15 July 1997: Link to recent report on spread spectrum microwave bugging devices.
30 January 1997
Thanks to SS for publicizing this document.
James M. Atkinson
Granite Island Group - TSCM.COM
127 Eastern Avenue #291
Gloucester, MA 01931-8008
0.902 - 0.928 ghz - Popular Commercial FH/DS Devices
1.710 - 1.755 ghz - DEA Audio/Video Bugs (over 1400 bugs purchased in 1995)
1.710 - 1.755 ghz - DOJ Audio/Video Bugs (.25 to .50 watts)
1.710 - 1.850 ghz - Treasury Video Surveillance Systems
2.400 - 2.484 ghz - Popular Commercial FH/DS Devices
4.635 - 4.660 ghz - Treasury Video Surveillance Systems
Most recently purchased government microwave surveillance gear seems to be running between 900mhz to 5ghz, with a few systems operating on the 7/8 ghz bands.
Also, keep in mind that the pros love to use ultra low power devices which use the power lines as the transmission medium/antenna (9khz to 300 mhz). Devices typically operate below 10mw, often below 1mw. The devices typically use Wide FM and use voice inversion encryption... VERY easy to demodulate.
Note: According to a recently obtained DOJ surveillance training manual:
"The typical range for the 28 ghz devices is six miles, the typical range of the 2.4 ghz is thirty miles, and the typical range for the 1.7ghz is 44 miles."
"... frequency modulated applications should operate below 3 ghz to take advantage of the favorable frequency propagation characteristics of that part of the spectrum."
"...Frequency Hopping and Direct Sequence Devices spread spectrum devices should operate above 1.5 ghz, this will prevent the emissions from being detected by electronic countermeasures."
The most popular surveillance receiver used covers 9khz (for CC/VLF) up to 9ghz, so be sure to cover AT LEAST those bands.
All TSCM people have heard about AID devices, but few know the actual frequency they use, or what they look like.
The devices are VERY popular with the law enforcement crowd, private investigators and corporate security types. The equipment is VERY over-priced, and the fairly easy to detect.
AID bills itself as "The World's Largest Manufacturer of Electronic Intelligence Equipment and Specialized Protective Systems."
AID was founded in 1970, and was sold in 92/93 to Westinghouse (Westinghouse is currently selling TONS of equipment to the DEA and State Department).
AID - Westinghouse/Audio Intelligence Devices, Inc. Bug Frequencies:
135 MHz - 150 MHz Special Order/Secondary Band
150 MHz - 174 MHz Standard/Primary Band (Most Popular)
216 MHz - 220 MHz Special Order
400 MHz - 470 MHz UHF Repeaters
21 MHz - 80 MHz Very Low Power WFM (.5mw - 10mw) Special Order Only
36 MHz - 39 MHz Very Low Power WFM (.5mw - 50mw) - Very Dangerous
80 kHz - 200 kHz "Line Carrier" Microphone Systems - Very Dangerous
30 kHz - 700 kHz Spread Spectrum Current Carrier Devices
1700MHz - 1900MHz 25-250mw Video and audio bugs (Mostly DEA/DOJ stuff)
2400MHz - 2484MHz 25-250mw Video and audio bugs
If the signal is "scrambled" it is nothing more than simple voice inversion, a circuit to "de-scramble" costs around $20.
Note: AID devices are often re-tuned for outband channels... so be careful.
The area of spectrum from 15MHz to 500MHz is the primary threat, 500MHz to 3GHz is the secondary threat, a "line carrier" threat is from 30kHz to 750kHz.
If the person planting the bug suspects that a TSCM inspection may be conducted then AID suggests a frequency between 30MHz to 50MHz, sensitivity of receiver should be better than .18uv/-122dbm. The mode is usually wideband FM.
Also, keep in mind that AID devices are frequently used for illegal buggings, so be familiar with their realistic specs, expect power outputs well under 50mw, and expect to see the AC power circuits being used as the antenna.
Note: Mike Langley at NIA advises that AID/NIA/Westinghouse is totally shutting down all TSCM training, in that they have cancelled the production of all TSCM products effective 1 Jan 97.
Several devices were recently found at a DOE facility on Long Island, details are a bit sketchy, but initial information indicates that a defecting middle-eastern FIS agent provided a list of locations within several DOE facilities that were being targeted. TSCM inspection (not performed by DOE) located several devices. Facility/lab working on designs for triggering mechanisms... very interesting incident.
HDS - Household Data Services
50.000 - 750.000 kHz Carrier Current Audio System
120.000 - 400.000 kHz Carrier Current Audio System
138.000 - 174.000 MHz Wireless microphone/Body Wires (8KR Series .1 to 30 mw)
150.000 - 174.000 MHz Wireless microphone/Body Wires (ATX Series .1 to 30 mw)
174.000 - 230.000 MHz Wireless microphone/Body Wires
350.000 - 440.000 MHz Audio/Video Transmitters (360-440 popular)
470.000 - 608.000 MHz Audio/Video Transmitters
570.000 - 928.000 MHz Audio/Video Transmitters (Spread Spectrum Popular)
1,000 - 1,500 MHz Low Power Audio/Video Transmitter (10-100mw max)
1,425 - 1,450 MHz Low Power Audio/Video Transmitter (10-100mw max)
1,700 - 2,700 MHz Audio/Video Transmitters 2.4-2.5 hot (10-100mw max)
1,710 - 1,900 MHz Audio/Video Transmitters (10-100mw max) HOT
6,425 - 7,125 MHz Low Power Audio/Video Transmitter (10-100mw max)
8,100 - 8,700 MHz Audio/Video Transmitter, 8.2/8.5 popular (10-100mw max)
10,200 - 10,700 MHz Audio/Video Transmitter, 10.5 popular (10-100mw max)
17,700 - 19,700 MHz Low Power Audio/Video Transmitter (10-100mw max)
20,000 - 24,600 MHz Low Power Audio/Video Transmitter (10-100mw max)
Sony - Wireless Microphones and Body Wires
470.000 - 489.000 MHz 2.5mw - 20mw, WFM (110kHz), Ultra low power
770.000 - 782.000 MHz 2.5mw - 10mw, Ultra low power - Chnl 64
782.000 - 794.000 MHz 2.5mw - 10mw, Ultra low power - Chnl 66
794.000 - 806.000 MHz 2.5mw - 10mw, Ultra low power - Chnl 68
770.000 - 810.000 MHz 2.5mw - 20mw, WFM (110kHz), Ultra low power
902.000 - 928.000 MHz 2.5mw - 20mw, WFM (110kHz), Ultra low power
947.000 - 954.000 MHz 2.5mw - 20mw, WFM (110kHz), Ultra low power
60.000 - 970.000 MHz 2.5mw - 10mw, WFM (300kHz) Audio Transmitter
Note: These little low power devices have an adjustable frequency deviation which can be adjusted to as high as +/- 225khz... System also uses a matched receiver. Entire system transmitter and receiver sell for under $2500.
Imagine a 3mw transmitter operating at 782mhz (snuggled up to the audio of the local TV transmitter) using a 100khz cue channel subcarrier. Life expectancy at least 350 hours (using lithium cells). Reasonable range at least 1500 feet indoors.
Finished putting the final touches on a new page concerning Mace and Personal Protection Sprays.
Drop by and let me know what you think.
The ASP - Armament Systems and Procedures - Web page is now also online, the address follows:
BMS manufactures a line of pro-grade products used primarily for the Broadcast and Television markets, but their prices are cheap, very small, low power, and a serious threat to our clients.
Most of their voice/video/telem products (i.e.: BMT25-S) operates from 900mhz-4ghz, and are easily detectable at 10mw and 100mw.
The major threat is from the X-Band, and Ku-Band devices which they sell that operate up to 13.5ghz.
Keep in mind the devices are as small as 1.0in x 1.0in x 3.3in, and can be run from a 12vdc battery for days, if not weeks.
Most of the devices utilize a variable frequency audio dual sub-carrier between 4 to 9 mhz.
They sell small omni-directional, and highly directional antenna as well.
Intel on Microwave surveillance system (made by AST in MD ??)
1.2 to 2.2 ghz
3.7 to 4.2 ghz
5.9 to 6.45 ghz
Special Order Devices (1.4 ghz bands)
1.2 to 2.8 ghz - Justice just bought a bunch of these
2.2 to 3.8 ghz
3.2 to 4.8 ghz - State Department item
4.2 to 5.8 ghz
5.2 to 6.8 ghz
Tech material mentions product available to 8.5/8.8 ghz.
All functions (including frequency) are software controlled, Direct Sequence output, 60 mhz window for spread spectrum.
Device designed to transmit FDM baseband signals from a PBX backplane using QAM 64 or 256 modulation.
The box I examined measured 1 x 3.5 x 3 and took power from 8 to 16 vdc (12 pref).
Output power fixed at 100mw.
Recently I did some work designing an experimental spread spectrum wireless microphone.
The goal of the project was to see just how small, and how cheaply a realistic device could be built.
Initial goal was a device that would use the 47 CFR 15.247 for the ISM band from 902 to 928 mhz and an enhancement (jumper change) mode to extend the upper frequency range to 954 mhz.
The device would have to have a range of at least 150 feet in a hotel building and/or office building (parking lot monitoring).
The device must be small enough to be "dropped in a pocket," concealed in the seam of a drape, and placed into furniture.
Device must use consumer (radio shack) batteries.
Device must cost less $100 in materials to build.
I felt the above specs would reflect a realistic device.
1) Battery used was 2 each EPX-76 cells which gave 2.5 to 3 hours of usable audio, sub-ed a DL123A lithium which upped the time to over 4 days (and still counting).
2) Microphone was two surface mount Seimens hearing aid elements.
3) Spread Spectrum controller was a surface mount WL-9010 from Wireless Logic, the chip is a compact stand alone transmitter.
4) Used a Mitsubishi codec chip commonly used in cellular telephone with a noise cancelling circuit (this is why two microphones were used).
5) Small pot was used to adjust the output power between .15mw to 65mw.
6) All components used where SMT versions, hot flow was used for assembly
7) Entire circuit was assembled on a .30 by .25 inches square double-sided printed circuit board.
8) PCB soldered directly to battery cap.
9) .5 inch long paper clip used as antenna.
10) Currently working on a telephone line version.
11) Range at 50mw (legal power limit) tested usable and clear at 260 feet (device placed in hotel room, and monitored in the parking lot).
12) Device WAS NOT detectable with an AVCOM 65 until the antenna was within 8 inches of the device (until a hump started to slightly appear).
What doe this tell us?
Spread spectrum devices can be real small, cheaply made, and low power using off the shelf products.
Watch that area between 800 mhz and 1 gig.
We are interested in purchasing old catalogs, training materials, and technical documentation used by Audio Intelligence Devices, HDS, and other surveillance companies.
Specifically we are looking for:
Old product catalogs.
Sales materials picked up at trade shows (i.e.: NATIA).
Training Manuals from National Intelligence Academy.
Textbooks from National Intelligence Academy.
Product Owners Manuals.
Product Service Manuals.
We are also interested in purchasing "generations" of materials, so if you have ten years worth of old catalogs from the '70s were interested.
Let us know what you've got, and we'll work out cash payment arrangements.
The materials will be used for project that starts in January and will run for at least six months.
If you have materials from other technical intelligence schools or surveillance we could also be interested.
I recently had a chance to examine a new device made by Delft Industries.
It is very similar to the X-Band units I've examined, except that the frequencies were higher and mods were much more subtle.
Small PCB was cemented into the rear of the unit, underneath the regular PCB (black rubber covered 1.5 cm x 4cm x .8cm).
Unit consisted of a two microphones, compander circuits, power supply/regulator, and modulator circuit.
Compander circuit operated dual circuits around 120hz to 15khz.
No external mods to case, only very small variation in power drain, no internal battery, several large surface mount caps...
Entire unit double sided surface mount PCB, looks like 4 layers, 2/3 digital circuitry, 1/3 analog and RF circuitry.
The only mods to the alarm PCB was the cutting of several traces on the back of the PCB (near the emitter circuit).
The doppler alarm operated between 24 ghz and 24.25 ghz, intelligence seems to be a 480k bit digital data stream using the alarm signal as the carrier (QAM mod).
Looks like one version of the product will also allow someone to deactivate a specific sensor remotely upon on command.
According to the factory, the units are being shipped into Canada and Mexico in quantity, then transported into the US in small quantities.
Heavy usage in Texas, New Orleans, Florida, California, and Pennsylvania.
Device have already been offered for sale in several "spy shops" in New York, and Miami.
- Be Careful Out There
You may find it interesting to revisit our web site in the near future, during the last few months the site has undergone incredible growth, copious additions, and changes..
On January 2, 1997 we rolled out several new product lines which increased the number of TSCM products on our web page to over 1,000 TSCM and technical security products.
At the present time we have over 12,500 pages of printed documents available for download.
If you haven't reviewed it yet, be advised that we now have a TDR tutorial page available online.
We've also updated the materials we have online regarding the REI OSC-5000:
DOJ just took delivery of a large number of video transmitter modules.
Operating frequencies between 8ghz and 11ghz (PLL field programmable).
10mw rf output (max), nominal 8.5mw.
Power draw below 35ma.
Baseband video trans, not SS.
All modules have audio inputs (solder tab), standard audio subcarrier, audio section may be disabled to conserve power.
Min. effective (flat array ant) range indicated as 2700 feet line of sight, and 1500 rural.
I would estimate the range to be below 500 ft with a unity gain antenna.
A number of the units came pre-installed in fake squirrel and birds nests with a low light auto iris CCD camera (unknown manufacturer, suspect Kodak). I've seen similar units used by the DEA (installed under tree bark).
Both unity gain ant config (stub), and biconical flat pack.
Power requirements seem to correlate to 9vdc lithium batteries.
From what I can see on the physical specs, looks like the transmitter, and camera combined are 2/3 the size of a standard 9vdc battery.
The document indicates government paid $874 per module (Xmit module only), document also mentions req code for the "domestic counterterrorism" program.
I wonder if these are the "tree frogs" that the boys at Quantico were trying to get bids on, back in September?
It's only a matter of a few months before these devices start getting "lost in the field " and start re-appearing in the private sector.
I've heard from several engineers at TI that an unidentified government law enforcement agency has them working on a super compact thermal imaging system and video transmitter for covert surveillance. System utilizes an electronic LCD chopper instead of the regular mechanical chopper. Device contains integral microwave transmitter (unknown frequency). From what I can gather, these are going to be used for conducting long term thermal surveillance of areas... I will advise as I obtain further intel.
Just finished reading the 1997 Hewlett-Packard's opto-electronics designers guide, and found several items of interest.
Most of us are familiar with the low power 900nm I/R devices.
But did you know that they also make CHEAP LED's for communications that operate from 700nm to 1510nm??
700, 710, 875, 905, 940, 1100, and 1510nm are the most common products in the HEMT line.
Can be modulated (open air) from 0 to 750khz with no problem, and higher speeds with some minor distortion.
Just a heads up.
We are taking delivery of the first 95S radio's and third generation MSS units from Boeing... We are expecting initial shipments to customers mid to end of Feb.
The 95S is a stand alone wideband receiver designed for SIGINT and TSCM, weighs in at just under 8 lbs (complete). Radio will retail for around 6,000 and 7,500 dollars (US) depending on configuration.
While the unit is fully self contained, we will have a VME version available (we have them now). Coverage is a clean from 5khz to 8ghz (yes 8ghz), and sensitivity is superior to anything Watkins Johnson makes.
Receiver is being built into the new MSS-3500 briefcase system, which will allow automated spectrum monitoring of 40ghz of spectrum in 8/9ghz segments.
Just finished playing with a nasty little Radio Shack (CM-421) single channel VHF microphone.
While the product is designed for use in the 160-220 range, it's designed so that to be recrystalized and usable anywhere in the world.
The product can be easily retuned from 90-300Mhz (by the book), power output is variable via a pot from 5mw to 50mw.
Current drain is around 40ma at 50mw, and much lower for 5mw output.
Product is extremely stable, with adjustable deviations (to +/1 100khz).
Integral tietack microphone.
Radio Shack will sell the transmitter only for around 50 bucks (I bought several to evaluate).
Recently had access to some of the new fiber optic devices out there and wanted to post some of the techniques by which they can be detected.
Subject device optics are made by Corning Glass, and consists of three components. The "electronics" are manufactured by E-systems in Dallas, TX.
The entire installation kit fits into two 18 x 22 x 7 briefcases made by SKB, the first case contains a battery powered automatic fusion splicer/LID, equipment to test the installation, and a tool kit. The second case contains the microphones, spools of "cable", optical modules, controllers, and battery packs.
1. "Front-End Microphone" is a small glass cylinder roughly 2.5mm wide x 5mm long with a small 1.5mm long pinhole tube on one end, and a 3 to 12 ft 50/125 fiber tail on the other. This part of the system is designed to be installed "pinhole" style. Pigtail cable is routed to and fusion spliced into a "Runner Cable". The microphone contains small barbs to keep it in position with out the use of adhesives. A small 2.5mm needle drill bit is used to drill the hole.
2. The "Runner Cable" is a 50um/125um fiber optic bundle, typically 3 to 8 fibers are combined to allow a single runner to support 6-8 devices. This cable is flat and measures roughly 125um high, and .75 to 1mm wide. Cable has a min. bend radius of 4cm, and is field terminated with a small automated fusion splicer to the "Front-End Microphone". This cable can be left loose or secured with an adhesive. Installation kit contains a small flexible installation tube to assist in installing below carpet or behind wood panelling.
3. The "Repeater" consists of a disguised box roughly 15cm x 5cm x 5cm, with an optional battery pack/power supply/trickle charger (15cm x 10cm x 5cm) or the device can be powered directly off of AC Mains. The repeater can be easily installed and hidden in a cinder block or concrete on an outside wall. It looks like the device is for long term installations, it is totally sealed and the electronics have conformal coatings/potting.
Device appears to emit a RF digital signal using 64/128/256 QAM Spread Spectrum modulation on programmable frequencies between 1.5ghz and 8.5 ghz. Modulator is contained into a "flat-pack" style antenna module. A 512kbps baseband signal is supplied to the antenna (bit stream can go as high as 2mbps, the one I examined was set for 512).
Note: The "repeater" supplies the antenna with a baseband signal, control codes, and power. The modulator/transmitter is contained in the antenna.
The device uses an RF guard channel that is used to deactivate all emissions (Go Mute) upon remote command.
The "repeater" utilizes 8 fiber outputs (it has 8 field replaceable optical modules), and one min. SMA connector for the baseband output. Suspect the device can also be be uploaded with transmission times. It also contains sufficient memory (32mb) to hold a good 4 hours or more of compressed audio.
Repeater can also transmit (Spread Spectrum) over telco or power lines with a small adapter (I was not able to secure the frequencies, but I suspect somewhere between 200khz and 3 mhz).
System uses a 50/125 Raw fiber optic distribution system, the fiber is coated, but not jacketed or buffered in any way. The fiber has a frequency response between 1230 to 1550/1710? single mode. I suspect it is standard single mode (1500nm) fiber strand.
The "Repeater" contains a low power single mode solid state light source, a duplexer/splitter (prism), and a light receiver. The light beam is transmitted into the fiber, travels to the "Front-End" where it is reflected against an angled vibrating membrane. The membrane causes a slight frequency shift in the light beam, which is reflected back to the "Repeater" where it is "picked" off with a prism and solid state detector.
(typical fiber optic microphone).
There is NO METAL in the microphone or fiber distribution system, and they CANNOT be detected by a Non-Lin (no non-linear junctions). Nor can they be detected with metal detectors, and no electro-magnetic field is present on the "Front End".
The "Repeater" section is fairly to detect with a non lin, but since it is supposed installed into the outside wall it tends not to be practical. The ideal way to detect is to sweep the exterior of the building for RF emissions. Also, the unit tends to run VERY hot (110-135 degrees), and should be visible as a thermal anomaly.
Also, the system can be detected by looking for minute amounts of light "leaking" from both the microphone, fusion couplings, and fiber distribution system.
The pinhole for the microphone can be detected with a IR visual search around 440 to 450nm (you'll need a light source with at least 500,00 candle power, the Blue Light Ultra works well, or an Omnichrome).
Once a suspect pinhole is found it can be tested for IR with a conventional Spectrum Analyser with a IR front end (the Tektronix SA-42 or SA-46 works well). There is always a small amount or IR leakage with this system.
Once the microphone is detected it is a fairly simple matter to trace the line back to the controller module or "Repeater."
Keep in mind that the system is designed to use 3 to 8 microphones.
I am going to get a look at an OC-12 clamp-on fiber optic tapping system in a few weeks and will advise.
Please treat this information as highly confidential and please do not redistribute. Thank you.
Train, Observe, Detect, Protect, Defend, Repel
James M. Atkinson
Granite Island Group - TSCM.COM
127 Eastern Avenue #291
Gloucester, MA 01931-8008
The First, The Largest, The Most Popular, and the Most Complete TSCM Counterintelligence Site on the Internet
Hypertext by JYA/Urban Deadline.