance of at least 30 feet, using an "alarm" sensitivity of at least -123 dBm or less (including the instrument noise figure).
On a typical 10/15 mW "spy shop" eavesdropping device the detection distance should increase to at least 300 feet or more. Narrow band 35-50 mW VHF wireless microphones must be detectable at a distance of at least 500 feet (750 feet for UHF microphones).
IF components, bleed-through, harmonics, spurious signals, intermodulation products, and other signal artifacts should be detectable at a distance of at least 1 meter when using a directional antenna. The "detected signal" must appear at the input of the analyzer or receiver at a level of at least -107 dBm (-128 or -129 dBm is ideal).
The ultimate goal is to "dig so deeply into the noise floor" that any type of energy present on the spectrum is detected and evaluated. This forces the TSCM'er to work just above the "Thermal Noise Floor" of -174 dBm. This is achieved by using high gain antennas, low loss cables, and strong preamplifiers.
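The link budget behind the figures above (a 0.5 mW source, 35 dB of concealment loss, free-space loss at 300 MHz, the 110 dB model path loss, the -123 dBm alarm threshold and the -174 dBm/Hz thermal floor) can be worked through in a few lines. The following is an added example, not code from the original tutorial or from tscm.com; the free-space term is the standard Friis formula, and the 3 dB receiver noise figure is an assumption used only to show how the -128/-129 dBm "ideal" figure falls out of a 16 kHz bandwidth.

```python
"""Link budget for the page's model eavesdropping device.

Added example, not part of the original tutorial. It applies the figures the
page gives (0.5 mW source, 35 dB concealment loss, free-space loss at 300 MHz,
a 110 dB model path loss, a -123 dBm alarm threshold, a 16 kHz bandwidth and
the -174 dBm/Hz thermal floor). The free-space term is the standard Friis
formula; the 3 dB receiver noise figure is an assumption.
"""
import math

THERMAL_NOISE_DBM_PER_HZ = -174.0   # kTB at room temperature, as cited on the page
ALARM_THRESHOLD_DBM = -123.0        # page's minimum "alarm" sensitivity


def dbm_from_mw(milliwatts: float) -> float:
    """Power in mW expressed in dBm (0.5 mW -> about -3 dBm)."""
    return 10.0 * math.log10(milliwatts)


def free_space_loss_db(distance_m: float, freq_mhz: float) -> float:
    """Friis free-space path loss: 20log10(d_km) + 20log10(f_MHz) + 32.44."""
    return 20.0 * math.log10(distance_m / 1000.0) + 20.0 * math.log10(freq_mhz) + 32.44


def noise_floor_dbm(bandwidth_hz: float, noise_figure_db: float) -> float:
    """Receiver noise floor inside the analyzer's resolution bandwidth."""
    return THERMAL_NOISE_DBM_PER_HZ + 10.0 * math.log10(bandwidth_hz) + noise_figure_db


def received_level_dbm(tx_dbm: float, concealment_loss_db: float, path_loss_db: float,
                       antenna_gain_db: float = 0.0, preamp_gain_db: float = 0.0,
                       cable_loss_db: float = 0.0) -> float:
    """Level at the receiver input after concealment, path and front-end terms."""
    return (tx_dbm - concealment_loss_db - path_loss_db
            + antenna_gain_db + preamp_gain_db - cable_loss_db)


def detection_margin_db(received_dbm: float,
                        threshold_dbm: float = ALARM_THRESHOLD_DBM) -> float:
    """Positive when the received level clears the alarm threshold."""
    return received_dbm - threshold_dbm


def model_case(distance_m: float = 10.0, freq_mhz: float = 300.0,
               noise_figure_db: float = 3.0) -> dict:
    """Work the page's model: a -3 dBm source behind 35 dB of concealment."""
    tx = dbm_from_mw(0.5)
    fspl = free_space_loss_db(distance_m, freq_mhz)
    rx_free_space = received_level_dbm(tx, 35.0, fspl)
    rx_model_110 = received_level_dbm(tx, 0.0, 110.0)   # the 110 dB government model
    floor = noise_floor_dbm(16_000, noise_figure_db)
    return {
        "tx_dbm": tx,
        "free_space_loss_db": fspl,
        "rx_dbm_free_space": rx_free_space,
        "rx_dbm_110_model": rx_model_110,
        "margin_db_110_model": detection_margin_db(rx_model_110),
        "noise_floor_dbm": floor,
        "snr_db_110_model": rx_model_110 - floor,
    }


if __name__ == "__main__":
    for key, value in model_case().items():
        print(f"{key:>22}: {value:8.2f}")
```

With the page's numbers the 110 dB model leaves the signal at about -113 dBm, 10 dB above the -123 dBm alarm threshold and roughly 16 dB above a -129 dBm noise floor in 16 kHz. Friis gives about 42 dB of free-space loss at 10 m and about 31.5 dB at 3 m for 300 MHz, which brackets the 35 dB round figure the page uses; antenna gain, preamplifier gain and cable loss are the knobs the page names for pushing the received level further above the floor.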
Frequency coverage must include the primary threat 9 kHz - 2.7/3 GHz band for levels 1, 2 and 3 threats.
The primary threat may also include the 3 GHz - 18 GHz bands for lower end microwave threats, but this would raise the threat level to a 4 or higher. Level 4 threats could be considered up to 40 GHz due to the availability of eavesdropping equipment around 30-35 GHz. Threat level 5 includes emissions above 35/40 GHz.
Frequencies between DC and 500 kHz that are found during conducted or radiated measurements would classify as a level 1, 2, or 3 threat (typically a carrier current VLF device).
Conducted emissions above 500 kHz should be considered at least a level 2 threat up to 30 MHz. Conducted signals between 30 MHz and 400 MHz should be considered at least a level 3 threat. Above 400 MHz a threat level of 4 or 5 would apply.
Just over 95% of threat levels 1, 2, and 3 radiated signals appear below 3 GHz (not including recent additions to the 5.8 GHz ISM bands such as the Trango products).
Of the remaining "lower threat" microwave devices 3% appear below 18 GHz and the balance below 40 GHz (and are fairly easy to detect).
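The frequency, bandwidth and dwell-time rules above can be combined into a single "lowest level this signal can be" check, which is useful when a finding has to be logged with a threat level before the signal is fully characterized. The following is an added example, not code from the original tutorial or from tscm.com. Each rule is transcribed from the text; where the text gives a range ("4 or 5", "1, 2, or 3") the lower bound is used, so the result is a floor, not a final classification, and reading the bandwidth steps (10 MHz, 40 MHz, 500 MHz) as "at least level 3 / 4 / 5" is this example's interpretation.

```python
"""Threat-level floor from the page's frequency, bandwidth and dwell-time rules.

Added example, not part of the original tutorial. Each rule is transcribed
from the text; where the text gives a range ("4 or 5", "1, 2, or 3") the
lower bound is used, so the result is the lowest level a signal can be
given, not a final classification. Treating the bandwidth steps (10 MHz,
40 MHz, 500 MHz) as "at least level 3 / 4 / 5" is this example's reading.
"""

CONTINUOUS = None   # dwell-time marker for an "open transmission" carrier


def radiated_floor(freq_hz: float) -> int:
    """9 kHz-3 GHz: levels 1-3; 3-40 GHz: level 4 or higher; above 40 GHz: level 5."""
    if freq_hz <= 3e9:
        return 1
    if freq_hz <= 40e9:
        return 4
    return 5


def conducted_floor(freq_hz: float) -> int:
    """Carrier-current and other conducted findings, by the page's bands."""
    if freq_hz <= 500e3:
        return 1            # VLF carrier current device: level 1, 2 or 3
    if freq_hz <= 30e6:
        return 2            # at least level 2
    if freq_hz <= 400e6:
        return 3            # at least level 3
    return 4                # level 4 or 5


def bandwidth_floor(bw_hz: float) -> int:
    """Under 10 MHz: levels 1-3; up to 40 MHz: levels 3-4; 500 MHz and up: level 5."""
    if bw_hz < 10e6:
        return 1
    if bw_hz <= 40e6:
        return 3
    if bw_hz < 500e6:
        return 4
    return 5


def dwell_floor(dwell_s) -> int:
    """Dwell shorter than 5 us (fast hopping, chirp, DS) is a level 4 or 5 threat."""
    if dwell_s is CONTINUOUS or dwell_s >= 5e-6:
        return 1
    return 4


def threat_level_floor(freq_hz: float, path: str = "radiated",
                       bw_hz: float = 16e3, dwell_s=CONTINUOUS) -> int:
    """Combine the rules: the strictest floor wins."""
    if path == "radiated":
        band = radiated_floor(freq_hz)
    elif path == "conducted":
        band = conducted_floor(freq_hz)
    else:
        raise ValueError(f"unknown path {path!r}")
    return max(band, bandwidth_floor(bw_hz), dwell_floor(dwell_s))


if __name__ == "__main__":
    # Constructed findings, not measurements from the page.
    findings = [
        ("143.050 MHz narrowband carrier", 143.05e6, "radiated", 16e3, CONTINUOUS),
        ("2 MHz carrier current on mains", 2e6, "conducted", 10e3, CONTINUOUS),
        ("2.4 GHz hopper, 1 us dwell", 2.4e9, "radiated", 1e6, 1e-6),
        ("5.8 GHz ISM link", 5.8e9, "radiated", 20e6, CONTINUOUS),
        ("60 GHz emission", 60e9, "radiated", 1e9, CONTINUOUS),
    ]
    for label, f, path, bw, dwell in findings:
        print(f"{label:32s} -> at least level {threat_level_floor(f, path, bw, dwell)}")
```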
The signal may be present for only a few microseconds, such as those used by "bumper beepers", CDPD tracking systems, and so on. The model (for a threat level of 3) should assume the signals would be present for no more than 5 µs.
The signal may be "Stimulus Activated", such as a drop-out relay, and may only generate RF on command (popular with "phone bugs") or through a VOX circuit. Considering this, the spectrum must be monitored for any variations for at least 15 minutes after the application of any type of stimulus (90 minutes is ideal). Typically an audio signal is used to create the stimulus.
The more common device is the "open transmission wireless microphone" where the eavesdropping device is generating a continuous RF field (very popular with amateur spies around threat levels 1 and 2).
The "Model" must take each of these issues into account, and must also factor in native RF levels, broadcast frequencies, losses due to concealment, and of course other issues.
It is important that the "simulated threat" used for testing is created with instruments (such as an arbitrary waveform generator, or signal simulator) and not an actual eavesdropping device. This allows for more flexibility in exploring various threats, and allows for more accurate measurements (and more reality).
The "model" may then be compared to actual eavesdropping devices periodically to ensure that it accurately reflects "The Threat". Simply create the threat model and occasionally throw a consumer device, spy shop toy, test oscillator, or even an eavesdropping device at it to test its integrity.
What follows is a sample technical protocol used to find RF energy using a spectrum analyzer for "bug hunting at the noise floor". Of course other settings (wider RBW/Spans, etc.) are also used for wide band signals, but the following will "hit on" most narrowband eavesdropping devices and bands.
This protocol may be applied to lists of specific known bug frequencies (143.050 MHz), lists of common "bug band spans" (135-174 MHz), or to a wider area of RF spectrum (100 Hz to 6.5 GHz) to identify potential eavesdropping signals. The entire "hunting" sequence is also best automated by using a laptop computer and a digital spectrum analyzer.
Just remember that in TSCM we are more interested in what is at the BASE of the signal than in what is at the top of it. Any type of variation in the noise floor should be considered hostile until proven otherwise.
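The "watch the base of the signal" rule, the peak-hold tracking of a drifting carrier, and the post-stimulus monitoring window can all be expressed as one small piece of detection logic over analyzer sweeps. The following is an added example, not the page's own protocol and not code from tscm.com: it peak-holds a set of pre-stimulus sweeps as a baseline, peak-holds the sweeps taken after the stimulus, and reports every bin where new energy rose above the baseline by a margin. The 21-bin span around 143.05 MHz, the sweep levels and the 6 dB margin are constructed for the example; a real run would read sweeps from the analyzer over the 15 to 90 minute window.

```python
"""Post-stimulus noise-floor watch over spectrum-analyzer sweeps.

Added example, not the page's own protocol. Peak hold across repeated
sweeps keeps a drifting carrier; a median gives a robust floor estimate;
sweeps taken after the audio stimulus are compared against a pre-stimulus
baseline. All sweep data here is constructed for the example.
"""
import statistics
from typing import Dict, List, Tuple

START_HZ = 143_000_000       # constructed span: 143.00 to 143.20 MHz
STEP_HZ = 10_000             # 10 kHz per bin
N_BINS = 21


def make_sweep(floor_dbm: float, peaks: Dict[int, float]) -> List[float]:
    """Constructed sweep: a flat floor with the given bin -> level peaks."""
    sweep = [floor_dbm] * N_BINS
    for idx, level in peaks.items():
        sweep[idx] = level
    return sweep


# Baseline: three sweeps before the stimulus, one strong local signal at bin 3.
BASELINE_SWEEPS = [
    make_sweep(-125.0, {3: -60.0}),
    make_sweep(-126.0, {3: -60.0}),
    make_sweep(-125.5, {3: -60.0}),
]

# After the audio stimulus: a weak carrier appears near 143.05 MHz and drifts
# one bin between sweeps (the "drifty LC tuned" behaviour the page describes).
POST_STIMULUS_SWEEPS = [
    make_sweep(-125.0, {3: -60.0}),
    make_sweep(-125.5, {3: -60.0, 5: -118.0}),
    make_sweep(-125.0, {3: -60.0, 6: -117.0}),
]


def peak_hold(sweeps: List[List[float]]) -> List[float]:
    """Max-hold across sweeps: a signal seen in any single sweep survives."""
    return [max(levels) for levels in zip(*sweeps)]


def noise_floor_estimate(sweep: List[float]) -> float:
    """Median bin level, which ignores a few strong carriers."""
    return statistics.median(sweep)


def bin_to_freq_hz(idx: int) -> int:
    """Centre frequency of a bin in the constructed span."""
    return START_HZ + idx * STEP_HZ


def flag_variations(baseline: List[float], candidate: List[float],
                    margin_db: float = 6.0) -> List[Tuple[int, float]]:
    """Bins where the candidate exceeds the baseline by at least margin_db."""
    flagged = []
    for idx, (base, cand) in enumerate(zip(baseline, candidate)):
        rise = cand - base
        if rise >= margin_db:
            flagged.append((idx, rise))
    return flagged


def monitor_after_stimulus(baseline_sweeps: List[List[float]],
                           post_sweeps: List[List[float]],
                           margin_db: float = 6.0) -> List[Tuple[int, float]]:
    """Peak-hold both sets and report (frequency_hz, rise_db) for new energy."""
    base_hold = peak_hold(baseline_sweeps)
    post_hold = peak_hold(post_sweeps)
    return [(bin_to_freq_hz(idx), rise)
            for idx, rise in flag_variations(base_hold, post_hold, margin_db)]


if __name__ == "__main__":
    print("baseline floor:", noise_floor_estimate(peak_hold(BASELINE_SWEEPS)), "dBm")
    for freq, rise in monitor_after_stimulus(BASELINE_SWEEPS, POST_STIMULUS_SWEEPS):
        print(f"{freq / 1e6:.3f} MHz rose {rise:.1f} dB above baseline: "
              "hostile until proven otherwise")
```

The strong -60 dBm signal at bin 3 is never reported because it was already in the baseline; only the two bins the weak carrier occupied while drifting are flagged, at 7 and 8 dB above the floor. Comparing peak-hold traces rather than single sweeps is what lets a carrier that is only keyed briefly, or that drifts, still show up in the "base" of the spectrum.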
... of course your mileage may vary ...
To be contacted for a confidential consultation please E-mail: jmatk@tscm.com
URL: http://www.tscm.com/