Technical Surveillance Counter-Measures (TSCM)
To assist clients, this document outlines the equipment used, the eavesdropping devices deployed, the methodology of TSCM and the possible motivations of perpetrators.
It is intended to be informative so that clients can make decisions as to whether TSCM should be an integrated part of their corporate security program or an ad hoc service determined by the threat environment or threat information received.
Technical Equipment Used:
1. Radio Signals Detector and Analyser – The Radio Signal Detector & Analyser is a broadband signal detector which displays its results in both the amplitude & time domains. Based around a logarithmic amplifier, it is used for detecting and identifying pulsed signals. Furthermore, the internal analysis software identifies Time Division Multiple Access (TDMA) signals in real time. This enables GSM transmissions, very commonly used for cheap, quick-plant eavesdropping devices, to be quickly identified & located, as well as identifying Bluetooth & DECT transmissions.
2. Surface Scanner – The Surface Scanner assists the physical search by providing a visual means to identify plaster rework, pinholes and any concealed cameras (reflection off the camera lens).
3. SigNet – SigNet is a broadband counter-surveillance eavesdropping device detector that detects and locates active radio eavesdropping devices. It can detect all types of analogue and digital signals, including elusive burst transmitters. SigNet is used hand-held to detect and locate covert transmitters, or stand-alone on a desk to provide unobtrusive real-time monitoring. Both modes are used during a TSCM sweep & the threat from burst transmitters is constantly monitored, with activity immediately indicated to the user.
4. Non-Linear Junction Detector (NLJD) – Detects the presence of electronics, regardless of whether they are radiating, hard wired, or even turned off. Electronics containing semiconductor properties return a ‘harmonic’ signature when radiated with RF energy (usually around 888 or 915 MHz). Various frequencies are then monitored for a reflected harmonic signal.
An NLJD detects physical properties and not energy emissions. Therefore, devices that contain circuit boards and their components, like cell phones, video cameras and microphones can be detected.
The NLJD is a transceiver (transmitter and receiver) that radiates a digital spread spectrum signal to determine the presence of electronic components. When the energy encounters semiconductor junctions (diodes, transistors, circuit board connections, etc.), a harmonic signal returns to the receiver. The receiver measures the strength of the harmonic signal and distinguishes between the 2nd and 3rd harmonics. While it is possible to measure the 4th, 5th, 6th and other harmonics, those above the third are of only limited TSCM value. A stronger 2nd harmonic indicates that an electronic junction has been detected. In this way the NLJD is used to sweep walls, objects, containers, furniture & most types of surfaces to look for hidden electronics, regardless of whether the electronic device is turned on.
Semiconductors contain multiple layers of silicon, a P-Type and an N-Type; the point where they meet is called a Non-Linear Junction. This junction also appears in nature when dissimilar metals come into contact with one another (such as that used in the old crystal radio set). The rust on a screw, the springs in a car, or the support structure in any piece of furniture may also contain non-linear junctions (resulting from corrosion).
A Non-Linear Junction Detector is nothing more than an instrument which detects ‘harmonic anomalies’ of which there are six. The second and third harmonics are very pertinent to TSCM, whilst the others are of far lesser relevance. Any positive indication must be verified with a metal detector, X-Ray examination, thermal viewer, and/or a physical inspection to confirm the actual presence or absence of an eavesdropping device.
A Non-Linear Junction Detector was used to ascertain whether any of the following were present:
- Active or Live listening device
- Covert or Concealed Video Cameras
- Remote Control or Remote Powered listening device
- Inactive listening device
- Dead listening device
- Turned on listening device
- Resonant Cavity Devices
- Mains & telephone cabling attached devices
- Turned off listening device
- Hidden Tape Recorders (even broken ones)
- Burned out listening device
- Covert Eavesdropping Devices
- Electronic Timers for Hidden Bombs
5. Conduct Signals Scanner
   - Broadband Detector (Lowpass)
   - Broadband Detector (Highpass)
   - Spectrum Analyser (narrowband carrier)
6. Spectral Analysis – Captures all the radio frequency information in the vicinity to identify suspicious signals. The Spectral Analysis Software then uses a number of analysis & comparison techniques to highlight signals worth further investigation. Investigating radio transmissions has always been a two-dimensional process, checking amplitude & frequency. The analysis software adds time & space to complete the image of the radio environment, giving maximum visibility in 4 dimensions by comparing spectrum scans from different times and/or different rooms in a search area.
7. Digital Endoscopic video/camera – Used to search and investigate all spaces such as false ceilings, ceiling and wall cavities, air-conditioning ducts, cabling ducts, other enclosed spaces which cannot be easily accessed.
Whilst checking a space or cavity, a video recording is always made and still photographs are also taken, for reference and further examination. Also, if a ‘suspicious item’ or ‘items of interest’ are seen, photographs will be taken, even if the item is later cleared as not being a covert listening device.
Subsequently, the video recording will be reviewed in detail & all items will be identified & cleared as not being an eavesdropping device.
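The scan comparison described under Spectral Analysis above, as an added example (not the vendor's software and not code from this document): it flags frequency ranges that are markedly stronger in the target room than in a reference scan taken in another room or at an earlier time. The function name, thresholds and sample readings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    start_mhz: float
    stop_mhz: float
    peak_mhz: float
    peak_dbm: float
    excess_db: float  # how far the peak sits above the reference scan

def compare_scans(freqs_mhz, target_dbm, reference_dbm,
                  min_excess_db=10.0, floor_dbm=-95.0, max_gap_mhz=0.15):
    """Return frequency ranges that are markedly stronger in the target scan.

    The reference can be another room or an earlier scan of the same room.
    All thresholds are illustrative assumptions, not vendor settings.
    """
    if not (len(freqs_mhz) == len(target_dbm) == len(reference_dbm)):
        raise ValueError("scans must cover the same frequency bins")
    findings, run = [], []

    def close_run():
        if run:
            peak = max(run, key=lambda k: target_dbm[k])
            findings.append(Finding(freqs_mhz[run[0]], freqs_mhz[run[-1]],
                                    freqs_mhz[peak], target_dbm[peak],
                                    target_dbm[peak] - reference_dbm[peak]))
            run.clear()

    for i, f in enumerate(freqs_mhz):
        # "Hot" = above the noise floor AND well above the reference level.
        hot = (target_dbm[i] > floor_dbm
               and target_dbm[i] - reference_dbm[i] >= min_excess_db)
        # Close the current signal when the excess ends or the band jumps.
        if run and (not hot or f - freqs_mhz[run[-1]] > max_gap_mhz):
            close_run()
        if hot:
            run.append(i)
    close_run()
    return sorted(findings, key=lambda x: x.excess_db, reverse=True)

# Constructed sample scans (not real measurements): same bins, two locations.
FREQS     = [98.0, 98.1, 98.2, 433.8, 433.9, 434.0, 434.1, 902.0, 902.2, 902.4]
CORRIDOR  = [-52, -48, -53, -97, -96, -97, -96, -80, -78, -81]
BOARDROOM = [-51, -47, -52, -96, -70, -58, -72, -77, -75, -79]

if __name__ == "__main__":
    for hit in compare_scans(FREQS, BOARDROOM, CORRIDOR):
        print(f"{hit.start_mhz}-{hit.stop_mhz} MHz, peak {hit.peak_dbm} dBm "
              f"at {hit.peak_mhz} MHz, +{hit.excess_db} dB over reference")
```

A strong signal that appears equally in both scans (the constructed 98 MHz entries) is ambient and is not reported; only the range that is louder inside the target room is returned for follow-up with the hand-held equipment.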
The electronic and physical sweep also searched for the following:
- Voice activated eavesdropping devices
- Burst transmission eavesdropping devices
- Concealed cellular, PCS and GSM telephones/devices – A GSM eavesdropping device uses a SIM card. It is usually a small, battery-powered listening device that has its own telephone number, which a user can dial from anywhere in the world to listen to conversations in real time in the targeted location. GSM transmitters are now being implanted into everyday objects such as a computer mouse.
- External microwave/laser devices for eavesdropping
- Devices utilizing low-power transmissions such as those found in Bluetooth, Wi-Fi, or WiMAX (Worldwide Interoperability for Microwave Access) transmissions.
Types of Devices (in General terms)
Some devices record for later recovery and some transmit; there are different categories for different uses. There are three main categories based on deployment:
- Plug & Play
- Leave & Retrieve
- Hard-wired
Plug and Play Listening Devices – “Plug and Play” devices are those that you can quickly plug into a power source & leave. These devices will transmit on whatever frequency to a receiving device, which could be a special recorder or a standard cell phone.
This category of device is useful for quick deployment and would include adapter sockets, light bulbs, clocks etc. Being plugged into the power supply means that these devices do not need to contain or rely upon batteries.
Leave and Retrieve Listening Devices – “Leave and Retrieve” devices are normally small recording devices that can be left in a suitable location to record a conversation rather than transmitting it. Devices in this category are often disguised as plant pots, pens, calculators etc. and are all powered by battery.
The nature of this category of device is that they are limited in use by both power and solid-state memory, so have limited applications.
Hard-wired Listening Devices – This type of device is the hardest to detect. “Hard-wired” Listening Devices can be embedded into any electronic device, including of course household appliances such as televisions, radios, smoke alarms, plug sockets etc., and take power directly from that device.
Hard-wiring eavesdropping devices is the preferred method of professionals. These devices take much longer to install and would often need prior knowledge of the host device but will yield the best result.
Prior planning would consider a number of key issues, such as the most suitable location for the device (close to where conversations are likely to take place). The choice of host device is important: a hard-wired device cannot of course be concealed inside electronic devices that will interfere with the device.
Given time, there are a number of extremely advanced options open to those planting hard-wired eavesdropping devices. These include:
Back-up battery power – This option enables the Listening Device to remain active, even if the host device is switched off. It will remain active until the battery discharges & as long as the battery gets regularly recharged, eavesdropping can be carried out for long uninterrupted periods.
Microphone & lead – This can be an extremely complicated eavesdropping device. The principle is that a small & powerful microphone is concealed within the target area, connected to a lead that is itself connected to the Listening Device, ideally hijacking cabling that is already in place. Telephone cabling, for example, does not make use of all wires within its core and is a prime candidate.
This option means that the Listening Device does not need to be in the target room or indeed the same building, making the device extremely hard to detect via a TSCM sweep, even for the most well-equipped, competent TSCM teams. The only way of really discovering this method is a physical test of wiring & a thorough inspection of sockets etc. & this should ONLY be done by a qualified professional.
Nature of Devices
- Concealable transmitters – These can monitor conversations in a room if gaining access is difficult, by using room transmitters, wireless microphones or similar. These listening devices are self contained, free-standing and can be placed in a room where discovery would be unlikely yet close to where conversations take place.
- Disguised transmitters – These are covert transmitters used for covert surveillance by placing audio transmitters into everyday objects such as a clock, belt, calculator, etc.
- Digital surveillance transmitters – These are listening devices with features such as remote-controlled activation, audio surveillance recorder features, encrypted surveillance transmitters, and data monitoring transmitters.
- Listening devices – Listening devices that transmit audio surveillance over long distance while drawing very low power output are known as lithium transmitters. These listening devices are very small and can be placed in hard to view areas.
- Telephone transmitters – These are listening devices used for phone tapping in order to obtain both sides of a phone conversation. These listening devices live off the energy of the phone line, prolonging their operation life indefinitely.
- Mains powered transmitters – These listening devices broadcast audio surveillance for extended use where continuous power exists & audio surveillance access is difficult to get. They can operate indefinitely because the AC power line provides continuous power to the listening device.
- Audio from optical sources (using laser or microwave) – The device targets items in the room or the glass pane of a window, which will be microscopically vibrating from the voices in the room (external laser/microwave devices).
- UV or IR spectrum – Eavesdropping devices which use the UV or IR spectrum to listen in on conversations; they are in the same class as the optical-source devices in the preceding item.
- In Hong Kong it is also simpler to identify Government from private sector ‘devices’ by their level of sophistication and construction.
Comment: Having been involved in TSCM operations for 20+ years, working for clients worldwide, and drawing on lessons learned, it has been noted that there has been a total shift in the technology involved in electronic eavesdropping, from very simple FM & UHF devices to GSM, burst transmission and encrypted devices.
The constant rise of attacks on IT systems and the use of spyware in both desktop computers and mobile devices, such as smartphones, also cannot be ignored, when talking about the age that we live in and present threats to security.
A TSCM sweep is a very intrusive service or should be if conducted right. One critical bad practice that is creeping into the security industry is the subcontracting of TSCM services. This should not be accepted, as all continuity and privacy is lost.
A client needs to be able to discuss their security concerns with the TSCM sweep company. They need to be able to have honest and open discussions with those professionals about what they feel is the threat level and the direction of the threat. To just get a company in for a TSCM sweep & not talk to them is an opportunity missed.
TSCM professionals should/will be a fount of knowledge as to the present technologies & threats, in whom senior management, risk, security, or IT personnel should be taking an interest and of whom they should be asking questions. They should also have local knowledge regarding ‘what works and doesn’t work’ in the local environment, any trends, tactics used & so on. This information will help clients make informed decisions and develop an effective and, very importantly, cost-efficient mitigation program.
Ideally, companies should look at TSCM sweeps as part of their ‘security housekeeping policy’; they should have a security and risk policy that includes the budgeting for TSCM. The frequency and the requirements are very much down to the individual company and how they perceive the level of threat against them during a particular timeframe or event (e.g. board meeting).
Most people's understanding of bugging or eavesdropping devices comes from watching television, films or from popular fiction books. 70% of the capabilities of bugging devices that are depicted in popular film and television are not technically possible.
It is also beneficial for clients to have an understanding of those who plant covert eavesdropping devices and their need to look at many options before even getting to the stage of entering the building/area and planting any devices. In this way there is a better understanding of capabilities and ability, so such can be countered/combated in a realistic and viable manner.
Perpetrators’ possible motives include, but are not limited to:
- Collection of confidential and sensitive information for commercial/financial gain
- Collection of confidential and sensitive information for public release to cause the loss of public confidence, to damage client’s reputation.
- Collection of confidential and sensitive information to gain an advantage.
- Collection of confidential and sensitive information to cause disruptions/damage to client’s operations
- To target individuals in the organization
- Disgruntled employee misconduct
- Law enforcement / regulating Authorities investigating suspected criminal or corrupt activities.
- Internal audit/compliance conducting aggressive integrity checks (seen more overseas and not the norm in Hong Kong)
Perpetrators’ considerations include, but are not limited to:
- Cost vs reward
- Level of risk
- Type of building (steel and concrete or brick)
- Location of target room/area within building
- Timescale monitoring
- Monitoring or receiving location
- Access to room/area and building
The above gives just a small insight into the questions that need to be asked before even selecting what type of device to deploy: UHF, VHF or GSM etc. This is vital before getting onto how the device is going to be powered or how and where the signal is going to be received.
With GSM devices, one big technical consideration, and a further question for those carrying out acts of corporate eavesdropping, is whether the chosen network operates with high signal strength in that building.
Small eavesdropping devices, such as those built into pens, computer mice or stuck under desks or chairs etc., are sufficient for quick, short-term tasks. However, these devices have their drawbacks. Devices that are required to be in position long-term need more sustainable power supplies and are normally “hard wired” or built into powered devices, for example plug sockets, extension leads, phones or computer monitors etc.
“Sometimes it really is as simple as placing a Dictaphone on voice activation for later retrieval.”
Since the mid-2000s and the rise of internet usage there has been a large increase in “off the shelf” eavesdropping devices, ranging from complex GSM devices to FM and UHF devices at the lower end of the scale. One thing is for sure: for less than HK$1,000, a person can buy a reasonable device capable of causing a company the loss of important confidential information.
An individual or organisation carrying out acts of ‘commercial espionage’ is going to look at the easy options for intelligence gathering first, e.g. those with the least risk and that are most cost-effective. Eavesdropping and monitoring of devices can be expensive and full of risks, with huge damage if caught, not forgetting prison sentences. That said, very few ‘commercial espionage’ cases are ever brought to court; victims instead prefer to settle such matters outside of court to avoid bad PR and reputational damage.
Computers are not normally covered on TSCM sweeps but can also easily be turned into eavesdropping devices with just the addition of spyware. This is not a real worry but can be totally forgotten and overlooked when it comes to staff working remotely from home. Computers should be physically inspected by qualified IT experts and a strong cyber security program should be in place.
Very few TSCM firms cover computers during TSCM sweeps, even though computer cases are the ideal place to conceal a hard-wired device. Having said that, MSS does search for devices attached externally to ports, cabling, ancillary IT devices, etc. Malware, spyware, ransomware, etc. are not covered in the TSCM sweep.
Basically, a part of the TSCM sweep is looking for anomalies and what is not normal. The MSS team also uses the perspective of a potential perpetrator – looking for ideal and suitable locations to install eavesdropping devices, how to disguise them, ‘red herrings’ and deceptions which can be applied and so on.