15 July 1997
Source: Mail list cypherpunks@toad.com
Thanks to SS.

See earlier report: http://jya.com/bugs.htm

-----------------------------------------------------------

To: cypherpunks-errors@toad.com
X-Sender: jmatk@tiac.net
Date: Mon, 14 Jul 1997 21:09:11 -0500
To: TSCM-L@tscm.com
From: "James M. Atkinson, Comm-Eng"
Subject: Spread Spectrum Update

===========================================
TSCM-L Technical Security Mailing List
Monday, July 14 1997
Postings: TSCM-L@tscm.com
Unsubscribe: unsubTSCM-L@tscm.com
Subscribe: subTSCM-L@tscm.com
Admin: jmatk@tscm.com
===========================================

Several weeks ago I had a chance to examine a number of spread
spectrum microwave bugging devices.

Since that time I've conducted some analysis and gathered further
intelligence on the circuit.

Here are a few of my observations.

======= C O N F I D E N T I A L ========

1) Most of the products use a high bandwidth QPSK/BPSK modulator, multi channel audio CODEC, and a RISC micro-controller chip (all components are either surface mounted ICs or multiple dice potted in epoxy).
2) RF Circuit seems to be a simple homodyne audio transmitter (6 Ghz Gilbert Cell Mixer) which is driven by a single CPU/microcontroller (with a clock speed of 180 Mhz).
3) Frequencies used for the ultra low power device are clean from 130 Mhz to 4 Ghz, circuit starts to fail above 5.5 Ghz (but is still operable to about 8 Ghz).
4) Emitter is driven directly from vector modulator chip, with no power amp circuits. PIN diode found on output appears to provide gain control or disconnect of circuit, but provides no amplification of signal.
5) Noise floor of circuit is -135 dBm (below 2 ghz), -142 dBm (2-4 ghz), and -150 dBm above 4 Ghz.
6) Signal has a variable bandwidth which varies between 350 Mhz and 900 Mhz. Appears to be designed for a 900 Mhz bandwidth signal. Device operates "deep" inside the noise floor.
7) Virtually impossible to detect at close range with a conventional RF spectrum analyzer (492/494/8566/etc).
8) Detectable with most wideband systems (with IF BW above 300 - 900 Mhz, 700 Mhz ideal).
8) VCC = +3.0 VDC, all circuits functional 2.3 to 6.8 VDC
9) Output applied to PIN diode ranges between -28 and -42 dBm (depending on frequency and span)
10) Device enters some type of sleep mode when power is present but audio level is low (seems to auto squelch). Total current draw when in sleep mode is 12 µA. Device does not emit RF energy when in sleep mode.
-------------
11) One of the devices has no type of connection for external power, but instead uses a network of Schottky diodes and capacitors which constitute an effective RF to DC converter.
12) The RF to DC circuit requires an un-modulated 10-15 Ghz RF signal, and seems to respond well to X-Band microwave motion detectors used for many corporate alarm systems.
13) Device also has a small microphone built onto the circuit, microphone measures 4.5mm * 1.6mm * 4.1mm.
14) Entire device measured 3.2 cm * 5.2 cm and about 3 mm thick (or about the thickness of a standard business envelope).
15) Device contains some type of adhesive on both sides of a foil backing. Suspect it's applied as some type of "sticky label". Once the device is installed any attempt to remove results in its total destruction (unless you freeze it off).
16) The French government has been known to use a similar device in some of its "Diplomatic" activities.

-jma

========================================================================
"For those who risk, life has a flavor the protected shall never enjoy."
========================================================================
James M. Atkinson                      Phone: (508) 546-3803
Granite Island Group - TSCM.COM        127 Eastern Avenue #291
http://www.tscm.com/                   Gloucester, MA 01931-8008
jmatk@tscm.com
========================================================================
The First, The Largest, The Most Popular, and The Most Complete
TSCM Counterintelligence Site on the Internet
========================================================================

To: cypherpunks@cyberpass.net
From: Steve Schear
Date: Tue, 8 Jul 1997 13:15:44 -0700
Subject: Re: Spread Spectrum Surveillance Modules
Cc: cypherpunks@cyberpass.net

>[From the TSCM-L Technical Security Mailing List]
>
>................................. cut here .................................
>
>TSCM Intelligence Update - Spread Spectrum Surveillance Modules
>
>New Spread Spectrum Surveillance Modules
>
>There are some new spread spectrum products coming into the US by way of
>China, and are starting to show up in Spy Shops on the West coast, Chicago,
>and Miami area.
>
>Two sided, four layer, surface mount PCB, several RF and audio IC's,
>several pots, coils, etc. Device is a raw module, designed for covert
>installations in an office or SOHO environment.
>
>SM connector for antenna, micro molex connector for power and
>computer/serial interface.
>
>PCB is 1.5 mm wide, 3.25 mm long, and .5mm thick.
>
>Products are all based on a cordless telephone chip set, 780 Mhz to 980
>Mhz, Direct Sequence Spread Spectrum (BPSK/QPSK?).

Unfortunately, all high volume consumer direct sequence (DS) chips are
optimized for data throughput and spectral efficiency, the exact opposite
of what you want for surveillance. The compact sinx/x DS signature is easy
to see on any spectrum analyzer when one is relatively close to the bug.
However, if the DS chip is used in combination with frequency hopping (FH),
especially if the hop frequencies overlap, then a much more robust
surveillance device can be created.
Introduction of FH does complicate the design, especially receiver
acquisition/synchronization, but the results could be well worth the effort.

--Steve

PGP encrypted mail PREFERRED (See MIT/BAL servers for my PK)
PGP Fingerprint: FE 90 1A 95 9D EA 8D 61 81 2E CC A9 A4 4A FB A9
---------------------------------------------------------------------
Steve Schear (N7ZEZ)     | Internet: azur@netcom.com
7075 West Gowan Road     | Voice: 1-702-658-2654
Suite 2148               | Fax: 1-702-658-2673
Las Vegas, NV 89129      |
---------------------------------------------------------------------

God grant me the serenity to accept the things I cannot change;
The courage to change the things I can;
The weapons that make the difference;
And the wisdom to hide the bodies of the people that got in my way;-)

"Surveillance is ultimately just another form of media, and thus,
potential entertainment." --G. Beato

"We've all heard that a million monkeys banging on a million typewriters
will eventually reproduce the entire works of Shakespeare. Now, thanks to
the Internet, we know this is not true." -- Dr. Robert Silensky