15 July 1997
Source: Mail list cypherpunks@toad.com
Thanks to SS.

See earlier report: http://jya.com/bugs.htm

-----------------------------------------------------------

To: cypherpunks-errors@toad.com
X-Sender: jmatk@tiac.net
Date: Mon, 14 Jul 1997 21:09:11 -0500
To: TSCM-L@tscm.com
From: "James M. Atkinson, Comm-Eng" <jmatk@tscm.com>
Subject: Spread Spectrum Update


===========================================
TSCM-L Technical Security Mailing List
Monday, July 14 1997

Postings:           TSCM-L@tscm.com
Unsubscribe:   unsubTSCM-L@tscm.com
Subscribe:       subTSCM-L@tscm.com
Admin:		     jmatk@tscm.com
===========================================


Several weeks ago I had a chance to examine a number 
of spread spectrum microwave bugging devices.

Since that time I've conducted some analysis and
gathered further intelligence on the circuit.

Here are a few of my observations.


   =======  C O N F I D E N T I A L  ========


1) Most of the products use a high bandwidth QPSK/BPSK
modulator, multi channel audio CODEC, and a RISC
micro-controller chip (all components are either
surface mounted ICs or multiple dice potted in epoxy).

2) RF Circuit seems to be a simple homodyne audio
transmitter (6 Ghz Gilbert Cell Mixer) which is driven
by a single CPU/microcontroller (with a clock speed of 180 Mhz).

3) Frequencies used for the ultra low power device are
clean from 130 Mhz to 4 Ghz, circuit starts to fail
above 5.5 Ghz (but is still operable to about 8 Ghz).

4) Emitter is driven directly from vector modulator chip,
with no power amp circuits. PIN diode found on output
appears to provide gain control or disconnect of
circuit, but provides no amplification of signal.

5) Noise floor of circuit is -135 dBm (below 2 ghz),
-142 dBm (2-4 ghz), and -150 dBm above 4 Ghz.

6) Signal has a variable bandwidth which varies between
350 Mhz and 900 Mhz. Appears to be designed for a 
900 Mhz bandwidth signal. Device operates "deep" inside 
the noise floor. 

7) Virtually impossible to detect at close range with a
conventional RF spectrum analyzer (492/494/8566/etc).

8) Detectable with most wideband systems (with IF BW
above 300 - 900 Mhz, 700 Mhz ideal).

8) VCC = +3.0 VDC, all circuits functional 2.3 to 6.8 VDC

9) Output applied to PIN diode ranges between -28 and
-42 dBm (depending on frequency and span)

10)  Device enters some type of sleep mode when power
is present but audio level is low (seems to auto
squelch). Total current draw when in sleep mode is 12
�A. Device does not emit RF energy when in sleep mode.

-------------

11) One of the devices has no type of connection for
external power, but instead uses a uses a network of
Schottky diodes and capacitors which constitute an
effective RF to DC converter.

12) The RF to DC circuit requires an un-modulated 10-15
Ghz RF signal, and seems to respond well to X-Band
microwave motion detectors used for many corporate
alarm systems.

13) Device also has a small microphone built onto the
circuit, microphone measures 4.5mm * 1.6mm * 4.1mm.

14) Entire device measured 3.2 cm * 5.2 cm and about 3
mm thick (or about the thickness of a standard
business envelope).

15) Device contains some type of adhesive on both
sides of a foil backing. Suspect it's applied as some type
of "sticky label". Once the device is installed any 
attempt to remove results in its total destruction 
(unless you freeze it off).

16) The French government has been know to use a 
similar device in some of its "Diplomatic" activities.


-jma

 ========================================================================
 "For those who risk, life has a flavor the protected shall never enjoy."
 ========================================================================
  James M. Atkinson                                 Phone: (508) 546-3803
  Granite Island Group - TSCM.COM
  127 Eastern Avenue #291                           http://www.tscm.com/
  Gloucester, MA 01931-8008                         jmatk@tscm.com
 ========================================================================
          The First, The Largest, The Most Popular, and The Most  
          Complete TSCM Counterintelligence Site on the Internet
 ========================================================================

To: cypherpunks@cyberpass.net
From: Steve Schear <azur@netcom.com>
Date: Tue, 8 Jul 1997 13:15:44 -0700
Subject: Re: Spread Spectrum Surveillance Modules
Cc: cypherpunks@cyberpass.net

>[From the TSCM-L Technical Security Mailing List]
>
>................................. cut here .................................
>
>TSCM Intelligence Update - Spread Spectrum Surveillance Modules
>
>New Spread Spectrum Surveillance Modules
>
>There are some new spread spectrum products coming into the US by way of
>China, and are starting to show up in Spy Shops on the West coast, Chicago,
>and Miami area.
>
>Two sided, four layer, surface mount PCB, several RF and audio IC's,
>several pots, coils, etc. Device is a raw module, designed for covert
>installations in an office or SOHO environment.
>
>SM connector for antenna, micro molex connector for power and
>computer/serial interface.
>
>PCB is 1.5 mm wide, 3.25 mm long, and .5mm thick.
>
>Products are all based on a cordless telephone chip set, 780 Mhz to 980
>Mhz, Direct Sequence Spread Spectrum (BPSK/QPSK?).

Unfortunately, all high volume consumer direct sequence (DS) chips are
optimized for data throughput and spectral efficiency, the exact opposite
of what you want for surveillence.  The compact sinx/x DS signature is easy
to see on any spectrum analyzer when one is relatively close to the bug.
However, if the DS chip is used in combination with frequency hopping (FH),
especially if the hop frequencies overlap, then a much more robust
surveillence device can be created.  Introduction of FH does complicate the
design, especially receiver acquisition/synchronization, but the results
could be well worth the effort.

--Steve

PGP encrypted mail PREFERRED (See MIT/BAL servers for my PK)
PGP Fingerprint: FE 90 1A 95 9D EA 8D 61  81 2E CC A9 A4 4A FB A9
---------------------------------------------------------------------
Steve Schear (N7ZEZ)     | Internet: azur@netcom.com
7075 West Gowan Road     | Voice: 1-702-658-2654
Suite 2148               | Fax: 1-702-658-2673
Las Vegas, NV 89129      |
---------------------------------------------------------------------

        God grant me the serenity to accept the things I cannot change;
        The courage to change the things I can;
        The weapons that make the difference;
        And the wisdom to hide the bodies of the people that got in my way;-)

        "Surveilence is ultimately just another form of media, and thus,
        potential entertainment."
        --G. Beato

       "We've all heard that a million monkeys banging on a million
        typewriters will eventually reproduce the entire works of
        Shakespeare. Now, thanks to the Internet, we know this is
        not true."                           -- Dr. Robert Silensky



